GDPR template joint controllership agreement

| Sieuwert van Otterloo | Privacy Templates

When two companies process personal data together in an equal relationship, they must sign a join controllership agreement, We made a free template for such an agreement.

What is a GDPR joint controllership?

When two parties share personal data, they must sign an agreement to make sure each party handles the personal data properly. What type of agreement is needed, depends on which party determines the purposes and means of processing:

  • If one party determines the means and purposes (e.g. one party leads the project, the other party is a supplier), a data processing agreement must be signed. One party is the controller (verantwoordelijke), the other is processor (verwerker).
  • if the parties determine the means and purposes together (e.g. it is a collaboration between equal parties). They are both controller and need to sign a joint controllership agreement.

Joint controllerships are common in research collaborations and can also occur when parties organize an event together. It is important that it must be an equal relationship. If one party tells the other what to do, that party is the controller.

GDPR articles and requirements

Article 26 of the GDPR describes what you need to do in case of a joint controllership. Article 26.1 states the following:

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects

Firstly, parties must determine their responsibilities, and the joint controllership agreement is the best way to do this. The agreement must at least describe how the rights of data subjects are handled. These rights are: the right of access to data, rectification, erasure, restriction of processing and data portability.

Secondly, parties must make sure that data subjects are informed about the data processing when their data is collected (article 13 and 14 of the GDPR). This is often done using a privacy statement. Parties must have a privacy statement that clearly informs the data subjects about the processing and their rights.

Free template

You can download the free template Joint Controllership here. The template can be used by two or more parties. It contains the following main clauses:

  • All parties are aware of the General Data Protection Regulation and will endeavor to meet all requirements of the GDPR.
  • Each party will make sure that data subjects receive the required information (as described in article 13 and 14 of the GDPR) when personal data is collected by that party. They will make sure that data subjects have the name of the controller, the data protection officer, the purposes of data processing, the legal basis for processing and who receives the data. This can for instance be done in a privacy statement.
  • Each party agrees to takes reasonable, appropriate technical and organizational measures to protect the personal data, so that the risk of data breaches in minimized.
  • Each party will inform all other parties immediately in the case of a serious information security incident. This way, each party can determine if the serious information security incident is a data breach that must be reported. Parties will keep each other informed whether they have reported the data breach as the controlling party, and if and how they have informed data subjects.
  • Each party will make sure that that data subjects can make a request to exercise their GDPR rights, including the right of access to data, rectification, erasure, restriction of processing and data portability if applicable.
  • Whenever a party receives a GDPR request from a data subject, it will inform all other parties of the request. All parties will then work together so that the request is fully and completely handled. The first party receiving the request will communicate with the data subject.
  • If one party is audited by their supervisory authority (e.g. the Autoriteit Persoonsgegevens) for a joint activity, the other parties will support the audited party, for instance by providing information that is requested by the supervisory authority.

According to our analysis, these are the essential items. It is possible to include additional terms based on other GDPR requirements, but these are already implied by point one.

More information

if you are working on your GDPR compliance, do not forget to check our other templates, including for the register of data processing activities, the DPIA and the data processing agreement. If you want to know more about joint controllership, please check the joint controllership page from the British ICO and this model joint controllership template from SURF.

img src: Van Tay Media

Author: Sieuwert van Otterloo
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.