EuroCloud Europe will establish a European database of case-studies describing sector specific joint-controllership relations, as well as controller-processor and processor-processor relations. This report will present the key findings on the joint controllership concept as a result of a comparative survey conducted by the members of the EuroCloud Europe Cloud Privacy Check Network, as well as the action plan of the CPC Members for 2019.

1. No established case law

The comparative analysis shows that joint controllership was not a frequently used arrangement within the CPC member states before the GDPR; as a consequence, apart from the famous Belgian case concerning SWIFT (the Belgian non-profit association in charge of managing electronic financial transaction processing) in 2008, there is no established case law on this matter to help professionals regulate the relationship between joint controllers.

2. DPA interpretations of joint controllership

From an institutional perspective, only the local DPAs in Norway and in Belgium provide general guidelines on joint controllership, under which they: generically indicate when the organizations involved in a data processing operation should be considered individual controllers, joint controllers, or organizations operating under a controller-processor relationship; and stress the importance of implementing an arrangement between joint controllers to clearly define their respective obligations, with particular regard to the obligations related to transparency and the rights of data subjects. Moreover, the Belgian DPA emphasized that, notwithstanding a joint controllership agreement, joint controllers remain individually liable for compliance with the GDPR. The Dutch DPA made clear in the UBER case that joint controllers are separately liable.

3. No standard clauses to regulate the relationship between joint controllers are available

No local DPA has provided a standard model for contracts between joint controllers. The CPC Members recommend that such a contract should include clauses on the following elements: distribution of liability; definition of the purposes and means of the processing; procedures for data breach notifications and liability in the event of a data breach; proper application of security measures; appointment of a Data Protection Officer (where applicable); specification of a main contact point for data subjects; regulation of possible transfers of personal data to third countries or international organizations.

4. Action plan for 2019

With the aim to provide practical support for the interpretation of this concept, the CPC network decided during its annual conference on 24 November 2018 to merge the Joint Controller Sub-Group with the Processor Sub-Group supervised by Bulgarian CPC Member Kambourov & Partners in order to establish a CPC database of use-cases describing concrete configurations related to specific market sectors and explaining when organizations involved in a data processing operation should be considered individual controllers, joint controllers, or organizations operating under a controller-processor relationship.

Contributed by Magdalena A K Muir