An employer will generally be the controller of its employees’ personal data. However, in certain relations it may become a processor of such data. Late 2020 saw the publication of European Data Protection Board’s Guidelines on the basic concepts of controller, processor, third party, recipient etc. (see here). EDPB’s guidelines certainly do not provide any breakthrough in the understanding of those key concepts of the GDPR framework. But they do constitute a valuable roundup while offering a second look at the role the employer plays in the processing of its employees’ personal data.
The purpose of processing is not always related to employment
Date: 24 March 2021