Joint Controllership: A Collection of Recent Guidance

This blog was originally published www.paolobalboni.eu.

By Paolo Balboni, Top-tier ICT, privacy & data protection lawyer and Founding Partner of ICT Legal Consulting.

Article 26 GDPR on Joint controllers determines that, “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.”

Furthermore, Art. 26 (2) states that, “The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.”

European Court of Justice

A fundamental ruling with respect to joint controllership is the July 2019 Decision of the European Court of Justice in the Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV case. Here the CJEU determined that a website owner which embeds a Facebook like button on its website is a joint controller with Facebook concerning the collection and disclosure by transmission of visitor data to Facebook as they jointly determine the means and purposes of such operations.

Being a joint controller brings with it certain responsibilities, such as providing adequate information to the visitors of the website at the time their data are collected, including both the purposes of processing and its identity. Furthermore, it is noteworthy that, “with regard to the case in which the data subject has given his or her consent, the Court holds that the operator of a website such as Fashion ID must obtain that prior consent (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data. With regard to the cases in which the processing of data is necessary for the purposes of a legitimate interest, the Court found that each of the (joint) controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in respect of each of them.”

This decision effectively contributes to a wider understanding of the concept of joint controllership.

Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg

Providing more concrete guidance with respect to the concrete governance of such relationship, in May 2019, the DPA of Baden-Wurttemberg issued a sample document template meant to aid companies in cases when several persons jointly determine the purposes and means of data processing. The same DPA recently issued information on joint controllership pursuant to Article 26 (2)2 of the General Data Protection Regulation in English which can be found here.

The templates act as a useful standard for organizations in establishing a joint controllership relationship.

European Data Protection Supervisor

On 7 November 2019 the European Data Protection Supervisor published Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725.The EDPS Guidelines provide instructions to EU institutions and bodies for compliance with Regulation 2018/1725 with respect to the concepts of controller, processor and joint controllership and examine the related responsibilities and obligations concerning data subject rights, providing specific case studies for controller-processor, separate controllership and joint controllership situations. The Guidelines are intended to aid management in “supporting a culture of data protection from the top of the organization and to implement the principle of accountability.”

Regulation (EU) 2018/1725 establishes the data protection obligations for the EU institutions and bodies in their data processing activities. The Regulation aids such bodies in providing transparent information on how they process personal data and ensures that individuals are able to exercise their rights with respect to such processing.

You can read more of Paolo's insights into privacy and compliance here.