Joint processors

Where 2 or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.

They shall establish transparently their respective responsibilities for complying with the obligations under this Regulation, in particular as regards the exercise of data subjects’ rights and their respective obligations to provide the information referred to in Articles 13 and 14, by means of an arrangement between them, unless and to the extent that the respective responsibilities of the controllers are laid down by a provision of Union or Member State law applicable to the controllers. The arrangement may designate a contact person for data subjects.

The arrangement shall make clear the respective roles of the joint controllers and their respective relationships with data subjects. The essential content of the arrangement shall be made available to the data subject.

Regardless of the terms of the said arrangement, the data subject may exercise his rights under this Regulation in relation to and against any controller.

When processing or joint controller?

The relationship between 2 controllers of processing is substantially different from that between a controller and a processor. The processor is not the determining party in determining the purpose and means.

In practical terms, many processors will choose the means, but as long as the purpose or final decision lies with the other party, that party remains the data controller.

Both parties responsible for processing should determine which of them will take on which responsibilities and also provide the necessary information regarding the rights of the data subject such as the right to inspection, correction, deletion, etc.

Methods of establishing these responsibilities are not really determined but a written general cooperation agreement is certainly recommended in connection with accountability.

All controllers are jointly and severally responsible towards data subjects for any damage resulting from the processing regardless of which of the controllers actually carried it out.

Thus, if several controllers or processors are involved in the same processing and are responsible, in accordance with paragraphs 2 and 3, for the damage caused by the processing, then each controller or processor will be held liable for the entire damage, for the whole damage.