The joint controller relationship arises more commonly than many people realize. For example, simple activities like running a Facebook Page or displaying the Facebook "Like Button" plugin on your website make you a joint controller with Facebook.
In this article, we'll look at how to define joint controllers, joint controller GDPR requirements, and how to create a "joint controller agreement." We'll be incorporating some of the recent guidance from the European Data Protection Board (EDPB).
To help you understand joint controllers, we need a quick refresher on the GDPR's definition of a "controller."
Most of the GDPR's provisions are aimed at "data controllers" (controllers). Here's a quick recap on controllers, at Article 4 (7) of the GDPR:
For example, when Amazon personalizes recommended items based on previous purchases, it is acting as a controller.
Here's the GDPR's definition of "joint controllers," at Article 26:
A joint controller is a member of a group of controllers that "jointly determine the purposes and means of processing."
Article 26 also tells us that:
The relationship between joint controllers is very different from the relationship between a controller and a data processor.
Here's how the two types of GDPR relationships compare:
| | Joint controllers | Controller and processor |
|---|---|---|
| Determining the purposes and means of the processing of personal data | Each group member determines the purposes and means of the processing of personal data. | Only the controller determines the means and purposes of the processing of personal data. The data processor processes personal data on the controller's behalf. |
| Allocating GDPR duties | The group members can decide their respective roles and responsibilities among themselves. | The roles and responsibilities of the data processor are strictly defined at Article 28 of the GDPR. |
| Written agreement between parties | The group members must create a transparent "joint controller agreement" that is made available to data subjects. This joint controller agreement does not have to be a legally binding contract. | The controller and the data processor must create a "data processing agreement," containing mandatory clauses that set out the scope of the processing, the duties of the processor, the processor's security standards, etc. The data processing agreement is a legally binding contract. |
| Liability of each party | All group members are liable to data subjects for any GDPR violations that arise out of the processing. | Processors are only liable for violating their data processing agreement or violating the limited number of direct processor responsibilities under the GDPR. |
The types of activities that might give rise to a "joint controller" relationship include:
Here are some real and hypothetical examples of the joint controller relationship.
In 2018, a case at the Court of Justice of the European Union (CJEU) found that Facebook is in a joint controller relationship with Facebook Page admins when they use Facebook's "Page Insight" tool.
Here are some of the reasons that the CJEU decided that Facebook and Facebook Page admins are joint controllers:
The upshot of this is that:
For more information, see our article: Privacy Policy for Facebook Pages.
In 2019, another CJEU case determined that where a website operator displays the "Facebook Like Button" plugin on its website, it enters into a joint controller relationship with Facebook.
The upshot of this is that:
In this hypothetical example, three companies decide to undertake a study on workplace stress among their employees. Employees from each company can participate in a survey and the data is combined to create a report.
Each of the three companies is a controller, responsible for:
The companies' joint controller agreement should set out the roles and responsibilities of each group member, including:
Here's an example provided by the European Commission of how a joint controller relationship can arise between two companies offering "combined services."
The European Commission says that Company A and Company B are joint controllers because "not only do they agree to offer the possibility of 'combined services' but they also design and use a common platform."
Joint controllers must divide their GDPR compliance responsibilities "in a transparent manner" via what we're calling a "joint controller agreement." The "essence" of this arrangement must be made available to data subjects.
Remember that this joint controller agreement doesn't have to be a contract. However, it can form part of a contract, and joint controllers may wish to enter into a contract to establish the extent of each party's liability.
Let's look at some joint controller agreements to see how controllers approach this GDPR duty.
When the CJEU decided that Facebook and Facebook Page admins were joint controllers, Facebook had to act to ensure it was complying with Article 26 of the GDPR. This meant setting up a joint controller agreement with Page admins.
To this end, Facebook created its Page Insights Controller Addendum. Here's an excerpt from this joint controller agreement:
There are some important things to note about this agreement:
Facebook's Controller Addendum covers any of its products that transmit "Business Tools Data," including the Facebook Like Button plugin.
The Addendum includes a table that designates GDPR responsibilities:
Website operators must comply with the following parts of the GDPR:
Here's an example of a joint controller agreement between Ireland's Central Applications Office (CAO) and the Higher Education Institutions (HEIs) with which CAO jointly processes personal data.
This excerpt from the agreement shows how the two controllers divide up some of the GDPR's responsibilities:
In the above excerpt, we can see that:
Disclaimer
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
Copyright © 2012 - 2024 TermsFeed ® . All rights reserved.