EDPB provides guidance on the ideas of controller as well as processor in the GDPR (Part I)

Photo of Sarah Cleary

The European Information Security Board(EDPB)released its settled Guidelines on the principles of controller as well as processor in the GDPR(07/2020)(Guidelines) in July. These principles play a crucial role in the application of the GDPR as they determine who is accountable for compliance with GDPR responsibilities and just how data topics can exercise their data defense rights in practice. Partly I of this blog, we lay out a few of the essential highlights of the Guidelines in regard of the controller and cpu ideas and also the effects of the controller to processor relationship. Component II will deal with the vital highlights of the Guidelines in regard of joint controllers.


The principles and the general requirements for how different duties are connected has not transformed contrasted to the Data Security Regulation 95/46/EC (currently repealed). However, following the entry into pressure of the GDPR and current judgments of the Court of Justice of the European Union (CJEU), a variety of inquiries have been increased regarding these principles (especially the effects of the idea of joint controllership) and the EDPB has recognized the requirement for quality in this respect. Part I of the Standards clears up the principles of controller, joint controller, cpu and also third party/recipient. Component II lays out the consequences connected to the roles. The Standards also give sensible instances of the situations in which each duty may be attributed to an entity, in addition to a flowchart to give additional functional assistance. The Guidelines replace the previous Opinion of the Post 29 Working Party on the ideas of controller and also processor (Opinion 1/2010).

General Concepts

  • The EDPB is clear that an analysis of which function an organisation satisfies must be based upon a factual rather than formal analysis. Control can stem from regulation (e.g. where national law marks neighborhood authorities with the power to administer social welfare payments) however will certainly a lot more commonly be based on the organisation’s actual tasks and also functions in a specific situation. The Standards are clear that a case-by-case evaluation is called for and the evaluation should be driven by the valid facts of the handling tasks, and the regards to a contract are not decisive in all scenarios. From a responsibility perspective, organisations should document the reasoning behind their resolution that they satisfy a specific function.
  • The EDPB stresses that the concept of controller must be analyzed in an adequately wide way which favours defense of data topics as high as possible.
  • The EDPB notes that the very same entity might serve as controller for sure processing operations and as processor for others– accordingly, the certification as controller or processor should be evaluated in the context of each specific handling activity.



  • A controller determines both the purposes as well as methods of the processing of personal data (i.e. the “why” and the “exactly how” of the handling). If an entity just identifies among these aspects, this will certainly not be sufficient to certify it as a controller.
  • The EDPB identifies that a degree of discretion can be offered for the processor to “make some choices in regard to the processing“. However, the controller has to identify the “vital” methods of the handling, which is closely aligned with the objective of handling– the controller should determine the type of personal information to be processed, whose information will be processed, the duration of the handling and the recipients of the handling. Just decisions on “non-essential” means of the processing can be left to the processor, i.e. a lot more practical elements of the handling such as the hardware, software as well as security steps to be used.
  • The controller does not require to have real accessibility to the data that is being refined to qualify as a controller.



  • The EDPB keeps in mind both key problems for certifying as a cpu are: (i) the organisation is a different entity in relation to the controller (i.e. an exterior organisation) as well as (ii) it refines individual information on the controller’s part. For instance, within a team of business, one firm can be a processor to an additional firm acting as controller, as both companies are different entities. However, employees (acting under the straight authority of the controller) are not processors as they refine individual data as component of the controller’s entity.
  • As laid out over, cpus might have a level of discretion to identify particular “non-essential” means of the handling. Nevertheless, processors have to offer the controller’s rate of interests. If a processor utilizes the information for its very own functions it will certainly be a controller and may be subject to sanctions under the GDPR for surpassing the controller’s guidelines.
  • The EDPB notes that even if a counterparty provides solutions to the controller does not imply that a service provider is immediately a processor as well as, as discussed above, a case-by-case analysis is called for to establish whether the organisation is in fact refining the information in behalf of the controller.

Controller to Processor Partnership

  • Controllers have the key responsibility for compliance with the GDPR as a result of the accountability principle and various other commitments, which are enforced directly by the GDPR on controllers. Controllers need to only engage cpus that supply enough warranties that the handling will certainly fulfill GDPR demands. Finishing this assessment could include the processor making available specific documents to the controller (e.g. privacy notice, security standards, external audits and so on) for review and the controller ought to think about the cpu’s understanding, sources and also integrity in accomplishing its review. This will certainly be a risk-based assessment made on a case-by-case basis and the EDPB keeps in mind that the assessment should be undertaken at ideal periods (not just at the onboarding stage) as well as through using audits and also inspections (where suitable).
  • The responsibility to guarantee the arrangement of adequate guarantees additionally applies to giving authorisation for processors to involve sub-processors. From a practical perspective, this implies that controllers must develop an added layer right into their due persistance process when involving company who, consequently, engage sub-processors.
  • Post 28 GDPR calls for a composed contract to be put in place controling the processing in between a controller and processor. The EDPB makes clear that this responsibility applies to both the controller as well as the processor. This agreement needs to not merely reiterate the arrangements of the GDPR and instead need to consist of much more specific, concrete information as to exactly how the requirements will certainly be satisfied in practice and also the information safety and security determines to be adopted by the cpu. See our just recently released blog which lays out the EDPB’s referrals on what need to be included in information processing contracts between controllers and processors to make sure compliance with Write-up 28 GDPR.

You May Also Like