France: National Commission on Informatics and Liberty adopted guidance clarifying the role of data controllers and subcontractors in personal data processing

On 6 June 2025, the French National Commission on Informatics and Liberty (CNIL) adopted guidance clarifying how entities should determine their roles as data controllers, joint controllers, or processors under the General Data Protection Regulation. The guidance applies to all organisations processing personal data and emphasises that qualifications must be based on actual decision-making responsibilities rather than contractual labels. Controllers determine the purposes and essential means of processing, joint controllers make these decisions together, and processors act strictly on a controller’s instructions. The guidance highlights the need for documented justifications, clear contractual arrangements, and accountability regardless of power imbalances.