Joint Controllers, or Separate Controllers?
Recently a number of our clients at White Wire have asked this question, and I have also seen one or two discussions on LinkedIn on the same topic. In my experience there are few decent articles on the subject and good information is scarce, so this is a topic that could benefit from some clarity. This is my attempt to provide it.
To begin with the most basic observation: joint controllers and separate controllers are two very different animals. When two controllers exchange personal data or process the same personal data, they are not automatically joint controllers. In the vast majority of cases they will be separate controllers.
Joint controllership only arises in specific situations where both controllers together (hence "joint") determine the purposes and means of the processing. Decisions are made together, and both share responsibility for the processing of personal data.
Examples of joint controllers:
- A hospital and an elderly care home decide to carry out a study on medicine use among senior citizens. Researchers from both organisations decide on the scope and approach of the study. Patients from both organisations participate, the data is collected at both locations, both organisations have access to the data, and when the time comes to publish a paper they write it together.
- Two city councils decide to work together: instead of two small swimming pools they build one big one. Employees from both councils work at the pool, they use one cloud-based system to register all visitors and process payments, and the website is managed by two webmasters (one from each council).
As you can imagine, from a data protection perspective things can get complicated quickly! Who can a data subject turn to? Which DPO is responsible for what? Who will ensure personal data is adequately protected?
This is why Article 26 of the GDPR requires joint controllers to make clear arrangements on who is responsible for what, in particular for the exercise of data subject rights and the information duties of Articles 13 and 14, and to make the essence of that arrangement available to data subjects. Although Article 26 does not insist on a written agreement, you will find it hard to demonstrate compliance with the accountability principle, or to work out any disagreements, if no written agreement exists.
At the other end of the complexity spectrum are separate controllers. These controllers may exchange personal data, but that is where it stops: neither party has any say in the purposes or means of the other party's processing.
Typical examples of separate controllers:
- A private company transfers employee data to a government entity because it is legally required to. Both the company and the government entity are separate controllers, each with its own purpose for the data: the company to manage its payroll and personnel files, the government to calculate unemployment benefits, tax, etc.
- A private company is subject to a financial audit by Youngloitte regarding an ESF subsidy it received, which includes a review of the subsidised employees' personnel files. The private company has no influence over the audit; what's more, Youngloitte is bound to perform the audit objectively and independently. Youngloitte has no influence on how the private company stores and processes employee data, and the private company has no influence on how the audit is performed or how the audit data is stored.
No Article 26 arrangement is required, as each controller has its own responsibility under the GDPR for its own processing activities. That does not mean anything goes: each controller still needs a lawful basis for its own processing, including for the disclosure itself, and each must inform data subjects about its processing.
Some other resources:
The European Commission's article on controllers and processors (with an example of joint controllers!)
And of course the WP29 Opinion 1/2010 on the concepts of "controller" and "processor", which has a decent section on joint control.
------------------------------------------------
I am a data protection enthusiast who can't believe his luck: data protection was not the envy of many when I started working in it, but then the GDPR came along and look at us now, on par with the sexy tech people working in AR, AI, VR, blockchain, etc.
I have been training DPOs for a number of years at the Data Protection Institute, I teach data protection at Thomas More University College, and I'm part of a terrific team of data protection consultants at White Wire. (By the way, we are looking for new colleagues!)
Want to get in touch? Just invite, but add a small note please.
I've just published an article on this subject: GDPR and B2B channel marketing https://bit.ly/2KHWqrs . Hopefully we'll start getting more press on this in 2019.
Great article Bart!
Hi Bart. Great write-up. I particularly like your emphasis on clarifying roles and responsibilities when preparing and conducting GDPR assessment activities. Hoping we could connect, for I believe there are some synergies in our work. Andrew
Bart, as you know this is the topic of my lecture at DPO-pro's BQ seminar on May 25th. It's my well-substantiated opinion that a) the GDPR is all about transparency and accountability; b) the GDPR refers explicitly to controllers, joint controllers and processors, but not to separate controllers; c) the GDPR doesn't implicitly refer to a possibility of separate control, as the preceding EU Directive did. Note that Opinion 1/2010 refers to the Directive and not the GDPR; d) hence it's absolutely not a proven fact that when controllers share data they can be considered "separate controllers" as such; e) to conclude (and for as long as case law doesn't clarify the situation), I do emphasise the need for a data sharing agreement/arrangement between all controllers sharing personal data at some level. It seems the only safe way to comply with these issues, and in any case a best practice as to transparency and accountability.