The European Data Protection Board (EDPB) has published guidelines on the concepts of controller, processor and joint controller under the General Data Protection Regulation (GDPR). These new guidelines not only replace the guidance on the same concepts published by the Article 29 Working Party in 2010, but also broaden the scope of joint controllership.
What is a joint controller?
Article 26(1) of the GDPR provides that where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. Joint controllers therefore decide the purposes and means of processing together (i.e. they share the same purposes). Controllers will not be joint controllers if they are processing the same data for different purposes.
What does the new guidance say?
The guidelines, drawing on recent rulings of the European Court of Justice (ECJ), make three distinguishing points on the concept of joint controllers, namely:
1. Access to personal data
The EDPB make clear that the fact that one of the entities involved in the processing operation does not have access to the personal data being processed is not sufficient to exclude joint controllership.
The EDPB provide an example in the Jehovah’s Witness case, where the ECJ ruled that it was not necessary that the community involved had access to the data in question. Rather, the community’s participation in the determination of purposes to achieve the underlying objective, as well as their awareness of processing being carried out, was enough to establish joint controllership.
2. Joint responsibility vs. equal responsibility
The guidelines note that joint responsibility does not necessarily imply equal responsibility of the various entities involved in the processing of personal data. Using the Fashion ID case as an example, the EDPB recognise that entities may be involved at different stages of processing and to various degrees. Therefore, when assessing responsibility, processing must be assessed with regard to all of the circumstances of the particular scenario.
The website operator that incorporated Facebook’s ‘Like’ button on its website was found to be jointly responsible for the collection and transmission of an end user’s personal data to Facebook, but was not jointly responsible for what Facebook did with that personal data.
3. Jointly determined purpose
The guidelines further extend the definition of joint controller in respect of jointly determined purposes. The guidelines establish that even where the entities involved do not pursue the same or a common purpose of processing, joint controllership may be established when they pursue purposes which are closely linked or complementary (i.e. when there is a mutual benefit arising from the same processing operation).
This was the case in Wirtschaftsakademie, where the processing of personal data through statistics of visitors to a Facebook fan page allowed both parties to pursue their own interests whilst participating in the determination of the purposes (and means) of the processing of personal data.
Points to note
The guidelines provide some useful clarity on the application of this broadened concept of joint controller, at the same time noting key decisions made by the ECJ. They remain open for consultation and feedback until 19 October 2020.