Joint controllership according to the EDPB (Guidelines 07/2020 on the concepts of controller and processor in the GDPR adopted on 2 September 2020)

The qualification as joint controllers may arise where more than one actor is involved in the processing. This qualification will mainly have consequences in terms of allocation of obligations for compliance with data protection rules and in particular with respect to the rights of individuals.


Qualification:

Joint participation in the determination of purposes and means implies that more than one entity has a decisive influence over whether and how the processing takes place. In practice, joint participation can take several different forms. For example, it can take the form of a common decision taken by two or more entities, or result from converging decisions by two or more entities regarding the purposes and essential means.

The situation of joint participation through converging decisions results more particularly from the case law of the CJEU on the concept of joint controllers. Decisions can be considered as converging on purposes and means if they complement each other and are necessary for the processing to take place, in such a manner that they have a tangible impact on the determination of the purposes and means of the processing. As such, an important criterion to identify converging decisions in this context is whether the processing would not be possible without both parties' participation, in the sense that the processing by each party is inseparable, i.e. inextricably linked.

The fact that one of the parties does not have access to personal data processed is not sufficient to exclude joint controllership.

For example, in Jehovah's Witnesses (C-25/17, ECLI:EU:C:2018:551), the CJEU considered that a religious community must be considered a controller, jointly with its preaching members, of the processing of personal data carried out in the context of door-to-door preaching. The CJEU considered it irrelevant whether the community had access to the data in question or had given its members written instructions in relation to the data processing. The community participated in the determination of purposes and means by organising and coordinating the activities of its members. In addition, the community had knowledge, on a general level, of the fact that such processing was carried out in order to spread its faith.

The existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, the CJEU has clarified that those operators may be involved at different stages of that processing and to different degrees so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.

Joint controllership exists when entities involved in the same processing operation process such data for jointly defined purposes. This will be the case if the entities involved process the data for the same, or common, purposes.

When the entities do not have the same purpose for the processing, joint controllership may also, in light of the CJEU case law, be established when the entities involved pursue purposes which are closely linked or complementary. Such may be the case, for example, when there is a mutual benefit arising from the same processing operation, provided that each of the entities involved participates in the determination of the purposes and means of the relevant processing operation.

In Fashion ID, for example (Judgment in Fashion ID, C-40/17, ECLI:EU:C:2019:629, paragraph 80), the CJEU clarified that a website operator participates in the determination of the purposes (and means) of the processing by embedding a social plug-in on its website in order to optimise the publicity of its goods by making them more visible on the social network. The CJEU considered that the processing operations at issue were performed in the economic interests of both the website operator and the provider of the social plug-in.

Likewise, as noted by the CJEU in Wirtschaftsakademie (C-210/16, ECLI:EU:C:2018:388, paragraphs 34 and 39), the processing of personal data through statistics on visitors to a fan page is intended to enable Facebook to improve its system of advertising transmitted via its network and to enable the administrator of the fan page to obtain statistics to manage the promotion of its activity. Each entity in this case pursues its own interest, but both parties participate in the determination of the purposes (and means) of the processing of personal data relating to the visitors of the fan page.

Furthermore, the choice made by an entity to use, for its own purposes, a tool or other system developed by another entity and allowing the processing of personal data will likely amount to a joint decision on the means of that processing by those entities. This follows from the Fashion ID case, where the CJEU concluded that, by embedding on its website the Facebook Like button made available by Facebook to website operators, Fashion ID had exerted a decisive influence in respect of the operations involving the collection and transmission of the personal data of the visitors of its website to Facebook, and had thus jointly determined with Facebook the means of that processing (C-40/17, ECLI:EU:C:2019:629, paragraphs 77-79).

The CJEU held in Wirtschaftsakademie that the administrator of a fan page hosted on Facebook, by defining parameters based on its target audience and the objectives of managing and promoting its activities, must be regarded as taking part in the determination of the means of the processing of personal data related to the visitors of its fan page.

It is important to underline that the use of a common data processing system or infrastructure will not in all cases lead to qualifying the parties involved as joint controllers, in particular where the processing they carry out is separable and could be performed by one party without intervention from the other, or where the provider is a processor in the absence of any purpose of its own (the existence of a mere commercial benefit for the parties involved is not sufficient to qualify as a purpose of processing).

Examples (provided by the EDPB) of situations where there is joint controllership:

Travel agency

A travel agency sends personal data of its customers to the airline and a chain of hotels, with a view to making reservations for a travel package. The travel agency issues the travel documents and vouchers for its customers. Each of the actors processes the data for carrying out their own activities and using their own means. In this case, the travel agency, the airline and the hotel are three different data controllers processing the data for their own purposes and there is no joint controllership.

If the travel agency, the hotel chain and the airline then decide to participate jointly in setting up an internet-based common platform for the common purpose of providing package travel deals, they will be joint controllers if they agree on the essential means to be used, such as which data will be stored, how reservations will be allocated and confirmed, and who can have access to the information stored.

Research project by institutes

Several research institutes decide to participate in a specific joint research project and to use to that end the existing platform of one of the institutes involved in the project. Each institute feeds personal data it holds into the platform for the purpose of the joint research and uses the data provided by others through the platform for carrying out the research. In this case, all institutes qualify as joint controllers.

Each of the institutes however is a separate controller for any other processing that may be carried out outside the platform for their respective purposes.

Marketing operation

Companies A and B have launched a co-branded product C and wish to organise an event to promote this product. To that end, they decide to share data from their respective clients and prospects database and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered as joint controllers.

Clinical Trials

A health care provider (the investigator) and a university (the sponsor) decide to launch together a clinical trial with the same purpose. They collaborate on the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant), etc.). They may be considered as joint controllers for this clinical trial, as they jointly determine and agree on the same purpose and the essential means of the processing. In the event that the investigator does not participate in the drafting of the protocol (it merely accepts the protocol already drawn up by the sponsor), and the protocol is designed by the sponsor alone, the investigator should be considered as a processor and the sponsor as the controller for this clinical trial.

Headhunters

Company X helps Company Y in recruiting new staff with its well-known value-added service "global matchz". Company X looks for suitable candidates both among the CVs received directly by Company Y and among those it already has in its own database. That database is created and managed by Company X on its own. This ensures that Company X enhances the matching between job offers and job seekers, thus increasing its revenues. Even though they have not formally taken a decision together, Companies X and Y jointly participate in the processing with the purpose of finding suitable candidates, based on converging decisions: the decision of Company X to create and manage the "global matchz" service, and the decision of Company Y to enrich the database with the CVs it directly receives. Such decisions complement each other, are inseparable and are necessary for the processing of finding suitable candidates to take place. Therefore, in this particular case they should be considered as joint controllers of such processing.

However, Company X is the sole controller of the processing necessary to manage its database and Company Y is the sole controller of the subsequent hiring processing for its own purpose (organisation of interviews, conclusion of the contract and management of HR data).


Examples (provided by the EDPB) of situations where there is no joint controllership:

Transmission of employee data to tax authorities

A company collects and processes personal data of its employees with the purpose of managing salaries, health insurance, etc. A law imposes an obligation on the company to send all data concerning salaries to the tax authorities, with a view to reinforcing fiscal control. In this case, even though both the company and the tax authorities process the same data concerning salaries, the lack of jointly determined purposes and means with regard to this data processing results in the two entities being qualified as two separate data controllers.

Marketing operations in a group of companies using a shared database

A group of companies uses the same database for the management of clients and prospects. This database is hosted on the servers of the parent company, which is therefore a processor for the group companies with respect to the storage of the data. Each entity of the group enters the data of its own clients and prospects and processes such data for its own purposes only. Also, each entity decides independently on the access, the retention periods, and the correction or deletion of its clients' and prospects' data. They cannot access or use each other's data. The mere fact that these companies use a shared group database does not as such entail joint controllership. Under these circumstances, each company is thus a separate controller.

Independent controllers when using a shared infrastructure

Company XYZ hosts a database and makes it available to other companies to process and host personal data about their employees. Company XYZ is a processor in relation to the processing and storage of the other companies' employee data, as these operations are performed on behalf of and according to the instructions of those other companies. In addition, the other companies process the data without any involvement from Company XYZ and for purposes which are not in any way shared by Company XYZ.

Statistical analysis for a task of public interest

A public authority A has the legal task of producing relevant analysis and statistics on how the country's employment rate develops. To do that, many other public entities are legally bound to disclose specific data to Authority A. Authority A decides to use a specific system to process the data, including its collection. This also means that the other public entities are obliged to use that system for their disclosure of data. In this case, without prejudice to any attribution of roles by law, Authority A will be the only controller of the processing.

Of course, the other public entities, as controllers for their own processing activities, are responsible for ensuring the accuracy of the data they previously processed, which they then disclose to Authority A.

Consequences of the qualification of joint controllers

Article 26(1) of the GDPR provides that joint controllers shall in a transparent manner determine and agree on their respective responsibilities for compliance with the obligations under the GDPR. The determination of their respective responsibilities must in particular concern the exercise of data subjects’ rights and the duties to provide information.

It is clear from this provision that joint controllers need to define who will respectively be in charge of responding to requests when data subjects exercise the rights granted to them by the GDPR, and of providing information to them as required by Articles 13 and 14 of the GDPR. However, the use of the words "in particular" indicates that the list of obligations subject to the allocation of responsibilities between the parties involved, as referred to in this provision, is non-exhaustive.

The arrangement should therefore also define the responsibilities concerning:

  • Implementation of general data protection principles (Article 5)
  • Legal basis of the processing (Article 6)
  • Security measures (Article 32)
  • Notification of a personal data breach to the supervisory authority and to the data subject (Articles 33 and 34)
  • Data Protection Impact Assessments (Articles 35 and 36)
  • The use of a processor (Article 28)
  • Transfers of data to third countries (Chapter V)
  • Organisation of contact with data subjects and supervisory authorities

The EDPB recommends documenting the relevant factors and the internal analysis carried out in order to allocate the different obligations. This analysis is part of the documentation under the accountability principle.

Each joint controller has the duty to ensure that:

  • they have a legal basis for the processing
  • the data are not further processed in a manner that is incompatible with the purposes for which they were originally collected by the controller sharing the data
  • they maintain a record of processing activities
  • they have appointed a Data Protection Officer (DPO) if the conditions of Article 37(1) are met.


The contract:

Article 26(1) of the GDPR provides as an obligation for joint controllers that they should determine their respective responsibilities “by means of an arrangement between them”.

The EDPB recommends that such an arrangement be made in the form of a binding document, such as a contract or other legally binding act under EU or Member State law to which the controllers are subject. The use of a contract or other legal act will allow joint controllers to demonstrate that they comply with the obligations imposed upon them by the GDPR.

The EDPB recommends that the arrangement also provide general information on the joint processing, notably by specifying the subject matter and purpose of the processing, the type of personal data, and the categories of data subjects.

The joint controllers must therefore organise and agree on how and by whom the information will be provided and how and by whom the answers to the data subject’s requests will be provided.

Irrespective of the content of the arrangement on this specific point, the data subject may contact either of the joint controllers to exercise his or her rights.

The obligation to make the essence of the arrangement available to data subjects is important in case of joint controllership in order for the data subject to know which of the controllers is responsible for what.

The EDPB recommends that the essence cover at least all the elements of the information referred to in Articles 13 and 14 that should already be accessible to the data subject, and for each of these elements, the arrangement should specify which joint controller is responsible for ensuring compliance with these elements. The essence of the arrangement must also indicate the contact point, if designated.

The way such information shall be made available to the data subject is not specified. Article 26 does not indicate that the availability should be "upon request" nor "publicly available by way of appropriate means". Therefore, it is up to the joint controllers to decide the most effective way to make the essence of the arrangement available to the data subjects (e.g. together with the information under Article 13 or 14, in the privacy policy, or upon request to the data protection officer, if any, or to the contact point that may have been designated). Joint controllers should each ensure that the information is provided in a consistent manner.

Last but not least, the joint controllers should set out in the arrangement the way they will communicate with the competent supervisory authorities.

Charlotte GALICHET

Extracts and synthesis of the EDPB guidelines on the concepts of controller, processor and joint controllers
