Journal article

Commentary on the EBF’s response to the EDPB’s guidelines on the concepts of controller and processor in the GDPR

Pages 22 to 26

Cite this article


  • Heirbrant, S. (2021). Commentary on the EBF’s response to the EDPB’s guidelines on the concepts of controller and processor in the GDPR. Pin Code, 7(1), 22-26. https://doi.org/10.3917/pinc.007.0022


English

On 7 September 2020, the European Data Protection Board published for public consultation its Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Like many other entities, the European Banking Federation took the opportunity to submit feedback on those guidelines. This contribution comments on the European Banking Federation’s response to the guidelines and addresses the main remarks it raises, without aiming to be exhaustive.


