Controller, Processor and Joint Controllership: the latest guidelines
The guidelines issued by the European Data Protection Supervisor (EDPS) are intended to clarify the concepts of Data Controller, Data Processor and Joint Controllership for the purposes of the correct application of Regulation (EU) 2018/1725 (hereinafter referred to as the “Regulation”) on the protection of personal data processed by the institutions and bodies of the European Union (EUI).
The Guidelines focus in particular on one element of the definition of Controller: the control over data processing operations and, specifically, the origin of that control. In this regard, they distinguish according to whether the control derives from an explicit legal competence or from an implicit one.
In the first case, the Controller, or the specific criteria for its appointment, may be provided for by European Union law, especially when the purposes and means of a processing operation are already determined by a legislative act of the Union.
In the second case, the role of Data Controller is not explicitly provided for by law, though it may derive from the assignment of specific tasks involving the processing of personal data.
The Guidelines provide some indications regarding the entities that may take on the role of Processor, as these are not exhaustively listed in the Regulation. Specifically, reference is made to the Directorates-General (DGs), the branches of administration dedicated to a specific field of expertise into which the European Commission is divided, which are not commonly considered to be data Processors. However, the EDPS remarks that some EU Directorates-General act as “support DGs” for other Directorates-General, often carrying out data processing operations on their behalf.
In order to ensure an effective allocation of responsibilities and to guarantee a better level of protection of natural persons, the EDPS recommends identifying the roles and responsibilities of the DGs in the existing internal agreements between them.
With regard to the concept of Joint Controllership (art. 28 of the Regulation), the EDPS provides some recommendations.
Joint Controllership may arise not only between two or more EUIs, but also between EUIs and external actors. The EDPS therefore invites EUIs using services provided by private companies to clearly define the latter's areas of operation and control over the data. In any case, the EDPS recommends that the agreement signed by the Joint Controllers, which sets out their respective roles and responsibilities, should be as clear as possible.
Such an agreement between the Joint Controllers, among other things, should also include cooperation obligations for the management of requests from the data subjects.
The EU institutions and bodies must comply with specific rules on data protection. In this regard, using case studies and checklists, the Guidelines provide them with examples and practical advice to support them in the process of complying with the Regulation.