This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.” This development matters for CPW readers as even if you are an entity doing business in the United States, if you collect any personal data of people in the EU and meet other criteria you are required to comply with the GDPR. CPW will be re-reposting a four part series addressing the key concepts and issues covered.
This is the final post in our series on the Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”) focusing on the updates to the concept of “third parties” and “recipients” in the draft Guidelines. Notably, as the authors explain, this clarity is important as the GDPR refers to “third parties” and “recipients” without laying down any specific responsibilities or obligations. The EDPB Guidelines, however, offer clarity as they consider the roles of “third parties” and “recipients” from the perspective of their relationship to a controller or processor.
Find out what it all means here.