October 15th, 2020
The European Data Protection Board (EDPB1) has recently published draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
Consultation on these EU-wide guidelines closes on 19 October but it is not clear when they will be finalised.
The guidelines do make clearer:
─ A controller has to determine purpose and means (not purpose or means).
─ A controller does not have to process personal data directly to be a controller.
─ They talk about ‘essential’ means and ‘non-essential’ means, a controller must determine essential means. They also provide some specific (but not exhaustive or definitive) examples:
- Essential means = determining the type of data to be processed, the type of data subjects, length of storage, recipients of personal data;
- Non-essential means = choice of hard and/or software, security measures.
─ The criteria to take into account when determining whether parties are joint or independent controllers – common or converging, inextricably linked decision making.
As ever, the determination of who is a processor and a controller will always be context-specific based on the data processing decision making roles of the organisations involved. It may be the case that different data processing tasks undertaken during the course of a market research project will have different controllers or processors.
We are in regular contact with the UK Market Research Society (MRS) to make sure our interpretation and guidance is consistent – it is. In addition, the BHBIA and the MRS hope to meet with the ICO2 to discuss their response to the EDPB guidelines and the specific implications for the research sector. We also hope to discuss the potential impacts of Brexit for data processing legislation in the UK; given that the UK/EU discussions on this issue are not progressing as smoothly or swiftly as hoped this is of great interest to us.
If you have any comments you would like us to consider before these discussions, please let us know; send them to: firstname.lastname@example.org with 'Data Controller/Processor Guidance' as the subject line.
We will keep members informed of the publication of the final guidance and any key outcomes from discussion with the ICO.
1 The EDPB is the independent body responsible for ensuring consistent application of the General Data Protection Regulation and promoting cooperation among the EU’s data protection authorities. It is made up of members from EU member states’ data protection authorities.
2 The ICO is the UK data protection supervisory authority - the Information Commissioner’s Office.