The EU General Data Protection Regulation (GDPR) defines the conditions and requirements under which enterprises may process personal data, whether as controller or processor.
Whereas solely the controller was subject to legal obligations – and thus sanctions – under the former Data Protection Act of 8 December 1992 (implementing Directive 45/96/CE), the GDPR expressly imposes obligations on both controller and processor, each being liable for complying with its respective duties. Proper assessment and determination of the role of each party involved in personal data processing activities is therefore of primary importance to properly allocate responsibilities.
In light of the growing number of decisions taken by the litigation chamber of the Belgian Data Protection Authority (DPA) and the actual risk of sanctions, enterprises’ liability for privacy practices should definitely not be pushed into the background. For example, the DPA imposed, in May 2020, an administrative fine of 50.000,00 EUR to the operator – and thus the controller – of a social network website.
In today’s digital economy where technologies equal to profit and where (personal) data management is a crucial asset, enterprises collect and process information but also joint forces in such tasks to optimize costs, profits, time, etc. It is well established that personal data processing may – not to say that it usually – involve the intervention of several actors. The controller-processor relationship naturally comes to mind. Practice however reveals that this is far from being the sole existing interaction.
The processor processes personal data on behalf of and under the instruction of the controller, to achieve the latter’s defined purposes. That being said, in many instances, companies involved in personal data processing activities work together to reach a common purpose or, while pursuing their own purpose, they share the processing means and/or the same dataset. In such cases, the companies may act as joint controllers or independent controllers processing separately the same personal data.
Legal literature and guidance have extensively focused on the controller-processor. On the other hand, much less has been written about the interaction between controllers.
Still, the contemporary forms of business are full of situations in which parties dealing with personal data act in a horizontal relationship. Let’s take for example the online platforms connecting restaurants, couriers and consumers such as Uber Eats, Deliveroo or Takeway. These platforms’ operators process their members’ personal data for their own purposes with their own means. They do not act under the instruction of the restaurants while doing so. The restaurants, for their part, process the data accessible on the platform to prepare the consumers’ orders and thus for their own purposes. In such case, are they acting under the instruction of the platform? Are the platforms’ operators and the restaurants joint controllers? Or do they qualify as independent controllers processing separately the same dataset?
The recent publications of the European Data Protection Board (EDPB) allow to answer to these questions. On 2 September 2020, the EDPB adopted the “Guidelines 07/2020 on the concepts of controller and processor in the GDPR”. The EDPB guidelines replace the previous opinion WP169 of the Working Party 29 on the same subject matter. These guidelines aim at providing further clarifications as well as more developed and specific guidance.
The EDPB has dedicated several pages to the relationships between controllers, defining and illustrating among others the concept of joint controllership and the legal consequences thereof.
We summarize below the EDPB guidelines on relationships between data controllers:
Definition of joint controllership. Pursuant to Article 26 of GDPR, “[w]here two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”. The controller being the legal entity determining the purposes and means of the processing, the joint controllership logically refers to the situation where such determination is jointly made by two or more legal entities.
According to the EDPB, the assessment of joint controllership must be carried out on a factual basis rather than being subjected to a formal analysis. In other words, one must consider the actual role played by each party in the determination of the processing purposes (“why” the processing takes place) and means (“how” the processing takes place), as opposed to the formal appointment or designation as joint controller. The joint participation in the aforesaid determination is the “overarching” criterion. It enables to distinguish
- between the joint controller and the processor. Indeed, the processor exclusively processes personal data on behalf of and under the instruction of the controller. Unlike the joint controller, the processor has no say as to the determination of the processing purposes and means;
- between joint controllers and several independent controllers that process the same dataset or that process personal data while simply sharing processing infrastructure.
Assessment of joint participation. The joint participation means that all entities involved have a decisive influence over the determination of the purposes and means of the processing. This can happen
- through a common decision. E.g. two research institutes decide to carry our together a joint research project. Together, they decide to launch an online survey and define the questions to be asked to the potential participants; or
- through converging decisions. The entities’ decisions are converging when “they complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing”. The processing cannot take place without each entity’s participation. They are inseparable and inextricably linked. E.g. company A calls upon the services of company B, which is a headhunter bureau owning and managing its own platform and CVs database. To help company A finding the suitable profiles for open positions, company B processes the data from its database as well as the CVs directly received by company A. Such CVs are being added to company B’s database. Company B’s decision to manage its database and company A’s decision to enrich said database with the CVs it directly receives are converging decisions. They are indeed both necessary to find the suitable profiles for company A. With respect to that specific processing operation, company A and company B are joint controllers.
The joint determination (and thus participation) must also be assessed per specific processing activity and not as a global mechanism that encompasses all processing activities undertaken by a legal entity. In other words, a company can act as joint controller with respect to processing operation 1 and act as independent controller with respect to processing operation 2. In that respect, the EDPB adopts a pragmatic approach by providing quite a lot of examples as well as a flowchart for applying the concepts of controller, processor and joint controller.
One of the most relevant examples provided by the EDPB is the relation between the travel agency, airline and hotel with the view of booking for travel packages:
- Scenario 1: the airline and the hotel confirm to the travel agency the availability of the seats and the hotel rooms. The travel agency issues the travel documents and vouchers to its customers. However, each actor processes the customers’ personal data for their own activities (thus purposes) and using their own means. They are, in that specific situation, acting as independent controllers and not as joint controllers.
- Scenario 2: the travel agency, the airline and the hotel decide jointly to launch a web platform for the common purpose of offering and booking travel package deals. The three actors have a decisive influence on the purpose (i.e. carrying out joint marketing actions) and the mean (i.e. via the web platform) of the processing. They are, for that specific processing operation, joint controllers. They remain however each sole controller for their respective other processing activities outside the web platform.
By analogy, one can conclude that (i) the operators of platform to connect restaurants, couriers and consumers on the one hand and (ii) the restaurants using such platform to deliver meals to consumers on the other hand, act as independent controllers with respect to such specific situation. Indeed, neither party participates to the determination of the purposes and the means of each party’s respective processing activity. The mere fact that the restaurants use the processing infrastructure (thus means) of the platform operator does not challenge that qualification. Furthermore, the transfer of consumers’ data from the platform operator to the restaurants is a transfer between controllers and not from a controller to a processor. Neither party acts on behalf and under the instruction of the other party, in such specific situation.
Consequences of joint controllership. As a principle, the joint controllers must determine and agree on their respective responsibilities with respect to compliance with the GDPR obligations (e.g. regarding the exercise of data subjects’ rights and the provision of mandatory information), in a transparent manner.
The allocation of responsibilities is not limited to the joint controllership. All other obligations imposed upon controllers are to be covered. Accordingly, each joint controller must ensure that it complies therewith.
Unlike the provisions governing the (contractual) relationship between controller and processor, the GDPR does not specify the legal form of the arrangement between joint controllers. The EDPB recommends that the aforesaid arrangement “be made in the form of a binding document such as a contract or other legal binding act under EU or Member State law to which the controllers are subject”.
The arrangement must duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. That means that the essence must be available to the data subjects. These are furthermore entitled to exercise their rights in respect of and against each of the joint controllers, irrespective of the arrangement between them.
Finally, the DPA, as well as any competent supervisory authority, is not bound by the qualification of joint controller, the terms of the joint controllership arrangement or the designated point of contact.
The assessment of the role of the parties involved in processing activities is one of the fundamental steps in implementing compliant privacy policies and practices. The consequences in terms of liabilities and sanctions are far from negligible. We are of course at your disposal to answer any question you may have and assist you with that particularly technical exercise.