Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Section 2.1 Determining in a transparent manner the respective responsibilities of joint controllers for compliance with the obligations under the GDPR
158. Article 26 (1) of the GDPR provides that joint controllers shall in a transparent manner determine and agree on their respective responsibilities for compliance with the obligations under the Regulation.
159. Joint controllers thus need to set “who does what” by deciding between themselves who will have to carry out which tasks in order to make sure that the processing complies with the applicable obligations under the GDPR in relation to the joint processing at stake. In other words,a distribution of responsibilities for compliance is to be made as resulting from the use of the term “respective” in Article 26(1).
160. The objective of these rules is to ensure that where multiple actors are involved, especially in complex data processing environments, responsibility for compliance with data protection rules is clearly allocated in order to avoid that the protection of personal data is reduced, or that a negative conflict of competence lead to loopholes whereby some obligations are not complied with by any of the parties involved in the processing. It should be made clear here that all responsibilities have to be allocated according to the factual circumstances in order to achieve an operative agreement.
161. More specifically, Article 26 (1) specifies that the determination of their respective responsibilities (i.e. tasks) for compliance with the obligations under the GDPR is to be carried out by joint controllers “in particular” as regards the exercising of the rights of the data subject and the duties to provide information referred in Articles 13 and 14, unless and in so far as the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject.
162. It is clear from this provision that joint controllers need to define who respectively will be in charge of answering to requests when data subjects exercise their rights granted by the GDPR and of providinginformation to them as required by Articles 13 and 14 of the GDPR. However, the use of the terms “in particular” indicates that the obligations subject to the allocation of responsibilities for compliance by each party involved as referred in this provision are non-exhaustive. It follows that the distribution of the responsibilities for compliance among joint controllers is not limited to the topics referred in Article 26 (1) but extends to other controller’s obligations under the GDPR. Indeed, joint controllers need to ensure that the whole joint processing fully complies with the GDPR.
163. In this perspective, the compliance measures and related obligations joint controllers should consider when determining their respective responsibilities, in addition to those specifically referred in Article26(1), include amongst others without limitation:
Implementation of general data protection principles (Article 5)
Legal basis of the processing (Article 6)
Security measures (Article 32)
Notification of a personal data breach to the supervisory authority and to the data subject (Articles 33 and 34)
Data Protection Impact Assessments (Articles 35 and 36)
The use of a processor (Article 28)
Transfers of data to third countries (Chapter V)
Organisation of contact with data subjects and supervisory authorities