CNIL / EDPD: draft guidelines on the concepts of controller and processor

The European Data Protection Board (EDPB) is an independent European body which contributes to the consistent application of data protection rules within the European Union and encourages cooperation between EU authorities responsible for data protection.

The European Data Protection Board is made up of representatives of national data protection authorities and the European Data Protection Supervisor (EDPS). In addition, there are the supervisory authorities of the EFTA-EEA States with regard to matters related to the GDPR, but without the right to vote and without the possibility of standing for election for the presidency or vice-presidency. The European Data Protection Board is established by the General Data Protection Regulation (GDPR), and its headquarters are located in Brussels. The European Commission and - in matters related to the GDPR - the EFTA Surveillance Authority have the right to participate in the activities and meetings of the committee without the right to vote.

On September 2, 2020, the EDPS adopted first guidelines on the concepts of controller and processor, which are essential for the proper understanding and application of the GDPR. A public consultation is now open until October 19, 2020 to gather the opinions and contributions of all interested stakeholders.

The concepts of controller and processor play a crucial role in the application of the GDPR: in particular, they determine who is responsible for complying with data protection rules and how data subjects can exercise their rights in a meaningful way. effective. The GDPR clarified these concepts in relation to the state of the previous law and also provided for new obligations weighing on these actors.

These provisions, as well as recent rulings of the Court of Justice of the European Union relating to joint responsibility for data processing, raise many questions on the part of the organizations concerned: on the definition and scope of responsibility joint, on the respective obligations of these “co-controllers”, on the exact nature of the obligations incumbent on the subcontractors, etc.

It is therefore essential that the precise meaning of these concepts and their criteria are sufficiently clear and harmonized within the European Union. This is why the EDPS, which brings together the European CNILs, considered it necessary to adopt new guidelines, which are intended to replace the previous opinion of the "Article 29" working group on these concepts (WP169). This document aims to clarify the definition of the concepts of controller, joint controller, subcontractor, third parties and data recipient, by illustrating them with concrete sector examples. It also aims to detail the various obligations attached to these qualifications.

The CNIL encourages anyone interested to contribute to the public consultation organized by the EDPS.

Following this consultation and after analysis of the contributions received, the final version of the guidelines can be adopted by the EDPS. The CNIL will offer a summary of these on its website in order to allow the various players in the processing of personal data to better fulfill their obligations under the GDPR. These reminders and recommendations will thus make it possible to specify and supplement the advice that the CNIL already makes available to these actors, such as for example with regard to subcontracting.

How to participate in the consultation

Guidelines for data controllers and processors - version for public consultation

Virginie Gastine Menou

“Personalized support on the complex road to compliance”

Share the article on the networks!

Articles recent:

IMF: Fiscal Monitor

Budget action to fight the COVID-19 pandemic
A roadmap for the budgetary measures to be taken during the different phases of the pandemic
Public investments for the recovery

en_USEnglish fr_FRFrançais es_ESEspañol