
DATA PROTECTION

EDPS Guidelines on the concepts of controller, processor and joint controllership under Reg. (EU) 2018/1725.

When processing personal data, EU institutions and bodies (EUIs) must comply with specific data protection rules. Depending on their role, their obligations differ.

The Guidelines provide explanation and practical advice to EU institutions and bodies on how to comply with Regulation (EU) 2018/1725 (‘the Regulation’).

Following the entry into force of the General Data Protection Regulation (the GDPR) and Regulation 2018/1725, many questions were raised on the changes to the concepts of controller, processor and ‘joint controllership’, and particularly on their respective roles and responsibilities.

These guidelines aim to give EUIs practical advice and instructions for complying with Regulation 2018/1725 by providing specific guidance on the concepts of controller, processor and joint controllership based on the definitions provided in the Regulation. EUIs will have more clarity on the roles they may assume for specific processing operations and the implications in terms of obligations and responsibilities under the Regulation. While these guidelines are aimed at the Data Protection Officers, Data Protection Coordinators and all persons having responsibility within the EUIs for the processing operations of personal data, other external organisations might equally find them useful.

The guidelines focus on:

- the concepts of controller, processor and joint controllership;
- the distribution of their obligations and responsibilities, in particular when dealing with the exercise of the rights of data subjects;
- specific case studies on controller-processor, separate controllership and joint controllership situations.

The identification and assessment of whether EUIs may be considered as controllers, processors or joint controllers, together with their respective duties, are presented in flowcharts and checklists.

These guidelines will also be useful to senior management in supporting a culture of data protection from the top of the organisation and in implementing the principle of accountability. The purpose of the guidelines is to make it easier for EUIs to fulfil their obligations. Under the accountability principle, EUIs remain responsible for compliance with their obligations.