Overview
This article requires that when two or more controllers jointly determine the purposes and means of processing, they transparently allocate their respective responsibilities for GDPR compliance. This includes clearly setting out each controller’s obligations regarding data subject rights and information duties, and making the essence of the arrangement available to data subjects, who may exercise their rights against any of the controllers.
Key Principles
Transparency: Joint controllers must clearly define responsibilities and communicate them to data subjects.
Accountability: Each controller is responsible for compliance with GDPR obligations within their scope.
Data Subject Rights: Individuals can exercise their rights against any joint controller.
Accessibility: Agreements specifying roles and responsibilities must be available to data subjects.
Organizational Applicability
This article applies to all organizations acting as joint controllers within the EU:
Organizations jointly determining the purposes and means of personal data processing.
Public and private sector entities engaged in collaborative processing arrangements.
Teams responsible for compliance, legal agreements, and data governance in joint processing scenarios.
Implementation Requirements
Draft and maintain a written agreement specifying the responsibilities of each joint controller.
Ensure the agreement clearly covers data subject rights, information duties, and GDPR compliance obligations.
Make the agreement accessible to data subjects.
Document and regularly review joint controller responsibilities for compliance.
Implementation Guidance
Establish clear roles and tasks for each controller, including handling access, rectification, and erasure requests.
Communicate to data subjects which controllers are responsible for different aspects of data processing.
Train staff on joint controller arrangements and responsibilities.
Review agreements periodically to reflect changes in processing or regulatory requirements.
Periodic Review
Frequency: Annually or when joint processing arrangements change.
Responsible Role: Data Protection Officer (DPO), Compliance Team, or legal counsel.
Outcome: Ensure joint controllers’ roles are clear, responsibilities are met, and data subjects’ rights can be exercised effectively.
Non-Compliance Risks
Fines: Up to €20 million or 4% of global annual turnover for failing to define or communicate responsibilities.
Legal Exposure: Complaints, enforcement actions, or disputes among controllers.
Reputational Damage: Loss of trust from data subjects and regulatory authorities.
Operational Risk: Mismanagement of joint processing responsibilities can lead to non-compliance and ineffective handling of data subject rights.