The European Data Protection Board (EDPB) published its finalised Guidelines on the concepts of controller and processor in the GDPR (07/2020) (Guidelines) in July. These concepts play a crucial role in the application of the GDPR as they determine who is responsible for compliance with GDPR obligations and how data subjects can exercise their data protection rights in practice. In Part I, we outlined some of the key highlights of the Guidelines in respect of the controller and processor concepts. This Part II addresses the key highlights in respect of the joint controller concept and the implications of the joint controller relationship.
Concept
- The concept of joint controllers is not new and already existed under the Data Protection Directive 95/4/EC. However, Article 26 GDPR introduced specific rules for joint controllers and recent CJEU judgments have clarified the concept and its implications – the findings in these judgments (Facebook Fan Pages (C-201/16), Jehovah’s Witnesses(C-25/17), and Fashion ID (C-40/17)) are broadly tracked in the Guidelines. The Guidelines also provide some useful practical examples of the joint controller relationship.
- The EDPB views the overarching criterion for joint controllership as being “the joint participation of two or more entities in the determination of the purposes and the means of a processing operation.” More specifically, the parties make decisions about key factors such as the types of personal data to be collected, the purposes for which the data should be used and the retention period for the data.
- Personal data can be shared between, and processed by multiple parties without them being deemed joint controllers – there must be a joint determination of purposes and means, otherwise the parties will be independent controllers.
- The EDPB acknowledges that joint participation can take different forms, including (i) where there is a common decision (or common understanding) by two or more entities on the purposes and means of the data processing or (ii) where they result from converging decisions on those purposes and means – this reflects recent CJEU case law on joint control. The EDPB provides that a decision can be considered as converging where the purpose and means “complement each other and are necessary for the processing to take place in such manner that they have a tangible impact on the determination of the purposes and means of processing.” A key criterion in assessing converging decisions is that the processing would not be possible without both parties’ participation in the sense that the processing by each party is inextricably linked or inseparable.
- The EBPB further references CJEU case law in noting that joint controllership may be established where purposes are closely linked or complementary (as opposed to being necessarily the same) – an example given is where there is a mutual benefit (e.g. commercial benefit) arising from the same processing operation, provided that both parties were involved in determining the purposes and means of processing.
- Use of a common data processing system or infrastructure will not in all cases result in the parties being joint controllers, particularly where the processing carried out is separable and could be performed by one party without intervention from the other or where the provider is a processor without any purpose of its own.
- Qualification as a joint controller does not require an organisation to exercise control over the entirety of the processing – it can exercise control over a particular stage or stages, in which case its obligations and responsibilities will be limited to those specific stages in which it is involved in the processing.
- The extent of involvement by each joint controller does not need to be equal – there can be different degrees of involvement by the parties, which will impact the level of responsibility to be imposed.
- Similarly to independent controllers, organisations do not need to have actual access to the data that is being processed to qualify as a joint controller.
Joint Controller Relationship
- Joint controllers must determine and agree on their respective obligations and responsibilities for complying with the GDPR by means of an arrangement. Although the GPDR does not prescribe the legal form that this arrangement should take, the EDBP recommends that, in the interests of transparency and accountability, the arrangement is made in the form of a binding document, such as a contract.
- The EDBP notes that the arrangement should address the allocation of responsibilities referenced in Article 26 of the GDPR (including compliance with data subject rights requests and the provision of information to data subjects) but recommends that it also cover other controller GDPR obligations, including (i) implementation of the data protection principles (Article 5 GDPR), (ii) legal basis for processing (Article 6 GDPR), (iii) implementation of data security measures (Article 32 GDPR), (iv) notification of personal data breaches to data subjects and the competent supervisory authority (Articles 33 and 34 GDPR), (vi) conducting data protection impact assessments (Articles 35 and 36 GDPR), (vi) use of a processor (Article 28 GDPR), (vii) cross-border data transfers (Chapter V GDPR) and (viii) contact with data subjects and supervisory authorities. The EDPB suggest that details of the subject matter, purpose of processing, types of personal data and categories of data subjects involved should be included.
- As mentioned above, GDPR obligations do not need to be equally distributed between the joint controllers – there may be cases where not all obligations can be allocated and joint controllers will need to comply with the same obligations (e.g. maintaining a record of processing activities and appointing a data protection officer).
- Certain factors should be taken into account when assessing and allocating responsibilities between the joint controller (e.g. which party is in the best position to comply with the relevant obligations). From an accountability perspective, the EDPB recommends that the internal analysis carried out by the parties in making this assessment is documented.
- The GDPR requires the “essence” of the arrangement to be made available to data subjects (including at least the transparency information set out in Article 13/14 GDPR and which joint controller is responsible for compliance with these elements) but is not prescriptive as to the manner in which this should be carried out. The Guidelines note that it is up to joint controllers to decide the most effective way of doing this but suggest this could be done via the joint controllers’ privacy notice or upon request to the data protection officer or other designated contact point. However, the EDPB stresses that it must be absolutely clear to data subjects how they can exercise their rights.
- Regardless of the terms of the arrangement, (i) data subjects may exercise their rights against each of the joint controllers and (ii) supervisory authorities are not bound by the terms of the arrangement and can contact any of the joint controllers to exercise their powers.