What are ‘joint controllers’ (a.k.a. ‘co-controllers’)?
Key points:
(1) Entities that jointly determine the “means and purposes” of the processing are joint controllers. The participation of parties in the determination of purposes and means of processing in the context of joint control may take different forms and does not need to be equally shared.
(2) A broad variety of typologies for joint control exists and their legal consequences vary.
(3) Joint controllers have a certain degree of flexibility in distributing and allocating obligations and responsibilities but, as a general rule, will be jointly and severally responsible for compliance vis-à-vis the data subject.
(4) Joint controllers should enter into agreements to determine their respective responsibilities but, if the factual factual circumstances of the underlying data processing are the key factor in any determination or liability under the law.
(5) Striking a balance that ensures compliance with data protection rules while avoiding multiplication of controllers that may lead lack of clarity is key.
Data protection law typically defines controllers as individuals or entities that, alone or in jointly with others, determine the purposes and the means of the processing of personal data. The reference “alone or with…
