Guidelines 07/2020 on the concepts of controller and processor in the GDPR

Paragraph 2.2.1  Form of the arrangement

169. Article 26 (1) of the GDPR provides as a new obligation for joint controllers that they should determine their respective responsibilities “by means of an arrangement between them”. The legal form of such arrangement is not specified by the GDPR. Therefore, joint controllers are free to agree on the form of the arrangement.

170. In addition, the arrangement on the allocation of responsibilities is binding upon each of the joint controllers. They each agree and commit vis-à-vis each other on being responsible for complying with the respective obligations stated in their arrangement as their responsibility.

171. Therefore, for the sake of legal certainty, even if there is no legal requirement in the GDPR for a contract or other legal act, the EDPB recommends that such arrangement be made in the form of a binding document such as a contract or other legal binding act under EU or Member State law to which the controllers are subject. This would provide certainty and could be used to evidence transparency and accountability. Indeed, in case of non-compliance with the agreed allocation provided in the arrangement, its binding nature allows one controller to seek the liability of the other for what was stated in the agreement as falling under its responsibility. Also, in line with the accountability principle, the use of a contract or other legal act will allow joint controllers to demonstrate that they comply with the obligations imposed upon them by the GDPR.

172. The way responsibilities, i.e. the tasks, are allocated between each joint controller has to be stated in a clear and plain language in the arrangement. This requirement is important as it ensures legal certainty and avoid possible conflicts not only in the relation between the joint controllers but also vis-à-vis the data subjects and the data protection authorities.

173. To better frame the allocation of responsibilities between the parties, the EDPB recommends that the arrangement also provide general information on the joint processing by notably specifying the subject matter and purpose of the processing, the type of personal data, and the categories of data subjects.