Yung Shin Van Der Sype and Wim Nauwelaerts of Alston & Bird write:
The European Data Protection Board (“EDPB”) has published draft guidelines on the concepts of controller and processor for public consultation. While its predecessor – the Article 29 Working Party – had issued guidance on the concepts of controller/processor (Opinion 1/2010, WP169) back in 2010, many practical concerns have been raised since the entry into force of the General Data Protection Regulation (“GDPR”). These concerns relate in particular to the substance and implications of the concept of joint controllership (in Article 26 GDPR) and the specific obligations imposed on processors (mainly in Article 28 GDPR). The new EDPB guidelines will replace the previous opinion of the Article 29 Working Party but are currently open for stakeholder feedback. Comments and suggestions on how to improve the guidelines can be provided to the EDPB by 19 October 2020 at the latest.
Read more on Privacy & Cybersecurity Blog.