Key References:

  • GDPR Art. 4(7)
  • GDPR Art. 26
  • Recital 79
  • Relevant Cases: Facebook Fan Pages Case, Jehovah’s Witnesses Case

Joint Controllers

  • Art. 4(7) definition: ‘controller’ means the natural or legal person… which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • Identifying Joint Controllers: Art. 26(1).1 states that “where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers“.
  • Obligations on Joint Controllers:
    1. Art. 26(1) requires that joint controllers must “determine their respective responsibilities for compliance with the obligations under this Regulation” including their duties to data subjects by means of an arrangement between them.
    2. Recital 79 states that joint controllers must have “a clear allocation of the responsibilities under this Regulation” including their responsibilities and liabilities to data subjects and monitoring of their activities by supervisory authorities.
  • Data Subjects’ Rights against Joint Controllers:
    1. Transparency: Art. 26(2) states that the arrangement between joint controllers specifying their respective roles “shall be made available to the data subject”.
    2. Exercising rights: Art. 26(3) states that “the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.”

Cases

  • The CJEU analyzed the concept of joint controllers in two significant cases, the Jehovah’s Witnesses Case and the Facebook Fan Pages Case.
  • In both cases, the Court emphasized that in order to allocate controllership, it is important to look at Art. 4(7) and identify whether each party is determining the ‘purpose and means’ of processing.
    • a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller“. See Jehovah’s Witnesses Case, para. 68.
  • In both cases, the Court held that joint controllers do not need have equal responsibility, and that the level of responsibility for each controller must be determined on case-by-case basis depending on their role in different stages of data processing.
    • Furthermore, the joint responsibility of several actors for the same processing, under that provision, does not require each of them to have access to the personal data concerned“. See Jehovah’s Witnesses Case, para. 69.
  • Finally, the Court held that joint controllership can arise between natural persons, legal persons, and also between a natural and a legal person (i.e. an individual and an organization).