The European Data Protection Board (EDPB) has published draft guidelines on the concepts of controller and processor in the GDPR (Guidelines). They replace the previous guidelines on the concepts of controllers and processors which the Art. 29 Working Party, i.e., basically the EDPB’s predecessor, had published in 2010. The Guidelines are open for public consultation until October 19, 2020, after which the final version will be issued.

In its comprehensive Guidelines (45 pages), the EDPB not only provides guidance on the concepts of controllers, processors and joint controllers, but also long-anticipated guidance on data processing agreements pursuant to Art. 28 GDPR. We have summarized the key aspects of the Guidelines below:

Summary

  • The criteria leading to the qualification as a controller or a processor remain unchanged from the guidelines of the Art. 29 Working Party on controller and processor under the previous EU Data Protection Directive.
  • For data processing agreements, it shall not be sufficient to recap the obligations in Art. 28 GDPR. Rather, the data processing agreement shall specify the obligations and the procedures between the controller and the processor to comply with those obligations. We, therefore, recommend reviewing any existing data processing agreements as well as templates and determining whether they should be updated in light of the Guidelines (at least once the Guidelines are final).
  • The EDPB provides further guidance on the criteria leading to a joint controllership, in particular: (a) the fact that one of the parties does not have access to personal data processed is not sufficient to exclude joint controllership, (b) joint responsibility does not necessarily imply equal responsibility of the various operators involved, and (c) joint controllership does not necessarily mean that entities need to have the same purpose, but that purposes which are closely linked or complementary may be sufficient.
  • The Guidelines indicate that situations that so far have been qualified as a controller to processor relationship may now be qualified as joint controller relationships. Companies should consider whether certain controller-processor set-ups should be re-qualified and implemented as joint controller relationships, in particular in light of existing case law by the Court of Justice of the European Union relating to certain website tools and sharing of website user data and other explicit examples provided by the EDPB in the Guidelines.

Author

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt. Prior to joining the Firm, Lukas was an associate at the Austrian headquarters of an international law firm, vice director at the European Center for E-Commerce and Internet Law, and an intern at the European Commission, DG Information Society & Media. Having worked at IT companies in Vienna, Leeds, and New York, he has experience as a system and network administrator. In April 2014, Lukas was named Cyber Security Lawyer of the Year for Austria in the 2014 Finance Monthly Law Awards. In 2011, he received the Jus-Top-League Award from Die Presse and the Academy for Law, Taxes & Business as one of the five most promising up-and-coming lawyers.

Author

Francesca Gaudino is a member of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting-edge technology. She has been recognized in Chambers Europe’s individual lawyer rankings from 2011 to 2014. Ms. Gaudino is a regular contributor to international publications such as World Data Protection Review, DataGuidance, and others. She routinely holds lectures on data privacy and security at post-graduate courses of SDA – Manager Direction School of the Milan Bocconi University and Almaweb – University of Bologna. She regularly speaks at national and international conferences and workshops on the same topics.

Author

Julia Kaufmann is a partner in the Munich office of Baker McKenzie. She has been admitted in Germany since 2006 and in New York, USA, since 2009. In addition to her studies in Germany, Julia obtained her Master of Laws degree at the University of Texas at Austin, USA.

Author

Dr. Michaela Nebel has been a partner in the Frankfurt office of Baker McKenzie since June 2011 and was admitted as an attorney to the German bar shortly after. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP) and since May 2015 a Certified Information Privacy Professional/Europe (CIPP/E) and since May 2017 a Certified Information Privacy Professional/United States (CIPP/US). She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English language commentary on the EU General Data Protection Regulation. In 2017/2018, Michaela received several recommendations for data protection law in kanzleimonitor.de.

Author

Prof. Dr. Michael Schmidl is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He is a partner at Baker McKenzie's Munich office and advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Mr. Schmidl also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.

Author

Florian Tannen is a partner in the Munich office of Baker McKenzie with more than 10 years of experience. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and in particular data privacy law. Before joining the Firm, Florian worked for two major law firms and a large US-based technology company.

Author

Magdalena Kogut-Czarkowska is a counsel in the IP/IT department of Baker McKenzie Warsaw. She is seasoned in personal data protection and intellectual property law, focusing on e-commerce and consumer protection issues. Ms. Kogut-Czarkowska is a Certified Information Privacy Professional (CIPP/E). Between 2011 and 2012, she went on a 12-month part-time secondment in a high-profile global management consulting, technology services and outsourcing company, where she handled IT and privacy matters.

Author

Joanna de Fonseka is a senior associate in Baker McKenzie's Technology group in London, having joined the Firm as a trainee in 2012. Joanna is also a Certified Information Privacy Professional (CIPP/E).

Author

Benjamin Slinn is an Associate in Baker McKenzie's London office.