One of the biggest problems with IoT systems is that they often use different devices, with their own characteristics. This creates significant problems in terms of the distribution of roles among the different controllers involved. On the other hand, it is obvious that a controller will often entrust some of the technical tasks to a processor, who could even involve a sub-processor in the tasks. In practice, however, there will be times when it will be difficult to ensure that the processor is not actually acting as a controller or joint controller.
IoT developers should do their best to avoid such issues, since the data protection regulation requires a clear answer to the question of “who is responsible for this processing?” to guarantee an effective and completeprotection of the data subjects’ rights and freedoms. Thus, a key requirement of an adequate data protection by design policy is to clarify from the very beginning who are the data controllers and processors, in order to ensure that the legal accountability is understood.
In order to fulfil this goal, written agreements between all agents involved in the development of the tool should be reached and documented. These should include clear specifications about the responsibilities taken by all participants. Promoting a continuous interaction between all DPOs involved might be an excellent option. Ad-hoc supervisory bodies and tools can be adopted to ensure a smooth oversight of the participants’ processing. See the box below.
|Box 2: Dealing with complex data responsibilities scenarios
The EU-funded research project Synchronicity was aimed at creating a harmonized ecosystem for IoT-enabled smart city solutions, where IoT device manufacturers, system integrators and solution providers can innovate and openly compete. Thus, it used a lot of personal data provided by different sources. In this context, “it appeared quite clearly that the de facto data controllers were the cities themselves. They are the ones who control what data are collected and for what purpose. At the same time, the project had a collective responsibility to ensure that its research activities were complying with the regulation too. Data Protection Coordination – Mezzanine Model While several data controllers may be involved, coordination among them at the project level has to be ensured and guaranteed. This is what Synchronicity experienced by setting up a Data Protection Committee (DPC) gathering the Data Protection Officers (DPO) of each smart city chaired by a Project Data Protection Coordinator (PDPC) at the project level. By law, the cities remain the formal data controllers of the data processing under their control and they are directly accountable for it. However, the establishment of the DPC enables close coordination and sharing of experience to ensure that the project as a whole complies with the regulation, as well as to identify and mitigate potential risks that may impact the partners.”
Following this criterion, the roles and responsibilities in the project were distributed as follow:
At City DPO Level
x DPO functions and responsibilities, including data protection and GDPR compliance monitoring
x Personal Data collection identification, including data controllers & processors identification
x Data Protection Impact Assessment (DPIA)
At Project Level
x Data Protection Policy Coordination
x Public Information and Contact
x Reporting and data protection Issues Management
In addition, some parties may draft contracts positioning themselves in a different role than what really applies to them. For instance, a stakeholder may argue it is a processor in order to avoid certain controllership obligations, and even sign a contract. However, reality rules here and, regardless of what the parties say, their role will have to be defined according to their acts. In this sense, EU case law tends to widen the concept of controller and joint-controller, reducing the space for pure processors. In this regard, it will often happen that all parties involved share some degree of responsibility and become joint-controllers for those parts of the processing activities involving those different parties. From there on, each party will have its own independent separate responsibility.
1See: Judgment of the Court (Grand Chamber) of 5 June 2018.UnabhängigesLandeszentrumfürDatenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH.Request for a preliminary ruling from the Bundesverwaltungsgericht. Case C210-16, at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62016CJ0210 ↑