Guidelines 07/2020 on the concepts of controller and processor in the GDPR

Section 2.1  Determining in a transparent manner the respective responsibilities of joint controllers for compliance with the obligations under the GDPR

158. Article 26 (1) of the GDPR provides that joint controllers shall in a transparent manner determine and agree on their respective responsibilities for compliance with the obligations under the Regulation.

159. Joint controllers thus need to set “who does what” by deciding between themselves who will have to carry out which tasks in order to make sure that the processing complies with the applicable obligations under the GDPR in relation to the joint processing at stake. In other words,a distribution of responsibilities for compliance is to be made as resulting from the use of the term “respective” in Article 26(1).

160. The objective of these rules is to ensure that where multiple actors are involved, especially in complex data processing environments, responsibility for compliance with data protection rules is clearly allocated in order to avoid that the protection of personal data is reduced, or that a negative conflict of competence lead to loopholes whereby some obligations are not complied with by any of the parties involved in the processing. It should be made clear here that all responsibilities have to be allocated according to the factual circumstances in order to achieve an operative agreement.

161. More specifically, Article 26 (1) specifies that the determination of their respective responsibilities (i.e. tasks) for compliance with the obligations under the GDPR is to be carried out by joint controllers “in particular” as regards the exercising of the rights of the data subject and the duties to provide information referred in Articles 13 and 14, unless and in so far as the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject.

162. It is clear from this provision that joint controllers need to define who respectively will be in charge of answering to requests when data subjects exercise their rights granted by the GDPR and of providinginformation to them as required by Articles 13 and 14 of the GDPR. However, the use of the terms “in particular” indicates that the obligations subject to the allocation of responsibilities for compliance by each party involved as referred in this provision are non-exhaustive. It follows that the distribution of the responsibilities for compliance among joint controllers is not limited to the topics referred in Article 26 (1) but extends to other controller’s obligations under the GDPR. Indeed, joint controllers need to ensure that the whole joint processing fully complies with the GDPR.

163. In this perspective, the compliance measures and related obligations joint controllers should consider when determining their respective responsibilities, in addition to those specifically referred in Article26(1), include amongst others without limitation:

• Implementation of general data protection principles (Article 5)

• Legal basis of the processing (Article 6)

• Security measures (Article 32)

• Notification of a personal data breach to the supervisory authority and to the data subject (Articles 33 and 34)

• Data Protection Impact Assessments (Articles 35 and 36)

• The use of a processor (Article 28)

• Transfers of data to third countries (Chapter V)

• Organisation of contact with data subjects and supervisory authorities

164. Other topics that could be considered depending on the processing at stake and the intention of theparties are for instance the limitations on the use of personal data for another purpose by one of the joint controllers. In this respect, both controllers always have a duty to ensure that they both have a legal basis for the processing. Sometimes, in the context of joint controllership, personal data are shared by one controller to another. As a matter of accountability, each controller has the duty to ensure that the data are not further processed in a manner that is incompatible with the purposes for which they were originally collected by the controller sharing the data.

165. Joint controllers can have a certain degree of flexibility in distributing and allocating obligations among them as long as they ensure full compliance with the GDPR with respect of the given processing. The allocation should take into account factors such as, who is competent and in a position to effectively ensure data subject’s rightsas well as to comply with the relevant obligations under the GDPR. The EDPB recommends documenting the relevant factors and the internal analysis carried out in order to allocate the different obligations. This analysis is part of the documentation under the accountability principle.

166. The obligations do not need to be equally distributed among the joint controllers. In this respect, the CJEU has recently stated that “the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data”

167. However, there may be cases where not all of the obligations can be distributed and all joint controllers may need to comply with the same requirements arising from the GDPR, taking into account the nature and context of the joint processing. For instance, joint controllers using shared data processing tools or systems both need to ensure compliance with notably the purpose limitation principle and implement appropriate measures to ensure the security of personal data processed under the shared tools.

168. Another example is the requirement for each joint controller to maintain a record of processing activities or to designate a Data Protection Officer (DPO) if the conditions of Article 37 (1) are met. Such requirements are not related to the joint processing but are applicable to them as controllers.