GDPR - A case of responsibility
One year after the GDPR became applicable in May 2018, some organizations that are impacted by the regulation still lack appropriate knowledge to determine whether to consider themselves as controllers or processors.
Jean-Pierre Maissin - [Sponsoring] Partner - EMEA FSI Analytics Leader - Deloitte
Roland Bastin - [Sponsoring] Partner - Information & Technology Risk - Deloitte
Irina Hedea - Partner - Information & Technology Risk - Deloitte
Georges Wantz - Managing Director - Technology & Enterprise Application - Deloitte
Loic Saint-Ghislain - Director - Technology & Enterprise Application - Deloitte
Published on 04 June 2019
Since it became applicable in May 2018, the General Data Protection Regulation has raised a number of questions across the market, one of which addresses the challenge for organizations to identify whether they should be considered as a controller or a processor in processing activities where a third-party stakeholder is involved. This question becomes even more complicated where the role of each involved party would vary from one processing activity to another.
In addition, while the EU regulation strictly frames the relationship between a controller and a processor, the means to define the relationship between controllers, joint or not, are less defined, leaving the decision on how to determine, to formalize, and to transparently communicate on their respective responsibilities up to the parties involved.
The lack of comprehensive definitions for specific relationships (e.g. consultants, external accountants, auditors, etc.) often leads to the common misconception that all service providers should be considered as processors.
This absence of a “one size fits all” approach for the identification and the formalization of the relationships between the parties involved in a common processing activity generates some confusion. As is commonly observed, the nature of the processing is the main driver to determine whether an organization is a controller or a processor, making certain types of relationships specific to an industry.
If we take a step back, we find that the GDPR defines a controller (or joint controller) as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. It also defines a processor as a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. Further guidance is expected from the EDPB as the last Working Party 29’s opinion on the concept dates back to 2010.
Furthermore, this concept of acting on behalf of another entity could lead to the perception that most responsibilities and obligations (and therefore consequences) fall on the controller. While this may be correct for certain aspects of the relationship (providing the necessary information to the data subjects, reporting to and cooperating with supervisory authorities, etc.), other topics are widely underestimated in terms of the involvement and obligations for the processor, including:
- Acting on behalf of another entity means having to follow the instructions of this entity, including deleting personal data upon request and strictly processing personal data under the terms of the contract
- Being subject to audits at the request of the controller
- Being obligated to assist the controllers on whose behalf they carry out processing activities, by making available to the controller all information necessary to demonstrate compliance with the obligations laid down in the Regulation
This misunderstanding of one’s responsibilities is also prevalent among controllers: in certain cases the entities concerned wrongly do not consider themselves responsible for the processing of personal data.
Recently, the Court of Justice of the European Union ruled against two controllers that did not implement the appropriate measures to demonstrate their compliance with the regulation for the processing of personal data. In particular, the Court ruled that:
- People and companies such as the German educational company Wirtschaftsakademie Schleswig-Holstein that administer Facebook fan pages for their own purposes are jointly responsible with Facebook for the processing of data from visitors to the page. In other words, Facebook and the fan-page administrator are jointly responsible, to some extent, for any infringement with regard to privacy matters.
- A religious community, such as the Jehovah’s Witnesses, is a controller, jointly with its members who engage in preaching, for the processing of personal data carried out by the latter in the context of door-to-door preaching. In other words, the processing of personal data carried out in the context of such activities must respect the rules of EU law on the protection of personal data.
Judgment of the Court – Case C-25/17
Even though those cases were decided under Directive 95/46 (since replaced by the GDPR), the concepts of controller and processor remain the same under the GDPR.
In such cases, roles and consequently responsibilities are not only determined by the terms of a contract, if there is one, but mainly by the particular circumstances concerning personal data processing.
It is recommended for any party involved in a joint processing activity, even more so in the case of joint controllership, to enter into a contract (or agree on any other arrangement) based on these circumstances that includes at least all of the following:
- A liability clause in case one of the parties fails to respect the provisions of the said contract/arrangement
- A confidentiality clause with regard to the personal data processed, including the explicit provision that each staff member involved in the processing is aware of and trained in their confidentiality obligations and has consented to them
- A clause framing the transfers of personal data to a third party, where relevant/necessary
- A clause that clearly and unambiguously specifies the purpose(s) for which each party processes the personal data, including secondary purpose(s) (in)directly linked to the primary purpose(s)
- A clause properly defining which party is responsible for informing the data subjects, managing the requests to exercise a right, or reporting data breaches to the competent Supervisory Authority
Ultimately, all involved parties will have to cooperate to demonstrate their compliance, including their accountability with regard to the protection of personal data, in order to guarantee the right to have one’s personal data protected, a fundamental right in the European Union.
As such, clarifying the responsibilities of each party is the first mandatory step towards that goal, in particular since both controllers and processors may be affected: both actors could face fines and indemnities in cases where the Regulation is not respected.
Regulation (EU) 2016/679 – Article 82 “Right to compensation and liability”