Cyber and Information Law Newsletter: Issue 1 - Guidance

Published 30 abril 2019

New ICO guidance on controllers, processors and joint controller – what has changed? 

The ICO produced guidance in 2014 to assist organisations in determining whether they are a controller or a processor and it can be accessed here (“Old Guidance”). This was since updated following the implementation of the GDPR and can be accessed (here) and (here) (“New Guidance”). We have set out below the key points to be aware of:

Determining whether a party is a controller or a processor

The New Guidance contains the following checklists for determining whether you are a controller or processor:

The Old Guidance, although not updated, is still considered by the ICO to be useful. However the ICO does note that there are some subtle differences between the Old Guidance and the New Guidance; the key difference being how to determine whether an organisation is a controller or processor.

In paragraph 16 of the Old Guidance there is a list of decisions and if an organisation makes any one of those decisions, it will be a controller. In contrast, the New Guidance states that the more boxes that are ticked in the above checklists, the more likely it is that a party will fall within that particular category. Therefore, until the ICO clarifies which approach should be taken, we would advise applying both sets of checklists to determine an organisation’s data protection designation.

Can you be both a controller and a processor of the same personal data?

No – the ICO’s New Guidance is clear on this point; you cannot be both a controller and a processor for the same processing activity i.e. processing personal data for the same purpose.

However the New Guidance does acknowledge that you can be both a controller and a processor if you are processing the personal data for different purposes and if your systems and procedures can distinguish between the personal data you are processing in your capacity as controller and what you process as a processor. Where your systems cannot make this distinction and do not allow you to apply different processes and measures to each, the ICO considers that you are likely to be considered a joint controller rather than a processor. This is a new conclusion by the ICO and one that will have substantial ramifications because:

• The GDPR requires that joint controllers must have an arrangement in place that sets out agreed roles and responsibilities. The main points of the arrangement should also be made available to individuals (ideally in the form of privacy notices); and
• Joint controllers are joint and severally liable.

Additionally the New Guidance provides various examples of joint controllers and they appear to imply that any service provider who is not acting as a processor will be acting as joint controller with its customer (rather than a separate controller). We will be co-ordinating feedback on the New Guidance in the hope that the ICO will provide definitive examples of joint controllers. We are also aware that the European Data Protection Board will be publishing guidelines on the concepts of controller and processor over the next two years which should bring extra clarity.

In the meantime, we would strongly recommend that all organisations: (1) refer to the New Guidance when determining the data protection designation of a party; and (2) address the relevant joint controller relationship requirements in respect of any parties who would be deemed by the ICO to be joint controllers.

Author

Shehana Cameron-Perera

What will be keeping the EDPB busy over 2019 and 2020? 

The European Data Protection Board (“EDPB”) which replaced the Article 29 Working Party advisory body (WP29) in May 2018 have set out their 2019/2020 work program. Key items on their agenda include producing the following items:

• Guidelines on concepts of controller and processor (this will update the historic WP29 Opinion which can be accessed here)
• Guidelines on the notion of legitimate interest of the data controller (this will update the WP29 Opinion which can be accessed here)
• Guidelines on the territorial scope of the GDPR (which will be finalised after the public consultation on the draft guidelines which can be accessed here)
• Guidelines on Data Protection by Design and Default
• An opinion on decisions regarding standard contractual clauses for processors

The EDPB has already adopted its opinion on the interplay between the ePrivacy Directive and the GDPR and it can be accessed here.

For a full list of the tasks on the EDPB’s work program over the next two years, please see here. We will keep a watching brief and report back on all publications as they are released.

Authors

Shehana Cameron-Perera

Michael McMillen

Certification guidelines

The EDPB has adopted guidelines on GDPR “certification” (“Guidelines”) which aim to provide advice on the interpretation and implementation of GDPR certification (an undefined term in the GDPR). Once certified, an organisation can display a seal or mark to show that the organisation is GDPR compliant. Restricted transfers to certified organisations will therefore be allowed provided that the organisation makes commitments to apply appropriate safeguards.

The Guidelines are intended to assist member states, supervisory authorities and certification bodies in their approaches to a certification mechanism.

There are currently no approved certification schemes or accredited certification bodies for issuing GDPR certificates in the UK and the ICO does not have any current plans to accredit certification bodies or to carry out certification. In the event that the ICO focusses on certification or for organisations whose supervisory authorities are not in the UK, the Guidelines will be useful. Certification can be an easy win for organisations to demonstrate GDPR compliance and provide transparency and reassurance to other organisations and individuals about the level of data protection safeguarding measures that they have in place.

The Guidelines can be accessed here.

Authors

Michael McMillen