« US-CISAが連邦機関に対する脆弱性情報の開示方針を発表していましたね。。。 | Main | 欧州データ保護委員会 (EDPB)が「ソーシャルメディアユーザーのターゲティングに関するガイドライン」について意見募集をしていますね。。。 »


欧州データ保護委員会 (EDPB)が「GPDRにおけるコントローラとプロセッサーの概念に関するガイドライン」について意見募集をしていますね。。。



・2020.09.05 欧州データ保護委員会 (EDPB) 第37回総会でコントローラ・プロセッサーに関するガイドライン、ソーシャルメディアユーザに関するガイドラインを可決したようですね、



European Data Protection Board (EDPB)

・2020.09.07 Guidelines 07/2020 on the concepts of controller and processor in the GDPR

・2020.09.02 [PDFGuidelines 07/2020 on the concepts of controller and processor in the GDPR Version 1.0










The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA).

The concepts of controller, joint controller and processor are functional concepts in that they aim to allocate responsibilities according to the actual roles of the parties and autonomous concepts in the sense that they should be interpreted mainly according to EU data protection law.



In principle, there is no limitation as to the type of entity that may assume the role of a controller but in practice it is usually the organisation as such, and not an individual within the organisation (such as the CEO, an employee or a member of the board), that acts as a controller.

A controller is a body that decides certain key elements of the processing. Controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case.

Certain processing activities can be seen as naturally attached to the role of an entity (an employer to employees, a publisher to subscribers or an association to its members). In many cases, the terms of a contract can help identify the controller, although they are not decisive in all circumstances.

A controller determines the purposes and means of the processing, i.e. the why and how of the processing. The controller must decide on both purposes and means. However, some more practical aspects of implementation (“non-essential means”) can be left to the processor. It is not necessary that the controller actually has access to the data that is being processed to be qualified as a controller.


Joint controllers

The qualification as joint controllers may arise where more than one actor is involved in the processing.

The GDPR introduces specific rules for joint controllers and sets a framework to govern their relationship. The overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing operation. Joint participation can take the form of a common decision taken by two or more entities or result from converging decisions by two or more entities, where the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing. An important criterion is that the processing would not be possible without both parties’ participation in the sense that the processing by each party is inseparable, i.e. inextricably linked. The joint participation needs to include the determination of purposes on the one hand and the determination of means on the other hand.



A processor is a natural or legal person, public authority, agency or another body, which processes personal data on behalf of the controller. Two basic conditions for qualifying as processor exist: that it is a separate entity in relation to the controller and that it processes personal data on the controller’s behalf.

The processor must not process the data otherwise than according to the controller’s instructions. The controller’s instructions may still leave a certain degree of discretion about how to best serve the controller’s interests, allowing the processor to choose the most suitable technical and organisational means. A processor infringes the GDPR, however, if it goes beyond the controller’s instructions and starts to determine its own purposes and means of the processing. The processor will then be considered a controller in respect of that processing and may be subject to sanctions for going beyond the controller’s instructions.


Relationship between controller and processor

A controller must only use processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR. Elements to be taken into account could be the processor’s expert knowledge (e.g. technical expertise with regard to security measures and data breaches); the processor’s reliability; the processor’s resources and the processor’s adherence to an approved code of conduct or certification mechanism.

Any processing of personal data by a processor must be governed by a contract or other legal act which shall be in writing, including in electronic form, and be binding. The controller and the processor may choose to negotiate their own contract including all the compulsory elements or to rely, in whole or in part, on standard contractual clauses.

The GDPR lists the elements that have to be set out in the processing agreement. The processing agreement should not, however, merely restate the provisions of the GDPR; rather, it should include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing that is the object of the processing agreement.


Relationship among joint controllers

Joint controllers shall in a transparent manner determine and agree on their respective responsibilities for compliance with the obligations under the GDPR. The determination of their respective responsibilities must in particular regard the exercise of data subjects’ rights and the duties to provide information. In addition to this, the distribution of responsibilities should cover other controller obligations such as regarding the general data protection principles, legal basis, security measures, data breach notification obligation, data protection impact assessments, the use of processors, third country transfers and contacts with data subjects and supervisory authorities.

Each joint controller has the duty to ensure that they have a legal basis for the processing and that the data are not further processed in a manner that is incompatible with the purposes for which they were originally collected by the controller sharing the data.

The legal form of the arrangement among joint controllers is not specified by the GDPR. For the sake of legal certainty, and in order to provide for transparency and accountability, the EDPB recommends that such arrangement be made in the form of a binding document such as a contract or other legal binding act under EU or Member State law to which the controllers are subject.

The arrangement shall duly reflect the respective roles and relationships of the joint controllers vis-à- vis the data subjects and the essence of the arrangement shall be made available to the data subject.

Irrespective of the terms of the arrangement, data subjects may exercise their rights in respect of and against each of the joint controllers. Supervisory authorities are not bound by the terms of the arrangement whether on the issue of the qualification of the parties as joint controllers or the designated contact point.


Table of contents






2.1 Definition of controller

 2.1.1 “Natural or legal person, public authority, agency or other body”
 2.1.2 “Determines”
 2.1.3 “Alone or jointly with others”
 2.1.4 “Purposes and means”
 2.1.5 “Of the processing of personal data”


3.1 Definition of joint controllers

3.2 Existence of joint controllership

 3.2.1 General considerationsz
 3.2.2 Assessment of joint participation





1.1 Choice of the processor

1.2 Form of the contract or other legal act

1.3 Content of the contract or other legal act

1.3.1 The processor must only process data on documented instructions from the controller (Art.28(3)(a) GDPR).

1.3.2 The processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).

1.3.3 The processor must take all the measures required pursuant to Article 32 (Art. 28(3)(c) GDPR).

1.3.4 The processor must respect the conditions referred to in Article 28(2) and 28(4) for engaging another processor (Art. 28(3)(d) GDPR).

1.3.5 The processor must assist the controller for the fulfilment of its obligation to respond to requests for exercising the data subject's rights (Article 28(3) (e) GDPR).

1.3.6 The processor must assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 (Art. 28(3)(f) GDPR).

1.3.7 On termination of the processing activities, the processor must, at the choice of the controller, delete or return all the personal data to the controller and delete existing copies (Art. 28(3)(g) GDPR).

1.3.8 The processor must make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (Art. 28(3)(h) GDPR).

1.4 Instructions infringing data protection law

1.5 Processor determining purposes and means of processing

1.6 Sub-processors


2.1 Determining in a transparent manner the respective responsibilities of joint controllers for compliance with the obligations under the GDPR

2.2 Allocation of responsibilities needs to be done by way of an arrangement

2.2.1 Form of the arrangement

2.2.2. Obligations towards data subjects

2.3 Obligations towards data protection authorities


« US-CISAが連邦機関に対する脆弱性情報の開示方針を発表していましたね。。。 | Main | 欧州データ保護委員会 (EDPB)が「ソーシャルメディアユーザーのターゲティングに関するガイドライン」について意見募集をしていますね。。。 »


Post a comment

(Not displayed with comment.)

Comments are moderated, and will not appear on this weblog until the author has approved them.

« US-CISAが連邦機関に対する脆弱性情報の開示方針を発表していましたね。。。 | Main | 欧州データ保護委員会 (EDPB)が「ソーシャルメディアユーザーのターゲティングに関するガイドライン」について意見募集をしていますね。。。 »