Abstract
Following the entry into force of the General Data Protection Regulation (GDPR) and Regulation (EU) 2018/1725, multiple questions were raised in relation to the novelties introduced to the concepts of ‘controller’, ‘processor’ and ‘joint controllership’ and their roles in the processing of personal data. The purpose of the article is to summarise such novelties in the context of Regulation (EU) 2018/1725, with a particular focus on the concept of ‘joint controllership’ as interpreted by the Court of Justice of the European Union (CJEU).
Similar content being viewed by others
Notes
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [2016] OJ 2016 L 119 [14].
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [2018] OJ L 295 [15].
See Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388, para. 40 [3] and Opinion of Advocate General Bot in case C-210/16, Wirtschaftsakademie, paras. 64 and 65 [12]. Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV ECLI:EU:C:2019:629 paras. 78-81 [5] and Opinion of Advocate General Bobek in case C-40/17, Fashion ID, paras. 68-70 [11].
European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on 2 September 2020 (version for public consultation), pp. 13-15 [8]. See also Article 29 Working Party, Opinion 1/2010 on the concepts of “controller” and “processor”, 16 February 2010, 00264/10/EN WP 169 [1].
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [2018] OJ L 295, Art. 4(2) [15].
Case C-131/12 Google Spain SL e Google Inc. v Agencia Española de Protección de Datos (AEPD) e Mario Costeja González ECLI:EU:C:2014:317 para. 34 [2]. See also Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388, paras. 27-28 [3] and Case C-25/17 Jehovan todistajat ECLI:EU:C:2018:551, para. 66 [4].
Consolidated version of the Treaty on the Functioning of the European Union, [2012] OJ C 326/01 [6].
European Data Protection Supervisor (EDPS), EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725, 7.11.2019, p. 15 [9].
Ibid, p. 18 [9].
Ibid, pp. 18 and 19 [9].
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8, 12.1.2001 [13].
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995 [7].
Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388, para. 38 [3]. Case C-25/17 Jehovan todistajat ECLI:EU:C:2018:551, paras. 69 and 75 [4]. This has been reiterated in Case C-40/17 Fashion ID & Co KG v Verbraucherzentrale NRW eV ECLI:EU:C:2019:629 [5].
Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, ECLI:EU:C:2018:388, para. 43 [3]; Case C-25/17 Jehovan todistajat ECLI:EU:C:2018:551, para. 66 [4]; Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW Ev ECLI:EU:C:2019:629, paras. 70 and 85 [5].
European Data Protection Supervisor (EDPS), EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725, 7.11.2019, p. 27 [9].
European Data Protection Supervisor (EDPS), EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725, 7.11.2019, p. 30 [9].
Ibid, p. 31 [9].
Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388, para. 39 [3].
Ibid, paras 36 and 39 [3].
Ibid, para. 37 [3].
Ibid, para. 40 [3].
Ibid, para. 38 [3].
Ibid, para. 43 [3].
Mahieu R. and van Hoboken J., ‘Fashion-ID: Introducing a Phase oriented Approach to Data Protection?’ (European Law Blog, 30 September 2019), accessed on 21.08.2020, para. 9 [10].
Case C-25/17 Jehovan todistajat ECLI:EU:C:2018:551, para. 62 [4].
Ibid, paras. 23 and 65 [4].
Ibid, para. 66 [4].
Ibid, para. 75 [4].
Ibid, para. 69 [4].
Ibid, para. 68 [4].
Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW Ev ECLI:EU:C:2019:629, para. 76 [5].
Ibid, para. 76 [5].
Ibid, para. 80 [5].
Ibid, paras. 101 and 106 [5].
References
Article 29 Working Party, Opinion 1/2010 on the concepts of “controller” and “processor”, 16.02.2010, 00264/10/EN WP 169. https://www.pdpjournals.com/docs/88016.pdf
Case C-131/12 Google Spain SL e Google Inc. v Agencia Española de Protección de Datos (AEPD) e Mario Costeja González ECLI:EU:C:2014:317
Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388
Case C-25/17 Jehovan todistajat ECLI:EU:C:2018:551
Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV ECLI:EU:C:2019:629
Consolidated version of the Treaty on the Functioning of the European Union, [2012] OJ C 326/01
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995
European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02.09.2020 (version for public consultation). https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf
European Data Protection Supervisor (EDPS), EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725, 7.11.2019. https://edps.europa.eu/sites/edp/files/publication/19-11-07_edps_guidelines_on_controller_processor_and_jc_reg_2018_1725_en.pdf
Mahieu, R., van Hoboken, J.: Fashion-ID: Introducing a Phase oriented Approach to Data Protection? European Law Blog, 30 September 2019. https://europeanlawblog.eu/2019/09/30/fashion-id-introducing-a-phase-oriented-approach-to-data-protection/
Opinion of Advocate General Bobek in case C-40/17, Fashion ID
Opinion of Advocate General Bot in case C-210/16, Wirtschaftsakademie
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8, 12.1.2001
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [2016] OJ 2016 L 119
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [2018] OJ L 295
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
The views expressed are personal.
Rights and permissions
About this article
Cite this article
Cimina, V. The data protection concepts of ‘controller’, ‘processor’ and ‘joint controllership’ under Regulation (EU) 2018/1725. ERA Forum 21, 639–654 (2021). https://doi.org/10.1007/s12027-020-00632-8
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12027-020-00632-8