The data controller is a central player in data protection regulation. The data controller is the one who determines the purposes and means of data processing and makes substantive decisions about the data processing activities.
However, the data controller can not only act independently of a given data processing, but it may be that more data controllers jointly make decisions regardinf the data processing. This is also expressly clear in the definition of controllers set out in the GDPR, which provides that the data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. (This is, of course, not a novelty, current data processing rules contains similar definitions, so it is possible that multiple data controllers jointly define the purpose of data processing.) On the other side, GDPR makes the situation quite clear when it states that if the purposes and tools of data processing are jointly determined by two or more controllers, they shall be joint controllers (see Article 26 of the Regulation).
Ok, but what is new in the GDPR?
In addition to referring to the possibility of joint data processing, the GDPR addresses the most basic rules of joint data processing activities (see Article 26 of the Regulation).
The GDPR requires joint data controllers to determine, in a transparent manner, their respective responsibilities for compliance with the obligations under the Regulation (in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14) by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
The agreement shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
However, irrespective of the terms of the agreement, the data subject may exercise his or her rights under the GDPR in respect of and against each of the controllers. This means that the level of protection regarding the rights of data subjects cannot be lowered in case of joint data processing.
Joint data processing in practice
Opinion no. 1/2010 of Article 29 Working Party (WP29) alco covers the issue of joint control over personal data. It is important to note that "in the context of joint control the participation of the parties to the joint determination may take different forms and does not need to be equally shared."
The fact itself that more actors are involved in the processing of personal data does not necessarily mean that there are joint controllers, on the one hand, data transfers between separate data controllers may occur (e.g. "a travel agency sends personal data of its customers to the airlines and a chain of hotels, with a view to making reservations for a travel package. The airline and the hotel confirm the availability of the seats and rooms requested. The travel agency issues the travel documents and vouchers for its customers. In this case, the travel agency, the airline and the hotel will be three different data controllers, each subject to the data protection obligations relating to its own processing of personal data."- see Example no. 7 on page 20 of the Opinion) and on the other hand, it is also possible that there is a single data controller that uses a data processor or more data processors for its data processing activities.
However, the aforementioned scenario may change if the players decide to create a common infrastructure to achieve their separate goals, i.e., the tools for data processing are jointly defined. (By using the same example:, "The travel agency, the hotel chain and the airline decide to set up an internet-based common platform in order to improve their cooperation with regard to travel reservation management. They agree on important elements of the means to be used, such as which data will be stored, how reservations will be allocated and confirmed, and who can have access to the information stored. Furthermore, they decide to share the data of their customers in order to carry out integrated marketing actions."- see Example no. 8 on page 21 of the Opinion)
As data processing operations become more and more complex, we are likely to see a wider range of different castings related to data processing in the future. In many cases, it is also expected that the preliminary decided roles between the parties should be reconsidered and, where appropriate, a data controller-data processesor relationship can be reclassified as joint controller relationship. As WP29 also states in the Opinion: "A processor that goes beyond its mandate and acquires a relevant role in determining the purposes or the essential means of processing is a (joint) controller rather than a processor." (see p. 26 of the Opinion)
Why do the roles in data processing matter?
Different roles may be of importance for determining the responsibilities for the data processing between the parties. It is particularly important when the data processing is very complex and the chain of actors is very complicated, since data subjects shall be provided with the same level of protection and an effective way to enforce their rights, irrespectively from the different structures of data processing.