    Privacad GADPPRO Academy

      Privacy Guidelines on Data Processor and Data Controller

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date September 18, 2020

      Guidelines 07/2020 on the concepts of controller and processor in the GDPR

      SECTION 1  GENERAL OBSERVATIONS

      6. The GDPR, in Article 5 (2), explicitly introduces the accountability principle which means that:

      • the controller shall be responsible for the compliance with the principles set out in Article 5 (1) GDPR; and that

      • the controller shall be able to demonstrate compliance with the principles set out in Article 5 (1) GDPR. This principle has been described in an opinion by the Article 29 WP and will not be discussed in detail here.

      7. The aim of incorporating the accountability principle into the GDPR and making it a central principle was to emphasize that data controllers must implement appropriate and effective measures and be able to demonstrate compliance.

      8. The accountability principle has been further elaborated in Article 24, which states that the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. Such measures shall be reviewed and updated if necessary. The accountability principle is also reflected in Article 28, which lays down the controller’s obligations when engaging a processor.

      9. The accountability principle is directly addressed to the controller. However, some of the more specific rules are addressed to both controllers and processors, such as the rules on supervisory authorities’ powers in Article 58. Both controllers and processors can be fined in case of non-compliance with the obligations of the GDPR that are relevant to them and both are directly accountable towards supervisory authorities by virtue of the obligations to maintain and provide appropriate documentation upon request, co-operate in case of an investigation and abide by administrative orders. At the same time, it should be recalled that processors must always comply with, and act only on, instructions from the controller.

      10. The accountability principle, together with the other, more specific rules on how to comply with the GDPR and the distribution of responsibility, therefore makes it necessary to define the different roles of several actors involved in a personal data processing activity.

      11. A general observation regarding the concepts of controller and processor in the GDPR is that they have not changed compared to the Directive 95/46/EC and that overall, the criteria for how to attribute the different roles remain the same.

      12. The concepts of controller and processor are functional concepts: they aim to allocate responsibilities according to the actual roles of the parties. This implies that the legal status of an actor as either a “controller” or a “processor” must in principle be determined by its actual activities in a specific situation, rather than upon the formal designation of an actor as being either a “controller” or “processor” (e.g. in a contract).

      13. The concepts of controller and processor are also autonomous concepts in the sense that, although external legal sources can help identifying who is a controller, it should be interpreted mainly according to EU data protection law. The concept of controller should not be prejudiced by other – sometimes colliding or overlapping – concepts in other fields of law, such as the creator or the right holder in intellectual property rights or competition law.

      14. As the underlying objective of attributing the role of controller is to ensure accountability and the effective and comprehensive protection of the personal data, the concept of ‘controller’ should be interpreted in a sufficiently broad way so as to ensure full effect of EU data protection law, to avoid lacunae and to prevent possible circumvention of the rules.

      Richard V
