Joint controllers: What does the GDPR say?
The GDPR will enter into force on 25 May 2018. The responsibility of a controller is clearly defined. But the notion of ‘joint controllers’ is more complex. Allow us to explain.
The controller is required to compensate all damage suffered by natural persons as a result of the unlawful processing of their data. It is therefore advisable to limit the risk of errors by acting in accordance with the GDPR.
The responsibility of a controller is clear. But the situation becomes more complex if two or more controllers jointly define the purposes and means of the processing. In such cases, the provisions of the Regulation speak of “joint controllers”.
What are ‘joint controllers’?
When can we speak of joint controllers? Think, for example, of:
- a holding structure;
- a joint venture;
- a (sub)contracting structure;
- employers’ groups;
- multiple companies located at a shared business park.
These are all situations in which two or more controllers jointly determine the purposes and means of processing personal data. Concrete example: security cameras are installed at a business park used jointly by several companies.
These companies together are then joint controllers.
Is your company in such a situation? Then you are obliged to establish the respective responsibilities for compliance with the GDPR rules in a transparent and clear manner.
What does this mean in practice?
More specifically, together with the other joint controllers, you must agree who will take on which responsibilities and obligations with regard to the exercise of the rights of the natural persons whose data they process. In particular, the right to information and access to personal data must be guaranteed.
Thus, in the case of two controllers, both can make specific agreements between themselves, but this does not prevent natural persons from holding both parties individually accountable if the other party does not comply with the agreements made.
Check whether you are in a situation where you process personal data together with other companies. If that is the case, make clear arrangements: who does what, where and when? Include this in your own register of processing activities.
Do you still have questions? As a trusted partner, we would of course be happy to assist you.