GDPR Basics: Joint Controllers

Under the General Data Protection Regulation (GDPR), it is possible for two or more organizations to be considered joint controllers when they jointly determine the purposes and means of processing personal data.

A joint controller is an organization that shares responsibility with one or more other organizations for the processing of personal data. This means that the joint controllers are both responsible for determining the purposes and means of processing the data, as well as ensuring that the processing is carried out in a lawful and fair manner.

Some of the key responsibilities of joint controllers under the GDPR include:

1. Determining the purposes and means of processing personal data: Joint controllers must determine the purposes for which personal data will be processed and the means by which it will be processed. This includes deciding what personal data will be collected, how it will be used, and who it will be shared with.
2. Ensuring compliance with the GDPR: Joint controllers must ensure that their processing of personal data complies with all relevant provisions of the GDPR. This includes complying with principles such as transparency, fairness, and data minimization, as well as fulfilling their obligations with respect to rights such as the right to access, rectify, erase, or restrict processing.
3. Establishing and maintaining appropriate safeguards: Joint controllers must put in place appropriate technical and organizational measures to ensure the security and confidentiality of personal data. This includes measures such as encryption, access controls, and regular data backups.
4. Providing information to data subjects: Joint controllers must provide clear and concise information to data subjects about their rights and how their personal data is being processed. This includes information about the purposes of the processing, the legal basis for the processing, and the rights of the data subjects.
5. Cooperating with supervisory authorities: Joint controllers must cooperate with supervisory authorities in the event of an investigation or complaint related to the processing of personal data. This may include providing information and assisting in the resolution of any issues that arise.
6. Designating a representative: If either joint controller is established in a third country (i.e., a country outside of the European Union) and the processing of personal data takes place in the context of the activities of this controller, it must designate a representative in the European Union. The representative acts as a point of contact for data subjects and supervisory authorities.
7. Entering into a joint controller arrangement: Joint controllers must enter into a written agreement specifying the nature and extent of their respective responsibilities for the processing of personal data. This agreement must be made available to data subjects upon request.
8. Providing evidence of compliance: Joint controllers may be required to provide evidence of their compliance with the GDPR, including their joint controller arrangement, to supervisory authorities upon request.

It is important for joint controllers to clearly define their respective roles and responsibilities, as well as to establish clear and transparent processes for the processing of personal data. This helps to ensure that the rights of individuals are protected and that the processing of personal data is carried out in a lawful and fair manner.

In summary, the concept of a joint controller refers to an organization that shares responsibility with one or more other organizations for the processing of personal data under the GDPR. Joint controllers have specific responsibilities under the GDPR to ensure that the processing of personal data is carried out in a lawful and fair manner.