The topic of “joint controllers” according to Art. 26 GDPR continues to gain momentum. The State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg (LfDI) has now, for the first time, published a sample of an agreement for joint controllers under Art. 26(1) s. 2 GDPR as well as a sample relating to the fulfillment of obligations to inform the data subjects pursuant to Art. 26(2) s. 2 GDPR.
Companies are jointly responsible for data processing within the meaning of Art. 26 GDPR, when and if they jointly determine the purpose and the means of said data processing. Whether and when this is the case must be assessed for each data processing incident in the individual case. The rulings by the European Court of Justice (ECJ) made on Facebook fan pages in this regard (Ref. No. C-210/16; which we reported in Update No. 39) and the closing arguments and motions by the Attorney General regarding the integration of the “Facebook like” button on a website in the “FashionID” case (Ref. No. C-40/17; which we reported in Update No. 50) lead to the conclusion that the requirement of joint determination of purposes and means of data processing are to be construed rather broadly. In particular, it should not be required that the controllers involved have detailed knowledge of the data processing by the respective other controller or that identical joint purposes are pursued. For example, preparatory activities such as the integration of a website plugin are sufficient grounds for joint controllership. If the courts and supervisory authorities adhere to the case law, many cases of data processing by more than one controller would have to be deemed cases of joint controllership in the future and not – which has quite frequently been the practice until now – as a sole controllership or order processing.
In cases of joint controllership, the companies involved must enter into an arrangement as set forth in Art. 26(1) s. 2 GDPR, stipulating the individual controllers’ data privacy-related obligations in a transparent manner (joint controller arrangement). The essence of this arrangement must be made available to the data subjects pursuant to Art. 26(2) s. 2 GDPR. Any infringement of these provisions – as all infringements of GDPR provisions generally do – trigger major risks of administrative fines (Art. 83(4) lit. a) GDPR). It must be noted that the existence of joint controllership does not constitute any legal basis for data transfers within its scope, but a separate legal basis is required in accordance with Art. 6 or Art. 9 GDPR.
Given these facts, it is encouraging that the LfDI has provided the first sample agreement regarding joint controllers approved by a supervisory authority, which companies can use as a basis. With the exception of Brief No. 16 of the Data Protection Conference of March 19, 2018, which mentions a few application cases regarding joint controllers, there is a lack in general guidance by the supervisory authorities regarding the question of when joint controllership within the meaning of Art. 26 GDPR does indeed exist. Companies must, in a first step, resolve the preliminary issue of whether they are acting as joint controllers (and not merely as sole controllers or processors) by reviewing all data processing involving more than one party.
In cases of joint controllership, the sample published by the LfDI can be used as initial guidance for the draft of an agreement to be concluded by the controllers. However, please note that the LfDI sample merely covers the simple scenario of two companies jointly pursuing data processing, e.g., they operate a joint database. Scenarios that, in practice, are more common and much more complex, such as data processing in corporate group scenarios or joint data processing beyond the EU borders, are not considered in the sample agreement.
In addition, many provisions set forth in the sample only contain general references to the GDPR and some provisions, which non-affiliated companies typically agree upon in data privacy agreements, are missing, such as control and access rights or termination options. With regard to the joint liability of the joint controllers, however, such provisions are highly recommended and encouraged.
It is noteworthy that the LfDI has not only published a sample agreement, but also sample information in accordance with Art. 26(2) s. 2 GDPR relating to the essential content of the agreement.
For the first time, this demonstrates what the supervisory authorities consider the essence of the arrangement pursuant to Art. 26 GDPR which must be made available to the data subjects. According to the LfDI, this includes the reason for the joint controllership, the description of the individual stages of the processing, as well as the allocation of the resulting obligations to each party, and the designation of the entity where rights of the data subjects can be asserted.
Thus, the LfDI believes that the obligation to inform as set forth in Art. 26(2) s. 2 GDPR goes way beyond the opinion previously prevailing in practice, according to which the primary objective is to make it easier for the data subjects to exercise their rights. In particular, the description of the individual process stages and their allocation to the individual controllers can result in practical implementation issues and possibly the disclosure of business or trade secrets. In addition, in complex processing projects where several controllers are involved in various stages of the data processing, an “information overflow” can be triggered - this would have adverse effects on transparency, which is the key objective of Art. 26(2) s. 2 GDPR. Here, it becomes once again apparent that the sample published by the LfDI primarily aims at simple processing scenarios with a small number of controllers. The scope of the sample reaches its limit when it comes to complex practical cases of joint controllers, the number of which is expected to increase based on the most recent rulings by the ECJ.
The sample information provided by the LfDI shows that the key contents of the arrangements must be provided to the data subjects proactively and irrespective of any inquiry; however, this seems doubtful considering the wording of Art. 26(2) s. 2 GDPR.
It is appreciated that the Baden-Württemberg supervisory authority paves the way by publishing the sample regarding joint controllers pursuant to Art. 26 GDPR. However, conversely, this means that the supervisory authorities have discovered the issue and ran with it. Thus, it can be expected that joint controllers will play a more significant role in future data protection audits conducted by the supervisory authorities.
Therefore, companies should no longer delay (i) identifying joint responsibilities in their data processing projects, (ii) ensuring sufficient legal bases (in particular documenting considerations relating to Art. 6(1) lit. f) GDPR and, if required, obtaining consent of the data subjects), (iii) entering into corresponding agreements, and (iv) notifying the data subjects in accordance with Art. 26(2) s. 2 GDPR about the essence of said agreements.
While the samples published by the LfDI are a first guidance for contractual arrangements regarding joint controllers, they will be applicable without major revision in exceptional cases only.