Belgium's privacy watchdog publishes guidance on the notions of controller and processor

Belgium
Recently, the Belgian Data Protection Authority (“DPA”) published guidance on controller and processor concepts (see original documents in French and in Dutch), refreshing the distinction between these two concepts and their implications.

In view of recent questions about the qualification and concrete application of the concepts of controller and processor, the DPA has decided to recap the principles and definitions applicable to these concepts. Here's a quick overview.

The roles of parties processing personal data must be assessed on a case-by-case basis per data processing operation.

The party with the decision-making power to determine both the processing purpose and the processing means usually qualifies as controller. There can be some discretion regarding the processor’s role, as the controller may delegate the non-essential elements of the processing means to its processor(s).

But how far can the delegation go? It can extend to determining appropriate technical and organisational measures, but not to determining the categories of data subjects and processed data, the data recipients, the retention period or the lawful basis. If the processor exceeds the mandate it received from the controller, it will qualify as controller and must fulfill its obligations under the data protection legislation as controller. Going beyond the controller’s instructions could also potentially constitute a violation of data protection legislation and thus result in the processor’s liability.

Is the bargaining power of one party over the other in the negotiation important? No. The fact that one party has the initiative or dominance in terms of negotiating the data processing agreement is irrelevant when assessing the parties’ roles.

The controller–processor scenario is different from joint controllership. The latter entails two or more controllers jointly determining the purposes and means of the data processing, which means they must set out their respective responsibilities in an arrangement (e.g. an agreement), unless those responsibilities are determined by a specific statutory provision. Note that joint controllership leads to joint liability for a processing activity. This means that, vis-à-vis the data subject, each controller can be held fully liable for the entire damage caused by processing under joint controllership, to ensure that the data subject is effectively compensated.

The distinction between controller and processor is also crucial so that the parties understand their obligations, responsibilities and liabilities. In this context, the GDPR sets out that:
  • The subprocessing must be arranged contractually between the controller and the processor;
  • The processor can only process data in accordance with the controller’s instructions, unless the processor must process data pursuant to a legal obligation;
  • The processor cannot further process the data without prior written consent of the controller.

Further, the DPA has also reiterated the processor’s (new) obligations under the GDPR: 

  • The obligation to secure the personal data it processes;
  • The obligation to keep a register of data processing activities;
  • The obligation to notify data breaches to its controllers;
  • The appointment of a data protection officer (under specific circumstances);
  • The obligation to fulfil the requirements for the transfer of data outside the European Economic Area (“EEA”);
  • The appointment of a representative within the EEA, if the processor is located outside the EEA; and
    The obligation to assist the controller in fulfilling the latter’s obligations under the GDPR and to inform the controller if it breaches the GDPR or any other data protection legislation.

How can one determine whether a company is acting as a controller or a processor? Some criteria may help in assessing the roles of the various subjects involved:

  • Level of prior instructions given by the controller, which determines the margin of manoeuvre for its vendor: the bigger the vendor’s margin, the greater the likelihood that it qualifies as a controller.
  • Monitoring by the controller of the vendor’s execution of the service. Close and careful supervision by the controller to ensure strict compliance by the vendor with instructions and terms of contract provides an indication that the vendor acts as a processor.
  • Visibility vis-à-vis the data subjects and expectations of the data subjects on the basis of this visibility: the lower the vendor’s visibility towards the data subjects, the more likely it is to qualify as a processor.
  • Expertise of the parties: in certain cases, the professional expertise of a party may qualify it as controller.

What about a fan page hosted on a social network (e.g. Facebook)? The processing of statistical data by such a fan page may mean both the social network and the administrator of the fan page qualify as joint controllers in view of the impact on the data processing involved in the creation and configuration of the fan page as determined by its administrator (this was the outcome of a dispute between the German data protection authority and a German academic institution operating a fan page on Facebook and collecting user data via cookies; C-210/16).

Finally, the DPA reminds us that regulated professions (e.g. doctors, lawyers, etc.) must ensure that access to personal data in the electronic mail system complies with any professional secrecy codes by which they are bound.

In conclusion, despite the DPA’s guidelines, there is no simple answer as to who qualifies as controller or processor and in many instances it will be hard to make that call. Hopefully, the European Data Protection Board will soon update/recast its earlier guidance on controllers/processors, as it discussed the update/recast during its latest plenary meeting.