On 7 November, the EDPS published a series of guidelines to help businesses determine whether they are controllers, processors or joint controllers. The guidelines also include easy-to-use checklists and a flowchart.
The guidelines repeat many of the recommendations made by the Article 29 Group in its Opinion 1/2010 on the concepts of controller and processor and the body of established European jurisprudence. However, they contain some important clarifications and very specific, sectoral examples to enable companies to correctly define their role in the processing of personal data.
Another important clarification of the guidelines is that a company is a controller even if it does not have access to personal data processed on its behalf, as long as that company determines the purpose and method of processing, influences the processing by initiating the processing of personal data, or receives anonymous statistics based on personal data collected and processed by another company. While this was already common practice of some European data protection authorities and a position confirmed by the Court of Justice of the European Union, it is now confirmed by the EU DPO, in particular in relation to the controller/processor distinction.
The same clarification applies to the processing of personal data as joint controllership; it is not necessary for both data controllers to have access to personal data in order to qualify as joint controllers.
It is also important for companies to bear in mind that only a controller can determine the purpose and essential means of processing personal data. However, the processor is not a “subordinate” and can enjoy a high degree of autonomy in deciding the means when acting on behalf of the controller.
Should you require assistance in interpreting the guidelines, please do not hesitate to contact us at any time. We look forward to hearing from you.