The (Belgian) Data Protection Authority (DPA) recently published an opinion on the concepts of data controller and data processor. This opinion largely reproduces an older opinion of the Article 29 Working Party that was published in 2010 and belongs as such to the pre-GDPR era. Hence, the opinion of the DPA confirms that the reasoning of the Article 29 Working Party, now the European Data Protection Board, still holds up in the GDPR era. Let us reflect for a moment on the most important positions in this opinion.
A party is a data controller if it “alone or jointly with others, determines the purposes and means of the processing” and a data processor if it “processes personal data on behalf of a data controller”.
Although both definitions come across as rather clear at first sight, the distinction tends to prove difficult in practice. In a previous blogpost, we already mentioned the importance of the distinction between both concepts and the implications of an incorrect qualification.
In its recent opinion, the Belgian DPA stresses that both concepts are functional concepts. Responsibility must be placed on the parties who have an actual influence on the processing activities, meaning they determine one or more essential elements of the processing. A factual analysis is necessary to correctly qualify the parties.
However, this does not prevent the data processor from having a certain margin of discretion in relation to the non-essential elements of a processing activity. Accordingly, the data processor may choose appropriate technical and organisational means when providing services, as long as these are limited to the non-essential elements of a processing activity.
According to the DPA, essential elements are:
In addition, the data processor may only process personal data on behalf of the data controller. If the data processor goes beyond the instructions of its data controller, he exceeds his mandate and will acquire the capacity of data controller.
The DPA reiterates the criteria that may be useful for the legal qualification of the factual situations:
A useless element however, according to the DPA, is the contractual weight of one party vis-à-vis the other party in a negotiation. The party that takes the initiative or has an excessive dominant position in negotiations is therefore not necessarily a data controller. The focus must be on the above-mentioned criteria.
This analysis shows that the legal qualification of a party as data controller or data processor is not as black and white as it may appear to be. When determining whether a party is a data controller or a data processor, the main criterion is the actual influence a party has on the intended processing. If a particular party has a broad decision-making power when it comes to the essential elements of a processing activity, that party is a data controller.
You can read the complete opinion of the DPA here (in Dutch).
Do you have a legal question about the qualification of your organisation as a controller or as a processor and the associated GDPR obligations? International law firm Timelex can help you with the correct qualification. Please contact Timelex for a non-binding introduction.