Update Data Protection No. 39
Clarification of "Joint Controllership" by the CJEU
Under Art. 26 GDPR, "joint controllers" must find an agreement on the data protection obligations between themselves. If they do not do so, they risk a fine pursuant to Art. 83 (4) GDPR. However, the question of when Joint Controllership applies is still a matter of dispute.
Requirements for a Joint Controllership
Under Art. 26 (1) GDPR, where two or more Controllers jointly determine the purposes and means of processing, they must be classified as "Joint Controllers". In this respect, the institute of Joint Controllership must be differentiated from Processing (Art. 28 GDPR) and the transfer between several Controllers who do not determine the purposes and means jointly, but rather independently of one another.
Authoritative criterion: actual influence on the purposes and means of processing
The authoritative criterion for ascertaining whether there is joint determination by two or more Controllers, is the presence of a determining actual influence on the processing. The Art. 29 Working Party first concerned itself with the institute of shared responsibility under the old law (WP169, see also Data Protection Update 26). Following on from this, the German supervisory authorities expressly emphasized within the Data Protection Conference ("DSK") that a determining influence does not require each of the parties involved to have extensive control over all circumstances and phases of the processing. Complete and equal-ranking control by all parties involved is likewise not necessary. Rather, the participation of the parties in determining the purposes and means can take very differing forms, and does not have to be evenly spread. Accordingly, the existence of shared responsibility does not necessarily mean equal-ranking responsibility (see DKS Short Paper No. 16).
In practice, above all with interrelated processing procedures involving two or more parties, the frequently difficult question of demarcation arises in terms of whether the specific collaboration already creates Joint Controllership or not. Joint Controllership given the uncertainty of the criteria stated by the DSK, a wide application of Joint Controllership is fundamentally conceivable here.
Through its judgment dated June 5, 2018 (case C-210/16)), the CJEU has now confirmed the requirements for Joint Controllership, set out by the Advocate General in his opinion dated October 24, 2017: it is sufficient if the Controllers are pursuing common interests. By contrast, the even spreading of the contributions, simultaneous processing or a common definition of the means of processing are not decisive.
Note: even if not every collaboration constitutes Joint Controllership, the threshold is nevertheless quickly exceeded based on the requirements of the CJEU. Consequently and in order to avoid fines, a thorough check must always be made in terms of whether an agreement pursuant to Art. 26 GDPR is required.
Legal consequence: joint and several liability, determination of responsibilities in a transparent agreement.
If Joint Controllership applies, not only is the agreement required, but the controllers are also jointly and severably liable.
This joint and several liability also applies if the controllers misjudge the situation and do not conclude an agreement. In view of this and certainly for the purpose of simplifying the balancing of liability between the Controllers, careful drafting of the agreement pursuant to Art. 26 GDPR is advisable.