The factual interpretation of the data controllership

According to the provisions of the GDPR, the data controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, exercises overall control over the purpose for which, and how, personal data are processed. The data processor, in turn, is the natural or legal person, public authority, agency or other body which processes the personal data on behalf of the data controller.

Depending on the written agreement with the data controller, the data processor can, by itself, exercise some control over the processing of the personal data, especially regarding: the IT systems or other methods used to collect and store personal data, the detail of the security surrounding the personal data, the means used to transfer the personal data from one organization to another, etc.  Nonetheless, even if the power to determine the means of the processing is delegated to a processor, the data controller must be able to exercise an appropriate degree of control over the data processor’s activities. 


Activities such as interpretation, the exercise of professional judgement or significant decision-making in relation to personal data must be carried out by the data controller, which ultimately bears the legal liability for the processing. It is therefore of paramount importance to determine the roles of the parties and their processing capacity in order to establish the legal responsibility for complying with their respective obligations under the law.


The challenge of dividing responsibilities is especially conspicuous in cloud computing services when the data controller is a small enterprise and the processor is a large corporation with the power to impose the terms and conditions of its services. In such circumstances, however, the predecessor of the European Data Protection Board (EDPB), the Article 29 Working Party (WP 29), recommends that the standard of responsibility should not be lowered on the ground of economic imbalance between the parties.


Furthermore, the EDPB makes it clear in its Guidelines on the concepts of controllers and processors in the GDPR that all relevant factual circumstances must be considered to reach a conclusion as to whether a particular entity exercises a determinative influence with respect to the processing of personal data.


There is no doubt that the benefits of cloud computing are underpinned by shared resources and infrastructure. A precondition for relying on cloud computing arrangements is the data controller’s obligation to perform an adequate risk assessment, considering the locations of the servers where the data are going to be processed, the risks for the rights and freedoms of individuals whose data are going to be processed in the cloud and the data controller’s own benefits.


On the flip side, lack of control over the data is one of the inherent data protection risks of cloud computing. The Article 29 WP notes that, by committing personal data to the systems managed by a cloud vendor, data controllers may no longer be in exclusive control of the data and may no longer be able to deploy the technical and organizational measures necessary to ensure the availability, integrity, confidentiality, transparency, isolation, intervenability and portability of the data. The cloud vendor could create a lock-in effect when proprietary infrastructure is being relied upon. In this sense, the WP 29 guidelines point to the difficulty a cloud customer faces in shifting data and documents between different cloud-based systems (data portability) or in exchanging information with entities that use cloud services managed by different providers (interoperability).


From a legal perspective, one of the biggest challenges for stakeholders and SMEs in the cloud computing set-up is the lack of room for maneuver in negotiating the terms of use of the cloud services, as standardized boilerplate agreements are a feature of many cloud computing services. An example of this is the “take-it-or-leave-it” Service Level Agreements (SLAs) or User Licensing Agreements (ULAs), which seem to offer an already structured text that leaves little to no space for customers to negotiate and diverge.


Nevertheless, according to the EDPB Guidelines on the concepts of controller and processor in the GDPR, the fact that the contract and its detailed terms of business are prepared by the vendor rather than by the data controller is not in itself problematic and is not in itself a sufficient basis to conclude that the vendor should be considered a data controller. Furthermore, the contractual imbalance of power between the parties should not be considered a justification for either party to propose clauses and terms which are not in compliance with data protection law, nor can it discharge any of the parties from their respective data protection obligations.


The imbalance of power is addressable, according to WP 29, through the data controller’s prerogative to choose a cloud provider that guarantees compliance with data protection legislation. In addition, according to WP 29, special emphasis must be placed on the features of the applicable contracts, which must include a set of standardized data protection safeguards. These safeguards can include technical and organizational measures as well as additional mechanisms that can prove suitable for facilitating due diligence and accountability, such as independent third-party audits and certifications of a provider’s services.


At present, most legal issues are resolved through negotiation and contracting. Nevertheless, this approach shows that the law is lacking teeth in the sphere of cloud computing, because it allows the parties to negotiate the controllership contractually. This can be detrimental to the data subject or other parties who do not possess the negotiating power or the possibility to contribute to defining the content of the contractual arrangements.


Furthermore, the allocation of obligations to ensure the efficient protection of personal data which the law is aiming for can be distorted by this imbalance in control. Terms such as those related to the storage locations can generate legal complexities and difficulties in complying with the law. Data in a cloud set-up can be kept in several locations simultaneously to enable efficient and real-time services. An example of this is AWS, which offers data storage both in the US and the EU. With multiple storing and processing locations, it is difficult to ascertain which law of which jurisdiction is applicable to the data processing procedure, and things get even more complicated if the data is transferred through multiple locations. Additionally, another difficulty can originate from a cloud provider who wishes to lessen its own obligation or liability by establishing a data center in a country with a level of protection which is not substantially equivalent to that of the EU.


Although pragmatic answers and solutions to such worries coming from practice appear to be lacking, the alleviation seems to be contained in the pages of the EDPB Guidelines on the concepts of controllers and processors in the GDPR. The latter seem to make the case for defining the term controller as a functional concept and advocate using factual influence to determine the status of each actor.

Therefore, even though the arranged contractual relationship may indicate that A has the power to define the means and purpose of the processing, B could in fact decide on those two notions. With the factual influence, the legal status of B could be that of a controller of that processing procedure, even if this differs from the contract.


The SWIFT case can be seen as a “by the book” example here. A vendor has a contractual relationship as a processor with financial institutions for the purpose of processing financial transactions on behalf of those financial institutions. Later, the vendor transfers the data under a U.S. subpoena without any prior authorization of either the financial institutions or their end-users. This transfer is solely initiated by the vendor and occurs outside the contractual scope agreed with the financial institutions. The autonomous act of the company to transfer the clients’ personal data to U.S. authorities makes the vendor liable as a data controller.

Therefore, the degree of power of data controllers and processors can vary. This variation can result in different degrees of liability, and processing beyond the instructions of the data controller can factually determine an independent or joint controllership situation, no matter the stipulations in the boilerplate agreements.


Besides the SWIFT case cited above, there is a considerable number of useful decisions interpreting the legal status of a controller and a processor. One of the most recent useful cases comes from the European Data Protection Supervisor (EDPS), which considered in its Decision in complaint case 2020-1013, submitted by Members of the Parliament against the European Parliament, that whereas the contractual arrangements reveal the Parliament’s intention to be the controller for the processing operations that fall within the contract framework, the EDPS still needs to assess the level of instructions the Parliament gave to Ecolog, in order to determine whether the Parliament is indeed the sole controller and exclude a case of joint controllership. It follows from the relevant correspondence between Ecolog and the Parliament that the latter delegated the setting up and functioning of the website to Ecolog. The correspondence reveals that before setting up the website, Ecolog had consulted the Parliament about the complete website and the privacy statement (including the use of cookies), which were approved by the Parliament. Therefore, Ecolog was ‘under the assumption that the technical set-up’ was in line with [the Parliament’s] regulations. “Based on the above, the EDPS considers the Parliament as the sole data controller for the processing in question, i.e., the operation of the Parliament’s dedicated website, whereas Ecolog acts as a processor.”


In addition, although in its January 13, 2022, ruling against Google Analytics the Austrian Data Protection Authority (DSB) only assessed the data processing activities up to the point of successful transfer to Google without commenting on the further data processing performed by Google, a separate legal proceeding was initiated for this point. Interestingly enough, on 12.05.2020 the German Data Protection Conference (Datenschutzkonferenz/DSK) issued certain guidelines regarding the use of Google Analytics in the non-public sector (‘the Guidelines’).


The Guidelines conclude that the contractual framework governing the relationship between Google and website operators should not be considered as “processing by a processor on behalf of a controller” as stipulated in Article 28 of the GDPR, but as a joint controllership where “two or more controllers jointly determine the purposes and means of processing” (Article 26 of the GDPR).


Having regard to the complexities and dynamics of business models and relations, we stand by the factual interpretation of the parties’ roles and the influence theory, which means that controllership is primarily about allocating responsibility among the parties. Overall, in the GDPR, the data controller is a legal status of an entity with the capacity to decide on the purpose and the means of a processing. This capacity needs to be implemented in a real scenario, and there can be more than one entity that can exercise this capacity.

A data processor is a party that acts on behalf of a data controller or according to its instructions. Any autonomous action of a data processor is a factor that can change its legal status to a data controller.

Author: Petruta Pirvan, Founder and Legal Counsel Data Privacy and Digital Law EU Digital Partners