Many are familiar with order processing under Art. 28 GDPR, but very few know what joint responsibility under Art. 26 GDPR is all about. When the GDPR came into force in May 2018, it was often unclear to controllers when joint responsibility could be assumed in practice. The supervisory authorities have now taken a clearer position on this. In our article we explain what you have to pay attention to.
Shared responsibility – what is it?
You are probably familiar with order processing according to Art. 28 GDPR. Here the processor processes personal data on behalf of a controller. The processor acts only on the controller's instructions and within the scope of those instructions.
In contrast, it is possible that several controllers jointly determine the purposes and means of processing activities. Then Art. 26 GDPR applies.
So when, specifically, is there joint responsibility?
It cannot be said in general whether there is joint responsibility under Art. 26 GDPR. A closer look is worthwhile in the following cases:
For example, if in group companies the parent company takes over HR administration for the subsidiaries, this can be a matter of joint responsibility within the meaning of the GDPR.
Workshops and manufacturers of readout devices can also be jointly responsible if the readout devices transmit the data to the manufacturer.
Another case of joint responsibility can be when several people jointly operate a platform, e.g. a booking platform for hotels and airlines.
In any case, it depends on the criteria: “several controllers” and “joint determination of purposes and means of processing”.
What should I do?
In the past, order processing was often assumed where the supervisory authorities now speak of shared responsibility. You should therefore check whether some of your data processing contracts need to be converted and whether contracts on joint responsibility should be concluded instead.
Specifically, this can be the case with data processing at corporations, e.g. where one company takes over personnel administration or payroll for the other. Where this was previously seen as order processing, we can now assume joint responsibility.
It should also be noted that in the case of joint responsibility, Art. 26 Paragraph 2 GDPR requires the essential content of the contract to be made available to the data subjects. This obligation exists in addition to the information obligations under Art. 13 and 14 GDPR.
Please do not hesitate to contact us if you would like support. We can help you check whether there is shared responsibility in your particular case. We would also be happy to advise you on drawing up the contracts and on fulfilling the information obligation in accordance with Art. 26 Paragraph 2 GDPR. Call us on 08505 919 27-0 or fill out our contact form.
Law graduate (Diplomjuristin) Désirée Eder studied law at the University of Passau and worked for several years in Berlin at a state-owned company for real estate projects as legal project manager and data protection officer. Désirée Eder enriches the team not only with her legal know-how; she is also the first point of contact for organisation and documentation, as well as for the increasingly important DIN ISO standards and for certification processes. "For the good of our clients, open communication and a structured, efficient and thorough way of working are important to me."