Bavarian Data Protection Authority Issues Joint Controllership Guidance

On 1 June 2024, the Bavarian Data Protection Authority (BayLDA) published comprehensive guidance on joint controllership, as outlined in Article 26 of the GDPR. This guidance addresses scenarios where two or more entities collaboratively determine the purposes and means of processing personal data. It underscores the importance of a clear, transparent agreement detailing each party’s responsibilities to ensure compliance with GDPR provisions and protect the rights of data subjects.

Context and Objectives

Joint controllership, a concept introduced by the GDPR, aims to address the increasing interconnectedness of data processing activities among various organizations. The guidance seeks to clarify the application of this concept, especially given its frequent occurrence in practice. The document highlights that joint controllership agreements, while potentially complex, offer significant benefits by clearly distributing data protection responsibilities and improving transparency for data subjects.

Key Provisions

The guidance details several critical aspects:

1. Definition and Scope: Joint controllership arises when entities collaboratively decide on the purposes and means of data processing. This collaboration necessitates a joint agreement that is clear and accessible.
2. Legal Requirements: Article 26 mandates that such agreements specify each party’s GDPR obligations, ensuring transparent communication and accountability. The guidance also emphasizes the need for these agreements to reflect the actual data processing dynamics accurately.
3. Practical Recommendations: To aid implementation, the guidance offers examples of joint controllership scenarios and provides templates for drafting agreements. It also advises on handling joint responsibilities in various contexts, such as social media use and inter-organizational collaborations.

Differentiation from Other Roles

The guidance provides crucial distinctions between joint controllership and other data processing roles:

1. Individual Responsibility vs. Non-Responsibility: Joint controllership differs from individual responsibility, where multiple entities determine the purposes and means of processing together. In contrast, non-responsibility applies when no entity decides on the purposes or essential means of processing, such as employees or customers .
2. Processor Role: A processor acts on behalf of a controller, following their instructions without autonomy over the purposes and means of processing. The differentiation is essential as processors and controllers have distinct obligations under the GDPR .
3. Functional Transfer: The concept of functional transfer, previously used under German law, referred to outsourcing tasks with some decision-making freedom for the recipient. This is no longer applicable under GDPR, where clear distinctions between controllers and processors must be maintained .

Legal Consequences

The guidance outlines the legal implications of joint controllership:

1. Liability and Accountability: Joint controllers share liability for GDPR compliance. They must transparently allocate responsibilities, ensuring that data subjects can exercise their rights effectively. Each party is accountable for ensuring that data processing complies with GDPR requirements.
2. Sanctions: Non-compliance can result in significant penalties. Both joint controllers can be held liable for breaches, emphasizing the need for clear agreements and diligent adherence to data protection principles .
3. Legal Obligations: Joint controllers must maintain documentation, such as records of processing activities and data protection impact assessments. They must also implement appropriate technical and organizational measures to safeguard personal data .

Practical Recommendations

The Bavarian Data Protection Authority offers several practical recommendations for entities engaging in joint controllership:

1. Drafting Agreements: Entities should create detailed agreements specifying the roles and responsibilities of each party involved in data processing. These agreements must include provisions on data subject rights, security measures, and notification procedures in the event of data breaches.
2. Transparency and Communication: Clear communication channels should be established between joint controllers to ensure efficient coordination and compliance. Regular meetings and updates can help maintain transparency and address any issues promptly.
3. Role Clarification: Clearly define and document which party is responsible for each aspect of data processing. This includes specifying who handles data subject requests, who ensures data security, and who communicates with data protection authorities.
4. Templates and Examples: Utilize the provided templates and examples as starting points for creating joint controllership agreements. These resources can help ensure that all necessary elements are included and that the agreements meet GDPR requirements.
5. Training and Awareness: Conduct regular training sessions for employees of all involved entities to ensure they understand their roles and responsibilities under the joint controllership arrangement. This can help prevent misunderstandings and ensure consistent compliance.
6. Handling Data Subject Requests: Develop a clear process for managing data subject requests, ensuring that requests are handled efficiently and that data subjects are informed of which entity to contact for specific queries.
7. Risk Assessment and Management: Regularly assess and manage risks associated with joint data processing activities. This includes identifying potential vulnerabilities and implementing measures to mitigate them.
8. Monitoring and Auditing: Implement monitoring and auditing mechanisms to ensure ongoing compliance with the joint controllership agreement and GDPR. This can involve regular reviews of data processing activities and updating agreements as necessary .

👉 Read the guidance here in German, and you can find an English translation on my blog here.