Joint controllership also requires that two or more entities have exerted influence over the means of the processing. This does not mean that for joint controllership to exist, each entity involved needs in all cases to determine all of the means. Indeed, as clarified by the CJEU, different entities may be involved at different stages of that processing and to different degrees depending on who is effectively in a position to do so. It may also be the case that one of the entities involved provides the means of the processing and makes it available for personal data processing activities to other entities. The entity who decides to make use of those means so that personal data can be processed for a particular purpose also participates in the determination of the means of the processing.
This scenario can notably arise in case of platforms, standardized tools, or other infrastructure allowing the parties to process the same personal data which have been set up in a certain way by one of the parties to be used by others, that can also decide how to set it up. The use of an already existing technical system does not exclude joint controllership when users of the system can decide on the processing of personal data to be performed in this context. As an example of this, the CJEU in Judgment in Wirtschaftsakademie, C-210/16, ECLI:EU:C:2018:388 stated that the administrator of a fan page hosted on Facebook by defining parameters based on its target audience and the objectives of managing and promoting its activities must be regarded as taking part in the determination of the means of the processing of personal data related to the visitors of its fan page.
This ruling should be considered when the organization uses third-party services (chat bots, web analytical tools, social plugins and platforms, like LinkedIn, Facebook, Instagram, etc.), because in all these situations, the organization would be defining the parameters and facilitating the collection of personal data by third parties, so acting as a joint controller. As a result, there has to be a “joint controller arrangement” between the company and the platform. Some platforms, like Facebook and LinkedIn, have prepared joint controller arrangements for company pages. But it is confusing what should be done if the platform does not have such an arrangement prepared.
Different joint controllers may define the means of the processing to a different extent, but it is not stated whether only essential means are meant or whether non-essential means are also considered. The EDPB Guidelines outline that some more practical aspects of the implementation of the processing, such as 'non-essential means' of the processing, can be left to the discretion of the data processor, for example, the choice of a particular type of hardware or software, or the details of the security measures to be implemented. This may raise some questions of interpretation as to the meaning of joint determining of the means of the processing.
To conclude, the concept of joint controllers is not simple, and there can be many doubts and divergent solutions in particular cases, as regards establishing liability, the duty to comply with transparency obligations and individuals’ rights. Consulting a professional would help to assess what is the specific situation and identify appropriate actions to be taken.
“Fondia” is always ready to answer legal questions related to your business. Therefore, we invite you to take the opportunity of a free initial consultation and consult one of our lawyers. You can assign an interview at a time convenient to you by clicking on the here.