Consultation response: The concepts of controller and processor
Local Government Denmark (LGDK) welcomes the opportunity to comment on "Guidelines 07/2020 on the concepts of controller and processor in the GDPR".
In Denmark, the Ministry of Justice has just carried out a national evaluation of the GDPR, and in that context LGDK has asked the Danish municipalities to contribute to the evaluation with their experiences regarding the implementation of the GDPR. One of the main challenges for the municipalities is the definition of controller, processor and joint controllers. In many cases the municipalities collaborate with other public authorities or hire private companies to carry out different tasks. Defining whether the different kinds of relationships qualify as a controller-processor relationship, a controller-controller relationship or a joint controller relationship is often seen as a difficult and very time-consuming task which in many cases requires in-house legal consultation. Therefore, the Danish municipalities call for more guidelines, including specific examples and flowcharts. In this context LGDK welcomes the present guidelines on the concepts of controller and processor in the GDPR, especially the elaborations on joint controllers, since this concept is new to the Danish municipalities.
The Danish municipalities' influence over the processing of personal data, e.g. for employment activities, is defined by Danish law, and therefore the municipalities are in most cases defined as controllers, cf. section 19. However, when the municipalities collaborate with the Danish government in a controller-processor relationship, the municipalities often experience that they are not able to exercise the decision-making power connected to the role of the controller, since the government determines the purpose of the processing and decides how the processing will be organized, e.g. by using a specific IT system. In these cases the processor agreement does not reflect the factual setup. LGDK would like to call on the European Data Protection Board to further elaborate in the guidelines on how to solve this.
LGDK finds the flowcharts in Annex I very useful for assessing the role of each entity in a relationship. As the municipalities call for more easily accessible and understandable information, LGDK would like to suggest that the flowcharts get a more dominant placement in the guidelines, e.g. by presenting (parts of) the flowcharts throughout the guidelines, linked to the relevant sections of the guidelines.
Lastly, on a more practical note, LGDK would like to suggest that the European Data Protection Board makes it possible for interested stakeholders to sign up for a newsletter with information about upcoming public consultations. This is important information for LGDK and getting this as soon as the consultations are made public would be considered very helpful.
Digitalisation & Technology