The European Data Protection Board (EDPB) has published a guide on the concepts of controller and processor in the GDPR. The intention of the guide is to clarify the consequences of having one of these roles. Different Supervisory Authorities have been working together to produce this EU-wide guide. The EDPB adopted the guide on 02 September 2020.
It has been noted that there is some ambiguity, especially regarding when a party takes on the role of personal data controller and when it takes on the role of personal data processor. The guide contains information that explains the different roles, and it can be helpful in assessing them.
In addition, the guide contains a description and clarification of so-called joint personal data responsibility, for example when two or more parties are together responsible for personal data in a certain processing operation. The guide also describes how the responsibility is to be divided between several parties responsible for the same processing.
Guide from the EDPB concerning Controllers and Processors
The hope is that this guide will facilitate the assessment of roles that many companies and entrepreneurs face and must carry out. The guidance clarifies boundaries and obligations for personal data controllers and personal data processors.
According to the GDPR, a natural or legal person can have the role of either a Controller or a Processor (or sub-processor). The most important thing is to be able to answer the following question: Who determines the purpose and means of personal data processing? The person who does this is responsible for personal data as a Personal Data Controller.
The EDPB has written the guide in English, but there are also several translations into other languages. The guide contains various sections and explanatory examples. You can read it through the European Data Protection Board’s website.