Lexicon > Jointly responsible

IT Glossary

Jointly responsible

Joint controllers of a personal data processing operation shall mean two or more controllers who jointly determine the purposes and essential means of the processing operation.

Joint controllers must transparently define their respective obligations, taking into account the different stages at which they operate, in order to ensure compliance with the requirements of the GDPR, including the rights of data subjects and the use of processors.

This division of obligations between the joint managers must be formalized in an agreement that properly reflects their respective roles and obligations to the individuals concerned. In addition, the outline of the agreement must be made available to them.

They are a prerequisite for the protection of the rights and freedoms of the persons concerned.

In any event, data subjects may exercise their rights against each of the data controllers, regardless of the agreement reached between the joint controllers.

Finally, it is specified as necessary that the fact that a party has access only to information that does not concern an identified or identifiable natural person, or to personal data anonymized in such a way that the data subject is not or is no longer identifiable, does not affect the situation of joint responsibility for the processing.

However, this may be important in establishing the degree of responsibility of the parties involved

RGPD Point

The responsibility of the controller should be established for any processing of personal data that he carries out himself or that is carried out on his behalf. In particular, it is important that the controller is required to implement appropriate and effective measures and is able to demonstrate the compliance of the processing activities with this Regulation, including the effectiveness of the measures. These measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

Recital 74 of the GDPR

Point of jurisprudence

The Court of Justice of the European Union has recalled that ” the existence of joint responsibility does not necessarily translate into equivalent responsibility for the same processing of personal data on the part of the different actors. On the contrary, these actors may be involved at different stages of this treatment and to different degrees, so that the level of responsibility of each of them must be assessed taking into account all relevant circumstances of the case […] “.

Court of Justice of the European Union, July 10, 2018, No. C 25/17

The Bouchara firm assists you in particular in :

  • Making your organization RGPD compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.