FiCom’s comments on the Guidelines 07/2020 on the concepts of controller and processor in the GDPR

To European Data Protection Board

The Finnish Federation for Communications and Teleinformatics (FiCom) is a lobbying organization for the ICT industry in Finland and looks after its interests. FiCom’s members (Cinia Oy, Cisco Systems Finland Oy, Digita Oy, DNA Oyj, Elisa Oyj, Oy L M Ericsson Ab, Finnet Association, Geomatikk Finland Oy, Google Finland Oy, HP Finland Oy, Maxisat concern, Microsoft Oy, Nestor Cables Oy, Rejlers Oy, Suomen Erillisverkot Oy, Teleste Oyj, and Telia Finland Oyj) are companies and other entities that operate in the ICT sector in Finland.

FiCom appreciates the opportunity to comment on the Guidelines and states the following:

Definition of recipient and relationship between two parallel controllers

The relationship between two parallel controllers has not been properly addressed in the Guidelines. In practice, only sections 88, 89, and 90 concerning the recipient deal with the issue, in particular chapter 90, which states that “third party recipient shall be considered a controller for any processing that it carries out for its own purpose(s) after it receives the data.” There should be more practical examples concerning this relationship.

Opinion 1/2010 on the concepts of “controller” and “processor” by the Article 29 Data Protection Working Party, which was adopted on 16 February 2010, has such an example. On page 11, the Opinion states the following:

“Example No. 1: Telecom operators. An interesting example of legal guidance to the private sector relates to the role of telecommunication operators: Recital 47 of Directive 95/46/EC clarifies that “where a message containing personal data is transmitted by means of a telecommunications or electronic mail service, the sole purpose of which is the transmission of such messages, the controller in respect of the personal data contained in the message will normally be considered to be the person from whom the message originates, rather than the person offering the transmission services; (…) nevertheless, those offering such services will normally be considered controllers in respect of the processing of the additional personal data necessary for the operation of the service”. The provider of telecommunications services should therefore, in principle, be considered controller only for traffic and billing data, and not for any data being transmitted. This legal guidance from the Community legislator is completely in line with the functional approach followed in this opinion.”

The WP29 example is not in conflict with the Guidelines, but including a similar example in the Guidelines would significantly clarify the situation and negotiations. This option should be considered.

Definition of processor

Another issue that calls for clarification and examples is accidental processing. The examples on pages 25 and 26 of the Guidelines hint that accidental processing of personal data does not necessarily result in being regarded as a processor, but this should be sharpened further with additional examples. This concerns especially situations where a consultant from a third country performs maintenance, e.g. a software update, remotely and exits the remote connection after performing the task in question. At no point is this third party processing personal data, nor is it intended to do so, as this is prohibited by contract, but it can still happen by accident. This should not result in being regarded as a processor.

Consequences of joint controllership

We also want to highlight the power imbalance and its impact when negotiating with, for example, big platform giants. An individual internet service provider has little to no control over how the parties determine and agree on their respective responsibilities for compliance with the obligations under the Regulation when negotiating with e.g. Facebook, but the consequences and responsibilities are currently exactly the same as in situations where the negotiations are balanced. This should be taken into consideration.