European Data Protection Board Issues Guidance Clarifying Controller-Processor Relationship

Written by: Charles R. Langhorne IV, Esq.

On July 7, 2021, the European Data Protection Board (“EDPB”) issued guidance further clarifying the relationship between controllers, joint controllers, and processors under the General Data Protection Regulation (“GDPR”). This guidance is an update to the guidance issued by the Article 29 Working Party on February 16, 2010.

The reason for the updated guidance is to clarify the roles played by a controller, joint controller, or processor, since the GDPR came into effect in 2018. The guidance takes the opportunity to:

    1. Expand on the GDPR Article 4 definitions of controller and processor;
    2. Explain the requirements GDPR Article 28 places on processors; and
    3. Provide examples of the consequences of attributing the role of processor or joint controller to a party.

This guidance outlines the crucial analysis that needs to be undertaken as a threshold matter, prior to sharing personal data with a new third party. The guidance states that while the underlying contract between the parties is a good place to start when attributing roles, the actual processing activities being carried out by each party are truly indicative of the role each party plays.

To the surprise of no one, the guidance also speaks to ensuring that the role of each party is adequately explained to data subjects so that the data subjects can assert the rights granted under GDPR. This is in line with the theme that continues to sweep not only the European Union, but also the world at large, in that enforcement authorities are cracking down on businesses for not making clear what processing is being undertaken on a data subject’s personal data, by whom, and how a data subject can assert his/her rights.
