The new EDPB guidelines (07/2020) will help to determine who is the controller, co-controller or processor in the given processing of personal data. The guidelines are currently being consulted publicly and comments to them can be submitted until October 19, 2020.
The proper determination of roles in personal data processing can be a challenge especially for entities operating within large capital groups and cooperating with many subcontractors. The purpose of the guidelines is to provide instructions to facilitate the practical application of the GDPR’s provisions.
As a reminder - a data controller is an entity (including an individual, company or organization) that decides about the purpose and methods of data processing, e.g. the employer in relation to the its employees. A processor is an entity that processes personal data on behalf of the controller, e.g. a company operating payroll on behalf of the employer.
What should be kept in mind when establishing roles in the processing of personal data?
1. the agreement does not decide who is the data controller
Whether an entity is an controller or a processor is determined by facts or laws, and not by the content of the contract. An entrepreneur cannot effectively free himself/herself from responsibility for the processing of personal data by constructing a contract in such a way that it does not assign this role to him/her. The entity that decides why and how data processing takes place will always be the controller, even if in the contract the parties give it the role of a processor.
2. the processor may also influence the way data is processed, but only to a limited extent
The controller in data processing is an entity that decides both the purposes and methods of personal data processing. The processor will never decide on the purpose of data processing, however, to some extent it may influence the way the data are processed.
This influence should, however, be limited to non-essential aspects of the processing, mainly of a technical nature, such as the choice of software. Key aspects of personal data processing, i.e. the scope of data, processing period or recipients of data are always determined by the controller or co-controllers.
3. the controller does not always have to have access to the personal data he or she processes
Access to personal data is not a necessary condition for being a data controller. For example, an company commissioning an external company to carry out a market research on the profile of his potential customers will act as the controller of their data, even if it receives a report containing only statistical data - as long as it decides on the purpose and method of processing (e.g. the company will provide a list of questions to the questionnaire).
In order to correctly assign roles in the processing, it is worth to use guiding questions such as: Why does data processing take place? Who decides that data processing takes place for a specific purpose? How much freedom does an entity have in data processing, does it have to comply with any guidelines?
Incorrectly establishing roles in the processing of personal data can expose both parties to serious consequences, because each role is assigned a different scope of duties, which if not performed exposes the subject to liability under the GDPR. First of all, it is the controller who has to demonstrate the compliance of the data processing with the principles indicated in Article 5 of the GDR (e.g. legalism, limited purpose, data minimization).