08-17-2017 | Article

Update Data Protection No. 26

Joint Controllership - What is this and what has to be done?

Art. 26 GDPR establishes specific legal consequences and obligations, previously unknown in this form, for so-called joint controllers. Companies must therefore clarify for themselves whether they are joint controllers with others when processing personal data, and whether the new requirements are applicable to them as a result.

Joint controllership applies if two or more companies jointly determine the purposes and means of the processing of personal data, Art. 26 (1) Sentence 1 GDPR. This is the case if they jointly decide the purposes, i.e. the reasons, the occasion, the nature and the scope as well as the objectives of the data processing (put another way: whether, for what reason and to what extent), and if they jointly define the material technical means and methods (the how) of the data processing. In other words: joint controllership as per Art. 26 GDPR applies if companies jointly decide – for example within the scope of cooperation arrangements – to process specific personal data for the purposes of their cooperation, and use jointly defined technical means for this.

Such a situation can exist if a company markets its products via internet platforms, or if the company works with authorized dealers or commercial agents. The crucial aspect is that the marketing instrument – the platform or the authorized dealer – also has its own interest in the personal data and the joint processing.

In this respect, the concept of joint controllership must be interpreted broadly. According to prevailing opinion, a joint decision on both the purposes and the means of processing is not required. Rather, it is sufficient if each of the parties involved decides on one of these factors. This means that joint controllership, as defined in Art. 26 (1) Sentence 1 GDPR, can also exist if one cooperation partner decides on the purposes of the data processing, with the other deciding freely on the means of the data processing.

A consequence of the joint responsibility is that the persons affected by the data processing can assert their rights against each individual controller, Art. 26 (3) GDPR. There is therefore a situation of joint and several liability, where one controller must be liable in full for data protection infringements of the other (joint) controller.

Art. 26 (1) Sentence 2 GDPR also obliges the parties to make an agreement laying down the data protection obligations resulting from their cooperation. As examples of the content of such an agreement, Art. 26 (1) Sentence 2 GDPR names the data subjects’ rights under the GDPR and the obligations to inform as per Art. 13 and 14 GDPR. In addition, the material content of such an agreement must be made available to the data subjects, Art. 26 (2) Sentence 2 GDPR.

In practice, the problem frequently arises of distinguishing the legal concept of joint controllership from the independent responsibility of each controller, and from the role of a processor bound by instructions. For companies, this means that they must examine their cooperation arrangements and distribution channels carefully to determine whether joint controllership exists. If this is the case, corresponding agreements must be made concerning the joint controllership, similar to those with processors as per Art. 28 GDPR. In this respect, account must be taken of the mandatory content as per Art. 26 (1) Sentence 2 GDPR. The conclusion of a corresponding agreement is also strongly recommended in view of the joint and several external liability. The parties can use the agreement to determine who is liable for an infringement in the internal relationship, irrespective of who is claimed against in the external relationship with the data subject.

As the instrument of joint controllership and the need for a written agreement under the GDPR were not previously known in this form under German data protection law, companies should concern themselves with the subject as early as possible, particularly as the preparation of standard agreements and their negotiation and conclusion with the respective cooperation partner can take time. The corresponding agreements must be concluded by the time the GDPR becomes applicable on May 25, 2018.
