Processor or (joint) controller: does the EDPB provide clarity?

January 14, 2021

The European privacy supervisors, united in the Data Protection Board (EDPB), have published new guidelines on the concepts of “controller” and “processor”. What’s new, what’s better and what’s missing? Vonne Laan and Eliëtte Vaal assessed this in their opinion for the Dutch scientific journal on internet law (Tijdschrift voor Internetrecht).

With the introduction of the GDPR, the relevance of the European privacy supervisors' interpretation of the concepts of “controller” and “processor” has been questioned repeatedly. Apart from the introduction of the GDPR, the concrete application of the concepts of controller and processor was in dire need of clarification, since the processing of personal data has become increasingly complicated during the last decade. The fact that the concepts seemed to be interpreted differently by the various supervisory authorities and by national and international judges did not help.


Did the EDPB succeed in its mission to provide clarity on the concepts in its new guidelines? Vonne Laan and Eliëtte Vaal put it to the test. Read their article in Tijdschrift voor Internetrecht here (link; in Dutch).