European Data Protection Board’s (EDPB) recommendations on supplementary measures / European Commission latest news – Legal Monitoring Letter #6

/ EDPB adopted final recommendations on supplementary measures^[1]

On 7 July 2021, the EDPB has adopted Guidelines 7/2021 on the concepts of controller and processor in the GDPR (“the Guidelines”). Their aim is to clarify the meaning of the concepts and the different roles and the distribution of responsibilities between controllers and processors.

Below are noted key takeaways for each of the conceptions:

Controllers

There is no limitation as to the type of entity that may assume the role of a controller – it may be an organization, an individual, or a group of individuals. However, the EDPB notes that in practice, it is usually the organization as such, and not an individual within the organization (such as the CEO or an employee), that acts as a controller within the meaning of the GDPR.

A controller decides the key elements of the processing. Controllership may be defined by law or may derive from an analysis of the factual elements or circumstances of the case. In this regard, an assessment of the contractual terms between the parties can facilitate the determination of which party is acting as controller. However, the terms of a contract are not decisive in all circumstances.

When a processor offers a service that is preliminary defined in a specific way, the controller has to be presented with a detailed description of the service and must make the final decision to actively approve the way the processing is carried out. The processor cannot at a later stage change the essential elements of the processing without the approval of the controller.

It is not necessary that the controller actually has access to the data that is being processed (for example, someone who outsources a processing activity and determines the purpose and the essential means of the processing is to be regarded as controller even though will never have actual access to the data.)

Joint Controllers

The EDPB notes that the main criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of processing.

The EDPB highlights that the mere existence of a mutual benefit (for ex. commercial) arising from a processing activity does not give rise to joint controllership. If the entity involved in the processing does not pursue any purpose(s) of its own in relation to the processing activity but is merely being paid for services rendered, it is acting as a processor rather than as a joint controller.

The authority underlines that the use of a common data processing system or infrastructure will not in all cases lead to qualify the parties involved as joint controllers, in particular where the processing they carry out is separable and could be performed by one party without intervention from the other or where the provider is a processor in the absence of any purpose of its own (the existence of a mere commercial benefit for the parties involved is not sufficient to qualify as a purpose of processing).

Processors

The processor might be an organization, but it might also be an individual.

The EDPB note that there are two basic conditions for being qualified as processor: a) being a separate entity in relation to the controller and b) processing personal data on the controller’s behalf.

Within a group of companies, one company can be a processor to another company acting as controller, as both companies are separate entities. However, a department within a company cannot be a processor to another department within the same entity. Employees and other persons that are acting under the direct authority of the controller are not processors since they will process personal data as a part of the controller’s entity.

Third-party

The EDPB states that a third party refers to someone who, in the specific situation at hand, is not a data subject, a controller, a processor, or an employee. For example, the controller may hire a processor and instruct it to transfer personal data to a third party. This third party will then be considered a controller in its own right for the processing that it carries out for its own purposes.

Within a group of companies, a company other than the controller or the processor is a third party, even though it belongs to the same group as the company who acts as controller or processor.

Recipient

The Recipients are defined as anyone who receives personal data, whether they are a third party or not. For example, when a controller sends personal data to another entity, either a processor or a third party, this entity is a recipient. A third-party recipient shall be considered a controller for any processing that it carries out for its own purpose after it receives the data.

The Guidelines also pay attention to the consequences of attributing different roles:

Choice of the processor

When choosing a processor, the controller is responsible for assessing the sufficiency of the guarantees provided by the processor and should be able to prove that it has taken all of the elements provided in the GDPR into serious consideration. The EDPB notes that the processor’s expert knowledge, reliability, and resources are elements that should be considered by the controller in order to assess the sufficiency of the guarantees. The adherence to an approved code of conduct or certification mechanism can be used as an element by which sufficient guarantees can be demonstrated. The authority highlights that the controller should, at appropriate intervals, verify the processor’s guarantees, including through audits and inspections where appropriate.

Form of the contract

According to Article 28(3), GDPR any processing of personal data by a processor must be governed by a contract or other legal act under EU or Member State law between the controller and the processor. The EDPB states that such contract should be in writing, including in electronic form and that non-written agreements cannot be considered sufficient to meet the requirements stated in Article 28 GDPR.

The authority highlights that the competent supervisory authority will be able to direct an administrative fine against both the controller and the processor for the absence of a written contract, taking into account the circumstances of each individual case.

The EDPB also notes that contracts that have been entered into before the date of application of the GDPR should have been updated in light of Article 28(3) and the absence of such update will constitute an infringement of Article 28(3).

The authority highlights that the controller and the processor may choose to negotiate their own contract including all the compulsory elements or to rely, in whole or in part, on SCCs in relation to obligations under Article 28.

Content of the contract

The EDPB states that the processing agreement should not merely restate the provisions of the GDPR but it should include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing.

Sub-processors According to Article 28(2) the processor shall not engage another processor without prior specific or general written authorization of the controller (including in electronic form). The main difference between the specific authorization and the general authorization is the meaning given to the controller’s silence: in case of specific authorization, the written consent of the controller is required before a particular sub-processor is appointed. In case of general authorization, the controller’s failure to object within the set time frame can be interpreted as authorization. The EDPB recommends in both cases the timeframe for the controller’s approval or objection to be included in the contract. In order to make the assessment and the decision whether to authorize subcontracting, the processor should be required to provide the controller with a list of intended sub-processors (including their locations, what they will be doing, and proof of what safeguards have been implemented).

Consequences of Joint Controllership The Guidelines also give more details regarding joint controllership and more specific: the responsibilities of the joint controllers and how they could be determined in a transparent manner, the agreement between the joint controllers, and the obligation towards data protection authorities. 

On June 16, 2021, the EC has launched the procedure for the adoption of an adequacy decision for transfers of personal data to South Korea^[1].

A draft has been submitted to the EDPB for its opinion. A positive conclusion to that procedure would be the culmination point after years of talks, fully supporting a partnership created by the Free Trade Agreement between the E.U. and the Republic of Korea, in force since 2011.

Data privacy in South Korea has evolved over time towards better protection of individual rights, thus progressively aligning with the principles and safeguards carried on by the GDPR. Currently regulated by the Personal Information Protection Act (“PIPA”), a general, comprehensive regulation, and the Credit Information Use and Protection Act which governs personal credit information, South Korea’s privacy regime offers enhanced investigation and enforcement powers for the Personal Information Protection Commission.

Some additional protective measures have been agreed between the EU and South Korea with regards to transparency, sensitive data processing as well as onward data transfers (i.e., from the EU to Korea). Data transfers from South Korea to the EU remain subject to South Korean law which requires data subjects’ active consent prior to any transfer of their personal data outside of the country.

The Spanish Data Protection Authority – the Agencia Española de Protección de Datos – (“the AEPD”) has issued new guidance for private and public organizations regarding the rights around employees’ data under the GDPR and the Organic Law of December 2018^[2].

The guidance addresses several important  topics relating to data processing throughout the labor relationship such as:

• Monitoring by the employer of the social networks used by employees; the employer cannot, during the recruitment process or during the course of the employment relationship, look into the employee’s social media accounts. Even if a candidate’s profile on social networks is publicly accessible, the employer cannot process the data obtained in this way if it does not have a valid legal basis for the processing. Informing the candidate and/or the employee will be necessary to demonstrate that such processing is necessary and relevant to perform the job.

• Where it is not part of the prevention of occupational risks, health surveillance on work premises through wearable technology such as bracelets, watches or other smart devices is generally prohibited unless expressly authorized by law. This would imply the treatment of a special category of data (health) without a legal basis, and without a legitimate purpose and this processing would violate the principle of proportionality, since it entails permanent monitoring and would allow the employer to access to specific health data, and not exclusively to the assessment of the aptitude to perform the job.

• Monitoring the labor activity (recording to keep control over the working day, video surveillance, geolocation and access to company premises). The principles of proportionality and data minimization apply here, meaning that the purpose of recording such information can be, for instance, to check the start and end of the working time but not to verify where the employee is/was at any given time.

• Data processing in the context of internal reporting systems such as whistleblowing, especially with regard to the protection of the data of victims of harassment at work or women having suffered gender-based violence (considered as special categories of data). The principle of purpose limitation must be strongly respected, on top of providing additional confidentiality and security to the complainant’s data. In this spirit, only a person within a Human Resources function may access that data in case of disciplinary action.

• Guidelines around processing data in relation to labor contracts and payslips. Reference to trade union membership, political preferences or religious beliefs may not be required by employers.