The Article 29 Data Protection Working Party, an independent EU advisory body, has published detailed guidance on how to interpret two core definitions of Directive 95/46/EC of 24 October 1995: Data Controller and Data Processor. The interaction between these two concepts is of paramount importance in the application of the Directive, as it determines who will be responsible for compliance with EU data protection rules, which Member State laws apply, which data protection authorities are competent to supervise data processing operations and how data subjects can exercise their rights.
Opinion 1/2010 (adopted on 16 February 2010, reference number 00264/EN/WP 169) confirms that the current definitions of the terms Data Controller and Data Processor (as set forth in Article 2 of the Directive) continue to be relevant and workable. The Working Party takes the position, however, that applying these concepts to complex processing environments can be difficult; and the guidance provided in its Opinion is intended to ease the allocation of the two roles and their respective responsibilities.
Functional Approach of the Working Party
The Working Party acknowledges that data processing is becoming increasingly complex. The extensive use of outsourcing arrangements, internationalisation and cutting edge information and communication technology infrastructure such as cloud computing can sometimes make it difficult to identify and differentiate between a Data Controller and Data Processor within the meaning of the Directive.
Against such a background, the Working Party favours a functional interpretation of the terms rather than a formal analysis. Most importantly, the Working Party holds the view that the terms should be construed so that responsibilities related to data processing are clearly allocated. For example, the distinction between Data Controller and Data Processor should be determined on the basis of an assessment of the factual circumstances. Contractual terms should therefore not necessarily be determinative. Although this approach will increase flexibility, it may bear the risk of more unpredictable interpretations by national supervisory authorities.
Concept of Data Controller
As to the concept of Data Controller, the Working Party identifies and interprets the three main building blocks of the EU Data Controller definition:
- “Natural or legal person” – the first building block defining the potential addressee
- “Which alone or jointly with others” – the second building block allowing pluralistic control
- “Determines the purposes and means of processing” – the third building block dealing with the decisive competence of the Data Controller
Considering the term “determines the purposes and means of processing” (i.e., the “why” and “how” of processing activities), the Working Party highlights the importance of the factual circumstances. In particular, contracts stipulating who determines the purpose and who, thus, shall be the Data Controller may only give an indication of the parties’ intentions. These stipulations should not be treated as definitive, however, as to do so would allow parties to allocate responsibility where they think fit.
In determining the purposes and means, the Working Party focuses on the “purpose” of processing rather than the “means” of processing. Accordingly, whoever decides on the “purposes” of the data processing operation triggers the qualification to be (de facto) the Data Controller. Determination of the “means” of processing can be delegated by the Data Controller as far as technical or organisational measures are concerned. Substantial decisions that may affect the lawfulness of the data processing, however, such as the type of data to be processed, length of storage and access to that data, may only be determined by the Data Controller.
Concept of Data Processor
Two basic conditions must be met for a party to qualify as a Data Processor:
- Being a separate legal person or entity to the Data Controller
- Processing personal data on the Data Controller’s behalf
In essence, therefore, the Data Processor is expected to execute and implement the Data Controller’s instructions. A data processor may, however, at its own discretion, choose the most suitable technical and organisational means for processing without qualifying as (co-) Data Controller.
The lawfulness of the processing by the Data Processor depends on the specific mandate given by the Data Controller, but a Data Processor working beyond that mandate could be viewed as assuming the responsibilities of a (joint) Data Controller. There is, of course, a certain degree of flexibility in sharing and allocating data protection obligations and responsibilities provided that all parties are compliant.
Equally, the Opinion explicitly acknowledges pluralities of Data Processors. According to the Working Party, the Directive allows several entities to be designated as Data Processors or Data Sub-processors by subdividing relevant tasks, as far as they comply with the instructions of the Data Controller(s).
The Working Party gives numerous examples on how its construction of the terms Data Controller and Data Processor can be applied to real life settings, such as employment or recruitment agencies, or to the health sector.
In the context of the health sector it includes platforms for managing health data and intermediaries for processing data related to scientific purposes or processing data from clinical trials. With respect to the latter, the Working Party gives clear guidance by qualifying sponsors as Data Controllers and trial centres (“sites”) as (co-) Data Controllers.
Effect of the Opinion
The Working Party is an advisory body, therefore this Opinion, in theory, should not be directly binding on the national supervisory authorities. In practice, however, as the Working Party is mainly composed of national supervisory authority representatives explicitly tasked with contributing to the uniform application of the Directive within the European Union, its Opinion will be highly respected and taken into account by such authorities when applying the national laws transposing the Directive.