Part 2: A Guide to Multi-Controller Situations - Reduce the Risks!
As mentioned in the first article of this Guide to Multi-Controller Situations, data processing and data sharing practices are becoming more complex, not at least in our online era.
In light of the General Data Protection Regulation (or “GDPR”) which came into force last year, the roles of the various parties involved in data processing activities were clarified.
As the various roles (and determine which role a company has in any given data processing activity) is often a difficult issue for our clients, we thought that we would share our insights in this two-part article. The first part deals with the various actors in the data processing arena, as well as the related rights and obligations and why it is so important to get things right, with this second part explaining how to define the role of your business, and our tips on how risk can be reduced.
Why is the distinction between single controller and multi-controller scenarios important?
As we set out in Part 1, when you are the sole data controller of a processing activity, you and you alone are responsible for compliance. The same cannot be said for multi-controller scenarios.
In joint-controller scenarios, with the aim of empowering data subjects and facilitating their claims under the GDPR, the law allows them to exercise their rights against any data controller. This means that in the event of a non-compliant processing operation, any of the controllers in a joint-controller relationship could be held to individually pay the entirety of any sanction or fine, since they are jointly and severally liable. Being a joint-controller therefore greatly increases liability risks as you can technically be held responsible for the non-compliant activities of one of your partners.
How do you define your role?
As mentioned in Part 1, the “category” of controller you are depends on two things. Firstly, are you the only data controller in your operation? If so, you are simply a data controller with no additional obligation.
Secondly, if the answer to that first question was no, and there are other data controllers involved in your processing activity, you need to ask yourself if you are determining the purposes and means of the data processing activities together.
If you are doing so, then you are a joint controller and you need to conclude a joint controller arrangement or agreement setting out agreed practices. In terms or legal security, we would usually recommend entering into a legally binding agreement rather than relying on joint-controller guidelines or policies. This of course, can be subject to the overall relationship between the parties and any related complexity (including the number of joint-controllers).
Furthermore, it should be stated that in a case involving Facebook, a fan page, cookies and multi-controller situations, the CJEU took a very liberal stance on what constitutes a joint controller. This liberal stance was confirmed in a decision of the CJEU in July 2019 where it was held that even the owner of an online fashion retail website which had embedded a Facebook “like” on its site, was deemed to be a joint controller with Facebook of any personal data processed via that “like” button (albeit the website owner would not be a joint controller with Facebook for any subsequent processing activities carried out by Facebook alone). The European Court, at least, seems to take a fairly wide approach in finding the existence of a joint controller relationship in these situations.
In recent decisions, even if there is no sharing of personal data and only one of the parties is active in the processing activities, they will be deemed joint controllers if the other party has a certain influence on the data processing activity or is, directly or indirectly, benefiting from it.
On the other hand, if you work and share data with other data controllers but you all determined the purposes and means of processing individually, then you are part of a controller to controller relationship. In this case, you have all the added responsibilities associated with being in a multi-controller relationship without the obligation to conclude an agreement between the controllers. However, even thought there is no obligation to conclude such an agreement, it could still be wise to do so.
If you are unsure about what kind of data controller you are, it is always best to seek out professional advice.
What can you do to reduce and limit risk regardless of your situation?
It goes without saying that multi-controller relationships are very complicated situations and even though it would be useless for controllers to set up their respective liability towards data subjects for the reasons mentioned above, there are still many facets of these relationship that would benefit from an agreement. In order to reduce the organisational and monetary risks associated with having a plurality of controllers, certain processes should be put in place. As such, joint controller agreements and optional (yet encouraged) controller-to-controller agreements should include provisions relating to:
· The respective roles and relationships of the controllers vis-à-vis the data subjects.
· The purposes of the data processing activities
· The obligation of cooperation between the parties and the relevant authorities
· How the parties should exchange information between themselves and, if the case may be, third parties
· How to deal with data breaches and how to notify the other parties and relevant authorities
· Data retention and deletion policies
· Records of processing activities
· Confidentiality agreements
· The rights of data subject and how to deal with their requests
· Security measures
· The existence of processors or sub-processors
· Termination of the processing activities and the agreement
As previously stated in Part 1, the parties to a controller-to-controller relationship have no obligation to conclude a compulsory agreement or arrangement. Doing so, however, could reduce future headaches and allow you to start your relationship on the right foot. Often, setting things out at the start when the parties are getting along is much easier than trying to reconcile differences once a dispute has occurred or indeed, once fine or sanction has been issued.
Many questions surrounding multi-controller scenarios still remained unanswered – especially in regard to liability where the law remains rather vague. Of course the GDPR is a relatively new piece of legislation and so we await further guidance from the courts and supervisory authorities as they to continue to shed light on these questions. It is therefore worth remembering that compliance is an ongoing project, so it is important to set reminders to regularly review your best practices in line with the latest updates.
If you have any further questions concerning multi-controller scenarios, please do not hesitate to contact us!
Article by Justin Boileau and Charlotte Gerrish @ Gerrish Legal, September 2019