The EDPS – European Data Protection Supervisor states in an opinion that in order to act as a controller, the entity / involved party must determine the purposes & essential means of the processing. “Essential means” are closely linked to the purpose and the scope of the processing.
On the other hand, “non-essential means” concern more practical aspects of implementation, such as:
– the choice for a particular type of hardware or software
– the detailed security measures
And these “non-essential means” could be left to the processor to decide on, without being considered a controller.
The guidance and practical examples provided by the EDPS may also be relevant in practice within the scope of the GDPR when considering the extent to which a processor may make decisions in order to still be considered a processor.