Just over a month ago, the Litigation Chamber of the Belgian Data Protection Authority published a decision in which it appeared to adopt an extensive interpretation of the concept of "controller"; now, thanks to extensive developments by the EDPB, that interpretation no longer seems to be relevant.
In this newsletter, however, we wish to focus on other aspects of the EDPB's controller-processor guidelines, namely its considerations regarding contractual arrangements between controllers and processors and their compliance with the General Data Protection Regulation (GDPR).
A few standouts of the EDPB's interpretation:
- "Strict minimum" data processing agreements are insufficient;
- The EDPB sets out recommendations on signatures and amendments to data processing agreements;
- The EDPB requires a high level of detail in the description of the processing activities, the controller's instructions, and security (security measures as such or at least security objectives);
- A processor's employees etc. must not only keep the personal data processed confidential, but also "the details regarding the relationship" with the controller;
- The differences between a "specific" authorisation for sub-processing and a "general" one are more limited than one might expect;
and more…
Read more in our analysis of the impact of the EDPB's guidelines from the perspective of controller-processor agreements.