New controller-processor guidelines: beware of impact on data processing agreements
Armed with useful flowcharts to help organisations determine their role, the European Data Protection Board (EDPB) has published new guidelines on the concepts of "controller", "processor" and "joint controller". Just over a month ago, the Litigation Chamber of the Belgian Data Protection Authority had published a decision in which it appeared to adopt an extensive interpretation of the concept of "controller"; now, thanks to extensive developments by the EDPB, that interpretation no longer seems to be relevant.
In this newsletter, however, we wish to focus on other aspects of the EDPB's controller-processor guidelines, namely its considerations regarding contractual arrangements between controllers and processors and their compliance with the General Data Protection Regulation (GDPR).
A few standouts of the EDPB's interpretation:
- "Strict minimum" data processing agreements are insufficient;
- The EDPB sets out recommendations on signatures and amendments to data processing agreements;
- A high level of detail is required by the EDPB regarding the description of the processing activities, the controller's instructions, security (security measures as such or at least security objectives);
- A processor's employees etc. must not only keep the personal data processed confidential, but also "the details regarding the relationship" with the controller;
- The differences between a "specific" authorisation for sub-processing and a "general" one are more limited than one might expect;
Read more in our analysis of the impact of the EDPB's guidelines from the perspective of controller-processor agreements.