The Privacy and Data Protection Journal has published an article by Duc Tran (Of Counsel) and Tom Cadman of our Digital TMT, Sourcing & Data team. Please click here to access the full article.
The article looks at the market's continued reluctance to embrace joint controller relationships (preferring instead to frame data-related commercial arrangements as controller-processor or independent controller relationships) and what the latest UK and EU-level regulatory guidance and case law tell us about joint controller relationships, namely that they arise far more often than the market is willing to acknowledge.
Why do organisations resist labelling their arrangements as joint controller relationships? The article highlights four challenges:
- Administrative and operational burden – the requirement to implement a joint controller agreement and allocate responsibility for compliance with DP obligations between joint controllers
- Liability – organisations are averse to the idea of being jointly liable with the other controllers
- Negotiation challenges – organisations often have a negative perception of joint controller relationships and prefer the familiarity of independent controller clauses
- Decision making challenges – joint controllers must agree on key decisions (e.g., breach notification, handling data subject requests, sub-contracting arrangements) which can complicate workflow
Recognising and properly documenting joint controller relationships presents challenges. Nevertheless, the increasingly clear messaging from regulators and courts about the prevalence of joint controller relationships is making the market's reluctance to engage with Article 26 of the GDPR increasingly untenable.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
