Joint controllers

When 2 or more controllers jointly determine the purposes and means of processing, they are joint controllers.

They shall establish transparently their respective responsibilities for complying with the obligations under this Regulation, in particular in relation to the exercise of data subjects’ rights and their respective obligations to provide the information referred to in Articles 13 and 14, by means of an arrangement between them, unless and to the extent that the respective responsibilities of controllers are laid down by a provision of Union or Member State law applicable to controllers. The arrangement may designate a contact person for data subjects.

The arrangement should make clear the respective roles of the joint controllers and their respective relationships with data subjects. The substantive content of the arrangement will be made available to the individual.

Regardless of the terms of the said arrangement, the data subject may exercise his rights under this Regulation in relation to and against any controller.

When process or jointly responsible?

The relationship between 2 controllers is substantially different than between a controller and a processor. The processor is not the determining party in determining the purpose and means.

Practically, many processors will choose the means but as long as the purpose determination or final decision rests with the other party, it remains the data controller.

Both data controllers should determine between themselves who takes on which responsibilities and should provide the mandatory information regarding the data subject’s rights such as the right to access, correct, delete, etc.

Mode of establishing these responsibilities is not really defined but a written general cooperation agreement is certainly recommended in connection with accountability.

All data controllers are jointly and severally responsible to data subjects for any harm resulting from the processing regardless of which of the data controllers actually carried it out.

Thus, if several controllers or processors are involved in the same processing and are responsible for the damage caused by the processing in accordance with paragraphs 2 and 3, then each controller or processor shall be held liable for the entire damage, for the following reasons


Meer berichten

GDPR And Public Administration

Introduction: In the digital age we live in, managing personal data is becoming increasingly challenging, especially for government agencies that manage a

cybersecurity in 2024

Cybersecurity Measures In 2024

Introduction: After a challenging 2023, which saw notable events both in cybersecurity and globally, we now turn our gaze to what 2024

Meer info: