On February 16, 2010, the EU Article 29 Working Party published Opinion 1/2010, in which it clarified the definitions of “data controller” and “data processor” as those designations are used within the European Data Protection Directive (the “Directive”). The Working Party’s opinion is welcome guidance, not only because the designations determine who is responsible for compliance with data protection rules and how data subjects can exercise their rights, but also because the European Commission recently updated its Standard Contractual Clauses (which we blogged about here). Additionally, such designations are often difficult to apply in practice, especially given the increasing complexity of globalization, organizational differentiation, and information and communication technologies.
The definition of data controller, under Article 2(d) of the Directive, is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data . . . .”
In clarifying the definition of controller, the Working Party analyzed its constituent parts.
- In its discussion of “joint control,” the Working Party stated that parties who act jointly have certain flexibility with respect to the allocation of obligations and responsibilities under the Directive. In its assessment, the Working Party said that the factual circumstances relating to the relationship must be considered. It warned that joint control among multiple controllers may lead to a lack of clarity in the allocation of responsibilities, which could potentially result in a violation of the principle of fair processing.
- In its discussion of “determines,” the Working Party advised that such an analysis should be factual, and should begin with the questions “why is this processing taking place? Who initiated it?” “[A] body which has neither legal nor factual influence to determine how personal data are processed cannot be considered as a controller.”
- In its discussion of “purposes and means of processing,” the Working Party advised that the key questions that should be asked when analyzing purposes of processing are “why the processing is happening and what is the role of possible connected actors like outsourcing companies: would the outsourced company have processed data if it were not asked by the controller, and at what conditions?” It also stated that the key questions that should be asked when analyzing the means of processing include technical questions, like “which hardware or software will be used?” and organizational questions, like “which data shall be processed? For how long shall they be processed?” The Working Party went on to state that determining the purpose of processing is reserved solely to the controller, while determining the means of processing may be delegated by the controller to a processor.
Data processor, under Article 2(e) of the Directive, is defined as “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.” The processor must be a separate legal entity with respect to the controller. In its assessment, the Working Party focused on the meaning of “on behalf of the controller.” It called upon the legal concept of “delegation,” in that the processor is only permitted to perform data processing within the bounds of the mandate given by the controller. The Working Party stressed that should a processor exceed such bounds and begin to acquire a role in determining the purposes and means of processing, it may become a controller rather than a processor under the Directive.