Do Joint Controllers Need a Data Processing Agreement

The joint controller relationship occurs more often than many people realize. Simple activities such as operating a Facebook page or embedding the Facebook “Like Button” plugin on your website, for example, make you a joint controller with Facebook.

Allocation of responsibilities: the arrangement between joint controllers

The European Data Protection Board recommends that the arrangement between joint controllers required by Article 26 take, for reasons of legal certainty and as evidence of transparency and accountability, the form of a binding document such as a contract. The essence of this joint controller arrangement is made available to the data subject. With regard to the allocation of responsibilities, Article 26(1) GDPR provides that joint controllers must “in particular” address their obligations regarding the exercise of data subjects' rights and the information obligations referred to in Articles 13 and 14. Joint controllers must ensure that the joint processing complies fully with the GDPR and, where appropriate, must also address, inter alia, the obligations relating to the notification of a personal data breach to the supervisory authority and the data subject (Articles 33 and 34 GDPR), data protection impact assessments (Articles 35 and 36) and transfers of data to third countries (Chapter V). In addition, the relevant factors that led to the division of responsibilities between the joint controllers should be documented.

Beyond determining these non-essential means, a processor can offer a service that is defined in advance; for example, a cloud hosting provider can offer a globally standardized service. However, the controller must be able to approve the method of processing and, if necessary, request changes. Example: a property management company maintains student dormitories for their owner, the university. On behalf of the university, the company enters into rental agreements with students and pursues rent arrears. It collects the rent and passes it on to the university after receiving a commission. The types of activity that could lead to a “joint controller” relationship include the following: Facebook and Page administrators process the personal data collected by cookies for various (but closely related) purposes. Some controllers may be subject to a legal obligation to collect and process personal data. Under Article 6(2) of the Data Protection Act 2018, if an organisation is subject to such an obligation and processes personal data in order to comply with it, it is classified as a controller. The guidelines stress that joint responsibility is not synonymous with equal responsibility. The degree of responsibility is assessed in the light of all the relevant circumstances of the individual case and in relation to each processing operation carried out.

In this hypothetical example, three companies decide to conduct a study on workplace stress among their employees. Employees of each company can participate in a survey, and the data is combined in a single report. Under the GDPR, the ICO and other supervisory authorities can take action against processors and controllers for infringements. There are also specific requirements for joint controllers under the GDPR. The ICO has provided guidance on joint controllers and noted that parties will not be joint controllers if they process the same data but for different purposes. It provided a checklist of potential indicators of joint controllership. In 2018, a case before the Court of Justice of the European Union (CJEU) concluded that Facebook was a joint controller with Facebook page administrators when they used Facebook's “Page Insights” tool. The EDPS recently published its “Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725”. Although Regulation 2018/1725 applies specifically to the EU institutions, it contains an almost identical provision on joint controllers, focusing on the crucial element of the parties “jointly determining the purposes and means of the processing”. The EDPS guidelines provide useful guidance. The EDPS notes that joint determination may arise where each controller has the possibility to determine the “purposes and essential elements” of the processing operations, which could be the case, for example, simply by concluding an agreement on those elements.

However, for joint controllership to arise, the purposes and means of the processing operations must be determined jointly. The EDPS also relied on the reasoning of the fan page case and noted that, while having access only to anonymised data does not rule out joint controllership, it will be relevant in determining the degree of responsibility. The controller is responsible for compliance with the GDPR, in particular the requirements of Articles 24 and 25. This includes implementing and demonstrating technical and organisational measures that give effect to the principles of the GDPR, including data minimisation, purpose limitation and storage limitation. This requires taking into account the scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons. A processor may be a natural or legal person, public authority, agency or other body that processes data in accordance with the controller's instructions. These instructions usually take the form of a data processing addendum, which may still leave the processor some discretion in determining certain aspects of the processing. The agreement must specify “the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller”.

At the end of the contract, the processor is often required to delete or return all personal data to the controller. The processor must also be able to demonstrate its GDPR compliance to the controller. Joint controllers must allocate their GDPR compliance responsibilities “transparently” through a “joint controller agreement”. The “essence” of this agreement must be made available to data subjects. Not all service providers who process personal data in the course of providing a service are “processors” within the meaning of the GDPR. The Guidelines emphasise that the role of processor derives from the specific activities in a particular context and not from the nature of the entity, and that where a service is not specifically aimed at processing personal data, or where such processing is not a key element of the service, the service provider may be able to determine the purposes and means of that processing independently. In that case, the service provider should be regarded as a separate controller rather than as a processor. The key terms defined by the European Data Protection Board concern what it means to determine the “purposes and means” of data processing. Article 26(1) provides that joint controllers must determine and agree, in a transparent manner, their respective responsibilities for compliance. This includes the obligation to provide information to data subjects in accordance with Articles 13 and 14 and to respond to data subject requests.