The Article 29 Data Protection Working Party shows us the way; interpretation of the concepts of controller and processor
In 2001 the Dutch Personal Data Protection Act (Wet
bescherming persoonsgegevens, "Wbp") came into effect. The Wbp
contains the legal framework for the processing of personal data,
and is the implementation of the European Directive on the
protection of individuals with regard to the processing of personal
data and on the free movement of that data, 95/46/EC (the
"Directive"). Like the Directive, the provisions of the Wbp
have been formulated in as technology-neutral a manner as possible,
so that rapid technological developments do not stand in the way of
interpreting these rules. Yet in the almost ten years that the Wbp
has been in effect, it has become apparent that, despite this
neutral formulation, current technological developments often still
make it hard to determine which party is the controller or how the
relationship between the parties should be qualified.
In practice, this entails a great risk. If it is not clear which
party has to meet the obligations, there is a chance that none of
the parties will do so, and if the statutory regulation is not
complied with, the intended protection is not achieved. In order to
reduce this risk, the advisory body of the
European Commission with respect to the implementation of the
Privacy Directive, i.e. the Article 29 Data Protection Working
Party ("Working Party"), published its opinion 1/2010 on the
concepts of "controller" and "processor" ("Opinion") on 16 February
2010. In the Opinion, the Working Party explains and defines two
key concepts in the Directive and the Wbp, the "controller" and
"processor".
First of all, the concept of controller. The concept of
controller has been included in Section 1 sub d of the Wbp and
reads as follows: "the controller is the natural person, legal
person, or the administrative body that, or any other entity which,
alone or in conjunction with others, determines the purpose of and
means for processing personal data".
Clarity is of the essence with respect to this concept since
almost all obligations arising from the Wbp are placed on the party
qualifying as the controller. For instance, the location of the
controller determines which national law applies to the processing
of the personal data (Section 4 of the Wbp). In addition, the
obligations included in the first sections of the Wbp are explicitly
attributed to the controller (Section 15 of the Wbp), and it is the
controller who is responsible for careful compliance with the legal
obligations. Nor is it only compliance with these general
obligations that falls under the responsibility of the controller:
the obligations with respect to notifying the processing and any
prior investigation are vested in the controller as well. It is also
the controller who, in principle, is liable for any loss suffered as
a result of processing of the personal data without due care.
In its Opinion, the Working Party distinguishes three elements in
the definition. Together, these three elements determine whether a
party qualifies as controller. The first element relates to the last
part of the definition of controller: which party determines the
purpose of and the means for the processing of personal data. This
requires a factual analysis of the situation, not merely a
determination in a formal legal sense. The Working Party indicates
that the controller can be identified on various grounds. For
instance, there may be an explicit legal basis, but control may also
arise from a functional division of roles between the parties, which
is governed by, for example, civil law or employment law. Where
neither of these grounds is present, who the controller is may be
determined by analysing the contractual relationship between the
parties. A division of roles between controller and processor in a
contract is a clue in this respect, but it will not always be
decisive, because the factual circumstances play an important role.
This became clear in the SWIFT case. The contract stated clearly
which of the parties was the controller and which the processor.
Nevertheless the Working Party reached the opinion that SWIFT
qualified as controller, although it was the processor by contract,
since it independently decided on the transfer of personal data.
According to the Working Party, when it is plausible that the
contractual agreements are a good reflection of reality, the
contract can indeed serve as the basis. In the event of such
agreements, the Working Party advises that a controller checks
whether the processor keeps to its instructions and does not de
facto assume more authority than it was granted.
The next distinguishable element of the definition is the part
that determines what or who the controller may be: the natural
person, the legal person or the administrative body. This is
certainly an important element for larger organizations. It is
important for acts in the framework of the processing of personal
data that when a natural person acts, this person has the authority
to do so on behalf of the legal person or the administrative body.
In addition, it is important that the acts fit into the framework
of the processing. There is a risk that the natural person himself
qualifies as controller at the moment when the acts performed do
not fall within this framework or when the person is not authorized
to act on behalf of the legal person or the administrative body. As
a consequence, all obligations with regard to this processing lie
with the natural person.
As the last element the Working Party indicates that there may
be various forms of responsibility. Examples are collective
responsibility, but also responsibility of participating parties
where each party is responsible for its own part of the processing.
There are various possibilities, each with its own corresponding
form of liability. It is important, especially in complex processes,
that the relationships between the parties are set out clearly and
that the parties agree clearly among themselves who is responsible
for which part of the processing of personal data.
With respect to the processor the Working Party observes that
whether a party qualifies as processor depends on the actual work
that is performed in a specific case for the benefit of a
controller.
This Opinion offers a guideline for the interpretation of
privacy regulations in a society that is constantly subject to
technological changes. It remains a complicated puzzle to qualify
all parties in the correct manner and also to set out these
qualifications in a correct manner, but this Opinion of the Working
Party points us in the right direction.