Joint controller
Home » The GDPR » Main Actors » Joint controller

Who are these actors?

Joint Controllers are two or more controllers that are jointly determining the purposes and means of the processing of personal data. For such a joint controllership, specific rules are introduced in the GDPR to govern the relationship between the joint controllers.

What are their tasks?

The tasks are the same as those of a (single) controller but are performed by all joint controllers together.

When does a joint controllership occur?

A joint controllership occurs when a specific processing of data occurs whereby multiple controllers jointly determine the means and purpose of the processing. This means that multiple controllers decide together on the processing. Here, the EDPB distinguishes between common decisions and converging decisions.

  • Common decision: Joint controllers decide together with a common intention on the means and purposes of the procession.
  • Converging decision:Decisions can be considered as converging on purposes and means if they complement each other and are necessary for the processing to take place in such manner that they have a tangible impact on the determination of the purposes and means of the processing.”[1] That means that the processing by each controller is linked to the processing of the other controller and would not be possible without it.

Joint controllership can also arise if one entity does not have access to the data. Regarding the means of the processing, not every joint controller has to determine all means all the time. Different controllers can use different means at different stages in the processing of the data. The same holds true for the purposes of the data. While a joint controllership occurs when the data is processed for the same purpose for all controllers, it can also occur if the purposes of different controllers are closely linked to each other or complementary. That means if the processing benefits all controllers and all controllers have agreed on the purposes and means, a joint controllership is formed.

However, the notion of joint controllership needs careful consideration and must be decided on a case-by-case basis. A clear overview on the relationship between all involved parties, as well as the flow of data is elementary to determine whether or not a joint controllership is taking place. The EDBP provides multiple examples in their guidelines on this issue. [2]

What are their rights and responsibilities?

The rights and responsibilities for joint controllers are defined in Art. 26(1-2) GDPR. Here, the joint controllers

“shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects”

In order to do so, standard contracts between the joint controllers should be used to clearly determine which controller has exactly which responsibilities and tasks to perform. This includes to determine the purposes of the processing as well as the means of the processing.[3] The data subjects should be provided with the contact information of one of the controllers to make it easier for them to determine who exactly to contact for issues regarding the processing of data.Additionally, the allocation of responsibilities and the essential results of the arrangement (the contract) between the joint controllers should be made available to the data subjects. For instance, a privacy notice for the data subject should include as an identification of the joint controllers and their tasks and responsibilities with the processing of data.

This clear allocation of responsibility and liability is stated in Recital 79 GDPR as a necessary condition for joint controllers. However, Art. 26(3) adds that the data subjects can address issues and exercise their rights against any of the joint controllers.[4]

Example 1:

Universities A, B and C decide to conduct a joint research project together. For this project, each university feeds personal data into a database that was provided by one of the universities for the joint research project. A, B and C then process the personal data in this database for their joint research project as they decided beforehand on the purposes and means for the processing. This means that in this research project, data is gathered in order to achieve a previously specified objective. The data is then analyzed using a specific, previously determined software solution. In this scenario, A, B and C are joint controllers as they determined the means and purposes of the processing together. Thus, all universities should determine, through contractual agreements, the rights, responsibilities of each party with respect to the data processing in a transparent manner.[5]Additionally, data subjects should always be sure which party they can and should contact should they have questions of if they would like to exercise rights specified in the GDPR.

If a university A know processes the data in the database for another purpose than that of the joint research project, that university A would become a separate controller for the respective purpose.

Example 2:

Company A is the parent company of a group of companies B, C and D. To store research data, the subsidiaries use a database hosted and provided by the parent company A.
Each company B, C and D can only access the data that they themselves have fed into the database. Each company also processes the data for its own purposes only.
In this scenario, no joint controllership exists. Companies B, C and D are separate controllers as they determine the purposes of their processing of the data. Company A is seen as a processor as it provides a means of processing, the storing of personal data in their database.
 

References

1EDPB. Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Version 1. Adopted on 02 September 2020. Available under: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf p. 18. Last accessed 30.10.2020.

Ibi2d. P.18ff for multiple examples for and against a joint controllership.

3Ibid. p.3

4For more information on joint controllership see the guidelines of the EDPS: EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725, p.22ff

5For more information on Joint Controllership, see: EDPS, “EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725”, November 2019, p. 16ff

 

Skip to content