Joint controllership under the GDPR

What is joint controllership and who is a (joint) controller?

Joint controllership applies if various entities together determine “the purposes and means of processing”. Those entities will share data protection obligations under the GDPR in terms of data subject’s rights and their informational duties under Art. 13 and 14 GDPR. The legislature aimed for clear and transparent allocation of responsibilities and thus introduced the concept of joint controllership in Art. 26 GDPR.

However, it is not always entirely clear whether joint controllership applies as it may take different forms. The controllers at stake might have a very close relationship, meaning they share all purposes and means of processing activities, or a more distant relationship, in which they only partially share purposes. Nonetheless, the responsibilities must be determined and allocated.

Controllers versus processors

For joint controllership to apply, each entity involved must first meet the requirements to qualify as a controller according to Art. 4 (7) GDPR, i.e., the entity must be a

“natural or legal person, public authority, agency or other body that, along or jointly with others, determines the purposes and means of the processing of personal data”.

Thus, if two parties cooperate in specific processing operations, it must be determined if they are a controller or processor and in the case that both are controllers, if they qualify as joint controllers.

As mentioned above, joint control can take a wide variety of forms and multiple parties may interact or be linked with one another when it comes to the processing of personal data. Before the GDPR was introduced, the concept of joint controllership was not clearly defined by law and not commonly referenced. Instead, whenever faced with multiple data processing actors, data processing on behalf of a controller, in which one entity delegates the tasks to processors, was presumed.

The GDPR brings in the concept of joint controllership under Art. 26 GDPR resulting in increased relevance and the possibility of a clear differentiation between joint controllership and data processing on behalf of a controller, as envisaged in Art. 28 GDPR.

Joint controllership or data processing on behalf of a controller – what’s at stake?

Most notably, in the case of data processing on behalf of a controller as laid down in Art. 28 (3) GDPR, a data processor may only process data to the extent and in the way as decided by the controller and as determined in the contract that is binding on the processor. Art. 26 (2) GDPR in turn clearly refers to an arrangement in which one party alone does not decide on the purpose of the processing; rather, they do so together.

For example: a university designs a research plan together with another university or research centre, but one university alone does not supply data or carry out a specific contract for subcontracting. On the other hand, researchers may contract with a company to send surveys to data subjects or to analyse certain results of interviews. That would be processing on behalf of the researchers, although both parties contribute to one project.

Actual influence as criteria for joint controllership

While it is not easy to assess whether joint controllership or data processing on behalf of a controller is at stake, it can be generally determined by the level of influence an entity has on the purposes and/or the means of the processing. The following points can help assess whether a processor is, in fact, a controller.

• Freedom from instructions: The contracting party that delegated the data processing does exercise direct influence on the entity processing the data.
• Merging of data: Data received is blended with an entity’s own databases.
• Use of data for an entity’s own purposes: The data processing serves a goal for the entity that was not explicitly agreed upon with the contracting party.
• Legal relationship with data subjects: The processing entity obtains data directly by way of a legitimate connection with the data subject.
• Responsibility: The processing entity is responsible for the lawfulness and accuracy of the data processing.

Therefore, as demonstrated, the status of data controller is determined based on his decision-making power rather than the execution of data processing. The EU’s Art. 29 Data Protection Working Party (WP) published the following maxim to determine controllership: “Why does the processing take place and who initiated it?” Therefore, according to the WP, the controller chooses which data shall be processed, for how long, who has access and what security measures need to be taken. At the same time, the technical and organisational means of processing, such as the choice of hard- or software, can be delegated to another entity.

It is essential to point out that actual influence does not require that both entities have the full scope of control over all phases of processing, nor is an equal level of control of the controllers necessary. The contribution of the controlling entities in the determination of the purposes and means of processing can take various forms and does not have to be equally distributed. However, the assignment of roles and responsibilities must be clearly defined in an agreement, according to Art. 26 (1) GDPR.

The allocation of responsibilities

Once joint controllership is established, the legislature demands that the entities allocate responsibilities, especially in terms of the data subject’s rights and the controller’s informational duties under Art. 13 and 14 GDPR. The rationale is that data subjects shall not be placed in a less favourable position regarding their protection when they are faced with a plurality of entities processing their data. While equal controllership means equal responsibility, the entities can split the process and take responsibility for the respective steps of the processing. The conclusion of an arrangement ensures the specification of the allocation of duties for fulfilling GDPR obligations. Thus, the distribution must be in a transparent manner, especially as to the responsibilities towards the data subjects. Accordingly, they may designate a contact point for data subjects to exercise their rights, such as requests for data erasure.

A transparent arrangement is crucial, as controllers that fail to conclude such an undertaking may be punished with a fine according to Art. 83 (4)(a) GDPR: up to EUR 10,000,000 or 2% of the total worldwide annual turnover. This risk can easily be avoided if companies ensure that a transparent arrangement with joint controllers is in place. An internal or external data protection officer (DPO) can help set up such arrangements in compliance with the GDPR obligations.

Obligations of joint controllers

As joint controllers automatically also qualify as controllers under the GDPR, each has to fulfil the organisational and material requirements under the GDPR. Accordingly, each controller must also ensure that he has a legal basis for the data transfer under Art. 6 (1), and in the case of special categories of personal data, under Art. 9 (2) GDPR. Additional special obligations for joint controllers include the need to set up a transparent arrangement, to allocate the responsibilities (as mentioned above) and ensure each party fulfils their requirements. Further, the critical points of the agreement need to be made available to the data subject, thereby fulfilling the GDPR’s information obligations. According to Recital 58 GDPR, it suffices to make the key information available via the controllers’ websites.

Furthermore, please note that according to Art. 82 GDPR, each controller can be held liable for the entire damage caused by processing that infringes GDPR obligations, to ensure adequate compensation of the data subject. Thus, despite the allocation of responsibilities, each controller can be held fully liable, unless he can prove that he is not in any way responsible for the damage.

Lastly, controllers should verify whether or not a data protection impact assessment may be required, as in some cases joint controllership may pose higher risks for the rights and freedoms of data subjects.

Examples for joint controllerships

Below are several examples to illustrate what could qualify for joint controllership.

• Clinical medical studies could involve several controllers, including sponsors, research centres, and doctors, who are each responsible for a specific phase of the processing. Here, the division of responsibilities would be distinguishable.
• To promote e-cars, a car producer teams up with some fellow car producers, who collectively create a commercial website that collects user data, such as IP addresses. Accordingly, all car producers involved would jointly agree upon which and whose data shall be processed, thus jointly determining purpose and means.
• An airline and a hotel reservation platform together run a website to attract more customers. If a user searches for accommodation on the hotel reservation platform and corresponding flight connections are proposed, both hotel room and flight can be booked together. Thus, they jointly agree on the data processing means, such as storage duration, to enable both parties to access the data for the booking purpose.
• In a far-reaching decision by the European Union Court of Justice in the FashionID case, the Court concluded that the operator of a website that contains a ’Facebook Like-Button‘ could be jointly responsible with Facebook for collecting and transmitting the personal data of its users.

Recommendations for joint controllers

As a joint controller, an entity is required to set up an arrangement allocating the responsibilities to fulfil data protection obligations, to ensure data subjects can fully exercise their rights and are sufficiently informed. This arrangement must be transparent and made available to the data subjects, for instance, via the company’s website. Both controllers must accordingly fulfil their data protection obligations, which could include a data protection impact assessment. A DPO can support the controllers in fulfilling these duties.