Joint controllers of personal data – situations you should bear in mind

At times organizations act together when deciding on purposes and other questions concerning personal data. In order to define who is responsible for compliance with privacy laws, it is necessary to properly define the role of entities in the processing of personal data. The data privacy legislation provides that a  joint controller relationship arises where two or more controllers jointly determine the purposes and means of the processing of personal data. The precise meaning of the joint controllership and the criteria for its correct interpretation should be sufficiently clear. However, there are numerous forms of joint control, so the concept of joint controllers is one of the most complex to implement in practice. The following are situations in which the joint involvement of two or more entities in defining the purposes and means of a data processing operation may seem less obvious or raise questions of interpretation.

Article 26 of the General Data Protection Regulation 2016/679 (GDPR) lays down rules for joint controllers and the essential principles governing their relationship. The criteria and the detailed description are also provided in the European Data Protection Board (EDPB) guidelines and recommendations and Court of Justice of the European Union (CJEU) rulings. As highlighted by the EDPB, joint controllership exists when entities involved in the same processing carry out the processing for jointly defined purposes. For instance, when they process the data for the same or common purposes. When the entities do not have the same purpose for the processing, joint controllership may also be established when the entities involved pursue purposes which are closely linked or complementary.

That may be the case, when  organizations have mutual benefits from the same processing operation, provided that each of the entities are involved in defining the purposes and means of the particular processing operation. Referring to the judgment of the CJEU in Fashion-ID,C-40/17, ECLI:EU:2018:1039, a website operator participates in the determination of the purposes (and means) of the processing by embedding a social plug-in on a website in order to optimize the publicity of its goods by making them more visible on the social network. In this case, the key criterion to conclude that the entities jointly determined the purposes seems to have been that the processing operation commercially benefitted both entities. However, the EDPB clarified that the concept of mutual benefit and economic interest is not definitive and can only be a factor to consider a joint determination of personal data processing purpose. In which circumstances this factor becomes decisive, it must be considered on a case-by-case basis.

In some situations, it may be difficult to formulate a specific purpose for the processing of personal data, so the definition of the purpose may be generalized and summarized, but it may be unclear to what extent The Article 29 Working Party (WP29) in its Opinion 03/2013 on purpose limitation stated that “the purpose of the collection must be clearly and specifically identified, it must be detailed enough to determine what kind of processing is and is not included within the specified purpose”. For these reasons, a purpose that is vague or general, such as 'improving users' experience', 'marketing purposes', 'IT-security purposes' or 'future research' will - without more detail - usually not meet the criteria of being ‘specific’. However, it could bring uncertainty whether the same principles apply in assessing the relationship between joint controllers.

Joint controllership also requires that two or more entities have exerted influence over the means of the processing. This does not mean that for joint controllership to exist, each entity involved needs in all cases to determine all of the means. Indeed, as clarified by the CJEU, different entities may be involved at different stages of that processing and to different degrees depending on who is effectively in a position to do so. It may also be the case that one of the entities involved provides the means of the processing and makes it available for personal data processing activities to other entities. The entity who decides to make use of those means so that personal data can be processed for a particular purpose also participates in the determination of the means of the processing.  

This scenario can notably arise in case of platforms, standardized tools, or other infrastructure allowing the parties to process the same personal data which have been set up in a certain way by one of the parties to be used by others, that can also decide how to set it up. The use of an already existing technical system does not exclude joint controllership when users of the system can decide on the processing of personal data to be performed in this context. As an example of this, the CJEU in Judgment in Wirtschaftsakademie, C-210/16, ECLI:EU:C:2018:388 stated that the administrator of a fan page hosted on Facebook by defining parameters based on its target audience and the objectives of managing and promoting its activities must be regarded as taking part in the determination of the means of the processing of personal data related to the visitors of its fan page.

This ruling should be considered when the organization uses third-party services (chat bots, web analytical tools, social plugins and platforms, like LinkedIn, Facebook, Instagram, etc.), because in all these situations, the organization would be defining the parameters and facilitating the collection of personal data by third parties, so acting as a joint controller. As a result, there has to be a “joint controller arrangement” between the company and the platform. Some platforms, like Facebook and LinkedIn, have prepared joint controller arrangements for company pages. But it is confusing what should be done if the platform does not have such an arrangement prepared.

Different joint controllers may define the means of the processing to a different extent, but it is not stated whether only essential means are meant or whether non-essential means are also considered. The EDPB Guidelines outline that some more practical aspects of the implementation of the processing, such as 'non-essential means' of the processing, can be left to the discretion of the data processor, for example, the choice of a particular type of hardware or software, or the details of the security measures to be implemented. This may raise some questions of interpretation as to the meaning of joint determining of the means of the processing.

To conclude, the concept of joint controllers is not simple, and there can be many doubts and divergent solutions in particular cases, as regards establishing liability, the duty to comply with transparency obligations and individuals’ rights. Consulting a professional would help to assess what is the specific situation and identify appropriate actions to be taken.

“Fondia” is always ready to answer legal questions related to your business. Therefore, we invite you to take the opportunity of a free initial consultation and consult one of our lawyers. You can assign an interview at a time convenient to you by clicking on the here.