A prerequisite for applying the GDPR correctly is understanding who is responsible for the processing of a given set of personal data. The European Data Protection Board (EDPB) has now published draft guidelines on this issue. Anna Lööv, partner at Kompass Advokat and specialist in data protection, goes through the most important news in the guidelines.
Who is responsible for personal data?
The party that determines the purpose (why) and the means (how) of the processing of personal data is called the controller under the GDPR. This role carries the obligation to comply with the GDPR and is therefore the foundation of the entire regulatory framework.
In some cases, it is very clear who the controller is, for example where a law or regulation states that a particular authority is responsible for the personal data. In other cases, it is almost self-evident: an employer is the controller for the processing of its employees' data, as is an e-commerce company in relation to its customers or a media company in relation to its subscribers.
But situations sometimes arise where it is less clear who the controller really is. What applies, for example, when a company's auditing firm handles personal data about the company's customers or employees in the course of an audit? The new guidelines state that the auditing firm is itself the controller, because its work cannot be directed by the client company but is regulated by law. The auditing firm therefore has such a large influence over the processing of the personal data that it becomes the controller.
Two or more companies can sometimes be joint controllers. This commonly occurs when one company provides information or data to another. The guidelines give a few examples from court cases. In one of them, a company that used cookies from Facebook on its website was considered a joint controller together with Facebook for the collection of personal data through the cookie and its transmission to Facebook. Joint control means that the companies are obliged to reach an agreement, preferably a written contract, that clarifies who is responsible for, e.g., providing information to the data subjects.
At the same time, the guidelines state that the mere fact that several companies use the same technical platform for their processing of personal data does not automatically make them joint controllers.
When a company processes personal data on behalf of someone else, as a service provider, it is referred to as a processor. The guidelines contain new and detailed guidance on the agreement that the GDPR requires between the two parties. They also make clear that the controller must verify that the processor actually has the knowledge, resources and sufficient IT security, both before the processor is engaged and throughout the assignment.
In some cases, the processor has a very large influence on how the data is processed. If the processor provides an advanced technical platform, for example, can the customer really be said to decide on the means of processing, i.e. how the data is processed? The guidelines explain that as long as the processor only decides on non-essential means, e.g. practical aspects of the processing or which hardware or software to use, the allocation of roles is not affected.
The consultation period ends on October 19. The guidelines are expected to enter into force in 2021, probably in the spring. Here is a checklist of what your company can consider in the meantime:
- Resolve any doubts about the current division of roles. Is there, for example, joint control in certain situations?
- Negotiate agreements with any joint controllers.
- Create a routine for evaluating new processors.
- Review existing agreements with processors.