Joint Controllership and the GDPR: what you need to know
At a glance
As of May 2018, the General Data Protection Regulation (GDPR) set the legislative framework for the handling of personal data throughout the European Union. With the GDPR, lawmakers provided companies with the means to handle user data in a constructive and legally secure manner. One of these ways is the concept of Joint Controllership. This means that companies can share customer and personal data, but they assume joint responsibility for it.
Let’s begin with a definition: what is Joint Controllership?
Data processing is often carried out with the support of another company, for example, when several legally independent companies within a group access a joint customer file. Job applications are a common example of when joint controllership happens. Here, a service provider is contracted to publish a job posting and to review incoming applications. In both cases, there is joint responsibility for handling personal data. Article 26 of the GDPR requires this joint responsibility to be precisely described in advance and contractually regulated (Joint Controllership Agreement).
Benefits and obligations of Joint Responsibility
Shared accountability for data processing is important in order for organizations to collaborate and run a successful business model. There are numerous examples demonstrating the necessity of transferring data or sharing a data pool. For example, franchises have to share data to work closely together, and Internet portals that offer various services can operate a joint address management system (a shared address system).
What makes it unique?
Joint Controllership holds a special status in the GDPR. This is because it combines the interests of individuals to protect their data with the interests of businesses in sharing data. The big advantage here is that each controller can define their own area of operation and use the data within this framework.
How does it have to be implemented?
In addition to the purpose and means of the data agreement, the Joint Controllership Agreement must also clarify the roles and functions of the data controllers. This includes who is responsible for requests from data subjects, as well as contact persons and contact information for the data controllers. It is also useful to agree in writing on common technical standards for protecting user data.
When is Joint Controllership present?
Joint controllership applies whenever at least two data controllers decide on the purposes and means of data processing. More specifically, when they jointly determine which measures, tools and resources are necessary to achieve the agreed goal. A central question is whether a contracted service provider can also use the processed data for its own purposes. In this case, one can assume multiple responsibilities.
Relevantly, there have been three important decisions by the European Court of Justice (ECJ) to date: “Facebook Fanpage” (judgment of 05.06.2018, C-210/16), “Jehovah’s Witnesses” (judgment of 10.07.2018, C-25/17) and “Fashion ID” (judgment of 29.07.2019, C-40/17).
What is meant by Joint Responsibility and what are the different types?
There are different ways to be jointly involved in the handling and processing of data. To start, one company may commission another company to process data according to its specifications. In another case, several controllers can jointly determine the purpose and means of data processing. However, it is also possible for several data controllers to be involved in data processing, with each company determining its own purpose and means without coordinating with the others.
Case by case: what should we pay attention to?
It is very important to explicitly state and understand the obligations under the GDPR, and which regulations are involved. It is also crucial to determine whether the contractor is bound by directives or can act on their own initiative. It is critical to ensure that all people concerned are informed about the data processing arrangements made in the agreement.
Roles of the parties involved
Shared responsibility does not mean that everyone has the same impact when it comes to data processing. Nor does it mean that the parties involved have actual access to the data. Joint Controllership only states that multiple parties are involved in a data processing operation.
Rights of parties involved and how to deal with fines
The parties involved can assert their rights with any of the Joint Controllership’s data controllers, e.g. in case of damages. How responsibility is divided within the Joint Controllership does not necessarily affect all parties involved. It makes sense for the responsible parties to regulate what happens if one is held liable because of another’s mistake.
Conclusion: Joint Controllership and the GDPR
With Joint Controllership, the GDPR provides a tool for managing the sharing of customer data. In many cases, this regulation is an enormous relief. What is crucial is that the responsibilities are clearly defined and that the data subjects are informed about them in a transparent manner. If this agreement is missing, the supervisory authorities can impose a fine.
These statements do not constitute legal advice. If you have any legal questions, you should consult a specialist lawyer.