EDPB Issues Draft of GDPR Controller-Processor Guidelines

By Phillips Lytle LLP on October 19, 2020

On September 7, 2020, the European Data Protection Board (EDPB) issued draft guidelines clarifying the concepts of “controller,” “joint controller,” “processor” and “third party” under the General Data Protection Regulation (GDPR). These concepts are important under the GDPR, as they determine which party is responsible for compliance with particular GDPR provisions and how data subjects can exercise their rights. The guidelines, when finalized, will replace the previous Article 29 Working Party Opinion issued in 2010.[1] The concepts of “controller” and “processor” have not changed since the Article 29 Working Party Opinion, but the Court of Justice of the European Union’s (CJEU) decision and the obligations placed on these roles by the GDPR created a need for clarification and harmonization across the European Economic Area (EEA).[2] The guidelines clarify the different roles and responsibilities, and stress the importance of a clear and consistent interpretation of the concepts across the EEA. The following is a summary of some of the significant takeaways:

  • A controller is a body that decides certain key elements of the processing. Controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case.
  • A controller determines the purposes and means of the processing (the why/how of the processing). A party does not need to have access to the data being processed to qualify as a controller. The guidelines require controllers to use only processors that provide appropriate measures under the GDPR.
  • Joint controllership is the joint participation of two or more entities in the determination of the purposes and means of a processing operation. The guidelines recommend that a legal form of joint controllership be arranged in the form of a binding document, such as a contract.
  • The guidelines state that an agreement between a controller and a processor should do more than just restate the provisions of the GDPR. An agreement should include specific, concrete information as to how processing will comply with the requirements of the GDPR.

The guidelines are still in draft form and were open for public consultation until October 19, 2020.[3] Expect a forthcoming detailed analysis of the guidelines upon their final release.


[1] Eur. Data Prot. Bd., Guidelines 07/2020 on the concepts of controller and processor in the GDPR (Sept. 2, 2020), https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf.

[2] Id.

[3] Id.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Data Security & Privacy
  • Organization:
    Phillips Lytle LLP