On 7 July 2021, the European Data Protection Board (EDPB) adopted the final version of its guidelines 07/2021 on the concepts of controller and processor in the General Data Protection Regulation (GDPR) (Guidelines), following a period of public consultation regarding the first draft of the Guidelines (about which we reported in an earlier blogpost). As discussed below, the final Guidelines have considerable significance for the life sciences sector.

Another key GDPR development that is directly relevant for the life sciences sector and international transfers of personal health data (e.g., conduct of cross-border clinical trials) is the adoption of the new version of the standard contractual clauses (New SCCs) published by the European Commission (EC) on 4 June 2021. The second part of this blogpost outlines some key takeaways of the New SCCs. (We provide a more detailed analysis of the design, scope and main content of the New SCCs in our related advisory.)

EDPB Guidelines on the concept of controller and processor

The final Guidelines set forth key clarifications and illustrations on:

  • the definition of the core concepts of controller, joint controller, and processor under the GDPR;
  • the form and content of data processing agreements (DPA) between controllers and processors; and
  • the relationship between joint controllers.

The clarifications provided by the Guidelines make them a must-read handbook for life sciences companies that process personal data subject to the GDPR, especially in the context of complex data processing activities involving many parties (e.g., investigators, healthcare professionals, hospitals, CROs, patients).

As mentioned in our previous blogpost, the accurate identification of the controller and the processor is essential for allocating responsibilities under the GDPR and for ensuring the effective protection of data subjects. The EDPB Guidelines instruct that companies should determine their roles based on applicable legal provisions and/or by analysing the factual elements and circumstances of each data processing activity. The determination should reflect the nature of the personal data processing activities and their exact purpose.

In practice, a company may have various roles depending on the specific processing activity and purpose, even if it processes the same personal data when performing in those various roles. For instance, a medical device company could be considered as a processor when processing personal health data on behalf of a healthcare provider for the purpose of healthcare and treatment, while being a controller when processing the same data to meet its legal obligations as a medical device manufacturer.

In addition to the points we discussed in our previous blogpost, the following elements of the Guidelines are particularly notable:

Roles of entities involved in several stages of processing

The Guidelines state that if processing of personal data is divided into several operations/stages, it is possible that an entity involved in the processing may be considered a controller only for a particular processing stage, i.e., one in which it determines the processing purposes and means. The same entity could be a processor for other processing stages, i.e., those in which it does not determine either the purposes or the means.

In other situations, two entities may be considered to be joint controllers, rather than either of them being a processor. This would be the case where at “micro-level” the different processing stages of the overall processing activities may seem separate and performed for different purposes, but at “macro-level” they eventually form a sequence or set of processing operations performed for a joint purpose and through joint means.

Use of a standardised cloud storage service

As an example of the determination of the GDPR roles in practice, the final Guidelines describe a scenario where a company stores personal data with a large cloud service provider that offers a completely standardised service and defines the terms of the contract unilaterally. Since it is the company that decides to use the specific cloud service provider to store personal data, the company is essentially determining the purpose and approving the means of the processing and is, therefore, the controller, even if the service is preliminarily defined by the cloud service provider. The service provider would be the processor, unless it processes the personal data for its own purposes and beyond the instructions of its customer.

In practice, this means that life sciences companies, which quite commonly use large cloud service providers to store personal health data, may be considered controllers with respect to that storage, even where they lack the ability to customise the cloud storage services. Such companies should, therefore, seek to ensure that the cloud service providers process the personal data solely according to the defined purposes and the accepted essential elements of the processing, as well as that the services agreement complies with the requirements of Article 28(3) of the GDPR.

Joint controllership in the context of a health data analysis project

The final Guidelines provide a helpful example of the existence of joint controllership in the case where multiple entities in a joint research project analyse personal health data for a commonly defined purpose.

The Guidelines give an example of a situation where a developer of a blood pressure monitoring app, a provider of apps for medical professionals, and a hospital set up a joint project to analyse personal health data (consisting of data which each company separately processes as an individual controller) in order to assess how blood pressure changes can help predict specific diseases. According to the EDPB, in this situation, the three entities could be joint controllers for the joint processing of the personal health data because:

  • all the entities jointly determine the purpose of the processing, i.e., they jointly decide to process the personal health data for the assessment of the blood pressure changes;
  • even if the essential means of the processing are suggested by the app provider, the other entities actively accept those means and are involved partially in the development of the app, meaning that in essence they co-determine the processing means;
  • all the entities may benefit from the processing of the personal health data by implementing the results of the assessment in their own activities. (However, the existence of such a mutual benefit could not be decisive in itself and could only be an indication, not a sole determinant, of the joint controllership.)

In contrast, if the app provider is merely instructed to conduct the blood pressure assessment and thus to process the personal health data on behalf of the other two entities, in the absence of any purpose of its own, it would be considered a processor, even if it may determine the non-essential means (i.e., the more practical aspects of implementation) of the processing.

With regard to the joint controllership scenario in the context of clinical trials, which was described in our previous blogpost, the final Guidelines indicate that further guidance in relation to clinical trials is anticipated in the forthcoming guidelines on processing of personal data for medical and scientific research purposes.

Data Processing Agreements between controllers and processors

The final Guidelines highlight that companies executing a DPA should not simply include in it the provisions of Article 28(3) of the GDPR, but rather negotiate and elaborate on how the requirements of this Article will be met in practice, considering the specific circumstances of the processing. For instance, the DPA may provide specific details on the level of data security that is required by the processor.

New Standard Contractual Clauses for international data transfers

The New SCCs replace the previous controller-to-controller and controller-to-processor SCCs (Prior SCCs). They are adapted to the GDPR requirements and include provisions addressing the CJEU’s Schrems II decision to safeguard the protection of the personal data transferred. The most apparent change in the New SCCs, which renders them more practical and business-friendly, is the inclusion of “modular” clauses for different data transfer contexts:

  1. controller-to-controller
  2. controller-to-processor
  3. processor-to-controller, and
  4. processor-to-processor transfers.

Hence, companies can select the clauses that correspond to their needs and specific contractual relationships.

Companies may continue to conclude agreements based on the Prior SCCs until 27 September 2021, after which date the Prior SCCs will be repealed. Nevertheless, companies can still rely on pre-existing transfer agreements based on the Prior SCCs until 27 December 2022, provided that the processing operations remain unchanged and that the Prior SCCs ensure appropriate safeguards.

Companies should keep in mind that the United Kingdom (UK) and Switzerland have not taken a position yet on the New SCCs and, therefore, only the Prior SCCs are applicable for now for transfers of personal data from the UK or Switzerland to “non-adequate” countries. The UK supervisory authority has, however, announced that it will publish UK SCCs in 2021.

We also anticipate EC guidance on the practical implementation of the New SCCs to be issued within 2021.