Cyber and Information Law Newsletter - Round up of 2019: Guidance

Cyber and Information Law Newsletter: Issue 1 - Guidance's Tags

Tags related to this article

Cyber and Information Law Newsletter: Issue 1 - Guidance

Published 30 abril 2019

New ICO guidance on controllers, processors and joint controller – what has changed? 

The ICO produced guidance in 2014 to assist organisations in determining whether they are a controller or a processor and it can be accessed here (“Old Guidance”). This was since updated following the implementation of the GDPR and can be accessed (here) and (here) (“New Guidance”). We have set out below the key points to be aware of:

Determining whether a party is a controller or a processor

The New Guidance contains the following checklists for determining whether you are a controller or processor:

Are we a controller? Are we a processor? Are we a joint controller?
We decided to collect or process the personal data. We are following instructions from someone else regarding the processing of personal data. We have a common objective with others regarding the processing.
We decided what the purpose or outcome of the processing was to be. We were given the personal data by a customer or similar third party, or told what data to collect. We are processing the personal data for the same purpose as another controller.
We decided what personal data should be collected. We do not decide to collect personal data from individuals. We are using the same set of personal data (e.g. one database) for this processing as another controller.
We decided which individuals to collect personal data about. We do not decide what personal data should be collected from individuals. We have designed this process with another controller.
We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller. We do not decide the lawful basis for the use of that data. We have common information management rules with another controller.
We are processing the personal data as a result of a contract between us and the data subject. We do not decide what purpose or purposes the data will be used for.  
The data subjects are our employees. We do not decide whether to disclose the data, or to whom.  
We make decisions about the individuals concerned as part of or as a result of the processing. We do not decide how long to retain the data.  
We exercise professional judgement in the processing of the personal data. We may make some decisions on how data is processed, but implement these decisions under a contract with someone else.  
We have a direct relationship with the data subjects. We are not interested in the end result of the processing.  
We have complete autonomy as to how the personal data is processed.    
We have appointed the processors to process the personal data on our behalf.    

The Old Guidance, although not updated, is still considered by the ICO to be useful. However the ICO does note that there are some subtle differences between the Old Guidance and the New Guidance; the key difference being how to determine whether an organisation is a controller or processor.

In paragraph 16 of the Old Guidance there is a list of decisions and if an organisation makes any one of those decisions, it will be a controller. In contrast, the New Guidance states that the more boxes that are ticked in the above checklists, the more likely it is that a party will fall within that particular category. Therefore, until the ICO clarifies which approach should be taken, we would advise applying both sets of checklists to determine an organisation’s data protection designation.

Can you be both a controller and a processor of the same personal data?

No – the ICO’s New Guidance is clear on this point; you cannot be both a controller and a processor for the same processing activity i.e. processing personal data for the same purpose.

However the New Guidance does acknowledge that you can be both a controller and a processor if you are processing the personal data for different purposes and if your systems and procedures can distinguish between the personal data you are processing in your capacity as controller and what you process as a processor. Where your systems cannot make this distinction and do not allow you to apply different processes and measures to each, the ICO considers that you are likely to be considered a joint controller rather than a processor. This is a new conclusion by the ICO and one that will have substantial ramifications because:

  • The GDPR requires that joint controllers must have an arrangement in place that sets out agreed roles and responsibilities. The main points of the arrangement should also be made available to individuals (ideally in the form of privacy notices); and
  • Joint controllers are joint and severally liable.

Additionally the New Guidance provides various examples of joint controllers and they appear to imply that any service provider who is not acting as a processor will be acting as joint controller with its customer (rather than a separate controller). We will be co-ordinating feedback on the New Guidance in the hope that the ICO will provide definitive examples of joint controllers. We are also aware that the European Data Protection Board will be publishing guidelines on the concepts of controller and processor over the next two years which should bring extra clarity.

In the meantime, we would strongly recommend that all organisations: (1) refer to the New Guidance when determining the data protection designation of a party; and (2) address the relevant joint controller relationship requirements in respect of any parties who would be deemed by the ICO to be joint controllers.

Shehana Cameron-Perera

What will be keeping the EDPB busy over 2019 and 2020? 

The European Data Protection Board (“EDPB”) which replaced the Article 29 Working Party advisory body (WP29) in May 2018 have set out their 2019/2020 work program. Key items on their agenda include producing the following items:

  • Guidelines on concepts of controller and processor (this will update the historic WP29 Opinion which can be accessed here)
  • Guidelines on the notion of legitimate interest of the data controller (this will update the WP29 Opinion which can be accessed here)
  • Guidelines on the territorial scope of the GDPR (which will be finalised after the public consultation on the draft guidelines which can be accessed here)
  • Guidelines on Data Protection by Design and Default
  • An opinion on decisions regarding standard contractual clauses for processors

The EDPB has already adopted its opinion on the interplay between the ePrivacy Directive and the GDPR and it can be accessed here.

For a full list of the tasks on the EDPB’s work program over the next two years, please see here. We will keep a watching brief and report back on all publications as they are released.


Shehana Cameron-Perera Michael McMillen

Certification guidelines

The EDPB has adopted guidelines on GDPR “certification” (“Guidelines”) which aim to provide advice on the interpretation and implementation of GDPR certification (an undefined term in the GDPR). Once certified, an organisation can display a seal or mark to show that the organisation is GDPR compliant. Restricted transfers to certified organisations will therefore be allowed provided that the organisation makes commitments to apply appropriate safeguards.

The Guidelines are intended to assist member states, supervisory authorities and certification bodies in their approaches to a certification mechanism.

There are currently no approved certification schemes or accredited certification bodies for issuing GDPR certificates in the UK and the ICO does not have any current plans to accredit certification bodies or to carry out certification. In the event that the ICO focusses on certification or for organisations whose supervisory authorities are not in the UK, the Guidelines will be useful. Certification can be an easy win for organisations to demonstrate GDPR compliance and provide transparency and reassurance to other organisations and individuals about the level of data protection safeguarding measures that they have in place.

The Guidelines can be accessed here.

Michael McMillen


Michael McMillen

Michael McMillen

London - Walbrook

+44(0)20 7894 6981

< Back to articles