Part 1: A Guide to Multi-Controller Situations - Who's Who?
Data processing and data sharing practices are becoming more complex, not least in our online era: companies often reach out to third parties to supply or assist with new AI-based solutions that facilitate administration, business development or customer engagement; businesses may rely on third-party lists to enhance their marketing practices; and company groupings, networks or alliances may process personal data jointly to achieve better efficiency and results.
In light of the General Data Protection Regulation (or “GDPR”) which came into force last year, the roles of the various parties involved in data processing activities were clarified.
As understanding the various roles (and determining which role a company has in any given data processing activity) is often a difficult issue for our clients, we thought that we would share our insights in this two-part article. This first part deals with the various actors in the data processing arena, their related rights and obligations, and why it is so important to get things right; the second part explains how to define the role of your business and gives our tips on how risk can be reduced.
Who’s who? The Various Data Processing Actors
When talking about data protection under the GDPR, there are three actors whose roles must first and foremost be understood.
According to the GDPR, a data subject is a natural person (an individual) who can be identified, whether directly or indirectly, from information held about them. If you are reading this, you are a data subject. Furthermore, when the law speaks about “personal data” this means all information relating to a data subject.
The GDPR states that a processor is a natural or a legal person (meaning an individual or a corporation) or even a public authority, agency or any other body which processes personal data on behalf of data controllers, and in accordance with their instructions.
Like data processors, data controllers can also be a natural person, a legal person, a public authority, an agency or another body. Data controllers, as defined by the GDPR, determine the purposes and means of the processing of personal data. Essentially, data controllers are in charge of the processing of personal data belonging to data subjects. Additionally, the GDPR states that controllers can act either alone or jointly with others.
When controllers act jointly with others, these multi-controller scenarios, where data is shared between several controllers, are highly complex situations that require extra organisation, attention and foresight.
The Obligations of Data Controllers
Before we dive into the intricate topic of multi-controller situations under the GDPR, we must first properly understand the principal obligations of a data controller in general.
According to Article 5 of the GDPR, personal data must be collected for specified, explicit and legitimate purposes and then processed in a secure and transparent manner which respects the initial purposes of its collection. Data controllers must also make sure that all personal data is accurate, kept up to date and kept in a form which permits the identification of data subjects for no longer than necessary given the purpose of the processing. In addition, according to Article 6 of the GDPR, for a data processing operation to be lawful, one of the following must be true:
· The data subjects have given their consent
· The processing is necessary for the performance of a contract to which the data subject is a party
· The processing is required by one of the controller’s legal obligations
· The processing is necessary to protect the vital interests of the data subjects or another natural person
· The processing is necessary in the public interest
· The processing is necessary for the purposes of legitimate interests
Data Processing Security
Article 32 of the GDPR states that data controllers (and processors) must implement technical and organisational measures to ensure the security of the personal data. Such measures will be taken by considering the context, purpose and risk associated with the data processing activities, to ensure that all personal data remains confidential and secure.
Data controllers must inform data subjects about what personal data is being collected, the purposes of such collection and the many other modalities of their data processing activities pursuant to Articles 12, 13 and 14 of the GDPR, at the moment that the data is collected. The most efficient way of doing this is to ensure that an appropriate privacy notice is in place. This privacy notice must be concise, transparent, intelligible and easily accessible, using clear language. Usually, this information will be shared in writing (including by electronic means), unless the data subject requests to be informed orally (in our opinion it is always better to keep things in writing too).
Data Breach Notification
Upon discovering a personal data breach which is likely to put the rights and freedoms of data subjects at risk, Article 33 of the GDPR obliges data controllers to notify the relevant national authority within 72 hours.
Pursuant to Article 30 of the GDPR, data controllers must maintain records of their data processing activities.
As mentioned above, Article 4 of the GDPR states that the purposes and means of data processing can be determined by a single controller or jointly with others – the latter case is what is called a joint controller relationship. Hence, a joint controller relationship is one where two or more data controllers determine the means and purposes of the data processing activities together. Joint controllers have the same obligations as any other controller, as outlined above, with the addition of Article 26 of the GDPR. Article 26 of the GDPR requires joint controllers to conclude an agreement or an arrangement (a Joint Controller Agreement, for example) which governs their respective responsibilities and obligations under the GDPR.
This agreement or arrangement must lay out the data controllers’ responsibilities not only towards each other, but also towards data subjects. Furthermore, notwithstanding any clause of the agreement, data subjects will be able to exercise their data protection rights against any of the controllers party to the agreement – more on that below!
Similarly to a joint controller scenario, controller-to-controller relationships also involve two or more data controllers. In this case, however, separate data controllers share data but process it individually, each for its own distinct purposes. Although they share the same general obligations as any other controller, the members of a controller-to-controller relationship do not have the statutory obligation to conclude an agreement or arrangement between themselves as joint controllers do, even if it is often good sense to do so.
Hence, joint controller or controller-to-controller status is in essence determined by the decision-making process. Where the means and purposes of the data processing activities are decided together, you are joint controllers. Where the means and purposes of the data processing activities are decided individually, and data is simply shared between controllers, you are in a controller-to-controller relationship.
Why is the distinction between single controller and multi-controller scenarios important?
When you are the sole data controller of a processing activity, you and you alone are responsible for compliance. The same cannot be said for multi-controller scenarios.
In joint-controller scenarios, with the aim of empowering data subjects and facilitating their claims under the GDPR, the law allows them to exercise their rights against any of the data controllers. This means that in the event of a non-compliant processing operation, any of the controllers in a joint-controller relationship could be held to individually pay the entirety of any sanction or fine, since they are jointly and severally liable. Being a joint controller therefore greatly increases liability risks, as you can technically be held responsible for the non-compliant activities of one of your partners.
Although this might sound unfair, it exists only to facilitate the claims of data subjects, who would otherwise have to go after every single controller individually. The controller who was held to pay the entirety of the fine can, after the fact, turn to the other controllers in order to share the penalty in accordance with their respective roles in its occurrence.
The only way for a joint controller to exonerate itself from all responsibility is by proving that it was not at fault. However, as mentioned above, this only applies after the fact, when the other controllers in the relationship get involved to share the penalty – this argument can never be raised against data subjects, since one of the main features of the GDPR is to ensure the accountability of those controlling and/or processing personal data and to ensure that data subjects have sufficient redress.
However, if you are ever unsure about what role you are carrying out in the data processing arena, it is always best to seek out professional advice. For more information on how to define your role and on how best to reduce risks in multi-controller processing activities, look out for Part Two of this two-part article.
If you have any further questions concerning multi-controller scenarios, please do not hesitate to contact us!
Article by Justin Boileau, Legal consultant and Charlotte Gerrish, Founder @ Gerrish Legal, September 2019.