Context:
The GDPR recognises that there will be situations where there are 2 or more ‘joint’ controllers. All controllers have a responsibility to ensure that the requirements of GDPR are delivered. Where this situation exists the regulation requires that arrangements are transparent and made available to the data subject.
Considerations:
All of the requirements that apply to a single controller also apply to joint controllers. The themes of transparency, accountability and individual rights continue to apply.
Additionally, the GDPR introduces the requirement to have the responsibilities and agreements between controllers documented in some form of contract.
It should also be noted that the GDPR states that all controllers have joint liability where legal or compensatory matters are concerned.
How to:
Implement the following systems and processes to ensure that the respective positions of each controller are defined:
- Make available to data subjects, in a transparent manner, a description of the responsibilities of each controller
- Reaffirm that each controller recognises and supports the rights of data subjects as defined under GDPR
- Document agreements and responsibilities in a contract
- Make available the contact details of both controllers and who the main contacts are
- Identify the main establishment of the group of controllers. This is the main location or country that governs overall operations
- Allocate responsibilities for reporting to and being the contact for the Supervisory Authority
Common Scenarios:
Organisations partner to offer technical and professional services
- Begin by documenting what each controller is responsible for and make this available in a transparent manner to those individuals whose personal information is being processed. Establish contacts and reporting mechanisms so that communications with the supervisory authority can be effectively maintained.
A data breach occurs
- All controllers are responsible. The supervisory authority should be notified in the appropriate way at the correct time. All controllers should support the rights of the individuals whose data has been compromised.
References:
- GDPR Recitals: 36, 37, 79, 146, 61
- GDPR Articles: 26