Joint processors

Where 2 or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.

They shall establish transparently their respective responsibilities for complying with the obligations under this Regulation, in particular as regards the exercise of data subjects’ rights and their respective obligations to provide the information referred to in Articles 13 and 14, by means of an arrangement between them, unless and to the extent that the respective responsibilities of the controllers are laid down by a provision of Union or Member State law applicable to the controllers. The arrangement may designate a contact person for data subjects.

The arrangement shall make clear the respective roles of the joint controllers and their respective relationships with data subjects. The essential content of the arrangement shall be made available to the data subject.

Regardless of the terms of the said arrangement, the data subject may exercise his rights under this Regulation in relation to and against any controller.

When processing or joint controller?

The relationship between 2 controllers of processing is substantially different from that between a controller and a processor. The processor is not the determining party in determining the purpose and means.

In practical terms, many processors will choose the means, but as long as the purpose or final decision lies with the other party, that party remains the data controller.

Both parties responsible for processing should determine which of them will take on which responsibilities and also provide the necessary information regarding the rights of the data subject such as the right to inspection, correction, deletion, etc.

Methods of establishing these responsibilities are not really determined but a written general cooperation agreement is certainly recommended in connection with accountability.

All controllers are jointly and severally responsible towards data subjects for any damage resulting from the processing regardless of which of the controllers actually carried it out.

Thus, if several controllers or processors are involved in the same processing and are responsible, in accordance with paragraphs 2 and 3, for the damage caused by the processing, then each controller or processor will be held liable for the entire damage, for the whole damage.


Meer berichten

cyber security tips

10 Cyber Security Tips for SMEs

Cyber security is critical for SMEs. A cyber attack can have serious consequences, from data loss to financial and reputational damage. Here

de toekomst van GDPR

The Future of Data Protection

Introduction: Since its implementation in 2018, the General Data Protection Regulation (GDPR) has had a significant impact on how organizations worldwide collect,


©DPO Associates Alle rechten voorbehouden. Privacy verklaringCookie verklaring | Algemene voorwaarden