
Updated: Feb 11


Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (the Digital Services Act or DSA) is recently adopted EU legislation, part of a package aimed at harmonising the rules for digital service providers operating in the single market. Its main objective is to counter illegal and harmful online activities and the spread of disinformation. The DSA focuses on protecting consumers and ensuring a safe digital environment, and imposes obligations on operators according to their role in providing intermediary services in the European internal market.


The scope of the DSA covers: (i) intermediary service providers; (ii) hosting providers; (iii) online platforms; and (iv) very large online platforms (VLOPs) and very large online search engines (VLOSEs). The platforms and search engines falling into the "very large" category have already been designated by name by the European Commission, and the DSA has applied to them since 2023. For all other service providers, the DSA applies from 17 February 2024.


Leaving aside VLOPs and VLOSEs (on which the DSA imposes the most onerous obligations), the other intermediary service providers are subject to obligations according to their role in the market. Below we have selected some general issues to consider, with the caveat that each situation must be assessed separately and tailored to the activity actually carried out by the provider in question.


Conditional exemption from liability


Under the DSA, a hosting service provider is not liable for the information stored at the request of a recipient of the service, provided that: [1] (a) the provider does not have actual knowledge of illegal activity or illegal content and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or illegal content is apparent; or (b) upon obtaining such knowledge or awareness, it acts expeditiously to remove or to disable access to the illegal content.


The exemption does not apply where the recipient of the service is acting under the authority or the control of the provider. Nor does it apply, with respect to liability under consumer protection law, to online platforms that allow consumers to conclude distance contracts with traders, where the platform presents the specific item of information, or otherwise enables the specific transaction at issue, in a way that would lead an average consumer to believe that the information, or the product or service that is the object of the transaction, is provided either by the online platform itself or by a recipient of the service acting under its authority or control.

It should be noted that the DSA imposes no general obligation on providers of intermediary services to monitor the information they transmit or store, nor to actively seek facts or circumstances indicating illegal activity. [2]


The DSA imposes the following obligations on intermediary service providers upon receipt of an order from a national judicial or administrative authority:

  • To act against one or more specific items of illegal content; [3]

  • To provide the authority with specific information about one or more individual recipients of the service; [4]

  • To inform the issuing authority, without undue delay, of the effect given to the order, specifying whether and when it was acted upon; [5]

  • To inform the recipient of the service concerned of the order received and of the effect given to it. This information must include a statement of reasons, the possibilities for redress that exist, and a description of the territorial scope of the order. [6]


Due diligence obligations applicable to providers of intermediary services


The following specific due diligence obligations apply to intermediary service providers:

  • To designate a single point of contact enabling them to communicate directly, by electronic means, with the authorities set out in the DSA; [7]

  • To designate a single point of contact enabling recipients of the service to communicate directly and rapidly with the provider, by electronic means, while also allowing recipients to choose means of communication that do not rely solely on automated tools; [8]

  • To include in their terms and conditions information on any restrictions they impose on the use of their service in relation to information provided by recipients of the service. This includes information on the policies, procedures, measures and tools used for content moderation, including algorithmic decision-making and human review, as well as the rules of procedure of the internal complaint-handling system; [9]

  • To make publicly available, in a machine-readable format and in an easily accessible manner, at least once a year, clear and easily comprehensible reports on any content moderation they carried out during the relevant period. [10]


Note that some of the obligations laid down for intermediary service providers, in particular the transparency reporting obligation, do not apply to micro or small enterprises unless they are very large online platforms.[11]


Application of the DSA in Romania


In Romania, the competent authority for digital services is the National Authority for Management and Regulation in Communications (ANCOM). The draft law establishing measures for the implementation of the DSA is currently before the Romanian Parliament, with an expected adoption date of 22 March 2024 according to the website of the Chamber of Deputies at the time of writing. How the DSA will be applied in Romania remains to be seen, starting with the final text of the law and continuing with the decisions to be adopted by ANCOM.


[1] Art. 6 DSA.

[2] Art. 8 DSA.

[3] Art. 9(1) DSA.

[4] Art. 10 DSA.

[5] Art. 9(1) DSA.

[6] Art. 9(5) DSA.

[7] Art. 11 DSA.

[8] Art. 12 DSA.

[9] Art. 14 DSA.

[10] Art. 15 DSA.

[11] Art. 15(2) DSA.




“The purpose of this Directive is to enhance the enforcement of Union law and policies in specific areas by laying down common minimum standards providing for a high level of protection of persons reporting breaches of Union law.” This is Article 1 of Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law (also referred to as the “Whistleblower Directive” or, herein, the “Directive”). The Directive lays down several measures that legal entities in the private and public sectors must implement and observe in order to attain the purpose stated in Article 1.


Under Union law, Member States were required to transpose the Directive into national legislation by two deadlines, 17 December 2021 and 17 December 2023. The later deadline concerned legal entities in the private sector with 50 to 249 workers, in respect of which Member States had to bring into force the laws, regulations and administrative provisions necessary to comply with the obligation to establish internal reporting channels.


In Romania, the provisions of the Whistleblower Directive due by 17 December 2021 were transposed through amendments to several normative acts,[1] while the provisions due by 17 December 2023 were transposed by Law No 361/2022 on the protection of whistleblowers in the public interest (“Law 361”).


Below is a non-exhaustive, selective overview of the national particularities included in Law 361 transposing the Directive. For each item, the provision of the Directive allowing discretion to the Member States is given first, followed by the particularity included in Law 361.

Anonymous reporting

Directive: The Directive does not affect the power of Member States to decide whether legal entities in the private or public sector and competent authorities are required to accept and follow up on anonymous reports of breaches.[2]

Law 361: Law 361 applies to persons who report or publicly disclose information about breaches of the law anonymously.[3] However, an anonymous report is not pursued if it does not contain sufficient information to allow its analysis and resolution and the designated person has requested that it be completed within 15 days, without that request being met.[4]

Obligations for private sector legal entities with fewer than 50 workers

Directive: Member States may require legal entities in the private sector with fewer than 50 workers to establish internal reporting channels and procedures.[5]

Law 361: Law 361 does not oblige legal entities with fewer than 50 workers to set up internal reporting channels, but does not exclude them from doing so. Where a private legal person with fewer than 50 employees has no internal reporting channel, a whistleblower reporting a breach of the law uses the external channel.[6]

Appointment of competent authority

Directive: Member States shall designate the authorities competent to receive, give feedback on and follow up on reports, and shall provide them with adequate resources.[7]

Law 361: The main whistleblowing supervisory authority in Romania under Law 361 is the National Integrity Agency (Agenția Națională de Integritate).

Keeping of records

Directive: Legal entities in the private and public sector and competent authorities must keep records of every report received. Reports shall be stored for no longer than is necessary and proportionate.[8]

Law 361: Reports are kept for 5 years. After the 5-year retention period expires, they are destroyed, regardless of the medium on which they are kept.[9]

Prohibition of retaliation

Directive: Member States shall take the necessary measures to prohibit any form of retaliation against whistleblowers.[10]

Law 361: Any form of retaliation against whistleblowers in the public interest, threats of retaliation or attempted retaliation is prohibited.[11]

Sanctions

Directive: Member States shall provide for effective, proportionate and dissuasive penalties applicable to natural or legal persons that, among other things,[12] hinder or attempt to hinder reporting, or breach the duty of maintaining the confidentiality of the identity of reporting persons.[16]

Law 361: The following are administrative offences punishable by fines. Concerning the hindering of reporting:

  • hindering, by any means, the reporting by the person designated to receive and record reports or by a member of the department designated for that purpose → fine from RON 2,000 to RON 20,000;[13]

  • the unjustified refusal of authorities, public institutions, legal persons governed by public law and legal persons governed by private law to respond to requests made, in the exercise of their duties, by the authorities competent to receive reports of breaches of the law → fine from RON 3,000 to RON 30,000;[14]

  • failure of legal persons to comply with the obligation to set up internal reporting channels → fine from RON 3,000 to RON 30,000;[15]

Concerning the duty of confidentiality:

  • failure of legal persons to design, set up and manage the receipt of reports so as to protect the confidentiality of the identity of the whistleblower and of any third party named in the report, and to prevent unauthorised personnel from accessing the report → fine from RON 4,000 to RON 40,000;[17]

  • failure of natural persons to maintain the confidentiality of the identity of the whistleblower, the data subject or third parties → fine from RON 4,000 to RON 40,000.[18]


[1] Including the Civil Code, the Labour Code, the Civil Procedure Code, the Criminal Procedure Code, as well as other laws containing provisions relevant to citizens' rights and justice.

[2] Article 6(2) of the Directive.

[3] Article 2(3) of Law 361.

[4] Article 11(1)(b) of Law 361.

[5] Article 8(7) of the Directive.

[6] Article 5(3) of Law 361.

[7] Article 11(1) of the Directive.

[8] Article 18(1) of the Directive.

[9] Article 7(2) of Law 361.

[10] Article 19 of the Directive.

[11] Article 22(1) of Law 361.

[12] Article 23 of the Directive.

[13] Article 28(2)(a) of Law 361.

[14] Ibid., letter (b).

[15] Ibid., letter (c).

[16] The duty of confidentiality is laid down in Article 16 of the Directive.

[17] Article 28(2)(d) of Law 361.

[18] Ibid., letter (e).





Although the definitions in the GDPR seem to make it clear what a data controller or a data processor is, in practice, even five years after the GDPR entered into force, assigning one or the other of these roles to an entity that processes personal data is not an easy task. The actual circumstances in which the personal data are processed, the roles of the participants in the processing, and the independence or, on the contrary, the decision-making dependence of each participant are all factors that must be analysed in order to establish whether an entity acts as an independent data controller, a joint controller or a data processor.


An independent data controller is the entity that determines (i) the purposes and (ii) the means of the processing of personal data.

But what exactly do these concepts mean?


The purpose of processing is simply "the reason, the final objective for which that processing is necessary", or "what the legal entity in question seeks to obtain from processing data in a certain situation". Therefore, by analysing the purpose, it is also possible to determine the entity that the purpose directly serves. If the purpose clearly serves a particular entity, that entity is most likely also the data controller. Simply put, the data controller is the entity with which the purpose has the closest ties.

 

Some examples: 

  • an employer will process the data of its employees for the purposes of the employment relationships and for the performance of the obligations arising from the employment contract;

  • a travel agency will process customer data in order to fulfil contractual obligations regarding the provision of tourism services;

  • a company that sells clothing or any other type of consumer goods will process the data of the participants to the promotional campaigns it runs for the purpose of organizing these campaigns, designating the winners and awarding the prizes;

  • a medical service provider will process medical data from patients in order to provide the medical services requested by them;

  • a personnel recruitment company will process the personal data of candidates for the purpose of providing recruitment services.

As the examples above show, most of the time the role of data controller is dictated by the close relationship between the company, the services or products it offers and its clients (i.e. the natural persons whose personal data are processed, referred to by the GDPR as "data subjects").


The means of processing are the way, the method, the process by which that purpose can be achieved.

 

These means must be viewed from two perspectives, according to their importance and impact on the processing; the second perspective is closely connected with the concept of data processor, which we analyse below.


Essential means of processing, which are of legal rather than technical significance: the categories of personal data processed, the persons to whom the data are disclosed, and the period for which the data are processed for a specific purpose.

Non-essential means of processing, which are more logistical in nature and relate mainly to the practical implementation of the essential means. These are often varied and interchangeable; precisely because the data controller can replace them with others without changing the purpose of the processing or the essential means, they are not of the essence of that processing.


Some examples:

  • the processing of payroll and salary data may be carried out by a data controller using software program X, which the same controller later replaces with software program Y. The purpose of the processing does not change, nor do the essential means (the same data are processed, for the same periods, etc.); only the non-essential, logistical mean, the software program, changes.

  • a data controller may organise a promotional campaign that several participants can sign up for. The participants' data may be collected by e-mail correspondence, through social networks or through a platform dedicated to the campaign. These means of processing (data collection is a form of processing, a notion that will be clarified in a future article) are alternative options the controller can use without affecting either the purpose of the processing or its essential means.

Joint controllers are data controllers, as analysed above, that share a common purpose of processing. This means that two or more data controllers (independent controllers in other circumstances) have, with regard to a specific project, a common interest and consequently establish together both the purpose and the means of processing. To be joint controllers, it is not necessary that each of them processes the collected data identically, for the same periods of time, etc.; rather, they must pursue the same objective and use the same means of processing (even in different proportions) to achieve it.


Some examples:

  • a cosmetics company and a spa & wellness company want to promote themselves jointly, by launching a contest-type promotional campaign that several people can sign up for, with the winners receiving a package of cosmetic products and a spa voucher. Through the campaign rules, the two entities establish the common purpose as well as the means of processing, i.e. what types of data they will collect, for what period they will store them and to whom they will give access to the data, but also how they will do all this concretely (on which platforms the campaign will run, in which database they will collect and store the data, etc.).

  • a recruitment company is asked by a client to identify a person for position X. The recruitment company has a portfolio of people looking for a job (potential candidates), but it will also identify other people in the market who meet the requirements of the position. In a first stage, recruitment involves checking the CVs of potential candidates, from the recruiter's portfolio or identified later, and holding first interviews, carried out only by the recruitment company, which at this stage acts as an independent data controller. In a next step, three shortlisted candidates will meet the client and also need to be assessed by it. From this moment until the completion of the recruitment process, the recruitment company and the client may be considered joint controllers, as they have a common goal (recruiting the best candidate) and the means by which they achieve it are jointly determined (the client and the recruitment company participate in meetings with candidates, exchange impressions and information about each candidate's experience and expectations regarding the position for which recruitment is taking place, etc.).

A data processor is the entity that processes data on behalf of the independent data controller or of the joint controllers. The data processor does not pursue its own purpose in relation to the data subjects whose data are processed, but only in relation to the controller(s), by providing supporting services in their effort to achieve their own purposes. It is true that, in practice, the data processor makes its own contribution to achieving the purpose of the processing, especially by using its own non-essential means or means proposed by it. However, since the means it uses are non-essential, the data processor decides neither the purpose nor which personal data must be processed.


The data processor may advise the data controller, but it will not take a decision without the controller's approval, even if that approval is general in nature and not specific to a particular case. So, in the end, it is still the data controller that decides the rights and powers of the data processor with respect to the processing, the limits of those powers and the mandate within which the processor may act on its behalf (these are, in fact, the controller's "instructions" to the processor).


Some examples:

  • an employer uses a payroll company to perform its payroll duties towards its employees. The payroll service provider owns the software (a non-essential mean) it uses to provide the services to the employer. However, in this relationship the payroll company will never act as data controller, because it does not determine the purpose or the essential means of processing (it does not decide the employees' salaries, their days off, their annual leave, the overtime allowance, or whether an employee receives a bonus). The payroll company will always be a data processor in relation to the services it offers.

  • a company that runs a promotional campaign hires an advertising agency to manage the campaign. The advertising agency may have the freedom to choose the (non-essential) means of processing the participants' data (e.g. on which social networks to run the campaign), but whether the campaign runs at all, the targeted audience, the period in which it runs, the nature of the prizes to be awarded, etc. are decided by the company running the campaign, which acts as data controller, and not by the advertising agency.


HINT! As a general rule (without excluding exceptions, which must be analysed case by case), when determining whether a legal entity acts as data controller or data processor, one may consider whether that entity's services are, by their nature, addressed only to legal entities, only to individuals, or to both in similar measure. If they are designed mainly for legal entities and not (or only to a small degree) for individuals, it is very likely that the entity acts as a data processor. Conversely, if the entity's services are, by their nature, offered mainly to individuals, or to natural and legal persons in similar measure, it is very likely that the entity is a data controller.

 

Some examples:

  • services addressed, by their nature, mainly to legal entities, whose providers therefore act mainly as data processors: health & safety services, payroll, accounting, IT maintenance, cloud services, advertising agencies, call centre services;

  • services addressed, by their nature, mainly to natural persons or equally to natural and legal persons, whose providers therefore act mainly as data controllers: medical service providers, travel agencies, legal advisors, public notaries, insurance companies.
