Is a contract necessary between controllers who are not joint controllers?
If personal data is exchanged between companies or if two or more companies use a common data pool, which is often found in group constellations, the GDPR regulates two case constellations: processor (Art. 28 GDPR) and joint controllers (Art. 26 GDPR).
A company is a processor (for definition see Art. 4 No. 8 GDPR) if it processes personal data for the purposes of a controller in accordance with instructions. In this case constellation, the GDPR provides that the controller and the processor conclude a contract, the elements of which are listed in Art. 28 para. 3 GDPR.
If the two companies each also pursue their own purposes, or if they are not bound by instructions, then both companies are controllers within the meaning of Art. 4 No. 7 GDPR. However, they could be jointly responsible as so-called joint controllers. For joint controllers, the conclusion of a corresponding contract is mandatory pursuant to Art. 26 GDPR. Joint controllership pursuant to Art. 26 para. 1 GDPR exists if two or more controllers jointly determine the purposes and means of processing.
If, on the other hand, two or more controllers do not jointly determine the purposes and means of processing, Art. 26 GDPR does not apply. Rather, the legislator sees in this case constellation two or more controllers who access or disclose personal data to each other without a contractual arrangement. Of course, each controller must be authorized to process the personal data in accordance with data protection law, that is, have a corresponding legal basis.
Nevertheless, it can make sense for (non-jointly) controlling companies to voluntarily put the joint use of data on a contractual basis and conclude a so-called controller-controller agreement. I will explain below that this can have a whole range of advantages with regard to meeting the requirements of the GDPR.
Advantages of a controller-controller agreement
A controller-controller agreement for data sharing:
- Helps the controllers involved be clear about their roles;
- Defines the purpose of the data sharing;
- Governs what happens to the data at each stage; and
- Establishes standards (including with regard to technical and organizational measures to be implemented).
A controller-controller agreement between different controllers thus simultaneously justifies the sharing of data and demonstrates that the relevant compliance aspects are observed and documented. This aspect in particular should not be underestimated, especially since such a controller-controller agreement can be cited as a positive argument in favour of the controller in the context of the balancing of interests pursuant to Art. 6 para. 1 (f) GDPR (balancing test).
In this way, a controller-controller agreement for data sharing provides a framework that helps to meet the requirements of the GDPR and, in particular, the data protection principles formulated therein. Concluding a controller-controller agreement even between two (non-joint) controllers is therefore expressly recommended.
What should be included in a controller-controller data sharing agreement?
The following questions should be clarified in a controller-controller data sharing agreement:
- Who are the parties to the contract and who is a controller when?
The controller-controller agreement should specify who the controllers are at each stage, including after sharing.
- What is the purpose of data sharing?
The controller-controller agreement should clarify what the specific goals are and why data sharing is necessary to achieve those goals, as well as explain the benefits that will result. It is important that all parties are absolutely clear about the purposes for which they may share the data.
- What other companies or organizations will be involved in the data sharing?
The controller-controller agreement should clearly identify all entities that will be involved in the data sharing and include contact information for the data protection officer or a designated contact person responsible for the data sharing and other key contacts as appropriate. If applicable, the controller-controller agreement (e.g., in a group environment) should include a contractual mechanism for including additional entities or for dealing with cases in which an entity must be excluded from sharing.
- What data elements will be shared?
The controller-controller agreement should specify the types of data that will be shared. This specification may need to be very detailed, as in some cases it may be appropriate to share only certain information about an individual and omit other, more sensitive data about the individual. In addition, it may be appropriate to assign “permissions” to certain data so that only certain employees or employees in certain roles can access it (for example, employees in certain departments or employees who have received appropriate training).
- What is our lawful basis for sharing?
There must be a lawful basis for sharing data. It is important to note that the lawful basis for one party may not be the same as for the other party. If the data is processed on the basis of consent, the controller-controller agreement should include a sample of the consent as an attachment. The processes for refusal or withdrawal of consent should also be clarified. In any case, the legal basis on which the data may be disclosed should be outlined. This applies in particular to the processing of special categories of personal data pursuant to Art. 9 and 10 GDPR.
- What about access and individual rights?
The processes and responsibilities for compliance with data subject rights pursuant to Art. 12 et seq. GDPR (right of access, right to object, right to erasure and rectification, etc.) must be defined. It must be made clear in the controller-controller agreement that all parties remain responsible for compliance with the data subject rights, even if processes have been defined that specify who among the parties is to assume certain tasks.
- What governance arrangements should be in place?
The controller-controller agreement should also address the key practical issues that may arise when sharing personal data. Appropriate arrangements should be in place to ensure that all parties:
- Have detailed information about what data sets they can share to prevent irrelevant or excessive information from being disclosed;
- Ensure that the data they share is accurate, e.g., via sampling or data quality analysis;
- Store the data in the same format, adhering to open standards where possible. The controller-controller agreement could include examples of how certain data elements, such as birth dates, should be recorded or converted;
- Use common, reasonable rules for retention and deletion of shared data, and that a process exists for dealing with cases where different controllers may have to comply with different legal or technical retention or deletion periods;
- Have common technical and organizational safeguards in place, including a procedure to promptly pursue breaches of duty by either party;
- Have adequately trained their staff and are aware of their responsibilities for all shared data to which they have access;
- Implement or comply with processes for data subject inquiries, complaints and requests from supervisory authorities;
- Adhere to an auditing process for agreed-upon policies and processes; and
- Are aware of what happens on termination of the collaboration, including deletion of shared data or its return to the party that originally provided it.
What other details can be included in the controller-controller agreement?
It is helpful if the controller-controller agreement contains an appendix or attachment that includes the following:
- A summary of key statutory and other legal requirements, e.g., relevant sections of the GDPR; laws that provide your legal authority for data sharing; links to authoritative professional guidance;
- A model form for obtaining consent from individuals for data sharing where this is the legal basis;
- Decision-making tools on whether specific data may be shared;
- If applicable, a data sharing request form and a data sharing decision form.
The controller-controller agreement should be reviewed periodically, especially if circumstances or reasons for data sharing change. Complaints from data subjects or a data privacy incident should also always be a reason to review the controller-controller agreement.
Summary
- In constellations in which companies constantly use shared data without being joint controllers, it is advisable to conclude a controller-controller agreement.
- The controller-controller agreement defines the purpose of data sharing, regulates what happens to the data at each stage of processing, establishes standards, and creates clarity and transparency for all parties involved in sharing, about the roles and responsibilities of those involved.
- With a controller-controller agreement, you can demonstrate that you are meeting your accountability obligations under the GDPR.
- The controller-controller agreement should also be reviewed regularly.
If you need help, contact us.