One of these possibilities is joint controllership. This is a constellation provided for in Article 26 of the RGPD, which allows several companies to share and share their customer or other data. At the same time, the Institute of Common Responsibility provides clients with details of who they can contact for data protection issues. Whether there is a shared responsibility depends on the parties` joint determination of the purposes (and means) of data processing. The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorisation from the data controller. Your company/organization is a joint controller when together with one or more organizations it jointly determines `why` and `how` personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed.
Dr. Data Protection, I dare again: Example No. 6 (“headhunters”) postulated in the WP169 link – too little for me – a joint control between the client and the headhunters, apparently because the headhunter can have matching enhancen by accessing his own contact database. Wouldn`t it be possible to argue that B, if file B does not contain the number of people A wants with the criteria of A, could expand its own file through free search (cold acquisition) in order to find the number of participants desired by A? And does the relationship between A and B change if B is supposed to interview the identified participants immediately after receiving an A questionnaire and send to A only the recorded interview and not the contact details of the participants? Thank you very much. Your company/organisation offers babysitting services via an online platform. At the same time your company/organization has a contract with another company allowing you to offer value-added services. These services include the possibility for parents not only to choose the babysitter but also to rent games and DVDs that the babysitter can bring. Both companies are involved in the technical set-up of the website. In that case, the two companies have decided to use the platform for both purposes (babysitting services and DVD/games rental) and will very often share customers` names. Therefore, the two companies are joint controllers because not only do they agree to offer the possibility of `combined services` but they also design and use a common platform.
The answer to the question above is clearly no. The model contract cannot be applied to all cases of the application of shared responsibility and inevitably reaches its limits. For example, in the area of conducting a clinical trial, a contract must, under Article 26, take a position, in addition to a wide range of responsibilities and contracting parties, on the obligations and rights related to this specific sector. In summary, several joint managers/controllers define in principle the purposes and means of treatment. This is a possibility of decision-making by the parties involved. However, a functional and reality-appropriate approach should not be based solely on contractual agreements.