This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.”  CPW will be re-reposting a must-read four part series addressing the key concepts and issues covered.  This development matters for CPW readers as even if you are an entity doing business in the United States, if you collect any personal data of people in the EU and meet other criteria you are required to comply with the GDPR.

This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”).  In case you missed it, the first part is available here.  You can access the second part in the series here.  As the authors explain, “[a]lthough the draft Guidelines provide some additional clarity on the distinction between controllers and processors, there remain various uncertainties in the application of the criteria for determining these roles under the GDPR.  Evaluation continues to require a careful assessment of the relevant criteria and regulatory risks.  It is important to keep in mind that not every “service provider” will qualify as a data processor. Indeed, the regulatory approach proposed by the EDPB appears to continue the trend towards limiting the scope of the “processor” classification and categorizing data recipients that play a role in determining the purposes or essential means of the processing as joint controllers instead of processors.”