Allocating roles within a group of different actors might often become very difficult, in particular when drawing a line between joint decisions and separate ones gets tricky.
Say that a parent company offers its subsidiaries to use a new uniform online platform for the processing of orders placed by customers entering into a supply contract with a subsidiary. There are at least two actors here, so how to properly allocate roles here?
‘Guidelines’ intend to provide for some new tips helping to spot a joint controllerships in paragraphs 22.214.171.124, 126.96.36.199, but all of them still revolve around what has always been clear from Article 26: finding out how means and purposes of processing are defined requires careful case-by-case assessment. To that end, ‘Guidelines’ are more likely to be expected to outline a clear methodology of how this assessment should be performed.
Referring to the question above, e.g., it might revolve around questions like: does the parent company make it mandatory for the subsidiary to use the online platform (and thus it solely defines means and purposes)?; or can the platform only be used in case of a common decision of the parent company and the subsidiary to do so?
Instead of the methodology, we can (not only but mostly) see examples. Examples are always good but they are rarely helpful when factual picture in practice differs (even slightly) from that described in the example. In other words, examples contain an analysis of very specific facts alone, while a privacy pro needs an understanding (method, checklist, etc.) of how to properly approach every possible set of facts.
Good job, EDPB, but could you please try again?
2 Replies to “Do new Guidelines 07/2020 ‘on the concepts of controller and processor in the GDPR’ (‘Guidelines’) really help to identify joint controllership?”
Can you share the link to the guidelines?