Joint controllers: What does the GDPR say?

What are ‘joint controllers’?

When can we speak of joint controllers? Think, for example, of:

• a holding structure;
• a joint venture;
• a (sub)contracting structure;
• employers’ groups;
• multiple companies located at a shared business park.

These are all situations in which two or more controllers jointly determine the purposes and means of processing personal data. Concrete example: security cameras are installed at a business park used jointly by several companies.

These companies together are then joint controllers.

Is your company in such a situation? Then you are obliged to establish the respective responsibilities for compliance with the GDPR rules in a transparent and clear manner.

What does this mean in practice?

More specifically, together with the other joint controllers, you must agree who will take on which responsibilities and obligations with regard to the exercise of the rights of the natural persons whose data they process. In particular, the right to information and access to personal data must be guaranteed.

Thus in the case of two controllers, while both can make specific agreements among themselves, this does not prevent natural persons holding both parties individually accountable if the other party does not comply with the agreements made.

Conclusion?

Check whether you are in a situation where you process personal data together with other companies. If that is the case, make clear arrangements: who does what, where and when? Include this in your own register of processing activities.

Do you still have questions? As trusted partner, we of course would be happy to assist you.