EDPS: Guidance on the notions of controller, processor and joint controllers.

The European Data Protection Supervisor (EDPS), the data protection authority competent for the bodies and authorities of the EU, has published guidance on the notions of controller, processor and joint controllers (EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725). The guide refers to the legal definitions in Regulation 2018/1725 on the protection of personal data when processed by the bodies, institutions and agencies of the EU, i.e. not to the GDPR. However, the corresponding legal definitions are practically identical in wording (with a few differences that either relate to the scope of Regulation 2018/1725 or are not significant).

In terms of content, there is little that is new in the guide from the point of view of private-sector managers. Although the guide already takes up the current decision of the ECJ in the Fashion ID case, it does not derive anything surprising from it. However, it is clear – once again – that the scope of joint responsibility is (very) broad.

The following flowchart in the guide is helpful:
