GDPR news - An update on naming end clients as data controllers

June 18th, 2018

We have further feedback on the ‘data controller issue’ following a recent meeting of the European Data Protection Board’s (EDPB) Key Provisions sub-group, which was attended by all the major Member State Data Protection Authorities (DPAs) including the ICO. The EDPB is the EU body in charge of the application of the GDPR.

Feedback from the EDPB’s Key Provisions subgroup

We have been informed that the consensus amongst the EDPB group was that, where organisations jointly determine the purposes and means of processing, they will be considered joint data controllers (in accordance with GDPR Article 26). This applies even where the determination is split, i.e. one party determines only the purposes and the other only the means.

The group was also in agreement that, in a joint controller scenario, where personal data are collected from the data subject, both controllers must be named when the data are obtained (in accordance with the requirements of GDPR Article 13(1)(a), which requires the identity and contact details of the controller to be provided at the point of collection). However, this is not formal guidance and further discussions are going to take place.

Not just a UK issue

It is notable that the EDPB group’s current thinking is in line with the ICO’s recent advice and makes it clear that this is not a UK-only issue. It may previously have been perceived as a UK issue because other European DPAs had not yet actively considered it; this, however, reflects an absence of decisions elsewhere rather than differing views.

End client data controller

Putting the EDPB group’s current view into practice would mean that, within a market research context, the end client is likely to be a data controller, as the market research is taking place for the end client’s overall purpose. The second key point to bear in mind is that this is considered to be the case even if the end client never processes any personal data itself.

A recent judgement from the European Court makes this point:

“A recent judgement of the European Court makes it clear that in many circumstances more than one party may be a joint data controller. Whilst the judgment pre-dates the GDPR, its consideration of what constitutes ‘control’ and ‘joint control’ remains good law under the GDPR. The judgment means that parties who may have considered themselves ‘data processors’ in the past should review whether they are in fact ‘joint data controllers’ with others.

On 5 June 2018 the Court of Justice of the European Union (CJEU) provided judgement in Case C-210/16 Wirtschaftsakademie Schleswig-Holstein. The judgment found that the operator of a Facebook fan page (Wirtschaftsakademie Schleswig-Holstein, which used the fan page in offering educational services) is liable as a joint controller with Facebook, despite only receiving anonymised statistical data from Facebook in running the page.”

https://www.thedigitalwatcher.com/2018/06/new-judgment-on-joint-controllers-what-are-the-implications/

Whilst this case is not a direct parallel, it is considered by many commentators to be indicative of how the concept of joint control is likely to be applied in other contexts.

The following article also provides a useful summary:

https://panopticonblog.com/2018/06/05/the-facebook-fan-page-judgment-joint-data-controllers-cookies-and-targeted-advertising/

Further discussions

We know from recent discussions with the ICO that they do understand the serious unforeseen consequences of this for the research industry. In view of these, and of the arguments that we raised, the ICO are going to discuss the issue further with their own legal team and with the EDPB to ensure a consistent EU-wide position. Further discussions will be ongoing, but the whole process is likely to take several months. It is hoped that controller/processor guidelines are on the agenda for an EDPB meeting in September, and it is likely that the production of these guidelines will allow the EDPB view to be formalised.

The BHBIA will continue to work with the MRS and ICO in the UK on this issue and will liaise with EphMRA and ESOMAR to support our European counterparts in highlighting the difficulties of this interpretation of GDPR requirements.

BHBIA advice

In the meantime, we can only re-iterate the ICO’s advice, the EDPB group’s view and the requirement for data controllers to be named when personal data are obtained from data subjects (including data controllers that do not process any personal data themselves). It is important to remember that this is a risk-based decision (albeit a relatively low-risk one) and that the area is not one of priority enforcement for the ICO.

The determination of roles should be considered and agreed between the end client and agency.

The determination of who is a data controller, joint controller, data processor or other party within the research chain is a question of fact rather than of contractual stipulation. It is based on who determines the purposes and means of the processing, and essentially on the level of decision-making power exercised by each party; a contract can record the roles the parties have identified, but it cannot change what those roles are in fact.

We would advise that roles are determined before projects are commissioned (on a case by case basis).

Documentation

It is important that your decision making is documented.

Subject to change

In view of the ongoing discussions on this issue members should be aware that advice on this point is subject to change.

Disclaimer:

The BHBIA’s Ethics & Compliance Committee is providing this guidance as general information for its members. It is not legal advice and should not be relied upon as such.  Specific legal advice should be taken in relation to any specific legal problems or matters.  Whilst every reasonable effort is made to make sure the information is accurate, no responsibility for its accuracy or for any consequences of relying on it is assumed by the BHBIA.  We do expect to update our guidance on the GDPR as more information becomes available.