This is the first post of the new series “Privacy basics”. As a privacy and data protection consultancy, we know the challenges of this field can be highly complex, but the first step to efficiently tackle them is to understand the core concepts.
The purpose of this blog series is to explain the most important privacy concepts in a simple and engaging manner. Stay tuned: we will continue to publish more bite-size articles in due course.
“Am I a controller?”
How many times do we hear this question? As our Partner Magdalena Goralczyk explained in a previous blog, correctly determining your data protection role matters not only from a compliance perspective. It should take into account your product's future needs for data, and it will largely direct how the product develops.
Controllers determine the purposes and means of the processing of personal data. Essentially, controllers are in charge of the processing activities.
Additionally, the GDPR states that controllers can act either alone or jointly with others.
Multi-controller scenarios, where personal data is shared between several controllers, are highly complex situations that require extra attention and prudence.
A joint-controller relationship exists where two or more controllers determine the purposes and means of the processing together. An important criterion is that the processing would not be possible without both parties' participation, in the sense that the processing carried out by each party is inextricably linked to the other's.
Take the following example:
Companies A and B have launched a co-branded product and wish to organise an event to promote their product. They decide to share data from their respective clients and prospects database and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. These two companies are joint controllers as they decide together on the jointly defined purpose and essential means of the data processing in this context.
Joint controllers have the same obligations as any other controller, with one addition: they are required to conclude an arrangement that governs their respective responsibilities and obligations (Article 26 GDPR). The GDPR does not prescribe the legal form of this arrangement, but for the sake of legal certainty, and in order to ensure transparency and accountability, the EDPB recommends that it take the form of a binding document, such as a contract or another legally binding act.
This arrangement must set out not only the controllers' responsibilities towards each other, but also towards data subjects, and its essence must be made available to them. In addition, irrespective of any clause in the arrangement, data subjects may exercise their data protection rights in respect of and against each of the controllers that are party to it.
Controller-to-controller relationships also involve two or more controllers. Here, however, separate controllers share personal data but each processes it individually, for its own distinct purposes.
Although the members of a controller-to-controller relationship have the same general obligations as any other controller, they are under no statutory obligation to conclude an arrangement between themselves, as joint controllers are.
The joint-controller or controller-to-controller status is revealed by the decision-making process. Where the means and purposes of the data processing activities are decided together, the parties are joint controllers. Where the means and purposes of data processing activities are decided individually, and data is simply shared between controllers, it is a controller-to-controller relationship.
On this point, the EDPB gives the example of a travel agent that sends personal data to airlines and hotels to enable reservations to be made. Each entity processes the data for its own purpose and with its own means, so each is a controller in its own right and there is no joint controllership.
Why does this distinction matter?
When a controller is the sole controller of a processing activity, it alone is responsible for GDPR compliance of that activity.
In joint-controller situations, in order to make data subjects' rights effective, the GDPR allows data subjects to exercise them against any of the controllers. The same logic applies to liability: where several controllers are involved in the same processing and are responsible for damage caused by it, each of them can be held liable for the entire damage (Article 82(4) GDPR), and each can be fined by a supervisory authority for the non-compliant joint processing in its own right.
Being a joint controller therefore significantly increases liability risk, as a controller can be held responsible for the conduct of one of its partners.
A controller that has paid full compensation can afterwards claim back from the other controllers the part corresponding to their share of responsibility for the damage (Article 82(5) GDPR).
A joint controller can escape liability only by proving that it is not in any way responsible for the event giving rise to the damage (Article 82(3) GDPR). Within a jointly determined processing this is difficult to establish, so in practice responsibility is mostly apportioned after the fact, when the controller that paid turns to the others to share the cost.
What can your organisation do to reduce and limit risk?
Multi-controller relationships are complicated situations. Even though an agreement cannot limit the controllers' liability towards data subjects, for the reasons explained above, many other aspects of these relationships benefit from being agreed in writing. To reduce the organisational and financial risks that come with a plurality of controllers, joint-controller arrangements (mandatory) and controller-to-controller agreements (optional, yet advisable) should be put in place.
Dealing with multi-controller scenarios starts with assessing the situation and determining what your organisation's relationship with the other controller is. Once your organisation has defined the relationship (joint controllers or controller-to-controller), it can identify the risks that accompany that type of relationship.
In a joint-controller setup, there is a greater risk of paying for someone else's errors. Important examples of risk are liability for damages, the possibility of fines and reputational harm. The most important tool for mitigating these risks is to allocate responsibilities by way of an arrangement. The arrangement should duly reflect the respective roles, its essence should be made available to data subjects, and it may designate a contact point to facilitate the exercise of data subject rights. For example, if only one of the controllers communicates with the data subjects for the purpose of the joint processing, that controller is likely to be in the best position to inform them and to answer their requests.
P.S. If you need help understanding whether you are a joint controller or a separate controller, we offer face-to-face and online conversations to help you make the right strategic choices.