If your organisation processes personal information about individuals, it must comply with data protection laws. In the United Kingdom, the UK General Data Protection Regulation (UK GDPR) is the main law governing the use of personal data. Most of the UK GDPR rules apply to ‘data controllers’. Data controllers are organisations that decide how to process personal data. If two or more data controllers jointly agree on how personal data is processed, they will be deemed ‘joint data controllers’. This article will explore what a joint controller is under the UK GDPR.
What is a Data Controller Under the UK GDPR Rules?
A data controller is a person or organisation that (alone or jointly with others) determines the purposes and means of processing personal data.
In a commercial context, a data controller is a business that chooses how to use personal information.
For example, a business may:
- choose how to process personal information about its staff to deal with its employer obligations; or
- choose how to process personal data about its clients, for example, to deliver services or send them marketing information.
A data controller will generally:
- control the personal data they process;
- make decisions about how to process personal data; and
- decide how long to retain personal data before deleting it.
This contrasts significantly with the role of a ‘data processor’, who does not control personal data but acts on a controller’s instructions. Service providers often act as data processors by following their customers’ instructions on how to use personal data.
What is a Joint Controller?
Often, commercial organisations will share personal data with other organisations. For example, this may occur for joint collaboration projects or research purposes.
Two scenarios could arise if your organisation shares personal data with another data controller.
Firstly, you can share personal data with another data controller, and both parties jointly determine the purposes and means of processing. In this case, you will be joint controllers. Accordingly, both parties will process the same personal data for a joint purpose. This could be for a collaboration project between two commercial entities.
Alternatively, you can share personal data with another controller that uses it for its own individual purpose. For example, a university may share staff data with potential sponsors, who assess it for their own purposes. In this case, the two organisations sharing personal data have entirely different objectives for using the data.
In a joint controller scenario, additional rules and considerations apply under the UK GDPR. If you act as a joint data controller, you must carefully consider and comply with the relevant rules. You should seek legal advice if you need clarification on the applicable rules.
Are There Additional Considerations For Joint Controllers?
Joint controllers act as data controllers. As such, the UK GDPR rules for data controllers will apply to them.
However, further considerations apply if you are a joint data controller rather than an independent controller. You must address these in addition to your general obligations as a data controller. Let us explore these further below.
Documenting Your Data Sharing
It is a requirement to have an arrangement in place between joint controllers, setting out their respective roles and responsibilities. The best way to do this is to enter into a data-sharing agreement. The agreement should cover various provisions, including the types of personal data you are sharing, any restrictions on how it should be used, apportionment of liability if things go wrong and how to deal with data subject rights. You must also consider specifying a point of contact for data subjects.
Complying With the ICO’s Guidance
The UK ICO has published a Data Sharing Code of Practice. Where your organisation is sharing personal data, you should carefully consult the code and work to ensure that your data-sharing arrangements reflect its guidance. For example, there is a requirement to carry out a Data Protection Impact Assessment to consider the risks of data sharing.
You should also consider other requirements in the UK GDPR – for example, documenting the lawful basis you rely upon for the purposes of sharing personal data.
Considering Liability Issues
You should note that you may be liable for non-compliance as a joint controller. A data subject could take action against your organisation for the joint data processing, even if you are not at fault. This gives rise to additional risks to consider. For example, in the worst case, you may have to pay compensation due to the fault of the other joint controller. As such, it is vital to consider the risks associated with joint data processing and how to protect against them. For example, carry out thorough due diligence on the other joint controller and seek contractual protection (such as indemnities) to recover any losses you suffer due to their breaches.
The considerations around being a joint data controller can be complicated. You should seek legal advice if you are unsure about your obligations and how to protect your business from risk.
Key Takeaways
The UK GDPR sets out stringent rules for data controllers to comply with. If your organisation shares personal data with another controller, you should consider this carefully. As a priority, you must determine whether you are acting as a joint controller. If so, you will need to ensure that you can demonstrate compliance with the UK GDPR rules as a joint data controller. One of the key ways to demonstrate compliance is to have a robust data-sharing agreement in place to help evidence your accountability. However, there are also various other compliance obligations to consider. If you require support to understand your legal obligations as a joint data controller, you should seek legal advice from a data protection solicitor.
If you need help understanding whether you are a joint controller or your legal obligations, our experienced IT Lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.