Companies often need help understanding the concept of a joint controller, since their compliance approach generally focuses on the bilateral controller/processor relationship.
This is an opportunity to take stock of this complex concept, introduced by Regulation (EU) 2016/679 of 27 April 2016 on the protection of personal data (the “GDPR”).
Definition of terms
The GDPR distinguishes three legal qualifications: the data controller, the data processor, and joint controllers.
The data controller is the entity (usually the company or the administration) that decides on the key elements of a data processing operation: it determines the purposes pursued, i.e., the objective, “why” this processing is to be carried out, as well as the means devoted to it, i.e. “how” the processing is carried out.
The data processor, within the meaning of Article 28 of the GDPR, is the third party (often a service provider) appointed by the data controller to carry out, on the controller’s behalf, all or part of the processing that the controller has defined (collection, analysis, storage, transmission, archiving, etc.). In particular, the data controller must ensure that it uses services, platforms, and systems that comply with the requirements of the regulation, and the service providers acting as its processors (subcontractors) are bound to it by contract to respect the data protection principles.
Joint controllers are the entities that jointly determine the purposes and means of a processing operation. In other words, several entities hold the role of controller for the same processing. Article 26 of the GDPR requires them to determine together, in a “transparent” manner, their respective obligations for ensuring that the processing concerned complies with the GDPR. For example, the prior information to be given to data subjects (Art. 13 or 14 of the GDPR) and the designation of a contact point for the exercise of individuals’ rights are essential points in this respect.
The necessary legal qualification of the actors in a personal data processing
The legal qualification of the actors is an essential preliminary step in the contracting phase: only once it is settled can the rights and obligations of the parties be allocated.
It is advisable to qualify the parties under the GDPR independently of any contractual qualification that may already exist (client, principal, service provider, subcontractor, etc.). The qualification of the parties is based on operational and factual elements: it is an in-depth exercise that requires a careful analysis of the role of each party in determining the purposes and means of the processing.
In 2020, the EDPB published an updated version of its guidelines on the concepts of controller and processor, proposing an analysis grid for qualifying parties as either data controllers (or joint controllers) or data processors that takes into account, among other things:
- The level of instruction given by the client to the service provider: how much autonomy does the service provider have in carrying out the service?
- The level of control by the client over the execution of the service: what is the degree of “supervision” of the service by the client?
- The added value provided by the service provider: does the provider have in-depth expertise in the field?
- The degree of transparency about the use of a service provider: is the service provider’s identity known to the data subjects who use the client’s services?
The qualification of joint controllers is often more challenging. In short, as soon as a partner participates in determining the purposes of a processing operation and/or determines all or part of the “structuring” means of a processing operation (choice of categories of data collected, determination of data deletion periods, determination of data recipients, etc.), as opposed to purely “technical” means (choice of infrastructure and software, determination of security devices and procedures, etc.), it will probably be qualified as a joint controller of the processing of personal data.
For instance: three entities, a travel agency, a hotel chain, and an airline, create a centralized online booking service. The service optimizes their commercial reach and offers customers a bundled package of the services the three provide. These three entities agree on the modalities of data collection, reservation management, customer transfer, and data storage. Since they jointly determine the purposes and means of these processing operations, they will be qualified as joint controllers, and the contract will have to reflect precisely the data flows and describe the areas of technical and organizational responsibility between these three entities.
For another illustration, this time drawn from European case law, note that in its decision of 5 June 2018 in case C-210/16, the CJEU held the administrator of a Facebook page and Facebook to be joint controllers for the data collected from that page. As the publisher, Facebook remains primarily responsible for collecting data via the social network. Nevertheless, the Facebook page is set up by its administrator, who can “personalize” the social network statistics according to criteria they determine. The administrator therefore takes the initiative in collecting data and determines the categories of data collected.
However, the qualification work is often more complex in practice, especially in the following situations: management mandates, insurance intermediation, commercial distribution, expert platforms, commercial partnerships, company groups, etc.
For each situation, and in case of doubt, one should always (i) carry out an analysis in concreto, processing operation by processing operation, and (ii) look at it from the point of view of the data subject.
Contractual management impacts of the GDPR
The legal qualification of the actors has an impact on the contractual management of the GDPR. When a company updates its standard contracts to comply with GDPR obligations, the contract will need to include different clauses depending on the legal qualification retained, i.e., at least three clauses:
- A clause in which the data controller uses a data processor
- A clause in which both parties are joint controllers
- A clause in which both parties are separate data controllers, i.e., each party processes data on its own behalf, without either processing data on behalf of the other
In the context of the relationship between joint controllers, particular attention should be paid to defining the obligations of each actor and the resulting responsibilities, in particular regarding the operation of the application, the notification of security incidents leading to a personal data breach, the information of data subjects (or even the collection of consent), and the handling of requests by data subjects to exercise their rights.
It should be remembered that Article 82 of the GDPR provides that joint controllers are jointly and severally liable for damage caused by a breach of the GDPR. This joint and several liability requires sound contractual management so that a recourse action can effectively be brought between the parties, whoever they may be.
It is therefore clear how important the qualification work described above is: the contractual commitments, and the areas of responsibility that may be invoked in the event of non-compliance with the regulations, necessarily follow from this analysis, which must reflect the actual participation of each party in the data processing they implement.