The European Data Protection Board (or "EDPB") has issued draft guidelines on the concepts of "controller" and "processor" within the meaning of the GDPR. These guidelines were open for public consultation until Oct. 19, 2020. After that, the feedback will be processed and the guidelines adopted.
coauthor: Adrine Like
The EDPB is an independent European body that contributes to the consistent application of data protection rules throughout the European Union (EU). The EDPB also promotes cooperation among privacy regulators in the EU.
The EDPB was established under the General Data Protection Regulation (GDPR). It is the successor to the Article 29 Data Protection Working Party, which adopted an opinion in 2010 addressing the concepts of "controller" and "processor" under Directive 95/46/EC. Since then, and particularly since the entry into force of the GDPR, these concepts and the obligations that flowed from Directive 95/46/EC have evolved. In addition, new obligations for controllers and processors have been added. The Court of Justice of the European Union (CJEU) has also issued several rulings on the interpretation of the relevant concepts, in particular the concept of joint controllers.
The new guidelines are the next stage in this evolution and also respond to calls for clarification.
To make the terms "controller," "joint controllers," and "processor" clear, the draft text includes detailed descriptions and even illustrations.
Controller
The guidelines state that the controller is the body that has the final say on the main elements of the processing: the purposes for which the data are processed and the means by which they are processed, in short, the "why" and "how" of the processing. The role of controller may also be defined in law, or it may follow from an analysis of the actual circumstances of the case, which the guidelines explain.
An interesting development is that the guidelines now state precisely that certain processing activities are by their very nature part of an entity's role (as an employer towards employees, as a publisher towards subscribers, or as an association towards members). In many cases the controller can be identified from the content of the agreement between the parties, although this does not give a conclusive answer in every case. Furthermore, an entity need not actually have access to the data being processed in order to qualify as a controller.
Joint controllers
Where more than one party is involved in a processing operation, those parties may qualify as joint controllers. The guidelines now confirm that the joint participation of two or more entities in determining the purposes and means of a processing operation is the key criterion for qualifying as joint controllers. Joint participation can take several forms. It may be a joint decision by two or more entities, or it may be the result of converging decisions by two or more entities. In the latter case, the decisions complement each other and are both necessary for the processing to take place, such that each has a tangible impact on the determination of the purposes and means of the processing.
The EDPB also makes clear that the mere fact that several parties are involved in the same processing operation does not in itself mean that they are joint controllers of that operation. Qualification as joint controllers is not implicit in every type of partnership or collaboration; it requires a case-by-case analysis of the processing in question and of the role of each entity in it. The EDPB gives the following example of a case where the parties are not joint controllers:
A company collects and processes employee personal data in order to manage payroll, health insurance, and so on. By law, the company is obliged to transmit all salary data to the tax authorities so that tax audits can be carried out. Although the company and the tax authority process the same salary data, no joint purposes and means have been determined for this processing, so the two entities are classified as separate controllers.
Processor
To qualify as a processor, an entity must meet two basic conditions. First, it must be an entity separate from the controller, and second, it must process personal data on behalf of the controller. The processor must follow the controller's instructions regarding the processing of the data. The instructions may leave the processor a degree of freedom as to how the controller's interests are best served; for example, the processor may be free to choose the most appropriate technical and organizational methods of processing. However, a processor does infringe the GDPR if it disregards the controller's instructions and determines the purposes and means of the processing itself. In that case the processor is considered the controller for the processing in question, and sanctions can be imposed for not following instructions.
Regarding the contractual relationship between the controller and the processor, the GDPR lists the elements that must be included in the processing agreement. The EDPB recommends, however, that this agreement not be a simple copy of the GDPR provisions. The agreement must contain specific, concrete information on how the requirements will be met and what measures are needed to ensure the security of the personal data involved.
The GDPR says nothing about the legal form in which joint controllers must set out their arrangements. However, for the sake of legal certainty, transparency and accountability, the EDPB recommends that those arrangements be laid down in a binding document, such as a contract or another legal instrument that binds the controllers under national or European law.