Article 26-Joint controllers

In the previous article, we read about the controller and their responsibility to uphold the various provisions of the GDPR. In this article, we shall learn about another provision that the GDPR enumerates i.e. of joint controllers. 

For the smooth functioning of an organization, it might be necessary to collaborate or tie up with another entity in order to collect and process data. In such a scenario, the controller can be more than one and shall jointly determine the purpose and means of processing as per Article 26. 

For the controllers to be deemed joint, they shall have a common purpose of processing the data along with a joint method of processing. It is very important to understand that a mere partnership or joint venture shall not make the arrangement to be a joint controllership. The arrangement shall only be a joint controllership when the controllers have a common objective and purpose in relation to the processing. Also, a common database being used by the controllers is an important factor to term the arrangement as a joint controllership. 

An example of a joint controller arrangement is a travel agency collaborating with a hotel and creating a common database of its travellers in order to facilitate the process of hotel bookings. Here, the database is common and the purpose and means of processing is also joint. 

When there are more than one controllers, each of them shall be liable for any kind of data breach that shall possibly occur during the processing of the data. The data subject can hold any one of the controllers liable for any kind of violation of the GDPR.

The joint controllers cannot shirk from any of their obligations that a data controller must comply with and shall through the form of an arrangement decide their duties and responsibilities. This arrangement shall be made available to the data subjects. Irrespective of the arrangement, the data subject can exercise all of its rights as deployed by the GDPR and the data controller cannot contract out of any of its obligations. 

The CJEU has through some of its judgements made the meaning of joint controllers clear and spelt out the implications of this kind of an arrangement. 

References:

https://gdpr.eu

https://www.termsfeed.com

https://ico.org.uk

https://edpb.europa.eu

https://www.arthurcox.com