Legal Brain

“The purpose of this Directive is to enhance the enforcement of Union law and policies in specific areas by laying down common minimum standards providing for a high level of protection of persons reporting breaches of Union law.” This is Article 1 of the EU Directive 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law (also referred to as the “Whistleblower Directive” or herein the “Directive”). The Directive lays out several measures which legal entities in the private and public sector need to implement and observe in order to attain the purpose outlined in the cited Article 1.

As per Union law, EU Member States were under an obligation to transpose the Directive in national legislation, with the observance of two deadlines, namely 17 December 2021 and 17 December 2023. The last deadline concerned legal entities in the private sector with 50 to 249 workers, in relation to which Member States were required to bring into force the laws, regulations and administrative provisions necessary to comply with the obligation to establish internal reporting channels.

In Romania, the transposition of the provisions of the Whistleblower Directive due until 17 December 2021 has been carried out through amendments brought to several normative acts,[1] while the provisions due on 17 December 2023 have been transposed by Law No 361/2022 on the protection of whistleblowers in the public interest (“Law 361”).

Below is a non-exhaustive, selective overview of the national particularities included in Law 361 transposing the Directive.

[1] Including the Civil Code, the Labour Code, the Civil Procedure Code, the Criminal Procedure Code, as well as other laws containing provisions relevant to citizen rights and justice.[

[2] Article 6 para. 2) of the Directive.

[3] Article 2 para. 3) of Law 361.

[4] Article 11 para. 1) letter b) of Law 361.

[5] Article 8 para. 7 of the Directive.

[6] Article 5 para. 3) of Law 361.

[7] Article 11 para. 1) of the Directive.

[8] Article 18 para. 1) of the Directive.

[9] Article 7 para. 2) of Law 361.

[10] Article 19 of the Directive.

[11] Article 22 para. 1) of Law 361.

[12] Article 23 of the Directive.

[13] Article 28 para. 2 letter a) of Law 361.

[14] Ibid letter b).

[15] Ibid letter c).

[16] The duty of confidentiality is included in Article 16 of the Directive.

[17] Article 28 para. 2 letter d) of Law 361.

[18] Ibid letter e).

Although from the definitions given by the GDPR it seems that we understand quite well what a data controller or a data processor means, in practice, although 5 years since the entry into force of the GDPR have passed, assigning one or the other of these qualities to an entity that processes personal data is not an easy task. Thus, the actual circumstances in which the personal data are processed, the roles of the participants to the processing, the independence or, on the contrary, the decision-making dependence, are all factors which have to be analysed in order to establish the quality of an entity, either as an independent data controller, a joint controller or a data processor.

Independent Data Controller is the entity that determines (i) the purpose and (ii) the means of personal data processing.

But what exactly do these concepts mean?

The purpose of processing is nothing else than "the reason, the final objective for which that processing is necessary", respectively, “what the legal entity in question seeks to obtain from processing data in a certain situation”. Therefore, by analysing the purpose, it will also be possible to determine the entity to which that purpose directly serves. If the purpose clearly serves a particular entity, then that entity is most likely also the data controller. Simply put, the data controller is the entity with which the purpose has the closest ties.

Some examples: 

• an employer will process the data of its employees for the purposes of the employment relationships and for the performance of the obligations arising from the employment contract;

• a travel agency will process customer data in order to fulfil contractual obligations regarding the provision of tourism services;

• a company that sells clothing or any other type of consumer goods will process the data of the participants to the promotional campaigns it runs for the purpose of organizing these campaigns, designating the winners and awarding the prizes;

• a medical service provider will process medical data from patients in order to provide the medical services requested by them;

• a personnel recruitment company will process the personal data of candidates for the purpose of providing recruitment services.

As can be seen from the examples above, most of the time, the quality of data controller is dictated by the close relationship between the company → the services/products it offers and → its clients (i.e. natural persons whose personal data are processed, referred to by the GDPR as "data subjects").

Means of processing represent the way, the method, the process by which that goal can be achieved.

These means must be viewed from two perspectives, in relation to their importance and impact on data processing, the second perspective having a close connection with the concept of data processor which we will analyze below.

Essential means of processing whose nature is rather of a legal importance, regarding the categories of personal data processed, the persons to whom the data are disclosed, the period for which the data are processed for a specific purpose.

Non-essential means of processing which are more of a logistical nature, mainly related to the actual way of implementing essential means. These are often varied and have an alternative character. Especially because the data controller can replace them with others without changing the purpose of the processing or the essential means, they are not of the essence of that processing.

Some examples:

• the processing of payroll and salary data can be done by a data controller using the software program x, which the same data controller later changes to software program Y. Therefore, the purpose of the processing does not change, nor do the essential means of processing (the same data, for the same periods will be processed, etc.), changing only the non-essential logistic mean which is the software program.

• the data controller can organize a promotional campaign to which several participants can sign up. The method of collecting data from participants can be done either by email correspondence, or through social networks, or through a platform dedicated to the respective campaign. So, these means of data processing (data collection is a type of data processing, a notion that will be clarified in a future article) are alternative options that the data controller can use without affecting either the purpose of the processing or the essential means of this processing.

Joint controllers are in fact data controllers, as analysed above, which have a common purpose of processing. This means that, jointly, two or more data controllers (independent data controllers in other circumstances), with regard to a specific project, have a common interest and consequently, they establish together, both the purpose and the means of processing. To be joint controllers, it is not absolutely necessary that each of the joint data controllers processes the data collected in an absolute identity, for the same periods of time etc., but rather to pursue the same objective for the achievement of which to use the same (even in different proportions) means of processing.

Some examples:

• a cosmetics company and another spa & wellness services company want to jointly promote themselves, in the sense that they are starting a contest-type promotional campaign in which several people can sign up, with the winners receiving a package of cosmetic products as a gift and a spa voucher. Through the campaign regulations, the two entities establish the common purpose, as well as the means of processing, i.e. what types of data they will collect, for what period they will store them, to whom they will give access to the data, but also how they will do all this concretely (through what platforms will run the campaign, in which database they will collect and store the data, etc.)

• a company that offers recruitment services is requested by a company to identify a person to occupy position x. The recruitment company has a portfolio of people looking for a job (potential candidates), but it will identify, in the market, other people who meet the requirements of that position. In a first stage, recruitment involves a verification of the CVs of potential candidates, from the portfolio of the recruiting company or identified later, and the first interviews, only by the recruiting company, during which the recruiting company will act as an independent data controller. But, in a next step, 3 of the shortlisted candidates will have meetings and will also need to be known by the client. From this moment, until the completion of the recruitment process, the recruitment company and the client can be considered as joint data controllers as they have a common goal (recruitment of the best candidate) and the means by which they achieve the goal are jointly determined (the client and the company of recruitment participates in meetings with candidates, exchanges impressions, information about his experience, his expectations in the position report for which the recruitment process is taking place, etc.)

Data Processor is the entity that processes data on behalf of the independent data controller or of the joint data controllers. The data processor does not pursue its own goal in relation to the data subjects whose data are processed, but only in relation to the data controller/s, by providing the data controller/s its supporting services in its/their effort/s to achieving its/their own goals. It is true that, in practice, the data processor has his own contribution to achieving the purpose of the processing, especially by using its own non-essential means for that purpose or proposed by it. However, given the fact that these means used by it are non-essential, the data processor does not take the decision neither with regard to the purpose, nor with regard to what personal data must be processed.

The data processor may advise the data controller, but it will not take a decision in the absence of the approval of the data controller, even if that approval has a general nature and it is not specific to a particular case. So, in the end, it is still the decision of the data controller in establishing the rights and powers of the data processor with respect to data processing, the limits of such powers, establishing the mandate of the data processor within which it can exercise its role of proxy (these are actually the "instructions" of the data controller to the data processor).

Some examples:

• an employer uses a payroll company to perform all its duties towards its employees. The payroll service provider owns its own software (non-essential means) to provide the services to the employer. However, in this relationship, the payroll company will never act as data controller because it does not determine the purpose and the essential means of processing (it will not determine the salaries of the employees, nor their days off, the annual leaves, the value of the allowance for overtime, nor whether it pays a bonus to the employee or not). The payroll company will always be a data processor in relation to the services it offers.

• a company which runs a promotional campaign hires an advertising agency to manage the campaign. The advertising agency may have the freedom to choose the (non-essential) means of processing the participants’ data (e.g. on which social networks to run the campaign), but running the campaign, the targeted audience, the period of time when the campaign would be run, the nature of the prizes to be awarded, etc. will be chosen by the beneficiary of the company which acts as data controller and not by the advertising agency.

HINT! As a general rule (without excluding exceptions and which must be analyzed on a case-by-case basis), when one aims to determine whether a legal entity has the capacity of data controller or data processor, they may analyze whether that legal entity services, by their nature, are addressed merely or in the same degree to legal entities and to individuals or only to one of these categories. If they are, rather, designed to be provided to legal entities, and not (or in a small degree) to individuals, the likelihood that such legal entity acting as a data processor is very high. On the contrary, if the services of an entity are, by their nature, oferred mainly to individuals or, in a similar degree to natural persons and legal entities, the likelihood that the third party is a data controller is very high.

Some examples:

• services addressed, by their nature, mainly to legal entities = their providers act mainly as data processors: health & safety services, payroll, accounting, IT maintenance, cloud services, advertising agencies, call centre services;

• services addressed, by their nature, mainly to natural persons or equally to natural and legal persons = act mainly as data controller: medical service providers, travel agencies, legal advisors, public notaries, insurance companies.

#gigeconomy #platformwork #platformworkersdirective

What does it mean to be a “platform worker”? According to the European Industrial Relations Dictionary,[1] “platform work” is “a form of employment in which organisations or individuals use an online platform to access other organisations or individuals to solve specific problems or to provide specific services in exchange for payment.” This immediately triggers the thought: “Oh, this is Uber!” or “This is Bolt/Glovo/[any other similar service].” But a platform worker may also offer their services for qualified services, such as programming, copyright services or even legal services.

At EU level, it was considered that the conditions under which platform workers offer and provide their services often resembles employment conditions. According to official data, approximately 28 million workers in the EU are platform workers, while about 5.5 million thereof are working under conditions resembling employment, while not benefitting from the benefits of such set-out.[2] Thus, the European Commission initiated in December 2021 a public debate in relation to a new draft directive on “improving condition of persons working through digital labour platforms” i.e. the so-called “Platform Workers Directive” (EU Directive 2021/0414 Improving working conditions of persons working through digital labour platforms) (see the draft under this link: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52021PC0762&qid=1700641785604 )

If adopted in its current form pending further negotiations and debate, the Platform Workers Directive will create the framework for Member States to adopt national legislation granting platform workers various rights which would otherwise be only available for employees i.e. individuals who have concluded labour agreements. According to the explanatory memorandum to the draft Directive, “the general objective of the proposed Directive is to improve the working conditions and social rights of people working through platforms, including with the view to support the conditions for the sustainable growth of digital labour platforms in the European Union.” while “the specific objectives through which the general objective will be addressed are: (1) to ensure that people working through platforms have – or can obtain – the correct employment status in light of their actual relationship with the digital labour platform and gain access to the applicable labour and social protection rights; (2) to ensure fairness, transparency and accountability in algorithmic management in the platform work context; and (3) to enhance transparency, traceability and awareness of developments in platform work and improve enforcement of the applicable rules for all people working through platforms, including those operating across borders.”

In Romania, the status of platform workers remains for the time being unregulated. Hence, most such workers register either as PFA (self-employed individuals or, in Romanian, persoană fizică autorizată) or they set up limited liability companies via which they provide the services. At governmental level and in the context of EU-wide negotiations/discussions, Romania has expressed its support towards the adoption of regulation in order to create legal safeguards for platform workers (including by instituting a legal (rebuttable) presumption of employment under certain conditions).[3]

Undoubtedly, creating rights and protections for platform workers may prove to be beneficial in certain circumstances (for social benefits mostly). However, the question remains why regulate platform work in the first place? Isn’t it just as clear that individuals choosing to do platform work effectively have opted out of the standard type of employment allowing certain particular rights, but removing the benefit of enhanced flexibility, at least a certain degree of self-management of time and other resources and allowing the practice (or even simulation) of entrepreneurship (if not actually creating the basis for it)? And if the answer to this question is a sound “yes”, then why do we need regulation? The continuing debate on the draft Directive may suggest that the benefits of such regulation are not that obvious to all parties and that the impact may be less than fully favourable. Nevertheless, the Directive is expected to be adopted; more comments to follow on its final form.

[1] Available on the website of the European Foundation for the Improvement of Living and Working Conditions (Eurofound) under the link https://www.eurofound.europa.eu/en/european-industrial-relations-dictionary/platform-work [2] https://www.consilium.europa.eu/en/policies/platform-work-eu/ [3] See in this regard the Joint Statement by Belgium, Luxembourg, Malta, the Netherlands, Portugal, Romania, Slovenia and Spain regarding the Proposal for a Directive of the European Parliament and of the Council on improving working conditions in platform work: https://gouvernement.lu/dam-assets/documents/actualites/2023/06-juin/12-engel-directive-travail-epsco/proposal-for-a-directive-of-the-european-parliament-and-of-the-council -on-improving-working-conditions-in-platform-work-joint-statement.pdf