One of the above study group was based on the interpretation of the joint controllership concept in each Member State and its practical implication (“Joint Controllership Group”).
The Joint Controllership Group was supervised by the Italian CPC member, Chiara Agostini, as group leader, and its results are based on the contributions of the CPC members of the following countries: Belgium, Bulgaria, Cyprus, Italy, Latvia, Netherlands, Norway, Portugal, Slovenia and Spain.
From the comparative analysis carried out by this group, it results that joint controllership was not a frequently used arrangement within the Member States before the GDPR; as a consequence, apart from the famous Belgian case in 2008 concerning SWIFT (the Belgian non-profit association in charge of managing electronic financial transaction processing), there is not an established case-law on this matter that can help professionals in regulating the relation between joint controllers.
From an institutional perspective, only in Norway and in Belgium, the local DPA provided general guidelines on Joint Controllership, under which, these authorities:
- generically indicated when the subjects involved in a data processing shall be considered as individual controllers, joint-controllers or subjects operating under a controller-processor relationship;
- stressed the importance of implementing an arrangement between joint controllers to clearly define their respective obligations, having particular regard to the fulfilments related to data subject rights and on transparency.
The Belgian DPA, moreover, underlined that, notwithstanding the joint controllers agreement, joint controllers remain separately liable for compliance with the GDPR.
From this comparative study, moreover, it results that no local DPA has provided a standard model of the contract between joint controllers. On the basis of their experience, the majority of the CPC members have in any case agreed on the necessity to draft this contract by providing clauses on the following elements: the distribution of liability; the definition of the purposes and of the means of the processing; procedures for data breach notifications / liability in data breach cases; proper application of security measures; appointment of Data Protection Officer (where applicable); the individuation of a main contact point for data subjects and the regulation of possible transfers of personal data to third countries or international organizations.
With the aim to give a practical help on the interpretation of this concept, during its annual conference on 24 November 2018, CPC network decided to merge the Joint Controller Group with the Processor one, supervised by the Bulgarian CPC Member, Mitko Karushkov, in order to draft, during 2019, a memo with the indication of some concrete cases, related to specific market sectors, where subjects involved in a data processing shall be considered as individual controllers, joint-controllers or subjects operating under a controller-processor relationship.
Article provided by: Chiara Agostini (R&P Legal, Italy)