On occasion, two or more entities (e.g. commercial companies) cooperate in order to achieve a common purpose. This situation is frequently observed in different contexts of daily life. As a mere example, an airline that wants to promote a new destination may contract services from several hotels in order to provide lodging for its clients. In such a case, the clients’ personal data is collected by the airline company and by the hotels as well, which means that both entities act together for the purposes of their clients’ data processing.
Under the General Data Protection Regulation (GDPR), in particular in light of Art. 26, Sec. 1, the EU legislator has introduced the concept of joint controllers. As stated by the aforementioned article, «Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers». On these terms, the concept of joint controllers is fulfilled whenever the following elements are observed:
- Each entity is a controller in the sense given by Art. 4, Sec. 7 GDPR;
- The entities share the purposes and the means, i.e., they act together for a specific purpose;
- The entities (jointly) determine the purposes and means of processing.
The first criterion requires that each entity can be qualified as an individual controller in its own right. This implies that the entities fall within the scope of application of the GDPR and that each one of them has to fulfil the data protection obligations.
The second requirement follows from the nature of the relationship. If the purposes and the means are not shared, any cooperation that involves data exchange between entities should be considered a transfer of personal data between individual controllers. That is the case when a travel agency, for example, sends personal data of its clients to a chain of hotels and airlines in order to make reservations for a travel package. The hotels and the airlines confirm their availability for the travel agency’s request and the latter issues the travel documents for its customers. In such a case, there are three different data controllers, each subject to data protection obligations relating to its own processing of personal data. However, when they share the same means or infrastructure to pursue their common purposes, they should be considered joint controllers. Consider the following example: a French bank and a recruitment agency have established a contract to recruit new professionals for the bank. The recruitment agency is responsible for publicizing the offer and conducting the first selection interviews. At the end of this process, the recruitment agency should present 50 candidates to the French bank, which will conduct the final job interviews. In this example, the French bank and the recruitment agency are joint controllers, since they act together, sharing a specific purpose.
Nevertheless, the aforementioned article sets another requirement: the purposes and the means of the data processing should be jointly determined between the entities. As noted by the Article 29 Data Protection Working Party, «in the context of joint control, the participation of the parties to the joint determination may take different forms and does not need to be equally shared». The spectrum of relations between entities can be quite broad. Sometimes they might have a close relationship, in which they share all purposes and means of data processing; or they might have a loose relationship, in which they only share a small percentage of the purposes and the means. In this respect, joint control will arise when different entities determine, with regard to specific processing operations, either the purpose or the essential elements of the means that characterise a controller.
According to Rec. 79 GDPR, the responsibility and liability of controllers and processors require a clear allocation of responsibilities, including where a controller determines the purposes and means of the processing jointly with other controllers. This idea is reinforced by Art. 26 Sec. 1 Phrase 2 GDPR, which asserts that joint controllers should determine their respective responsibilities under the GDPR in a transparent manner, in particular as regards who will provide information to the data subject. This should be achieved through an arrangement between the (joint) controllers, in which the responsibility of each for fulfilling which obligations under the GDPR is clearly fixed. In other words, this arrangement should allocate the responsibilities and liabilities of each controller.
As set out in Art. 26 Sec. 2 Phrase 2 GDPR, the essence of this arrangement must be made available, and joint controllers are obligated to provide adequate information to data subjects in a way that allows them to exercise their rights. In order to fulfil this obligation, joint controllers could, for instance, provide detailed information on their website, if the data is being received through that platform, or provide a detailed written form, if the personal data is collected in some other way. However, the obligation to clearly provide information about the allocation of the responsibilities and liabilities of each controller is not the only requirement that they should observe. When the data processing affects minors, the joint controllers must provide information about the processing of their personal data in a way that minors can understand.
Contrary to the previous Directive, under which joint controllers were only liable for the damage related to data they were directly responsible for, under the GDPR each of the joint controllers is fully liable to the data subject in any case. As stated by Art. 26 Sec. 3 GDPR, «the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers». This new approach brought the regime of joint liability to data protection. This aspect is particularly visible in light of Art. 82 Sec. 4 GDPR, which provides that «Where more than one controller or processor, (…), are involved in the same processing and where they are, (…), responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject». This means that data subjects are entitled to act against any of the joint controllers as they wish, even if the controller in question bore minimal responsibility for that damage. As is typical of the regime of joint liability, the controller who paid full compensation for the damage has a right of recourse against the other controller(s) involved in the processing. The right of recourse is provided in Art. 82 Sec. 5 GDPR, which indicates that «Where a controller or processor has, (…), paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage (…)».
Nevertheless, one exception needs to be made. According to Art. 82 Sec. 3, a controller shall be exempt from liability if it proves that it is not in any way responsible for the event that caused the damage. This is why the allocation of responsibilities between joint controllers is so important. Beyond providing useful (and lawful) information to data subjects, the agreement established between joint controllers is necessary when one (or more) of the controllers wants to prove that it is not responsible for the damage. Considering the size of the fines under the GDPR, the allocation of responsibilities and liabilities between joint controllers has economic repercussions that could be avoided by clearly defining the scope of responsibility of each controller.