Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Paragraph 2.2.2. Obligations towards data subjects
174. The GDPR provides several obligations of joint controllers towards data subjects:
The arrangement shall duly reflect the respective roles and relationships of the joint controllers vis-à-visthe data subjects
175. As a complement to what is explained above in section 2.1 of the present guidelines, it is important that the joint controllers clarify in the arrangement their respective role, “ ” as regards theexercise of the rights ofthe data subject and their duties to provide the information referred to in Articles 13 and 14. Article 26 of the GDPR stresses the importance of these specific obligations. The joint controllers must therefore organise and agree on how and by whom the information will be provided and how and by whom the answers to the data subject’s requests will be provided. Irrespective of the content of the arrangement on this specific point, the data subject may contact either of the joint controllers to exercise his or her rights in accordance with Article 26(3) as further explained below.
176. The way these obligations are organised in the arrangement should “duly”, i.e. accurately, reflect the reality of the underlying joint processing. For example, if only one of the joint controllers communicates with the data subjects for the purpose of the joint processing, such controller could be in a better position to inform the data subjects and possibly to answer their requests.
The essence of the arrangement shall be made available to the data subject
177. This provision is aimed to ensure that the data subject is aware of the “essence of the arrangement”. For example, it must be completely clear to a data subject which data controller serves as a point of contact for the exercise of data subject rights (notwithstanding the fact that he or she can exercise his or her rights in respect of and against each joint controller). The obligation to make the essence of the arrangement available to data subjects is important in case of joint controllership in order for the data subject to know which of the controllers is responsible for what.
178. What should be covered by the notion of “essence of the arrangement” is not specified by the GDPR. The EDPB recommends that the essence cover at least all the elements of the information referred to in Articles 13 and 14 that should already be accessible to the data subject, and for each of these elements, the arrangement should specify which joint controller is responsible for ensuring compliance with these elements. The essence of the arrangement must also indicate the contact point, if designated.
179. The way such information shall be made available to the data subject is not specified. Contrary to other provisions of the GDPR (such as Article 30(4) for the record of processing or Article 40 (11) for the register of approved codes of conduct), Article 26 does not indicate that the availability should be “upon request” nor “publicly available by way of appropriate means”. Therefore, it is up to the joint controllers to decide the most effective way to make the essence of the arrangement available to the data subjects (e.g. together with the information in Article 13 or 14, in the privacy policy or upon request to the data protection officer, if any, or to the contact point that may have been designated). Joint controllers should respectively ensure that the information is provided in a consistent manner.
The arrangement may designate a contact point for data subjects
180. Article 26(1) provides the possibility for joint controllers to designate in the arrangement a contact point for data subjects. Such designation is not mandatory.
181. Being informed of a single way to contact possible multiple joint controllers enables data subjects toknow who they can contact with regard to all issues related to the processing of their personal data. In addition, it allows multiple joint controllers to coordinate in a more efficient manner their relations and communications vis-à-vis data subjects.
182. For these reasons, in order to facilitate the exercise of data subjects’ rights under the GDPR, the EDPB recommends joint controllers to designate such contact point.
183. The contact point can be the DPO, if any, the representative in the Union (for joint controllers not established in the Union) or any other contact point where information can be obtained.
Irrespective of the terms of the arrangement, data subjects may exercise their rights in respect of and against each of the joint controllers.
184. Under Article 26 (3), a data subject is not bound by the terms of the arrangement and may exercise his or her rights under the GDPR in respect of and against each of the joint data controllers.
185. For example, in case of joint controllers established in different Member States, or if only one of thejoint controllers is established in the Union, the data subject may contact, at his or her choice, either the controller established in the Member State of his or her habitual residence or place of work, or the controller established elsewhere in the EU or in the EEA.
186. Even if the arrangement and the available essence of it indicate a contact point to receive and handle all data subjects’ requests, the data subjects themselves may still choose otherwise.
187. Therefore, it is important that joint controllers organise in advance in their arrangement how they will manage answers to requests they could receive from data subjects. In this respect, it is recommended that joint controllers communicate to the other controllers in charge or to the designated contact point, the requests received in order to be effectively handled. Requiring data subjects to contact the designated contact point or the controller in charge would impose an excessive burden on the data subject that would be contrary to the objective of facilitating the exercise of their rights under theGDPR.