- The European Data Protection Board has published the final guidelines on controllers and processors.
- The roles under data protection law are tied to legal entities, not to individual departments.
- A hosting service provider is not the controller for data that its customer uses.
- For joint controllership, co-determination of purposes and means is decisive.
- The EDSA recommends documenting processing agreements separately from the main contract.
The European Data Protection Board (EDSA) has published the final version of its guidelines on the concepts of controller and processor (“Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0”, July 7, 2021). A deltaview comparison of the final and draft versions is available here.
The deviations from the draft are limited; in other cases, the EDSA has usually made more extensive changes in a final version. Some are only clarifications, e.g.
- that the roles under data protection law are linked to the legal entities and not to individual departments, even if they act with a high degree of autonomy;
- that a telecommunication service provider is not the controller for the content data of the transmitted communication (only the sender is);
- that a hosting service provider is not a controller even if it designs the service independently of the customer and unilaterally dictates the terms of the contract, because it is still the customer who decides how the service is used;
- that the essential means that only the controller can decide on are those means that are closely related to the purpose and extent because they are “closely linked” “to the question of whether the processing is lawful, necessary and proportionate”;
- that a market research company that autonomously obtains and analyzes personal data and only provides anonymous statistics to its clients without the client having any say in which personal data is processed and how, is the sole controller.
On the question of how granularly processing operations should be assessed when assigning roles, the EDSA attempts to provide clarity with a new paragraph, without gaining much:
“In practice, the processing of personal data involving several actors may be divided into several smaller processing operations for which each actor could be considered to determine the purpose and means individually. On the other hand, a sequence or set of processing operations involving several actors may also take place for the same purpose(s), in which case it is possible that the processing involves one or more joint controllers. In other words, it is possible that at “micro-level” the different processing operations of the chain appear as disconnected, as each of them may have a different purpose. However, it is necessary to double check whether at “macro-level” these processing operations should not be considered as a “set of operations” pursuing a joint purpose using jointly defined means.”
On joint controllership, the EDSA specifies that the mutual benefit both parties derive from a processing operation can only be an indication of joint controllership and cannot be decisive in itself. However, the EDSA does not redefine the concept of joint controllership. The following passage also remains unchanged; according to it, co-determination only of the purposes or only of the essential means of a processing operation is not sufficient for joint controllership:
The overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing. More specifically, joint participation needs to include the determination of purposes on the one hand and the determination of means on the other hand. If each of these elements are determined by all entities concerned, they should be considered as joint controllers of the processing at issue.
The section on commissioned processing (processing on behalf of a controller) also contains little that is new. However, the EDSA now recommends that, for documentation reasons, a processing agreement that forms part of a more extensive agreement (service agreement, SLA, etc.) should not be integrated directly into the latter but should be structured separately, e.g. as a separate annex.
Interesting, however, are the additions on the controller’s audit right, a point that is negotiated particularly often in data processing agreements (ADV):
- Here, the EDSA states that although the processor may propose an auditor, it is the controller who ultimately decides on the identity of the auditor. If an audit is carried out by a body proposed by the processor (e.g. as a regular self-audit), the controller must be able to dispute the result. In effect, the EDSA probably requires that the controller have the right to appoint its own auditor or to initiate its own audit, at least as an escalation level.
- Furthermore, the final decision on the type of audit (e.g. whether remote or on-site) must lie with the controller. This is also likely to preclude a rule under which, for example, an audit may be carried out only once a year without exception.
- The EDSA also explicitly addresses the allocation of audit costs. This is a question that is not regulated by the GDPR and can be negotiated as a commercial matter. Only prohibitive costs that undermine the right to audit would be inadmissible.