Untangling language industry GDPR controller and processor roles

Nearly two and a half years after the GDPR took effect across the EU, there continues to be confusion about the core concepts of “controller” and “processor”; and that confusion is not just among members of the language professions.

The European Data Protection Board (EDPB), an independent European body contributing to the consistent application of data protection rules throughout the European Union, has acknowledged the continuing confusion. In an effort to redress this, it put out for consultation draft guidelines on the concepts of controller and processor in the GDPR.

FIT Europe, representing the interests of the freelance community and EUATC, on behalf of the company sector, joined forces to respond to the consultation. Their joint response had the full support of EULITA, the Association representing the interests of legal interpreters and translators.

Overall more than 100 individuals or organisations submitted comments and while most ranged from one to four pages, the joint FIT Europe/EUATC response was the longest and most comprehensive.

In their response, they highlighted the diversity of views which have been expressed about who is a controller or processor in the translation and interpreting sector and gave numerous examples of those divergent views. The aim was to show the EDPB that the translation and interpreting sector has been making concerted efforts to adapt to the GDPR but that it has been hampered in its efforts because there has been no clear answer to the central question of whether translators, interpreters and LSPs are controllers or processors.

Until the question of who is controller and who is processor is cleared up definitively, the sector cannot fully and faithfully implement the obligations flowing from the Regulation. To that end, a simple solution has been proposed:

  • translators, interpreters and LSPs are controllers only in relation to the personal data of their clients needed to enter into contracts, invoice, etc.
  • translators, interpreters and LSPs are processors of any personal data contained in translated documents and the client is the controller.

Other issues relevant to the sector, such as what is to be done with personal data in old translation memories, how anonymisation is to be achieved, data retention periods, etc. were also raised as part of the response.

Commenting on behalf of FIT Europe, John O’Shea (pictured) said: “We look forward to receiving the EDPB’s position on this topic. Both FIT Europe and the EUATC hope that the EDPB will give our views serious consideration.”

Agreeing, Heike Leinhäuser, President of the EUATC said: “Our hope is that as many of the language-specific and practical examples we have provided will feature in the final version of EDPB guidance.”