Not all vendors that you share data with are data processors. In cases where the vendor processes personal data for their own purposes, the vendor is also considered to be a joint controller.
Not all vendors that you share data with are data processors. In cases where the vendor processes personal data for their own purposes, the vendor is also considered to be a joint controller. An example could be the Facebook “Like” widget, a website operator that embeds the Facebook “Like” widget on its website is considered a joint data controller with Facebook.
Joint controllers are governed by Article 26 of the GDPR. They are not required to have a contract in place, but they must, in a transparent manner, determine their respective responsibilities. However, each controller remains responsible for complying with all the obligations of controllers under the GDPR.
A hotel and a car rental company decide to set up an online platform. They agree on which data will be stored and who can have access to the information stored. Furthermore, they choose to share the data of their customers to carry out marketing actions.
In this case, the parties will have joint control over how personal data of their respective customers are processed and will therefore be joint controllers regarding processing that relates to the platform.
What is important here is that both parties jointly determine the purposes and means of the processing.
Each joint controller is responsible as controllers and must comply with and be able to demonstrate compliance with all GDPR data protection principles. Furthermore, data controllers are also responsible for the compliance of the vendors that process personal data on the controllers’ behalf.
To determine if you are a joint controller. You need to look at who determines the purposes and means of the processing. If you jointly determine the purposes and the means, you could be both acting as joint controllers.
For more information read our dictionary entry regarding the responsibilities of data controllers.
Joint controllers are a specific type of GDPR-role. However, there are many roles in regards to GDPR.
Read more about the different roles and their respective responsibilities.
Learn more about Privacy Hub →