In practice, the question of roles, and especially joint controllership, quite often arises in corporate group structures where personal data are shared between different group entities for various purposes. Although personal data exchanges within a group usually provide more certainty than data sharing with third parties, companies should be aware that the GDPR rules apply equally to data transfers within the group. An example from the EDPB guidelines illustrates this:
Companies X and Y form part of the Group Z. Companies X and Y both process data about their respective employees for employee administration purposes. At one point, the parent company ZZ decides to request employee data from all subsidiaries in order to produce group-wide statistics. When transferring data from companies X and Y to ZZ, the latter is to be regarded as a third party regardless of the fact that all companies are part of the same group. Company ZZ will be regarded as controller for its processing of the data for statistical purposes.
Against this background, we would like to draw your attention to the concepts of the different roles in processing personal data and especially that of joint controllership. Of course, the below applies universally, not only to group structures.
Joint controllership entails the joint participation of two or more entities in the decision-making as to the purposes and means of a processing operation (the "why" and the "how" of the processing). To be regarded as joint controllers, the entities should have a decisive influence over whether and how the processing takes place. The decisions can either be common or converging. To be regarded as joint controllers, the processing should not be possible without all parties’ participation. The (joint) controller does not need to have access to the data that are being processed to be qualified as a (joint) controller and the (joint) controller does not need to participate in making all the decisions as to the purposes and means. Different (joint) controllers may be involved at different stages of processing and to different degrees. The existence of joint controllership does not necessarily imply equal responsibility of the various operators involved in the processing of personal data.
An example from the EDPB guidelines illustrates how joint controllership can apply only regarding a specific processing activity:
Companies A and B have launched a co-branded product C and wish to organise an event to promote this product. To that end, they decide to share data from their respective clients and prospects database and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered as joint controllers for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.
The fact that several actors are involved in the same processing activity does not necessarily mean that they are acting as joint controllers. Not every partnership, cooperation, or collaboration implies joint controllership, and a case-by-case analysis is needed.
The exchange of the same data between several entities without jointly determined purposes or jointly determined means of processing should be considered as the transmission of data between independent controllers, each of whom has its own purposes and means for processing that data. For instance, when an organisation processes the personal data of its employees and must share such data with the tax authorities so that the latter can enforce tax rules, the organisation and the tax authority are processing personal data for their separate purposes.
Also, the use of a common data processing system or infrastructure will not in all cases lead to qualification of the parties involved as joint controllers, in particular where the processing they carry out is autonomous and could be performed by one of the parties without intervention from the other, or where the provider is a processor without a purpose of its own. By way of an example provided in the EDPB guidelines:
A group of companies uses the same database for the management of clients and prospects. Such a database is hosted on the servers of the parent company, which is therefore a processor of the companies with respect to the storage of the data. Each entity of the group enters the data of its own clients and prospects and processes such data for its own purposes only. Also, each entity decides independently on the access, the retention periods, and the correction or deletion of their clients’ and prospects’ data. They cannot access or use each other’s data. The mere fact that these companies use a shared group database does not as such entail joint controllership. Under these circumstances, each company is thus a separate controller.
We note that the result would be different if the parties had access to each other’s data and used that data for their own or joint purposes. Beware—the devil is in the details!
For an entity to be regarded as a processor, instead of a (joint) controller, it should only process the personal data entrusted to it on behalf of and according to the instructions of the controller, and not do anything else with the personal data, especially not use it for its own purposes. Concerning the determination of means (the “how”), some means are considered essential and can only be decided by (joint) controllers. Such means include the types of personal data processed, the categories of data subjects, the duration of the processing, and the categories of recipients. Other means, however, are considered non-essential and can also be left for processors to decide, e.g., the choice of hardware or software or detailed security measures.
Similarly to what was explained above regarding the fact that not all partnerships should necessarily be considered joint controllerships, not all service providers act in the capacity of data processors, although this is often assumed. Even when an entity is providing a service, the entity can still determine the purposes and means of processing within the meaning of the GDPR and be qualified as a (joint) controller.
The concepts of controller, joint controller, and processor are functional, meaning that they aim to allocate responsibilities according to the actual roles of the parties and depend on the factual circumstances of the case. This means that even though the content of an agreement can be used to determine the roles, the parties cannot agree on the roles to their liking if that does not reflect the reality of the processing. This also means that, to properly determine the roles, the parties to the processing must understand the processing sufficiently. Qualification of a role must be assessed regarding each specific data processing activity, meaning that the parties to the processing may well act as joint controllers only regarding certain processing activities and, for example, as separate controllers concerning other processing activities.
We strongly recommend taking the time to properly identify and document (accountability!) the roles in processing from the start of processing and to resist the inertia-driven shortcut “we always did it that way”. Why? Because the obligations and responsibilities of the parties depend on their role. For example: