Precedent corpus / EDPB (European Data Protection Board)
European Data Protection Board
EDPB (European Data Protection Board) case GL-07-2020, decided 2021-07-07. No monetary penalty (reprimand or guidance).
Regulator guidance (positive exemplar)
What the regulator decided
The notions of controller and processor are functional - they aim to allocate responsibilities according to the actual roles of the parties. A controller is the body which "determines the purposes and means" of the processing; a processor processes "on behalf of the controller". Where an entity defines what data is collected, for what purpose, with whom it is shared and for how long, it acts as a controller regardless of its self-description.
Primary source
Regulator-owned URL. Quote this in legal briefs and academic citations.
https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_enConsentMark interpretation
Operator-readable note on how this case shapes the ConsentMark scanner narrative. Not a legal opinion; cites the primary source.
[Type: guidance] Non-enforcement guideline. Cite when the scanner narrative covers a vendor (analytics, tag-management, email-tracking) that self-classifies as Article 28 processor while in fact determining the purposes of processing - the AEPD Mailtrack PS-00388-2022 decision applies this guideline directly.
Verification trail
- Verified by
- donal
- Verified at
- 2026-05-27
- Review due
- 2026-11-27
Cite this case
Pick the format that matches where you are pasting. The methodology version is preserved in every variant so the citation stays verifiable after future methodology changes.
@misc{consentmark-precedent-edpb-gl-07-2020,
author = {{ConsentMark}},
year = {2021},
title = {EDPB (European Data Protection Board) GL-07-2020 - European Data Protection Board},
howpublished = {\url{https://www.consentmark.com/precedent/edpb-gl-07-2020}},
note = {ConsentMark methodology v1.3}
}ConsentMark. (2021, July 7). EDPB (European Data Protection Board) GL-07-2020 - European Data Protection Board. Methodology v1.3. https://www.consentmark.com/precedent/edpb-gl-07-2020[EDPB (European Data Protection Board) GL-07-2020 - European Data Protection Board - ConsentMark](https://www.consentmark.com/precedent/edpb-gl-07-2020)EDPB (European Data Protection Board) GL-07-2020 - European Data Protection Board - ConsentMark, 2021-07-07, methodology v1.3, https://www.consentmark.com/precedent/edpb-gl-07-2020