One of these possibilities is joint controllership. This is a constellation provided for in Article 26 of the RGPD, which allows several companies to share and share their customer or other data. At the same time, the Institute of Common Responsibility provides clients with details of who they can contact for data protection issues. Whether there is a shared responsibility depends on the parties` joint determination of the purposes (and means) of data processing. In practice, the new legal institute of common responsibility for German officials faces additional requirements for companies. As part of their projects to implement the DMPR, many companies underestimate the resulting efforts. To avoid fines or possible civil liability, companies must carefully consider whether it is a joint processing, order processing or data transmission to another manager when transferring data to third parties. To the extent that, for certain treatments, companies are not sure how they should assess the different roles, they should, if necessary, coordinate their assessment with the relevant supervisory authority before the application of the RGPD. In addition to shared responsibility, the RGPD primarily distinguishes order processing and individual responsibility.
In addition, for German companies, the question also arises as to how they should in the future classify transfers of functions under the RGPD. The Legal Institute for the Transmission of Functions has consisted of the old German data protection legislation and has designated the outsourcing of certain data processing operations with a certain margin of decision of the recipient with regard to specific tasks. With the application of the RGPD, there is no longer a legal institute comparable to the transmission of functions. The brief document specifies that shared responsibility must be delineated in the processing of orders (Article 28 of the RGPD). With respect to the processing of orders, the parties do not jointly define the purposes and means of processing personal data. The German specificity of the « transmission of functions » must therefore no longer exist under the RGPD. In the wake of the European Court of Justice`s (« ECJ ») joint controllership decision last year, many were left in a state of confusion. What is this new legal concept of « joint controllership » and how does one structure the required contractual agreement between responsible parties? As a refresher, the ECJ held that under the concept of joint controllership, all parties involved in determining the purposes and means for data processing are jointly responsible for complying with the GDPR. How such responsibility is allocated must be agreed to in what is known as a Joint Controller Agreement. But what constitutes a sufficient Joint Controller Contract under Article 26 of the GDPR? The Commissioner of Data Protection and Freedom of Information Baden-Wuerttemberg provides a guiding light for navigating this world of joint controller agreements-the first model joint controller contract.