Article 26. GDPR. Joint controllers

 

 

Authors: Jos Dumortier and Pieter Gryffroy

 

  1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
  2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
  3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

 

A. Preliminary remarks

Art. 26 GDPR obliges joint controllers to determine their respective responsibilities under the GDPR by means of an arrangement. In particular, they must agree on how to inform the data subject and grant data subject rights and must inform the data subject about these arrangements.

This obligation did not exist under the DPD, at least not explicitly. The DPD did already acknowledge in its definition of controller that processing operations are sometimes set up by two or more entities but left the consequences of such a finding largely unregulated.[1]

The absence of such an obligation was problematic because it could easily lead to a negative conflict of competence, i.e., a situation where (some of) the obligations of data protection law are not complied with by any of the controllers, because they all refuse or fail to recognize responsibility. This issue became increasingly relevant in the years following the adoption of the DPD in 1995, because the complexity of the types of processing and forms of cooperation found in practice has since increased exponentially, a trend that is still continuing. Such complexity of cooperation forms leads to various situations of pluralistic control, i.e., situations where different parties are involved to a different extent in exerting control over (a part of) the processing.

Hence, the reality of joint controllership was and often is not that of a simple joint venture for the processing of personal data, where two or more parties are equally involved in all parts of the processing and equally represented in determining the means and the purposes of the processing. Rather, joint control often exists in varying degrees, with different controllers involved at different stages of the processing and to differing extents. Under such circumstances it is easy to understand that situations can arise where none of the controllers feels responsible for carrying out a given duty under data protection law. A typical example would be the situation where two or more joint controllers fail to inform the data subject about the intended processing, each assuming that the other(s) would do so or being convinced that the other(s) is/are better placed to do so, leading to an uninformed data subject and a lack of transparency. Absent any specific obligation for the joint controllers to sit down and define their respective responsibilities and approach to data protection compliance, joint controllership is liable to complicate the data subject’s position, which is contrary to the idea of effective data protection, as already indicated by the Art. 29 WP in its 2010 opinion on the concepts of controller and processor.[2] While that guidance of the Art. 29 WP was already an important step in addressing this issue, the codification in the GDPR of an explicit obligation was nonetheless still necessary to strengthen the data subject’s position.

Against that backdrop the main purpose of Art. 26 GDPR can be understood quite clearly: to ensure that the data subject enjoys effective data protection by making sure that joint controllers clearly allocate the responsibilities under data protection law between them, without any gaps and hence without any reduction in the level of data protection.[3] Or as the EDPB puts it in its recent guidance on the topic: “The objective of these rules is to ensure that where multiple actors are involved, especially in complex data processing environments, responsibility for compliance with data protection rules is clearly allocated in order to avoid that the protection of personal data is reduced, or that a negative conflict of competence lead to loopholes whereby some obligations are not complied with by any of the parties involved in the processing. It should be made clear here that all responsibilities have to be allocated according to the factual circumstances in order to achieve an operative agreement.”[4] As the EDPB also echoes, the increasing complexity of data processing in the digital age strengthens the need for a clear allocation between controllers at all times.

 

 

 

[…]

[1] See i.a. Van Alsenoy, ‘Liability under EU Data Protection Law: From Directive 95/46 to the General Data Protection Regulation’ (2016), 7(3) JIPITEC, para. 32 et seq.; Van Alsenoy, Data Protection Law in the EU: Roles, Responsibilities and Liability (2019), para. 140; Petri, ‘Art. 26’, in Simitis/Hornung/Spiecker, para. 8 in fine.

[2] Art. 29 WP, Opinion 1/2010 on the concept of “controller” and “processor” (adopted on 16 February 2010; 00264/10/EN; WP 169), pp. 17–23.

[3] Millard/Kamarinou, ‘Art. 26’, in Kuner/Bygrave/Docksey, p. 587, at fn. 35 and 36; see also Petri, ‘Art. 26’, in Simitis/Hornung/Spiecker, para. 16; see also recital 79 GDPR.

[4] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on 2 September 2020, p. 41, para. 160.
