The EDPB launches a public consultation on its draft guidelines on the concepts of controller and processor
On 2 September 2020, the EDPB adopted a first version of guidelines on the concepts of controller and processor, which are essential for a proper understanding and application of the GDPR. A public consultation is now open until 19 October 2020 to collect views and contributions from all interested stakeholders.
The concepts of controller and processor play a crucial role in the application of the GDPR: they determine in particular who shall be responsible for compliance with data protection rules and also how data subjects can exercise their rights effectively. The GDPR clarified these concepts with regard to the previous regime and has further introduced new obligations that are imposed on these actors.
These provisions, as well as recent decisions from the Court of Justice of the European Union on joint controllership, raise several questions among the organizations concerned, regarding the definition and the extent of joint controllership, the respective obligations of joint controllers, the exact nature of obligations imposed on processors, etc.
It is thus essential that the precise meaning of these concepts and the related criteria be sufficiently clear and harmonized within the European Union. This is why the EDPB, which brings together the European data protection authorities, has deemed it necessary to adopt new guidelines intended to replace the previous opinion of the Article 29 Working Party on these notions (WP169). This document thus intends to clarify the definition of the concepts of controller, joint controller, processor, third party and recipient of data, by illustrating them with concrete examples from different sectors. It also aims to specify the obligations that are attached to these qualifications.
The CNIL encourages any interested party to contribute to the public consultation launched by the EDPB. The details of how to participate in this public consultation are available at the following address.
Following the public consultation and after analyzing the contributions received, the final version of the guidelines will be adopted by the EDPB. The CNIL will provide a summary of the guidelines on its website so that the different actors involved in the processing of personal data can better meet the obligations to which they are subject under the GDPR. These recommendations will clarify and supplement the guidance the CNIL already makes available to these actors, for instance regarding processors.