We continue our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” (“draft Guidelines”) issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This issue focuses on the updates to the concept of joint controller. See our previous issues on the draft Guidelines’ proposed updates to the concepts of processor here and on controller here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.
Part 3: Focus on Joint Controllers
What is new in the draft Guidelines?
The draft Guidelines incorporate the holdings of recent judgments of the Court of Justice of the EU (“CJEU”) that expand and clarify the concepts of controller and joint controller.
What are the criteria for classification as joint controllers?
Joint determination of purposes and means of processing with another controller
The concept of a joint controller is not new and was discussed in previous guidelines issued by the Article 29 Working Party (predecessor to the EDPB) in February 2010 (“Opinion 1/2010 on the concepts of controller and processor”). The definition of controller under the EU Data Protection Directive 95/46/EC already envisaged scenarios in which there may be one or two controllers jointly determining the purposes and means of processing. Joint controllers engage in the same processing activities and jointly decide on the purposes and means of the processing. This should be differentiated from independent controllers that are involved in processing the same data sets but which do not have the same or common purposes or means of processing.
The draft Guidelines incorporate the holdings of recent CJEU judgments issued in three notable cases: Facebook Fan page (C-201/16), Jehowa’s Witnesses (C-25/17), and Fashion ID (C-40/17). In line with the CJEU’s decisions, organisations whose purposes for processing personal data are inextricably linked or complementary are classified as joint controllers. For example, in Fashion ID, an e-commerce website that placed a social network plug-in on its website benefited from making its goods more visible on the social network. At the same time, the social network benefited from collecting personal data from the e-commerce website for its own commercial benefit. The EDPB clarifies that this expanded definition does not cover a scenario where the benefit to one of the actors is payment for services; in that case, the company would be acting as a processor.
Another helpful clarification from the EDPB is that not all parties sharing the means of processing, such as using common platforms, standardised tools or other infrastructure will be classified as joint controllers as a result of their processing the same data. Such parties will not be considered joint controllers “where the processing they carry out is separable and could be performed by one party without intervention from the other or where the provider is a processor in the absence of any purpose of its own”.
In parallel to the draft Guidelines, the EBPD has also published for consultation draft Guidelines 08/2020 on the targeting of social media users. The main aim of this guidance is to clarify the roles and responsibilities of social media providers and online targeters and, “where joint responsibility exists, […] to clarify what the distribution of responsibilities might look like between [them]”. The draft guidelines provide specific examples of joint controllership in the context of online targeting.
Access to personal data is irrelevant
Just as with independent controllers, the EDPB stresses that organisations that do not have direct access to the personal data being processed, but which rely on its processing, cannot exclude themselves from joint controllership.
Granular view of the processing
In the above-mentioned cases, the CJEU split the processing into separate stages to facilitate its assessment of the roles of the organisations involved in the processing. A party does not have to exercise control over the entirety of the processing to be a joint controller; it can instead exercise control over a particular stage or stages of processing. The level of involvement of joint controllers may not necessarily be equal in the processing. There may be different degrees of involvement. The obligations and responsibilities of an organisation as a joint controller can be limited to those specific stages where it is involved in the processing and will also depend on the degree of its involvement in such processing.
Joint controllers must document their internal analysis of their respective roles as joint controllers in relation to a specific processing activity or service and provide a rationale for allocating their respective obligations under the GDPR (e.g., in regard to transparency notices, responding to data subject rights requests, etc. – see below). This assessment will help in each organisation’s negotiation of joint controller arrangements with other joint controllers and providing clarity around which organisation is responsible for responding to requests and queries from data subjects and supervisory authorities (“SAs”).
Further detail on arrangements between joint controllers
The draft Guidelines add further detail on what the EDPB expects to see as part of the arrangement between joint controllers, which are required by Article 26 of the GDPR. The EDPB recommends that the arrangement between joint controllers is made in the form of a binding document such as a contract and should cover the following:
-
Subject matter,
-
Purposes of processing,
-
Types of personal data, and
-
Categories of data subjects.
The documented arrangement should specify which party will be responsible for:
-
Providing transparency information in line with Articles 13-14,
-
Responding to requests from data subjects to exercise their rights under the GDPR,
-
Ensuring compliance with the GDPR principles,
-
Documenting a lawful basis for the processing (in this respect, the draft guidelines on the targeting of social media users address what legal bases may be relied upon in social media platforms context),
-
Taking necessary technical and organisational security measures,
-
Notifying personal data breaches to relevant supervisory authorities and/or data subjects,
-
Carrying out a data protection impact assessment, where required,
-
Engaging and vetting processors,
-
Ensuring lawful international transfers of personal data, and
-
Communications with data subjects and SAs.
Once the parties agree on the allocation of data protection responsibilities and liabilities, the responsible party should make known (1) which of the joint controllers is responsible for complying with each element of Articles 13-14 of the GDPR, and (2) the point of contact for each joint controller. The EDPB draft Guidelines indicate that this information can be included in the privacy notice or can be made available to data subjects upon request.