
Most GDPR obligations are written for a single organization processing somebody's personal data. In some cases, two organizations work together to process the same data. Special "joint controller" rules may apply in this case.
Here's what you need to know about what being joint controllers means under the GDPR, and what joint controllers are required to do.
- 1. What is a Data Controller Under the GDPR?
- 2. What are Joint Controllers Under the GDPR?
- 3. How Do We Manage Being Joint Controllers?
- 4. What are the Legal Consequences of Being Joint Controllers?
- 5. How Do Privacy Policies Work with Joint Controllers?
- 6. Are There Any Restrictions on Joint Controller Agreements?
- 7. Examples of GDPR Joint Controller Agreements
- 8. Summary
What is a Data Controller Under the GDPR?
The data controller is the person or organization that decides what personal data is processed and how it is processed.
A data controller may carry out the processing themselves or get somebody else to do it. What matters is that they make the key decisions about the processing.
This contrasts with a "data processor" who carries out processing on behalf of, and under the instructions of, a data controller.
What are Joint Controllers Under the GDPR?
The GDPR has special rules when "two or more controllers jointly determine the purposes and means of processing" for the same personal data. They are then both known as joint controllers.
Some examples of joint controllers include:
- An airline and a car rental company running a joint website where customers can book flights and cars with one account.
- A social media platform that lets organizations run their own page using data from user accounts.
- A landlord and a property management company that both use a renter's personal data.
The threshold for being joint controllers can feel a little unclear at times, but these are the key principles:
- If two businesses both decide how and why to process the data, they are joint controllers.
- If one business sells personal data to another business to use however it chooses, they are not joint controllers. Instead, they are separate (independent) controllers, each responsible for its own use of the data.
- If one business pays another to process personal data on its behalf and under its instructions, they are not joint controllers. Instead, the first business is the data controller and the second is its data processor.
It is possible to have more than two joint controllers for the same data. What matters is whether each organization helps decide what data to process and how and why to process it.
How Do We Manage Being Joint Controllers?
Joint controllers must reach an agreement dividing up who is responsible for each specific obligation under the GDPR.
These include:
- Providing required information to data subjects (the people the data is about), usually through a Privacy Policy.
- Making it possible for data subjects to exercise their data rights (including handling data access requests).
- Meeting the data controller's obligations under the GDPR, such as having a lawful basis for data processing, securing the data, and dealing with national data regulators.
This differs from the relationship between a data controller and a data processor, where the GDPR itself sets out each side's legal responsibilities rather than leaving the division to the parties.
The GDPR says that the joint controller agreement must be reached "in a transparent manner" and that "the essence of the arrangement shall be made available to the data subject."
This doesn't mean that if you draw up a lengthy legal agreement for your joint controller arrangement you must publish the entire agreement. However, you should publish enough detail that data subjects understand who is responsible for which obligations. In particular, they should know who to contact with any questions, and with requests to access, correct, or delete their data.
A business in Germany was fined for failing to publish a joint controller agreement for data subjects to read.
What are the Legal Consequences of Being Joint Controllers?
Under the GDPR, each of the joint controllers can be held liable for violations regarding the data processing covered by the arrangement. This is the case regardless of how they agree to divide up responsibilities between themselves: the arrangement governs who does what, not who the data subject or regulator can hold accountable.
In other words, if companies A and B agree that company A will take care of securing the data and it fails to do so, company B could still face fines or other penalties for a data breach.
For this reason, companies should only agree to work together in a joint controller situation when they trust one another to follow the rules, and the agreement should spell out concrete obligations rather than vague intentions.
How Do Privacy Policies Work with Joint Controllers?
Joint controllers have several options for handling Privacy Policies. These include:
- Both (or all) controllers publish their own Privacy Policies and then publish a joint controller agreement that details how they work together on data processing.
- Both (or all) controllers publish an identical Privacy Policy that applies only to the situation where they jointly control the processing.
- One controller publishes a Privacy Policy covering the relevant data use and the other controller clearly refers data subjects towards this Privacy Policy.
The first option is usually best. The second or third only makes sense if you process no personal data outside the situation covered by the joint controller agreement, so that a single shared policy describes everything you do.
iRISE mentions the joint controller agreement at the very start of its full Privacy Policy:
It then goes into more detail in a section dedicated to joint controllers:
ZwickRoell's Privacy Policy details a specific joint controller situation and then links to more details:
Dealfront's Privacy Notice also mentions its joint controller agreement and then links to an "Essential Content" summary which covers the key points that data subjects need to know:
Are There Any Restrictions on Joint Controller Agreements?
A joint controller agreement does not remove or restrict any of the data subject's rights. Data subjects can exercise those rights against each of the controllers individually.
As an example, your joint controller agreement may say that company A will handle data access requests. However, the data subject still has the right to ask company B to delete the data it holds about them. Company B must comply with this request in the same way as if it were a single data controller without any joint controller arrangement.
Examples of GDPR Joint Controller Agreements
Here's how several organizations have complied with the GDPR rules on joint controller agreements.
Nogar Group clearly explains which data processing activities come under joint control rather than just one organization. It then explains what this means for data subjects:
Paysera, which provides card payment services, uses a joint controller agreement that directly addresses the data subject. (In this context, the "Coordinator" is Paysera, "Partners" are businesses that use its services, and the data subject is the customer making the payment).
After detailing the effects for data subjects of the joint processing, the agreement links to the full Paysera Privacy Policy:
EIT Food and LfL clearly break down who carries out which processing under their joint control agreement:
They then explain who is responsible for which areas of compliance with the GDPR:
Galperti Group publishes an excerpt of its Joint Controller Agreement. This includes specific details that data subjects need to know:
Globus, a software platform for staffing agencies, has a Joint Controller Agreement with the users of its platform. This includes clear examples of how the two sides will work together to comply with the GDPR:
Summary
Under the GDPR, data controllers decide what data to process and how and why to process it. In some cases, two or more controllers may work together to process the same data in a particular context.
The GDPR covers this situation through "joint controller" rules. These apply where the controllers jointly make the decisions about processing.
Under the GDPR, joint controllers must agree who is responsible for each element of GDPR compliance. They don't have to publish the full agreement but must tell data subjects about the key points. Data subjects can still exercise their rights against either controller, regardless of the agreement.
The best way to highlight the joint controller agreement will depend on its length and the situations in which it applies. Often the best approach is to mention it in each controller's own Privacy Policy, note when the agreement applies, and then link to either the full agreement or a detailed summary.