Article 26 – joint controller agreement

What is a joint controller agreement?

A Joint Controller Agreement is a legal arrangement established between two or more data controllers who jointly determine the purposes and means of the processing of personal data. It clarifies the respective roles, responsibilities, and obligations of each data controller in relation to the processing activities they jointly undertake.

When multiple entities share decision-making authority over personal data processing, they are considered joint controllers under the GDPR. This commonly occurs when two or more organizations collaborate on a project or jointly provide services that involve processing personal data.

Georgine Berger

“A typical example where a joint controller agreement is needed is where two or more parties organize an event together. One controller might be responsible for the marketing, another controller might be responsible for the execution.”

What does the Joint Controller Agreement outline?

The Joint Controller Agreement includes:

  • who fulfills which obligations under the GDPR, in particular who is responsible for handling the exercise of data subject rights
  • who fulfills which information obligations under Art. 13 and 14

In addition, the Joint Controller Agreement must be set out in a transparent form.

Sebastian Riedlmair

“The Joint Controller Agreement helps ensure that all parties involved in joint data processing activities have a clear understanding of their responsibilities and work together in compliance with data protection laws.”

Difference between a Joint Controller agreement and a processor agreement

A Joint Controller Agreement and a Processor Agreement are both legal agreements that govern the processing of personal data, but they differ in their purpose and the roles of the parties involved.

A Joint Controller Agreement is a legal arrangement between two or more data controllers who jointly determine the purposes and means of data processing. Each controller has shared decision-making authority and specific obligations under the agreement.

A Processor Agreement, on the other hand, is a legal contract between a data controller and a data processor, where the processor acts as a service provider processing data on behalf of the controller. The agreement outlines the responsibilities and obligations of the processor, who follows the instructions of the controller.

In summary, a Processor Agreement governs the relationship between a data controller and a data processor, while a Joint Controller Agreement governs the collaboration and shared responsibilities between multiple data controllers.

Peter Harlander

“The role of a processor is quite similar to an employee. The processor is bound by instructions, has to return data and may not bring third parties on board, unless it has the explicit consent of the controller.”

FAQs

When do I need a joint controller agreement?

Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers and must conclude a joint controller agreement.

What are the “purposes and means” of the processing activities?

The purposes are the reasons why personal data is being processed. Determining them means specifying the intended goals, objectives, or reasons for which the data is collected and processed. The GDPR emphasizes that every processing of personal data must have one or more specific purposes. Organizations must clearly define, and communicate to individuals (data subjects), the specific purposes for which they are collecting and using personal data.

The means of processing are the methods, techniques, and operations used to carry out the processing of personal data. They cover the procedures and actions employed to collect, store, transmit, analyze, or otherwise manipulate personal data.

Can several parties be controllers under the GDPR?

Yes. Where several parties are considered controllers of the same processing operations, they are joint controllers under the GDPR.

What are the different options in terms of the design of the agreement?

The joint controller agreement must duly reflect the roles and relationships of the joint controllers towards the data subjects. In this respect there are two different ways to distribute roles and responsibilities: the joint controllers can agree that all of them are responsible for all processing activities, or that each joint controller is responsible for one or more specific processing operations. For example, if two joint controllers cooperate on an event, it can be agreed either that both are responsible for all processing activities, or that one controller is responsible for the processing for marketing purposes and the other controller is responsible for the processing relating to the organization of the event.

However, irrespective of the terms of the agreement, the data subject may exercise his or her rights under the GDPR in respect of and against each of the controllers. That means that the agreement between the joint controllers only has effect between the joint controllers themselves and none vis-à-vis the data subjects.

What points of the joint controller agreement need to be communicated to the data subject?

The essence of the joint controller agreement must be made available to the data subject in a way that gives the data subject access to this information (e.g. on the controllers' website).

The controllers must provide all information that is relevant and necessary for the data subject to exercise his or her rights under the GDPR. This includes a truthful description of the processing situation and the agreed distribution of responsibilities. However, it is not necessary to provide the entire content of the agreement, such as commercial terms, internal liability arrangements and other confidential information.

What needs to be done with the data if the joint controller agreement is dissolved?

The Joint Controller Agreement should contain detailed provisions on whether, to what extent and for what purposes personal data may be further processed after dissolution. The joint controller agreement must also specify which controller will be responsible for data subject requests after the joint controller agreement has been dissolved.

Who among the joint controllers is responsible for requests by the data subject?

Irrespective of the terms of the joint controller arrangement, the data subject may exercise his or her rights under the GDPR in respect of and against each of the controllers. That means that each joint controller is responsible for requests by the data subject.

What happens if I don’t have a joint controller agreement?

A joint controller relationship does not depend on the conclusion of an explicit joint controller agreement. The mere factual existence of the parties' roles as joint controllers gives rise to the obligation to conclude such an agreement.

A breach of the obligation to conclude a joint controller agreement can result in an administrative fine of up to €10 million or 2% of the company’s global annual revenue of the previous financial year, whichever is higher.

In addition, according to Article 77 of the GDPR, the data subject has the right to lodge a complaint with a supervisory authority if there is no joint controller agreement, if the joint controller agreement does not fulfill the legal requirements, or if the data subject cannot access the essential content of the joint controller agreement.

The data subject may also bring a lawsuit under Article 79 of the GDPR if he or she considers that his or her rights have been violated.

In the case of material or immaterial damage resulting from a violation of the right to information, the data subject is also entitled to compensation.

The joint controllers are jointly liable.

Can the joint controller agreement be concluded orally?

Yes, unlike the Processor Agreement, the Joint Controller Agreement can be concluded orally. However, for purposes of proof it is recommended to put the agreement in writing. Moreover, the transparency requirement and the disclosure obligations towards the data subject cannot be fulfilled with a merely oral agreement.


Who We Are

Savvy humans - good to know

Mariella Stubhan

Co-Founder/CEO

Georgine specializes in data protection law and the law relating to new technologies. She studied law at the University of Salzburg and at the University of the Pacific, McGeorge School of Law (California).

Peter Harlander

Co-Founder/CEO

Peter Harlander is a registered attorney in both Austria and Germany. He has dedicated his professional career as a lawyer for 20 years entirely to the legal aspects of data protection, IT, the internet, and marketing.

Sebastian Riedlmair

Co-Founder/CEO

Sebastian Riedlmair specializes in various legal areas, including data protection law and the legal implications of new technologies. As a data protection attorney he brings a wealth of legal expertise to our team.

Matthias Redl

Co-Founder/CEO

Matthias is an experienced software architect and CEO of legal web GmbH, a company that implements a legally compliant CMP. His expertise supports us in the areas of software architecture and development with regard to compliance and the implementation of legal requirements.
