September 1st, 2021
The European Data Protection Board (EDPB¹) has published Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
See below for more details.
Members may also find the BHBIA's updated Data Protection Update – Naming the End Client guide useful. This update aims to explain clearly and simply the circumstances in which an end client needs to be identified to market research participants. You can find it in the Privacy & Data Protection section of the website, or download it directly via the link at the bottom of this page.
The EDPB Guidelines
The guidelines do make clearer:
─ A controller has to determine purpose and means (not purpose or means).
─ A controller does not have to process personal data directly to be a controller.
─ They distinguish ‘essential’ means from ‘non-essential’ means; a controller must determine the essential means. They also provide some specific (but not exhaustive or definitive) examples:
- Essential means = determining the type of data to be processed, the type of data subjects, length of storage, recipients of personal data;
- Non-essential means = choice of hardware and/or software, security measures.
─ The criteria to take into account when determining whether parties are joint or independent controllers – common or converging, inextricably linked decision making.
As ever, the determination of who is a processor and who is a controller will always be context-specific, based on the data-processing decision-making roles of the organisations involved. It may be the case that different data processing tasks undertaken during the course of a market research project will have different controllers or processors.
We are in regular contact with the UK Market Research Society (MRS) to make sure our interpretation and guidance is consistent – it is.
1 The EDPB is the independent body responsible for ensuring consistent application of the General Data Protection Regulation and promoting cooperation among the EU’s data protection authorities. It is made up of members from EU member states’ data protection authorities.
2 The ICO is the UK data protection supervisory authority - the Information Commissioner’s Office.