Joint Controllership Report

20.01.2019

EuroCloud Europe will establish a European database of case-studies describing sector specific joint-controllership relations, as well as controller-processor and processor-processor relations"

This report presents the key findings on the joint controllership concept as a result of a comparative survey conducted by the members of the EuroCloud Europe Cloud Privacy Check Network, as well as the action plan of the CPC Members for 2019. Author: Agostini Chiara, R&P Legal, Italian member of the EuroCloud Europe CPC Network. Editor: Dr. Tobias Höllwarth.

1. No established case law 

The comparative analysis shows that joint controllership was not a frequently used arrangement within the CPC member states before the GDPR; as a consequence, apart from the famous Belgian case concerning SWIFT (the Belgian non-profit association in charge of managing electronic financial transaction processing) in 2008, there is no established case law on this matter to help professionals regulate the relationship between joint controllers.

2. DPA interpretations of joint controllership

From an institutional perspective, only the local DPAs in Norway and in Belgium provide general guidelines on joint controllership, under which they:

  • generically indicate when the organizations involved in a data processing operation should be considered individual controllers, joint controllers, or organizations operating under a controller-processor relationship;
  • stress the importance of implementing an arrangement between joint controllers to clearly define their respective obligations, with particular regard to the obligations related to transparency and the rights of data subjects.

Moreover, the Belgian DPA emphasized that, notwithstanding a joint controllership agreement, joint controllers remain individually liable for compliance with the GDPR. The Dutch DPA made clear in the UBER case that joint controllers are separately liable.

3. No standard clauses to regulate the relationship between joint controllers are available

No local DPA has provided a standard model for contracts between joint controllers. The CPC Members recommend that such a contract should include clauses on the following elements: distribution of liability; definition of the purposes and means of the processing; procedures for data breach notifications and liability in the event of a data breach; proper application of security measures; appointment of a Data Protection Officer (where applicable); specification of a main contact point for data subjects; regulation of possible transfers of personal data to third countries or international organizations.

4. Action plan for 2019 

With the aim to provide practical support for the interpretation of this concept, the CPC network decided during its annual conference on 24 November 2018 to merge the Joint Controller Sub-Group with the Processor Sub-Group supervised by Bulgarian CPC Member Kambourov & Partners in order to establish a CPC database of use-cases describing concrete configurations related to specific market sectors and explaining when organizations involved in a data processing operation should be considered individual controllers, joint controllers, or organizations operating under a controller-processor relationship. 

 

ABOUT CPC

Following the advancement of European data protection legislation with the entering into force of the GDPR, the elimination of geo-blocking, and the establishment of the ePrivacy framework and the new Electronic Communications Code, it may be expected that businesses, regulators, individuals, and advisors will enter a new era of treating data flows and data protection.

Having considered these trends, CPC - comprising experts from more than 30 European countries - established a network of independent lawyers, IT specialists, advertising experts and media with the aim of analysing and guiding the practical impact of this evolution of European practice in applying the various regulations relating to data, and especially to personal data.

As a result, the CPC Network was founded by EuroCloud Europe in 2015 with the main focus of identifying simplified solutions for dealing with data in a cloud environment and making them available to the public. The CPC is a trusted, not-for-profit international network of qualified legal professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. The mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.

Over the past years, the CPC Network has compiled and released more than 200 short treatises dedicated to improving understanding of legal and practical aspects of data, technology, and the relation between them. In addition, the CPC Network has launched the Internet platform www.cloudprivacycheck.eu, as part of eurocloud.org an independent web resource dedicated to another way of optimizing the time of all people involved with data protection—namely to understanding data transfers in the cloud in four simple and easily identifiable steps. The above material has attracted several hundred thousand readers from all over the world.

The CPC Network’s plan for 2019 is to further elaborate on certain practical aspects of data protection. A CPC group tentatively entitled “Joint Controllers and Processors as per the GDPR” is in the process of drafting materials covering case studies in various industries as well as some thoughts on how to treat different business flows from a data protection perspective.

The main idea of this group is to identify and explain various issues caused by the assignment of roles in a data processing relationship with multiple participants. In its preliminary studies, the group has come to the conclusion that a unified approach cannot be adopted and that each such relationship must be dealt with on an individual basis. 

The group is seeking appropriate mechanisms to propose the compilation of guidance documents to make it easier for companies to settle their role assignments when dealing with a controller-processor or joint controller relationship. 

A second CPC-Sub-group of EuroCloud Europe will undertake to create a European database of data-breach-related DPA decisions and court judgments. The CPC Network intends to gather information on the volume, type and business sectors of occurring data breaches as well as the regulatory response to data breach notifications, and to draft a relevant report. Furthermore, to the extent it is possible, the CPC Network will undertake to create a concise database of data-breach-related DPA decisions and court judgments. 

CPC member countries

Austria: Götzl Thiele EUROLAWYER® Rechtsanwälte

Belgium: Astrea Advocaten

Belgium: Time.lex

Bulgaria: Kambourov & Partners

Czech Rep.: Nielsen Meinl 

Cyprus: tassos papadopoulos & associates LLC

Germany: Derra, Meyer & Partner

Denmark: NJORD Advokatpartnerselskab

Estonia: PwC Legal

Spain: Andersen Tax & Legal

Finland: Hannes Snellman Attorneys Ltd

France: Alain Bensoussan Avocats Lexing

Greece: Zepos & Yannopoulos

Ireland: William Fry

Italy: C-LEX STUDIO LEGALE

Italy: R&P legal

Latvia: Njord Latvia

Monaco: Monaco Giaccardi

Malta: Malta IT Law Association

Macedonia: Directorate for Personal Data Protection

Netherlands: Cordemeyer & Slager

Norway: Grette

Poland: Bird & Bird 

Portugal: Abreu Advogados 

Romania: Wolf Theiss

Slovenia: JK Group d.o.o. /  JK Group ltd

Slovakia: Bukovinsky & Chlipala, s.r.o.

Turkey: Gün + Partners

 

CPC members: cloudprivacycheck.eu/who/ 

Please feel free to nominate additional CPC partners

 

Disclaimer

The information and suggestions contained herein are for general guidance on matters of interest only. The application and impact of laws can vary widely based on the specific facts involved. Accordingly, the information herein is provided with the understanding that the authors and publishers are not herein engaged in rendering legal or other professional advice and services. As such, it should not be used as a substitute for consultation with professional legal or other competent advisers. Before making any decision or taking any action, you should consult a professional.

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.