Sometimes the division between Data Processors and Data Controllers is not simple. Where more than one entity has control in determining the processing requirements, there can be multiple Data Controllers. This situation can lead to “Joint Controllers”, which need to be managed carefully.
To recap: the Data Controller determines the purposes for which and the manner in which personal data is processed, whereas a Data Processor processes data on behalf of a Data Controller. Traditionally it is viewed as a “split architecture” model with a brain (the Data Controller) in charge and a body (the Data Processor) doing the work.
In some cases the split of responsibilities is not so clear-cut, and Art. 26 GDPR introduces the concept of a Joint Controller. Under this concept, the Joint Controllers work together to determine how personal data should be processed, and the manner of processing.
If you think about what this means, both parties are now somehow responsible for vindicating a Data Subject's rights. For example, Art. 13 GDPR specifies that when data is collected from a Data Subject the identity of the Data Controller must be disclosed. Should two or more Joint Controllers be specified? A more complex issue is posed by Art. 17 GDPR (the right to erasure): can one of the two or more Joint Controllers delete the other’s data in response to a legitimate SAR?
The answer is that specific arrangements need to be drawn up where Joint Controllers are identified. These arrangements are to be made available to the data subject (Art. 26(2) GDPR). The term used is agreement and not contract. The agreement needs to be agreed by both parties and monitored over time as set out in the agreement.
The language about Joint Controllers in Article 26 only specifies a minimal amount of information. In practice it is not always assured that Controllers who are driven by widely different agendas can agree on common goals. When it comes to making an agreement, practitioners should not underestimate the amount of work that may be required to develop a workable agreement.
It should also be noted that Joint Controllers are not the same as Data Controllers-in-Common, who process the same data in different ways. There is no requirement for alignment or agreements to be in place for Controllers-in-Common.
For further reading see:
Working Party 29 http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf
UK’s ICO https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf