The concept of joint controllers in EU data protection law, as distinct from the basic controller/processor distinction, has so far been seen as neither particularly controversial nor widely discussed. The GDPR now expressly provides for it: joint controllers are two or more controllers that jointly determine the purposes and means of processing.
Article 29 Data Protection Working Party Opinion 1/2010 on the concepts of "controller" and "processor" notes that there are many situations in which controllers act together. In some circumstances this may lead to joint and several liability, but that is not necessarily the rule.
The Opinion discusses situations in which several actors simultaneously perform operations on personal data that are complementary in nature to providing a service to consumers, but it draws no clear line between joint controllership and separate controllership. On the contrary, it states plainly that, because of the multitude of possible arrangements, it is not possible to draw up an exhaustive list or categorization of the different kinds of "joint control."
The U.K. Information Commissioner's Office elaborates on some of these issues in its guide "Key definitions of the Data Protection Act," in particular by distinguishing a joint controller from a controller in common. Joint controllers act together to decide the purposes and manner of processing, whereas controllers in common merely share a pool of personal data that each processes independently of the other. This distinction is easy to state in theory, and for the typical cases the ICO describes, but can be extremely difficult to apply in practice.
Why is it important under the GDPR?
This issue may become much more relevant under the GDPR, which imposes, via Article 26, some specific obligations on joint controllers but not on controllers in common.
This will result in a practical need to evaluate and assess all kinds of business relationships that involve personal data, not only with regard to the controller-to-processor framework but also, in cases of parties being controllers in their own right, whether they do act in fact as joint controllers for the particular set of data.
Note that the GDPR does provide an explicit administrative penalty for breaching these obligations: Article 83(4)(a) covers infringements of the obligations of controllers and processors under Articles 25 to 39, which include Article 26, with fines of up to 10 million euro or 2 percent of total worldwide annual turnover. Moreover, because basic principles such as transparency are also at stake, and those carry potential fines of up to 4 percent of total worldwide annual turnover, utmost caution rather than a lax approach is recommended.
What are the obligations of joint controllers under the GDPR?
The GDPR imposes a great many compliance obligations while remaining somewhat vague about how to achieve them. As if this were not complicated enough, whenever companies act as joint controllers they will need to define clearly their respective responsibilities for compliance with the obligations the GDPR imposes. This includes, but is not limited to, their responsibilities toward data subjects in the exercise of their rights and in providing them with the relevant information. In such a situation the controllers may designate a single contact point for data subjects.
For this reason, joint controllers are required to enter into a specific arrangement that reflects their respective roles and relationships toward data subjects. This determination must be made in a transparent manner, which not only argues against convoluted and lengthy contractual provisions but requires a genuinely good understanding of the business needs and the actual data flows. Transparency goes further than that, however: the essence of the arrangement itself must be made available to data subjects, which calls for an accessible form and clear, plain language.
It should be remembered that, irrespective of the terms of such an arrangement, data subjects remain fully entitled to exercise their rights against each of the controllers. Not surprisingly, these provisions take the data subject's perspective and are imposed for the data subject's benefit, so even if a B2B arrangement requires one of the companies to handle all data subject requests, the data subjects themselves may still choose otherwise.
What form of arrangement is needed?
The GDPR asks for an arrangement and not for a contract. This is in contrast to the controller-to-processor relationship, where the GDPR clearly requires a contract or other legal act under EU or Member State law, binding the processor to the controller.
This suggests that the parties are left more freedom in determining the form, structure and legal nature of the arrangement, as long as responsibilities are clearly and transparently defined. In most cases this would probably still be interpreted as some kind of agreement under the relevant laws. However, the fact that EU lawmakers were deliberately silent on this point suggests that it is the essence of the arrangement, not specific formalities, that matters.
As a result, joint privacy statements, terms and conditions, or policies may satisfy this requirement if they are specific enough. Of course, it is far too soon to predict what standard business practices will develop in this area over the coming years, or what view data protection authorities will take.
How to find out if the parties act as joint controllers?
This may seem obvious, but first you need to establish whether the relationship is controller-to-controller or controller-to-processor. The decisive factor should be the level of control each party has over the data, not merely the fact that one company provides services to another. As indicated above, there is plenty of guidance on this point, with practical examples provided in abundance, in particular by the Article 29 Data Protection Working Party Opinions and ICO guidance.
Then, if it is a controller-to-controller relationship, ask what kind of relationship it is: does it involve joint participation in a business activity that requires processing the same personal data, or are you merely sharing the same pool of personal data for different and distinct purposes? Consider also whether, and to what extent, the relevant decisions are taken together by the parties, and how closely the processes themselves are intertwined. Is it actually possible to distinguish and single out the decision-making processes and business logic behind each party's activities in a way that shows that each determines its own purposes and means, or is that not possible at all? Whatever your final conclusion, the principle of accountability will require you to be able to demonstrate that you actually made this evaluation and which arguments you considered before reaching it.
What else should be done to ensure compliance?
Naturally, none of this is simple, and there will be many doubts and divergent solutions in particular situations.
It is recommended, however, that such situations and relationships be monitored and analyzed as they evolve over time, not only once, when the contracts are signed.
Contractual language matters insofar as it delineates specific obligations and activities, but only to the extent that it corresponds to the business reality rather than merely suiting the parties' risk-avoidance preferences.
Last but not least, keep in mind that transparency is the keyword here. Be open about all relationships that involve sharing personal data with other companies. By doing so you satisfy not only the specific requirements of the GDPR but, more importantly, you build trust and place yourself under the public scrutiny that will enable you to evaluate and improve your privacy practices in the long term.