KEEPING DATA PROTECTION SIMPLE
Episode 1: Joint Controllers
Image from: https://gosmallbiz.com/the-importance-of-keeping-it-simple-and-how-to-do-it/


By Andrew Harvey and Barry Moult

Recently Andrew and Barry have been discussing how complex Data Protection can be for people not working in the field, so they have decided to make it their mission to help simplify things, to encourage themselves and their colleagues to explain things even more simply.

Alongside these conversations something that has repeatedly come up is the concept of Joint Controllers, so it is this that will form the first of these irregularly-timed articles.

If in the future you would like them to put their heads together on something else that’s bothering you, drop a Direct Message to Andrew. However, they won’t be dealing with questions such as “why is orange jam called marmalade?” or “why aren’t fish electrocuted when lightning hits the sea?”.

So before we get to Joint Controllers, let’s look first at the definition of a Controller (which does itself mention Joint Controllers). Within the General Data Protection Regulation (GDPR) the concept is defined at Article 4(7) as the ‘natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. So here is our first stumbling block: what is meant by ‘natural or legal person’? Simply put, a natural person is a human being, whereas a legal person is an individual, company, or other entity with legal rights and obligations. So a simpler way of putting the Controller concept could be:

A person/organisation that decides how personal data is used. This decision can be made either on their own or with another person/organisation. Either or both can be a private individual, a private company or a public sector organisation.

So far, so good.

What of Joint Controllers? We have already seen that multiple individual Controllers can be Joint Controllers. When this is the case, Article 26(1) makes clear that they must define their separate tasks for compliance with the GDPR, particularly around the Data Protection rights of Data Subjects (GDPR Articles 15-22) and their individual duties to provide clear information to them about how their data is used, generally known as a Privacy Notice. Joint Controllers, therefore, are:

Multiple people or organisations that decide how personal data is used. They can be either a private individual, a private company or a public sector organisation. Between them they will clearly define their separate tasks for compliance with the GDPR, particularly around the Data Protection rights of Data Subjects, as well as the individual duties to provide clear information to them about how their data is used, known as a Privacy Notice. 

Again, so far so good, but it’s not always that easy.

To help with keeping this simple, in her excellent book, GDPR for Dummies (2020), Suzanne Dibble very helpfully gives two scenarios where organisations either are or are not Joint Controllers:

ARE: A luxury shopping brand, a luxury car manufacturer, and a bank together create an event page that people can sign up to attend. Using the data collected, they communicate event details (and other event related matters) to the people who have signed up. The data isn’t used for any other purpose. The brand, car manufacturer, and the bank are joint controllers of the data.

ARE NOT: After the event, each organisation uses (within their own organizations) the personal data of those data subjects who opted in to receive more information from that organization. They are not joint data controllers in relation to that data, because it isn’t being processed for a common purpose.

There, simple.

However, Barry and Andrew’s friend and colleague, Stephen Massey, author of The Ultimate GDPR Practitioner Guide (2nd Ed, 2020), helpfully quotes a case where it is not quite as clear cut as this:

Fashion ID [a German online clothing retailer] included a like button from the social network Facebook, through which users can indicate their liking to a particular content. When a user accesses the Fashion ID website, regardless of whether or not the user is a Facebook member, and without having to click the ‘like’ button, their personal data are transmitted to Facebook (IP & browser details).

The [Court of Justice of the European Union] held that Fashion ID is a Joint Controller with Facebook Ireland as it coded the ‘like’ button into its website. However, Fashion ID is the controller for the collection and transmission aspect of this data to Facebook.

The international law firm Bird & Bird concluded on its website that there were two main lessons about Joint Controllership to learn from this case when deciding if the proposed arrangement either is or is not a Joint Controllership one. The first is that the threshold is low, not needing the parties to share responsibility equally, nor requiring that both have access to the data. The second is that it can potentially exist for some activities at one point in the processing, but revert to sole Controllership at other stages.

When it comes to it, Joint Controllership is about having two people or entities making a decision as to how data is being used. However, if it is not completely apparent if this is a Joint Controllership arrangement or whether one of the parties is a Data Processor, Stephen’s advice is probably best, ‘consider taking legal advice to determine an appropriate approach’.

Caitríona Coen, PhD

Diversity Consultant: Ethnographer/Anthropologist. Coen's Word: Business/Research/Solutions

3 years

‘natural or legal person’? = living person, only, no?

2.1 Definition of controller

15. A controller is defined by Article 4(7) GDPR as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.

16. The definition of controller contains five main building blocks, which will be analysed separately for the purposes of these Guidelines. They are the following:
- “the natural or legal person, public authority, agency or other body”
- “determines”
- “alone or jointly with others”
- “the purposes and means”
- “of the processing of personal data.”

Simply stated, application, however; distinct https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf

Stephen M.

Check out my latest book: "Managing Subject Access Requests" now available in all good book stores

3 years

Thanks for the shout out.
