Takeaways (AI):
  • The European Data Protection Board has published the final guidelines on controllers and processors.
  • The roles under data protection law are tied to legal entities and not to individual departments.
  • A hosting service provider is not the controller for the data that the customer uses the service for.
  • For joint controllership, co-determination of purposes and means is decisive.
  • The EDSA recommends documenting audit agreements separately from the main contract.

The European Data Protection Board (EDSA) has published the final version of its guidelines on the concepts of controller and processor (“Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0”, July 7, 2021). A delta view comparing the final version with the draft is available here.

The deviations from the draft are limited; in other cases, the EDSA has usually made more extensive changes in a final version. Some are only clarifications, e.g.

  • that the roles under data protection law are linked to legal entities and not to individual departments, even if the latter act with a high degree of autonomy;
  • that a telecommunications service provider is not the controller for the content data of the transmitted communication (only the sender is);
  • that a hosting service provider is not a controller even if it designs the service independently of the customer and unilaterally dictates the terms of the contract, because it is still the customer who decides how the service is used;
  • that the essential means, which only the controller can decide on, are those means that are closely related to the purpose and scope of the processing because they are “closely linked” “to the question of whether the processing is lawful, necessary and proportionate”;
  • that a market research company that autonomously obtains and analyzes personal data and only provides anonymous statistics to its clients, without the client having any say in which personal data is processed and how, is the sole controller.

On the question of how granularly processing operations should be assessed when assigning roles, the EDSA attempts to provide clarity with a new paragraph, without gaining much:

“In practice, the processing of personal data involving several actors may be divided into several smaller processing operations for which each actor could be considered to determine the purpose and means individually. On the other hand, a sequence or set of processing operations involving several actors may also take place for the same purpose(s), in which case it is possible that the processing involves one or more joint controllers. In other words, it is possible that at “micro-level” the different processing operations of the chain appear as disconnected, as each of them may have a different purpose. However, it is necessary to double check whether at “macro-level” these processing operations should not be considered as a “set of operations” pursuing a joint purpose using jointly defined means.”

On joint controllership, the EDSA specifies that the mutual benefit both parties derive from a processing operation can only be an indication of joint controllership and cannot be decisive in itself. However, the EDSA does not redefine the concept of joint controllership. The following passage also remains unchanged, according to which co-determination only of the purposes or only of the essential means of a processing operation is not sufficient for joint controllership:

“The overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing. More specifically, joint participation needs to include the determination of purposes on the one hand and the determination of means on the other hand. If each of these elements are determined by all entities concerned, they should be considered as joint controllers of the processing at issue.”

On processing on behalf of a controller (Auftragsverarbeitung), there is also little that is new. However, the EDSA now recommends that, for documentation reasons, a data processing agreement that forms part of a more extensive agreement (service agreement, SLA, etc.) should not be integrated directly into the latter, but should be structured separately, e.g. as a separate annex.

Interesting, however, are the additions on the controller's audit right, a particularly frequently negotiated point in data processing agreements (ADV):

  • Here, the EDSA states that although the processor may propose an auditor, it is the controller who ultimately decides who the auditor is. If an audit is carried out by a body proposed by the processor (e.g. as a regular self-audit), the controller would have to be able to dispute the result. As a consequence, the EDSA probably requires that the controller must have the right to appoint its own auditor or to initiate its own audit, at least as an escalation level.
  • Furthermore, the final decision on the type of audit must lie with the controller (e.g. whether remote or on-site). This is also likely to stand in the way of a rule that an audit can only be carried out once a year, for example, without exception.
  • The EDSA also explicitly addresses the allocation of audit costs. This is a question that is not regulated by the GDPR and can be negotiated as a commercial matter. Only prohibitive costs that undermine the right to audit would be inadmissible.

AI-generated takeaways can be wrong.