271. ALLOCATION OF RESPONSIBILITY AND LIABILITY – Within the regulatory scheme of EU data protection law, the controller carries the primary responsibility for ensuring compliance. At the moment of its enactment, the EU legislature was mindful of the practice whereby one organisation requests another organisation to perform certain processing operations on its behalf. By introducing the concept of a “processor”, the EU legislature hoped to be able address this situation and to ensure a continuous level of protection.

272. RELATIONSHIP CONTROLLER-PROCESSOR – The Article 29 Working Party has approximated the relationship between controllers and processors with the figure of delegation. The analogy appears to be founded on a number of considerations. In first instance, a processor acts “on behalf” of a controller and is called upon to abide by the instructions given by the controller. Secondly, the consequences of the processor's actions are in principle attributed to the controller, provided that the processor merely follows the latter's instructions. Finally, the delegation figure also permits the delegate (processor) to exercise a certain amount of discretion on how to best serve the principal's (controller's) interests.

273. MULITPLICITY OF CONTROL – Not every collaboration involving the processing of personal data among two separate actors implies the existence of a controller-processor relationship. It is equally possible that each actor processes personal data for their own distinct purposes, in which case each actor is likely to be considered a controller independently of the other. It is also possible that collaborating actors jointly exercise decision-making power concerning the purposes and means of the processing, in which case they are considered to act as joint or (co) controllers.

274. VARYING DEGREES OF CONTRACTUAL FLEXIBILITY – The GDPR has devoted several provisions to the relationship between controllers and processors. Article 28(3) specifies that the relationship between controller and processor shall be governed by a contract or other legal act, which must contain, at a minimum, all the elements mentioned in this provision. As far as joint controllers are concerned, Article 26(1) GDPR stipulates that they shall in principle determine their respective responsibilities for compliance, in particular as regards the exercise of data subject rights and their respective duties to provide the information, by means of an arrangement between them. The contrast, in terms of detail, between Article 28(3) and Article 26(1) of the GDPR is striking.