To know what a joint controller is, you must first know what the GDPR defines as a controller. A controller is the party that decides how the personal data will be processed. A controller can use another party to process the personal data on its behalf; that party is called a processor. If you’re a controller and need to work with another party who is also a controller, you’re considered either multi controllers or joint controllers.
You’re booking your holiday through an agency. You need a flight and hotel. The agency will use your personal data to order your flight ticket and book your hotel for you. Both parties are controllers but they’re not joint controllers.
If the travel agency and the hotel, for instance, create a website together and share the personal data for marketing reasons, then they are considered joint controllers. They both decide how the personal data will be used.
Two startups join forces and host an event. They create an online platform where they advertise their event and where people can register for it. To register, people must provide their name, address and VAT number for invoice purposes, and just their name and company name to print on the badges that will be handed out during the event. Both parties have a say in what data they will request from participants and how they will use it for marketing reasons before, during and after the event. Because both parties decide on the processing, they’re considered joint controllers.
Two startups, Bob’s and Katy’s, join forces and host an event. Katy creates an online platform and takes care of its technical side. Katy also pays for the location of the venue and arranges the badges and guest list. Bob promotes the event and collects the data to use for his own company’s marketing. They both have access to the personal data and both use the data for their own reasons. In this case they are still considered multi controllers because they both decide on the purpose of the processing. If Katy had hired Bob, or Bob had hired Katy, then one of them would be considered a processor of the other.
Under the GDPR you are joint controllers when both of you jointly determine the purposes and means of processing. The key factor is the joint decision-making: that is what determines joint controllership. Each party must have a say in the collection and processing of the data.
Well, you’ll both have the obligations that come with being a controller. Like in an equal marriage, for better or worse. In this case, for better means positive reviews and other benefits gained. For worse means your reputation could be affected if there are complaints, bad reviews and so on. And it’s not just the other party that is liable: both of you are. So really ask yourself whether the benefits outweigh the risks of liability, or whether it’s better handled in a processor agreement. Even in a joint controllership you’ll have to have a contract and make sure to define roles and responsibilities (and liability when possible).
If you like the blog posts in this series, let me know in the comments below. I’d like to know what your thoughts are, if you find it useful, if you’d like to suggest topics, and so on.