New EDPB guidelines on controllers/processors/joint-controllers
The terminology gets thrown around quite a bit. The point is always missed. It is seen as a contractual thing, with the onus put on the defensible position from the start. Conversations start with ‘Well, we are a processor because x, y & z, so blah, blah, blah…’ and one could sit back and take it for what it is. But when really delving in there, or maybe not, just asking the obvious probing-ish questions of whether you do or do not, you know, control or process, sometimes it gets a bit more tricky. Bigger questions are posed, such as: what does it all really mean?
Let’s go back to basics. The answer really lies in the GDPR definitions:
controller – determining the means and purposes of processing,
processor – undertaking processing on behalf of controller.
So, in relation to your initial opinion, it may make sense to turn the telescope back around. Think about the way it really should be thought about: try to look in the small end and out the big one.
What do you do with the personal data? I mean, why do we think the contractual clauses are the way they are? By simply having them in a contract you are not suddenly transformed into a Controller or a Processor. Aren’t they really a set of obligations to ensure that, if you are either, then you will have the correct structures in place, so that you can protect the personal data that you have or use it legally or, you know, great, yeah, whatever man, cool.
It can be tricky though. Remember Ross and Rachel – R & R – so cute – so perfect – so buddy-buddy – the whole shebang – but it didn’t really work out did it? Because relationships are complicated, difficult, testing even at times. It is not as simple as boy meets girl, happy-ever-after, end-of-movie. You have to work at it, you have to engage, you have to see it for what it really is.
I am not going to mention Friends again, but relationships with personal data can be complicated also. For one aspect of your arrangement you may be a controller, then you may be a processor for another, then back to being a controller again. You have to engage, analyse, work at it.
Why is that important? It is important because if you are acting as a Controller then you will be judged as a Controller when it matters. This will be an objective standard. I called myself a Martian last week, but no-one else agreed, so I was not allowed into the space café. It is possibly something to do with my ears. The point is that I could wish it to be true. I have to accept myself for what I am, limitations and all.
It is not about me though, it is about you. You have decided you are a Processor of personal data again, haven’t you? Everyone wants to be a processor, less liability they say; nobody wants to be a controller, it stinks. At this point we need to listen: it is not a contractual fact, it is an actual fact. You decide who to send the marketing to, whether it is going to be by email or post. You are a Controller.
Controller or Processor, you may even be both, with the one Client for various aspects of personal data use, for example. At times you may even be Joint-Controllers and independent Controllers in relation to the same personal data. We know that because of the Fashion ID case.
A simple summation of the law that the ECJ did not give, but my sources tell me was on the final draft only to be excluded at the last minute, explains it thus: I take the salami from the fridge, I determine that you are allowed 4 slices and I shall have 5. Whatever we do with those slices is our own business, under our separate Control. However, the act of determination of means and purposes of salami distribution shall be our Joint Controllership.
The GDPR has been with us for over 2 years now and the dust is beginning to settle. The European Data Protection Board (‘EDPB’) adopted some guidance on the Controller/Processor/Joint-Controller relationship last month. It pretty much states the obvious, outlining when we are to identify the controller/processor relationship in order to then identify which obligations apply.
The message is conveyed through some everyday examples:
Law firm – represents company in dispute (processor); acts with a significant degree of independence (joint-controller)
Payroll administrator – acts on the instruction of company, when/how much to pay employees (processor)
Hosting service – hosts servers for a company (Processor)
The ‘company’ in all these instances is the Controller, which will attract certain obligations (for a start, see GDPR Art 24). But as a processor there are obligations to consider under the GDPR also (have a look at GDPR Art 28). There is, of course, the option to change the way the data is processed in order to ensure a snugger fit into the role of Controller or Processor. Either way, you will have obligations whichever way you look, so you had better be sure you are compliant with whatever they actually are. The key, however, if it is not clear already, is to resist the urge to delve into fantasy, accepting your processing for what it is, not for what you wish it to be.