Rules of the General Data Protection Regulation (GDPR) don’t just apply to companies that fall under its territorial scope, but also those that don’t have an establishment in the European Union (EU) but do target data subjects in the EU. The key elements of the concepts of the controller, joint controller, processor, and data transfer can be confusing, but the European Data Protection Board (EDPB) has tried to clarify in various guidelines. Basically, the controller determines the purposes of the processing of the relevant personal data and the means of such processing. Joint controllership results from joint participation in the determination of the purposes and means of a processing operation. The processor processes personal data on behalf of the controller, in accordance with its instructions. According to guidelines published in November by the EDPB, a “transfer implies that personal data are sent or made available by a controller or processor (exporter) which, regarding the given processing, is subject to the GDPR pursuant to Article 3, to a different controller or processor (importer) in a third country, regardless of whether or not the importer is subject to the GDPR in respect of the given processing.”
