11. GDPR – Principles and Actors
Outline of the chapter
The purpose of this chapter is to introduce the principles that one must follow when processing personal data, as well as the legal bases that allow personal data to be processed. Adherence to the foundational principles is mandatory, and so is the choice of an appropriate legal basis, in order to ensure that the processing of personal data is lawful. Following this discussion, the chapter also introduces the main actors and the roles the GDPR assigns to them.
The topics discussed are:
- Important definitions (11.1)
- Principles of data protection (11.2)
- Legal grounds for lawful processing of personal data (11.3)
- The main actors (11.4)
(11.1) Important definitions
To understand the terms and definitions used by the GDPR, one must turn to Article 4, which provides extensive definitions of the key terms. Keeping in mind the meanings assigned by the Regulation is crucial in practice for the proper application of the rules that follow.
Article 4 GDPR – Definitions
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
…
(5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
…
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
…
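The definition of ‘pseudonymisation’ in Article 4(5) has a concrete technical shape: direct identifiers are replaced by tokens, and the ‘additional information’ that would allow re-attribution (here a secret key and a lookup table) is held separately under its own access controls. The following Python program is an added illustration, not text from the Regulation or from any guidance body; the records, names and addresses are constructed, and the key is a fixed constant only so that the run is reproducible (a real deployment would generate it with `secrets.token_bytes` and store it apart from the data). Note that pseudonymised data remain personal data under the GDPR (Recital 26): the technique reduces risk, it does not anonymise.

```python
"""Pseudonymisation in the sense of Art. 4(5) GDPR: replace direct identifiers
by a keyed token and keep the re-identification material separately.
Added example; all records below are constructed and the key is a demo value."""
import hmac
import hashlib

# Constructed sample records: the people and e-mail addresses are invented.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "purchase": "Book A", "amount": 12.50},
    {"name": "Bob Example", "email": "bob@example.org", "purchase": "Book B", "amount": 8.00},
    {"name": "Alice Example", "email": "alice@example.org", "purchase": "Book C", "amount": 15.00},
]

# Fields that identify a person directly and must not appear in the working dataset.
DIRECT_IDENTIFIERS = ("name", "email")

# Demo key (assumption). In practice: generated once, stored separately from the
# pseudonymised data, with access limited to the re-identification function.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def subject_token(key: bytes, email: str) -> str:
    """Deterministic keyed token (HMAC-SHA256) for one data subject.

    The same person always maps to the same token, so per-subject analysis is
    still possible. Without the key, the token cannot be linked back to the
    e-mail address, not even by enumerating likely addresses: the attacker
    would have to search the key space, not the address space.
    """
    mac = hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (pseudonymised_records, lookup_table).

    lookup_table maps token -> direct identifiers. Like the key, it is the
    'additional information' of Art. 4(5) and must be stored separately,
    subject to its own technical and organisational measures.
    """
    lookup = {}
    pseudonymised = []
    for record in records:
        token = subject_token(key, record["email"])
        lookup[token] = {field: record[field] for field in DIRECT_IDENTIFIERS}
        pseudonymised.append(
            {"subject_token": token}
            | {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        )
    return pseudonymised, lookup


def contains_direct_identifiers(records) -> bool:
    """Check used before handing a dataset to analysts: no identifier fields left."""
    return any(field in record for record in records for field in DIRECT_IDENTIFIERS)


def total_per_subject(pseudonymised_records) -> dict:
    """Example of work done on pseudonymised data alone: spend per subject."""
    totals: dict = {}
    for record in pseudonymised_records:
        totals[record["subject_token"]] = totals.get(record["subject_token"], 0.0) + record["amount"]
    return totals


def reidentify(pseudonymised_records, lookup):
    """Re-attribute records. Only the party holding the separately stored
    lookup table can do this, which is the whole point of the separation."""
    return [
        lookup[record["subject_token"]]
        | {k: v for k, v in record.items() if k != "subject_token"}
        for record in pseudonymised_records
    ]


if __name__ == "__main__":
    pseudo, table = pseudonymise(SAMPLE_RECORDS, DEMO_KEY)
    print("identifiers left:", contains_direct_identifiers(pseudo))
    print("totals per token:", total_per_subject(pseudo))
    print("re-identified:", reidentify(pseudo, table))
```

The split between `pseudonymise` and `reidentify` mirrors the organisational measure the definition asks for: the dataset handed to analysts carries only tokens, while the key and lookup table sit with a separate function and, in a real system, a separate store and a separate set of people.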
(11.2) Principles of data protection
The data protection principles are listed in Article 5 GDPR. These principles are cumulative. When engaging in any data processing activities, a controller and processor must follow all of these principles.
Article 5 GDPR – Principles relating to processing of personal data
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
A more detailed explanation of each of these principles can be found in Recital 39 GDPR. Below, we break down the content of this recital to explain each principle directly. Furthermore, these principles are elaborated further in the rights of data subjects and the obligations of controllers and processors, which are discussed in the following chapter.
The principle of fairness, lawfulness and transparency – Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.
The principle of purpose limitation – In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data.
The principle of data minimisation – The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
The principle of storage limitation – This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
The principle of accuracy – Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted.
The principle of integrity and confidentiality (security) – Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
The application of the abovementioned principles is mandatory and cumulative: each must be applied simultaneously with the rest. These principles serve as the backbone of the GDPR, ensuring that controllers handle personal data in a respectful, lawful and secure manner. Non-compliance can result in significant penalties but also in reputational damage.
Article 5(2) GDPR, which prescribes the principle of accountability, makes clear that the burden of proving compliance with the principles of data processing rests with the controller, not with the data subject.
(11.3) Legal grounds for lawful processing of personal data
For the lawful processing of personal data, Article 6 GDPR lists (and thus exhausts) all the possible legal grounds.
Article 6 GDPR – Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The lawful grounds for processing personal data are not cumulative. The controller needs to justify the processing of the data on the basis of one of these grounds.
Consent is the first ground for processing personal data, but it is not the strongest one. According to the EDPB guidelines:
[…] consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful. […]
It is important to distinguish simple consent, required under Article 6 GDPR, from explicit consent, required under Article 9(2)(a) GDPR. To better understand the meaning of simple consent in the framework of data processing activities, one needs to read together:
- the definition of ‘consent’ in article 4(11) GDPR
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- the conditions for consent provided in article 7 GDPR as well as in article 8 when the data subject is a minor that benefits from information society services
Article 7 GDPR – Conditions for consent
- Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
- The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
- When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Article 8 GDPR – Conditions applicable to child’s consent in relation to information society services
- Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
- The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
- Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
- and the case law of the CJEU
Case C‑673/17 Planet49 EU:C:2019:801
Relevant facts and legal question
The case concerned a promotional lottery organised by Planet49 on a website. Internet users wishing to take part in that lottery were required to enter their names and addresses on a web page with checkboxes. The checkbox authorising the installation of cookies contained a preselected tick.
The request for a preliminary ruling concerned the concept of consent.
Court’s interpretation
[51] Article 2(h) of Directive 95/46 defines ‘the data subject’s consent’ as being ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.
….
[54] In particular, Article 7(a) of Directive 95/46 provides that the data subject’s consent may make such processing lawful provided that the data subject has given his or her consent ‘unambiguously’. Only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement.
[55] In that regard, it would appear impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox nor, in any event, whether that consent had been informed. It is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited.
….
[62] Active consent is thus now expressly laid down in Regulation 2016/679. It should be noted in that regard that, according to recital 32 thereof, giving consent could include ticking a box when visiting an internet website. On the other hand, that recital expressly precludes ‘silence, pre-ticked boxes or inactivity’ from constituting consent.
Case C‑61/19 Orange România EU:C:2020:901
Relevant facts and question before the court
Orange România had concluded contracts in writing for the provision of mobile telecommunications services with individuals, and copies of those persons’ identity documents were annexed to those contracts. Orange România had not proven that the customers whose identity documents had been copied and annexed to their contracts had given their valid consent to the collection and storage of copies of their identity documents.
The CJEU was asked, in essence, to clarify the concepts of specific, informed and freely given consent.
The Court’s interpretation
[39] In that regard, the first sentence of Article 7(2) of that regulation states that if the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent is to be presented in a manner which is clearly distinguishable from the other matters. In particular, it is apparent from that provision, read in conjunction with recital 42 of that regulation, that such a declaration must be presented in an intelligible and easily accessible form, using clear and plain language, in particular where it concerns a declaration of consent which is to be pre-formulated by the controller of personal data.
[40] As regards the requirement arising from Article 2(h) of Directive 95/46 and Article 4(11) of Regulation 2016/679 that consent must be ‘informed’, that requirement implies, in accordance with Article 10 of that directive, read in the light of recital 38 thereof, and with Article 13 of that regulation, read in the light of recital 42 thereof, that the controller is to provide the data subject with information relating to all the circumstances surrounding the data processing, in an intelligible and easily accessible form, using clear and plain language, allowing the data subject to be aware of, inter alia, the type of data to be processed, the identity of the controller, the period and procedures for that processing and the purposes of the processing. Such information must enable the data subject to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed.
….
[46] Since, according to the information in the request for a preliminary ruling, the customers concerned do not appear to have themselves ticked the box relating to that clause, the mere fact that that box was ticked is not such as to establish a positive indication of those customers’ consent to a copy of their identity card being collected and stored. As the Advocate General observed in point 45 of his Opinion, the fact that those customers signed the contracts containing the ticked box does not, on its own, prove such consent, in the absence of any indications confirming that that clause was actually read and digested. It is for the referring court to carry out the necessary investigations to that end.
….
[52] In the light of the foregoing considerations, the answer to the questions referred is that Article 2(h) and Article 7(a) of Directive 95/46 and Article 4(11) and Article 6(1)(a) of Regulation 2016/679 must be interpreted as meaning that it is for the data controller to demonstrate that the data subject has, by active behaviour, given his or her consent to the processing of his or her personal data and that he or she has obtained, beforehand, information relating to all the circumstances surrounding that processing, in an intelligible and easily accessible form, using clear and plain language, allowing that person easily to understand the consequences of that consent, so that it is given with full knowledge of the facts. A contract for the provision of telecommunications services which contains a clause stating that the data subject has been informed of, and has consented to, the collection and storage of a copy of his or her identity document for identification purposes is not such as to demonstrate that that person has validly given his or her consent, as provided for in those provisions, to that collection and storage, where
- the box referring to that clause has been ticked by the data controller before the contract was signed, or where
- the terms of that contract are capable of misleading the data subject as to the possibility of concluding the contract in question even if he or she refuses to consent to the processing of his or her data, or where
- the freedom to choose to object to that collection and storage is unduly affected by that controller in requiring that the data subject, in order to refuse consent, must complete an additional form setting out that refusal.
Case C-129/21 Proximus EU:C:2022:833
Relevant facts and legal question
Proximus, a Belgian provider of telephone directories, had received the address data of a data subject from another company, which in turn had received the data from the data subject on the basis of consent. The data subject’s consent authorised the disclosure of the data to third parties such as Proximus.
The data subject had then contacted Proximus and requested that his address not be displayed in their directories as well as in the directories of Proximus’ partners. However, after the data subject’s request had been complied with, the data subject’s address reappeared in the Proximus directory due to a “data update” by the company that had originally submitted the data subject’s address to Proximus.
Upon a second request from the data subject, Proximus deleted the data again and informed the data subject that it had forwarded the request to all third parties who had received the data subject’s data from Proximus.
One of the four legal questions concerned the obligations of a controller when a data subject withdraws consent or asks for the data to be erased on the basis of the right to be forgotten.
Court’s reasoning
[96] Accordingly, in circumstances such as those at issue in the main proceedings, it must be concluded that a controller such as Proximus is required, under Article 17(2) of the GDPR, to ensure that reasonable steps are taken to inform search engine providers of the request addressed to it by the subscriber of a telephone service operator for erasure of his or her personal data. However, as the Advocate General observed in point 76 of his Opinion, in order to assess the reasonableness of the steps taken by the provider of directories, Article 17(2) of the GDPR provides that the available technology and the cost of implementation must be taken into account, a task that falls primarily upon the authority competent for such matters, subject to judicial review.
….
[99] In the light of the foregoing considerations, the answer to the fourth question is that Article 17(2) of the GDPR must be interpreted as not precluding a national supervisory authority from ordering a provider of directories – which has been requested by the subscriber of a telephone service operator to cease disclosing personal data relating to him or her – to take ‘reasonable steps’, within the meaning of that provision, to inform search engine providers of that request for erasure of the data.
It is important not to confuse ‘consent’ with the lawful ground of article 6(1)(b): ‘processing is necessary for the performance of a contract’. For the EDPB, a controller can rely on article 6(1)(b) to process personal data when it can establish both that: “the processing takes place in the context of a valid contract with the data subject and that processing is necessary in order that the particular contract with the data subject can be performed. Where controllers cannot demonstrate that (a) a contract exists, (b) the contract is valid pursuant to applicable national contract laws, and (c) that the processing is objectively necessary for the performance of the contract, the controller should consider another legal basis for processing.”
Case C-252/21 Meta Platforms Inc and Others v Bundeskartellamt EU:C:2023:537
Relevant facts
The business model of the social network Facebook, owned by Meta, is based on financing through online advertising, which is tailored to its individual users. That advertising is made possible in technical terms by the automated production of detailed profiles in respect of the network users and the users of the online services offered at the level of the Meta group. In order to be able to use that social network, when they register, users must accept the general terms drawn up by Meta Platforms, which refer to the data and cookies policies set by that company. Under those policies, in addition to the data which those users provide directly when they register, Meta Platforms also collects data about user activities on and off the social network and links the data with the Facebook accounts of the users concerned.
Relevant legal question
The referring court asks, in essence, whether and under what conditions point (b) of the first subparagraph of Article 6(1) of the GDPR must be interpreted as meaning that the processing of personal data by the operator of an online social network, may be considered to be necessary for the performance of a contract to which the data subjects are party.
Court’s reasoning
[42] Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. … For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
[43] In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
….
[125] In the light of all the foregoing, the answer to Questions 3 and 4 is that point (b) of the first subparagraph of Article 6(1) of the GDPR must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, can be regarded as necessary for the performance of a contract to which the data subjects are party, within the meaning of that provision, only on condition that the processing is objectively indispensable for a purpose that is integral to the contractual obligation intended for those users, such that the main subject matter of the contract cannot be achieved if that processing does not occur.
When the lawful ground of Article 6(1)(f) GDPR is used for processing personal data, one must balance the legitimate interests pursued by the controller against the fundamental rights and freedoms of the data subject which require the protection of his or her personal data. Such a balancing exercise can be expected to be complex and dynamic. While the EDPB was initially strict in its interpretation, it currently seems to be more lenient, especially with regard to data scraping for the training of AI technology.
Case C‑708/18 Asociaţia de Proprietari bloc M5A-ScaraA EU:C:2019:1064
Relevant facts
TK lives in an apartment which he owns, located in the building M5A. At the request of certain co-owners of that building, the association of co-owners adopted, at a general assembly, a decision approving the installation of video surveillance cameras in that building. TK objected to that video surveillance system being installed, on the ground that it constituted an infringement of the right to respect for private life. The association of co-owners stated that the decision to install a video surveillance system had been taken in order to monitor as effectively as possible who enters and leaves the building, since the lift had been vandalised on many occasions and there had been burglaries and thefts in several apartments and the common parts. Other measures had proved ineffective.
Court’s reasoning
[40] In that regard, Article 7(f) of Directive 95/46 lays down three cumulative conditions in order for the processing of personal data to be lawful, namely, first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; secondly, the need to process personal data for the purposes of the legitimate interests pursued; and thirdly, that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence over the legitimate interest pursued.
[41] It must be stated that Article 7(f) of Directive 95/46 does not require the data subject’s consent. Such consent, as a condition to which the processing of personal data is made subject, appears, however, only in Article 7(a) of that directive.
[42] In the present case, the objective which the controller essentially seeks to achieve when he or she installs a video surveillance system such as that at issue in the main proceedings, namely protecting the property, health and life of the co-owners of a building, is likely to be characterised as a ‘legitimate interest’, within the meaning of Article 7(f) of Directive 95/46. The first condition laid down in that provision appears, therefore, in principle, to be fulfilled.
Exercise
A small online bookstore uses customer purchase history to recommend similar books via email. Customers have not expressly consented to receive marketing emails, but the company believes that sending tailored recommendations improves customer satisfaction and supports its business model. The company includes an unsubscribe link in each email and ensures that data is not shared with third parties.
Can the company rely on Article 6(1)(f) (legitimate interests) as a legal basis for sending these recommendation emails? What factors should be considered in the balancing test between the company’s interest and the rights of the data subjects?
Exercise
A municipal housing office installs motion-activated CCTV cameras in the common areas of public housing buildings to deter vandalism and improve safety. The footage is retained for 30 days and accessed only if an incident is reported. The office does not request consent from tenants, and it does not rely on a specific legal obligation. Instead, it considers the surveillance to be in its legitimate interest, aiming to protect property and residents.
Can the housing office rely on Article 6(1)(f) (legitimate interests) as the legal basis for this processing? What legal or contextual factors might affect this assessment?
(11.4) The main actors
An effective data protection framework requires that there be clearly defined responsibilities for those involved in the processing of personal data. The GDPR establishes particular roles for key actors, most notably the data controller and the processor. Understanding their respective functions, duties and liabilities is essential for ensuring compliance. This section examines how the Regulation defines these roles and allocates responsibility within data processing activities, laying the groundwork for accountability and enforcement. How the breach of obligations affects the controller and processor will be discussed in Chapter 12.
(11.4.1) The role of the controller
The legal obligations of the controller when processing personal data can be found under Article 24 GDPR and they are as follows:
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
Recital 74 refers to the responsibility and liability of controllers in the context of the GDPR. It makes clear that the obligations of the data controller are not mere suggestions – they lead to liability for non-compliance. Furthermore, the data controller must not only show that appropriate measures have been implemented, but it must also be able to demonstrate that they are truly effective.
The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
The Regulation in its Article 25 suggests two types of data protection measures that a controller must implement – data protection by design and data protection by default.
Article 25 GDPR – Data protection by design and by default
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
The GDPR also regulates the possibility of two or more controllers working jointly and thus being jointly liable for any GDPR infringements.
Article 26 GDPR – Joint controllers
1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.
The CJEU has further clarified the concept of joint controllers.
Case C-210/16 Wirtschaftsakademie Schleswig-Holstein EU:C:2018:388
Relevant facts:
Wirtschaftsakademie offers educational services by means of a fan page hosted on Facebook. Fan pages are user accounts that can be set up on Facebook by individuals or businesses. To do so, the author of the fan page, after registering with Facebook, can use the platform designed by Facebook to introduce himself to the users of that social network and to persons visiting the fan page, and to post any kind of communication in the media and opinion market. Administrators of fan pages can obtain anonymous statistical information on visitors to the fan pages via a function called ‘Facebook Insights’ which Facebook makes available to them free of charge under non-negotiable conditions of use. That information is collected by means of evidence files (‘cookies’), each containing a unique user code, which are active for two years and are stored by Facebook on the hard disk of the computer or on other media of visitors to fan pages. The user code, which can be matched with the connection data of users registered on Facebook, is collected and processed when the fan pages are opened. According to the order for reference, neither Wirtschaftsakademie nor Facebook Ireland Ltd notified the storage and functioning of the cookie or the subsequent processing of the data, at least during the material period for the main proceedings.
Court’s reasoning
[35] While the mere fact of making use of a social network such as Facebook does not make a Facebook user a controller jointly responsible for the processing of personal data by that network, it must be stated, on the other hand, that the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.
[36] In this context, according to the submissions made to the Court, the creation of a fan page on Facebook involves the definition of parameters by the administrator, depending inter alia on the target audience and the objectives of managing and promoting its activities, which has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page. The administrator may, with the help of filters made available by Facebook, define the criteria in accordance with which the statistics are to be drawn up and even designate the categories of persons whose personal data is to be made use of by Facebook. Consequently, the administrator of a fan page hosted on Facebook contributes to the processing of the personal data of visitors to its page.
[37] In particular, the administrator of the fan page can ask for — and thereby request the processing of — demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organise events, and more generally enable it to target best the information it offers.
….
[39] In those circumstances, the administrator of a fan page hosted on Facebook, such as Wirtschaftsakademie, must be regarded as taking part, by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing the personal data of the visitors to its fan page. The administrator must therefore be categorised, in the present case, as a controller responsible for that processing within the European Union, jointly with Facebook Ireland, within the meaning of Article 2(d) of Directive 95/46.
(11.4.2) The role of the processor
As already seen from the list of definitions in Article 4 GDPR, the Regulation distinguishes between a controller (Article 4(7) GDPR) and a processor (Article 4(8) GDPR). While the controller (natural or legal person) is the one that determines the purposes and means of the processing of personal data, the processor is the one (natural or legal person) that processes the data on behalf of the controller. In practice, the two roles often overlap and are held by the same entity. Indeed, other jurisdictions that have introduced data protection laws inspired by the GDPR do not always distinguish between these two actors but use umbrella terms such as ‘data handlers’ or ‘entrusted parties’.
The distinction between the two actors in the GDPR framework is mirrored in the distinct responsibilities that they have when processing personal data.
Article 28 GDPR – Processor
1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32;
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions […]
Thus, according to the GDPR provisions, the processor operates under clear and strict guidance from the controller. If the processor decides by itself the purposes and means of processing, then it is considered a controller for that specific processing activity.
Article 28(10) GDPR – Processor
Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.
Article 29 GDPR – Processing under the authority of the controller or processor
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
The complicated relationship between controller and processor with regard to operators of search engines was clarified by the CJEU in the Google Spain case. While Google originally claimed that search engines qualify only as processors of information that other controllers have made available on the internet, the CJEU reasoned that search engine operators qualify as processors and controllers at the same time. This is important since the GDPR places most of the responsibilities on controllers and not on processors.
Case C‑131/12 Google Spain EU:C:2014:317
[22] According to Google Spain and Google Inc., the activity of search engines cannot be regarded as processing of the data which appear on third parties’ web pages displayed in the list of search results, given that search engines process all the information available on the internet without effecting a selection between personal data and other information. Furthermore, even if that activity must be classified as ‘data processing’, the operator of a search engine cannot be regarded as a ‘controller’ in respect of that processing since it has no knowledge of those data and does not exercise control over the data.
[23] On the other hand, Mr Costeja González, the Spanish, Italian, Austrian and Polish Governments and the European Commission consider that that activity quite clearly involves ‘data processing’ within the meaning of Directive 95/46, which is distinct from the data processing by the publishers of websites and pursues different objectives from such processing. The operator of a search engine is the ‘controller’ in respect of the data processing carried out by it since it is the operator that determines the purposes and means of that processing […]
….
[26] As regards in particular the internet, the Court has already had occasion to state that the operation of loading personal data on an internet page must be considered to be such ‘processing’ within the meaning of Article 2(b) of Directive 95/46 (see Case C-101/01 Lindqvist EU:C:2003:596, paragraph 25).
[27] So far as concerns the activity at issue in the main proceedings, it is not contested that the data found, indexed and stored by search engines and made available to their users include information relating to identified or identifiable natural persons and thus ‘personal data’ within the meaning of Article 2(a) of that directive.
[28] Therefore, it must be found that, in exploring the internet automatically, constantly and systematically in search of the information which is published there, the operator of a search engine ‘collects’ such data which it subsequently ‘retrieves’, ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results. As those operations are referred to expressly and unconditionally in Article 2(b) of Directive 95/46, they must be classified as ‘processing’ within the meaning of that provision, regardless of the fact that the operator of the search engine also carries out the same operations in respect of other types of information and does not distinguish between the latter and the personal data […]
[33] It is the search engine operator which determines the purposes and means of that activity and thus of the processing of personal data that it itself carries out within the framework of that activity and which must, consequently, be regarded as the ‘controller’ in respect of that processing pursuant to Article 2(d).
[34] Furthermore, it would be contrary not only to the clear wording of that provision but also to its objective — which is to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects — to exclude the operator of a search engine from that definition on the ground that it does not exercise control over the personal data published on the web pages of third parties. […]
….
[41] It follows from all the foregoing considerations that the answer to Question 2(a) and (b) is that Article 2(b) and (d) of Directive 95/46 are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).
Brainstorming exercise
Your social media account does not have any privacy filters. You often publish pictures that show your student life. In these pictures you are sometimes alone and sometimes together with others. According to the GDPR, you qualify as:
a. controller
b. processor
c. data subject
d. none of the above