Joint controllers

When 2 or more controllers jointly determine the purposes and means of the processing, they are joint controllers.

They shall establish, in a transparent manner, their respective responsibilities for the fulfillment of the obligations under this Regulation, in particular with regard to the exercise of the rights of the data subject and their respective obligations to provide the information referred to in Articles 13 and 14 , by arrangement, unless and to the extent that the respective responsibilities of the controllers are established by a provision of Union or Member State law applicable to the controllers. A contact person for those involved can be designated in the scheme.

The regulation must clearly indicate the respective roles of the joint controllers and their respective relationship with the data subjects. The essential content of the regulation will be made available to the person concerned.

Irrespective of the terms of the said arrangement, the data subject may exercise his or her rights under this Regulation in relation to and against any controller.

When to process or jointly responsible?

The relationship between 2 controllers is essentially different from between a controller and a processor. The processor is not the determining party in determining the purpose and means.

Practically, many processors have to choose the means but as long as the purpose of determining whether a final decision is the remains of the other party controller .

Both controllers must establish mutually who will assume which responsibilities and, among other things, with regard to the rights of the data subject such as the right of access, correction, deletion, etc. or also to provide the mandatory information.

The method of recording these responsibilities is not really determined, but a written general cooperation agreement is certainly recommended in connection with accountability.

All controllers are jointly and severally responsible towards data subjects for any damage resulting from the processing, regardless of who actually carried out the processing.

Thus, where several controllers or processors are involved in the same processing and are responsible for the damage caused by the processing in accordance with paragraphs 2 and 3, each controller or processor shall be held liable for the entire damage.