Skip to main content

Advertisement

SpringerLink
Log in

The data protection concepts of ‘controller’, ‘processor’ and ‘joint controllership’ under Regulation (EU) 2018/1725

  • Article
  • Published:
ERA Forum Aims and scope

Abstract

Following the entry into force of the General Data Protection Regulation (GDPR) and Regulation (EU) 2018/1725, multiple questions were raised in relation to the novelties introduced to the concepts of ‘controller’, ‘processor’ and ‘joint controllership’ and their roles in the processing of personal data. The purpose of the article is to summarise such novelties in the context of Regulation (EU) 2018/1725, with a particular focus on the concept of ‘joint controllership’ as interpreted by the Court of Justice of the European Union (CJEU).

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

Notes

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [2016] OJ 2016 L 119 [14].

  2. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [2018] OJ L 295 [15].

  3. See Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388, para. 40 [3] and Opinion of Advocate General Bot in case C-210/16, Wirtschaftsakademie, paras. 64 and 65 [12]. Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV ECLI:EU:C:2019:629 paras. 78-81 [5] and Opinion of Advocate General Bobek in case C-40/17, Fashion ID, paras. 68-70 [11].

  4. European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on 2 September 2020 (version for public consultation), pp. 13-15 [8]. See also Article 29 Working Party, Opinion 1/2010 on the concepts of “controller” and “processor”, 16 February 2010, 00264/10/EN WP 169 [1].

  5. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [2018] OJ L 295, Art. 4(2) [15].

  6. Case C-131/12 Google Spain SL e Google Inc. v Agencia Española de Protección de Datos (AEPD) e Mario Costeja González ECLI:EU:C:2014:317 para. 34 [2]. See also Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388, paras. 27-28 [3] and Case C-25/17 Jehovan todistajat ECLI:EU:C:2018:551, para. 66 [4].

  7. Consolidated version of the Treaty on the Functioning of the European Union, [2012] OJ C 326/01 [6].

  8. European Data Protection Supervisor (EDPS), EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725, 7.11.2019, p. 15 [9].

  9. Ibid, p. 18 [9].

  10. Ibid, pp. 18 and 19 [9].

  11. Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8, 12.1.2001 [13].

  12. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995 [7].

  13. See Case C-40/17 Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV ECLI:EU:C:2019:629 [5]. See also European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on 2 September 2020 (version for public consultation), paras. 51-53 [8].

  14. Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388, para. 38 [3]. Case C-25/17 Jehovan todistajat ECLI:EU:C:2018:551, paras. 69 and 75 [4]. This has been reiterated in Case C-40/17 Fashion ID & Co KG v Verbraucherzentrale NRW eV ECLI:EU:C:2019:629 [5].

  15. Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, ECLI:EU:C:2018:388, para. 43 [3]; Case C-25/17 Jehovan todistajat ECLI:EU:C:2018:551, para. 66 [4]; Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW Ev ECLI:EU:C:2019:629, paras. 70 and 85 [5].

  16. European Data Protection Supervisor (EDPS), EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725, 7.11.2019, p. 27 [9].

  17. European Data Protection Supervisor (EDPS), EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725, 7.11.2019, p. 30 [9].

  18. Ibid, p. 31 [9].

  19. Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388, para. 39 [3].

  20. Ibid, paras 36 and 39 [3].

  21. Ibid, para. 37 [3].

  22. Ibid, para. 40 [3].

  23. Ibid, para. 38 [3].

  24. Ibid, para. 43 [3].

  25. Mahieu R. and van Hoboken J., ‘Fashion-ID: Introducing a Phase oriented Approach to Data Protection?’ (European Law Blog, 30 September 2019), accessed on 21.08.2020, para. 9 [10].

  26. Case C-25/17 Jehovan todistajat ECLI:EU:C:2018:551, para. 62 [4].

  27. Ibid, paras. 23 and 65 [4].

  28. Ibid, para. 66 [4].

  29. Ibid, para. 75 [4].

  30. Ibid, para. 69 [4].

  31. Ibid, para. 68 [4].

  32. Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW Ev ECLI:EU:C:2019:629, para. 76 [5].

  33. Ibid, para. 76 [5].

  34. Ibid, para. 80 [5].

  35. Ibid, paras. 101 and 106 [5].

References

  1. Article 29 Working Party, Opinion 1/2010 on the concepts of “controller” and “processor”, 16.02.2010, 00264/10/EN WP 169. https://www.pdpjournals.com/docs/88016.pdf

  2. Case C-131/12 Google Spain SL e Google Inc. v Agencia Española de Protección de Datos (AEPD) e Mario Costeja González ECLI:EU:C:2014:317

  3. Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388

  4. Case C-25/17 Jehovan todistajat ECLI:EU:C:2018:551

  5. Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV ECLI:EU:C:2019:629

  6. Consolidated version of the Treaty on the Functioning of the European Union, [2012] OJ C 326/01

  7. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995

  8. European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02.09.2020 (version for public consultation). https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf

  9. European Data Protection Supervisor (EDPS), EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725, 7.11.2019. https://edps.europa.eu/sites/edp/files/publication/19-11-07_edps_guidelines_on_controller_processor_and_jc_reg_2018_1725_en.pdf

  10. Mahieu, R., van Hoboken, J.: Fashion-ID: Introducing a Phase oriented Approach to Data Protection? European Law Blog, 30 September 2019. https://europeanlawblog.eu/2019/09/30/fashion-id-introducing-a-phase-oriented-approach-to-data-protection/

  11. Opinion of Advocate General Bobek in case C-40/17, Fashion ID

  12. Opinion of Advocate General Bot in case C-210/16, Wirtschaftsakademie

  13. Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8, 12.1.2001

  14. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [2016] OJ 2016 L 119

  15. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [2018] OJ L 295

Download references

Author information

Authors and Affiliations

  1. LL.M. in European Law at Leiden University, Leiden, The Netherlands

    Veronique Cimina

  2. Legal Officer at the European Data Protection Supervisor (EDPS), Brussels, Belgium

    Veronique Cimina

Authors
  1. Veronique Cimina
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Veronique Cimina.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

The views expressed are personal.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Cimina, V. The data protection concepts of ‘controller’, ‘processor’ and ‘joint controllership’ under Regulation (EU) 2018/1725. ERA Forum 21, 639–654 (2021). https://doi.org/10.1007/s12027-020-00632-8

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s12027-020-00632-8

Keywords

Search

Navigation