
The sensitive qualification of joint controller

10 March 2023


The concept of a joint controller is often misunderstood by companies, which generally focus on a bilateral controller/processor approach.

This is an opportunity to take stock of this complex concept, introduced by Regulation (EU) 2016/679 of 27 April 2016 on the protection of personal data (the "GDPR").

Definition of terms

The GDPR distinguishes three legal qualifications: the data controller, the data processor and the joint controllers.

The data controller is the entity (usually the company or the administration) that decides on the key elements of a data processing operation: it determines the purposes pursued, i.e. the objective, “why” this processing is to be carried out, as well as the means devoted to it, i.e. “how” the processing is carried out.

The data processor, within the meaning of Article 28 of the GDPR, is the third party (often a service provider) appointed by the data controller to carry out, on the controller's behalf, all or part of the processing the controller has defined (collection, analysis, storage, transmission, archiving, etc.). In particular, the data controller must ensure that it uses services, platforms and systems that comply with the requirements of the regulation, and the service providers acting as its processors are contractually bound to it to respect the data protection principles.

Joint controllers are the entities that jointly determine the purposes and means of a processing operation. In other words, several entities together hold the role of controller over the same processing. Article 26 of the GDPR requires them to organise among themselves, in a "transparent" manner, the obligations that each of them takes on to ensure that the processing concerned complies with the GDPR. For example, the prior information to be given to data subjects (Art. 13 or 14 of the GDPR) and the designation of a contact point for the exercise of individuals' rights are particularly important points in this respect.

The necessary legal qualification of the actors of a personal data processing

The legal qualification of the actors is an essential preliminary step in the contracting phase, so that the rights and obligations of the parties can be allocated in a second phase.

The parties should be qualified with regard to the GDPR independently of any contractual qualification that may already exist (client, principal, service provider, subcontractor, etc.). The qualification of the parties rests on operational and factual elements: it is an in-depth exercise that requires a careful analysis of the role each party plays in determining the purposes and means of the processing.

In 2020, the EDPB published an updated version of its guidelines on the concepts of controller and processor and proposed an analysis grid for qualifying parties as either data controllers (or joint controllers) or data processors, which takes into account, among other things:

  • The level of instruction given by the client to the service provider: how much autonomy does the service provider have in carrying out the service?
  • The level of control by the client over the execution of the service: what is the degree of “supervision” of the service by the client?
  • The added value provided by the service provider: does the service provider have in-depth expertise in the field?
  • The degree of transparency about the use of a service provider: is the identity of the service provider known to the data subjects who use the client’s services?

The qualification of joint controllers is often less straightforward. In short, as soon as a partner participates in determining the purposes of a processing operation and/or determines all or part of its "essential" means (choice of categories of data collected, determination of data retention periods, determination of data recipients, etc.), as opposed to purely "technical" means (choice of infrastructure and software, determination of security measures and procedures, etc.), it will probably be qualified as a joint controller of the processing of personal data.

For instance: three entities, a travel agency, a hotel chain and an airline, together create a centralised online booking service. The service increases their market reach and bundles customers into a package of services provided by the three of them. These three entities agree on the arrangements for data collection, reservation management, customer transfer and data storage: since they jointly determine the purposes and means of these processing operations, they will be qualified as joint controllers, and the contract will have to reflect the data flows precisely and describe the areas of technical and organisational responsibility between the three entities.

For another illustration, this time drawn from European case law, note that in its decision of 5 June 2018 in case C-210/16, the CJEU held the administrator of a Facebook page and Facebook to be jointly responsible for the data collection carried out from that page. As the publisher, Facebook remains primarily responsible for the data collection carried out via the social network. Nevertheless, the Facebook page is set up by its administrator, who can "personalise" the social network's statistics according to criteria that he or she determines. The administrator therefore takes the initiative in collecting data and determines the categories of data collected.

However, the qualification work is often not so simple in practice, especially in the following situations: management mandates, insurance intermediation, commercial distribution, expert platforms, commercial partnerships, company groups, etc.

For each situation, and in case of doubt, one should always (i) carry out a concrete analysis, processing operation by processing operation, and (ii) look at it from the point of view of the data subject.

Contractual management impacts of the GDPR

The legal qualification of the actors has an impact on the contractual management of the GDPR. When a company updates its standard contracts to comply with its GDPR obligations, the contract will include different clauses depending on the legal qualification retained, i.e. at least three types of clause:

  • A clause in which the data controller uses a data processor
  • A clause in which both parties are joint controllers
  • A clause in which both parties are separate data controllers, i.e. both parties process data on their own behalf, without one processing data on behalf of the other

In the relationship between joint controllers, particular attention should be paid to defining the obligations of each actor and the resulting responsibilities, in particular as regards the operation of the application, the notification of security incidents leading to a personal data breach, the information of data subjects (or even the collection of consent) and the handling of requests from data subjects exercising their rights.

It should be remembered that Article 82 of the GDPR provides that joint controllers are jointly and severally liable for damage caused by a breach of the GDPR. This joint and several liability calls for sound contractual management so that a recourse action between the protagonists, whoever they may be, can be effectively exercised.

This shows how important it is to carry out the qualification work described above: the contractual commitments, and the areas of responsibility that may be invoked in the event of non-compliance with the regulation, will necessarily follow from this analysis, which must reflect the real participation of each party in the data processing it implements.
