Precedent corpus / EDPB (European Data Protection Board)

European Data Protection Board

EDPB (European Data Protection Board) case GL-07-2020, decided 2021-07-07. No monetary penalty (reprimand or guidance).

Regulator guidance (positive exemplar)

What the regulator decided

The notions of controller and processor are functional - they aim to allocate responsibilities according to the actual roles of the parties. A controller is the body which "determines the purposes and means" of the processing; a processor processes "on behalf of the controller". Where an entity defines what data is collected, for what purpose, with whom it is shared and for how long, it acts as a controller regardless of its self-description.

Primary source

Regulator-owned URL. Quote this in legal briefs and academic citations.

https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en

ConsentMark interpretation

Operator-readable note on how this case shapes the ConsentMark scanner narrative. Not a legal opinion; cites the primary source.

[Type: guidance] Non-enforcement guideline. Cite when the scanner narrative covers a vendor (analytics, tag-management, email-tracking) that self-classifies as Article 28 processor while in fact determining the purposes of processing - the AEPD Mailtrack PS-00388-2022 decision applies this guideline directly.

Verification trail

Verified by
donal
Verified at
2026-05-27
Review due
2026-11-27
Cite this case

Pick the format that matches where you are pasting. The methodology version is preserved in every variant so the citation stays verifiable after future methodology changes.

BibTeX
@misc{consentmark-precedent-edpb-gl-07-2020,
  author       = {{ConsentMark}},
  year         = {2021},
  title        = {EDPB (European Data Protection Board) GL-07-2020 - European Data Protection Board},
  howpublished = {\url{https://www.consentmark.com/precedent/edpb-gl-07-2020}},
  note         = {ConsentMark methodology v1.3}
}
APA
ConsentMark. (2021, July 7). EDPB (European Data Protection Board) GL-07-2020 - European Data Protection Board. Methodology v1.3. https://www.consentmark.com/precedent/edpb-gl-07-2020
Markdown
[EDPB (European Data Protection Board) GL-07-2020 - European Data Protection Board - ConsentMark](https://www.consentmark.com/precedent/edpb-gl-07-2020)
Plain text
EDPB (European Data Protection Board) GL-07-2020 - European Data Protection Board - ConsentMark, 2021-07-07, methodology v1.3, https://www.consentmark.com/precedent/edpb-gl-07-2020