According to the General Data Protection Regulation (GDPR), two or more data controllers who jointly decide why and how personal data is processed are collectively referred to as “joint controllers”. Here is the GDPR definition of “joint controllers” in Article 26: Although the templates published by the LfDI constitute a first guide to contractual arrangements relating to joint controllers, they will only be applicable in exceptional cases without major revision. There are important things to consider in this agreement: there are different ways to jointly participate in the processing of data. First, a company can hire another company to process the data according to its specifications. In another case, several controllers may jointly determine the purpose and means of the data processing. However, it is also possible that several data controllers are involved in the data processing, with each company determining its own purpose and means without coordination with the others. The following is an example of a joint control agreement between the Irish Central Applications Office (CAO) and higher education institutions (HEIs) with which CAO jointly processes personal data. To help you understand joint controllers, we need a brief reminder of the GDPR definition of a “controller”. Common objective or complementary objectives: The guidelines confirm that joint responsibility may arise even if there are one or more jointly defined objectives that are closely related or complementary, e.g. where the same processing operation results in mutual benefit, provided that each of the parties concerned is involved in determining the purposes and means of the processing operation concerned. For example, by creating a page on a social network to promote its activities, a company defines the parameters of the target audience. Note that the mere existence of a mutual benefit resulting from a processing activity does not entail joint liability.
Here is an example from the European Commission of how a joint controller relationship can emerge between two companies offering “combined services”. The guidelines clarify the criteria that can be used by companies to assess their role in processing activities and include practical flowcharts in the form of annexes illustrating how to apply these criteria in different scenarios. This clearly shows that joint control is more likely than companies might have expected in the past, for example if there is no common definition of purposes, but there is a convergence of decisions on the purposes and means of processing, leading to inseparable processing activities by joint controllers. Another important point highlighted in the Guidelines is the need to establish real operational conditions in data processing agreements between joint controllers and controllers and processors that specify how personal data will be processed by the parties in practice. Simple reformulations of the provisions of the GDPR will not be enough. Therefore, as stated, the status of the controller is determined on the basis of its decision-making power and not on the execution of the data processing. The Art. 29 EU Data Protection Working Group (WP) has published the following maxim to determine responsibility: “Why does the processing take place and who initiated it?” Therefore, the controller decides which data are processed for how long, who has access to them and what security measures must be taken. At the same time, the technical and organizational means of processing, such as the choice of hardware or software, may be delegated to another organization. Let's look at some joint controller agreements to see how controllers are approaching this GDPR obligation. The shared responsibility for data processing is important for companies to work together and implement a successful business model.
There are many examples that demonstrate the need to transfer data or share a data pool. For example, franchises need to share data in order to work closely together. Internet portals that offer different services may likewise operate a common address management system / common address system. Joint controllers must allocate their GDPR compliance responsibilities “transparently” through a “joint controller agreement”. The “essence” of this agreement must be made available to the persons concerned. Once joint responsibility has been established, the legislator requires bodies to assign responsibilities, in particular with regard to the rights of the data subject and the information obligations of the controller in accordance with Art. . . .