EU: EDPB publishes guidelines on concepts of controller and processor

The European Data Protection Board ('EDPB') published, on 13 July 2021, the final version of its guidelines on concepts of controller and processor under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which were adopted on 7 July 2021. In particular, the guidelines highlight that the notions of controller, joint controller, and processor play a crucial role in the application of the GDPR since they are functional concepts, in that they seek to allocate responsibilities according to the actual roles of the parties, and autonomous concepts, which should be interpreted mainly in accordance with EU data protection law.

The guidelines outline the definitions of the concepts before detailing the consequences of attributing different roles and the relationship between controllers and processors. Specifically, the guidelines clarify that a controller is a body that decides certain key elements of the processing, whereas a processor, which should be a separate entity from the controller, processes personal data on behalf of the controller. Furthermore, the guidelines outline that where more than one actor is involved in the processing, this may result in the existence of joint controllers that can take a common decision.

In addition, with regard to the relationship between controller and processor, the guidelines highlight that a controller must only use processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR. Regarding the relationship among joint controllers, the guidelines state that joint controllers shall, in a transparent manner, determine and agree on their respective responsibilities, including the exercise of data subjects' rights, the duty to provide information, security measures, data breach notification obligations, and third country transfers. Notably, the guidelines recommend that the legal form of the arrangement should be a binding document, such as a contract or other legally binding act under EU or Member State law to which the controllers are subject.

You can read the guidelines here.