In detail

What are the responsibilities of joint controllers?

  • Obligations of controllers: You need to decide with your fellow joint controllers who will carry out which controller obligation under the GDPR. However, regardless of those arrangements, each controller remains responsible for complying with all the obligations of controllers under the GDPR.
  • Transparent arrangement: Joint controllers are not required to have a contract, but you must have a transparent arrangement that sets out your agreed roles and responsibilities for complying with the GDPR. The main points of this arrangement should be made available to individuals. We recommend that you include this in your privacy information.
  • Individuals’ rights: In particular, you must decide (and be transparent about) how you will comply with transparency obligations and individuals’ rights. You may choose to specify a central point of contact for individuals. However, individuals must remain able to exercise their rights against each controller.

Can a joint controller be held liable for non-compliance?

Yes. Individuals can seek compensation from joint controllers in exactly the same way as from any sole controller. Each joint controller will be liable for the entire damage caused by the processing, unless it can prove it is not in any way responsible for the event giving rise to the damage. The arrangement made between controllers is irrelevant for these purposes.

If as a joint controller you have had to pay compensation to an individual but were not wholly responsible for the damage, you may be able to claim back from another controller or processor the share of the compensation for which they were liable.

In addition, joint controllers are each fully accountable to supervisory authorities (such as the ICO) for failure to comply with their responsibilities.

Example

A luxury car company teams up with a designer fashion brand to host a co-branded promotional event. The companies decide to run a prize draw at the event. They invite attendees to participate in the prize draw by entering their name and address into the companies' prize draw system at the event. After the event, the companies post out the prizes to the winners. They do not use the personal data for any other purposes.

The companies will be joint controllers of the personal data processed in connection with the prize draw, because they both decided the purposes and means of the processing.

Example

A property management company maintains student halls of residence for the landlord, the university. The company enters tenancy agreements with the students on the university’s behalf and chases any rent arrears. It collects the rent and passes it to the university after taking a commission.

The company is a joint controller of the tenancy-related information, including regarding rental payments. It decides what information it needs from the residents to set up and manage the tenancies but will share this data with the university.