On February 16, 2010, the Article 29 Working Party adopted Opinion 1/2010 (the “Opinion”) providing further clarification and guidance on the interpretation of the concepts of “data controller” and “data processor” in the context of the EU’s Data Protection Directive 95/46/EC. The full text of the Opinion (in English) has been made public on the Dutch DPA’s website.
The interaction between data controllers and data processors is essential in the application of Directive 95/46/EC, not least because the concepts determine who will be responsible for compliance with data protection rules and how data subjects can exercise their rights. However, the increasing complexity of the environment in which these concepts are used has given rise to new and difficult issues. The Opinion emphasizes the need to allocate responsibility between data controllers and data processors so that compliance with data protection rules are upheld sufficiently. Despite the impact of information and communication technologies and globalization, the Working Party concluded that the current distinction between data controllers and data processors remains relevant and workable. The following points are of particular importance:
Regarding Data Controllers
- first and foremost, the role of the concept of a data controller is to determine who will be responsible for compliance with data protection rules (i.e., allocation of responsibility) and how data subjects can exercise their rights in practice;
- the concept of a data controller also is essential in determining which national law is applicable to a processing operation/ set of processing operations;
- the concept of a data controller is autonomous, (i.e., it should be interpreted mainly in accordance with Directive 95/46/EC), and functional (i.e., it is based on a factual rather than formal analysis);
- determining the “purpose” of processing triggers the qualification of (de facto) data controller;
- determining the “means” of processing can be delegated by the data controller (as far as technical or organizational questions are concerned), however, substantial questions that are essential to the core of lawfulness of processing (e.g., type of data to be processed, length of storage, access, etc) are to be determined by the data controller.
Regarding Data Processors
- the qualification of a data processor depends on the decision of the data controller, who may decide to process the data within his organization, or to delegate all or part of the processing activities to an external organization;
- two basic conditions arise for qualifying as a data processor: (a) being a separate legal entity with respect to the data controller; and (b) processing personal data on behalf of the data controller;
- the role of a data processor stems from its core activities in a specific context and with regard to specific sets of data or operations.