On September 7, 2020 the European Data Protection Board (EDPB) publish guidelines on “data processing agreements vs Joint Controller Agreements”. I link it to the source document each time. Here are some of my initial thoughts on them.
Data Processing Agreements vs Joint Controller Agreements
What I found most interesting about the EDPB Guidelines on the concepts of controller and processor were the comments related to joint controllers. Joint controllers need to conclude an agreement – separate controllers do not. So what does a joint controllers data processing agreement look like? Most is similar to what is in a processing agreement:
- both parties are in compliance with GDPR,
- have a legal basis for processing,
- have adequate security measures,
- will notify each other in the case of data breaches,
- the use of sub-processors and third parties,
- they’ll be involved in the DPIAs.
Additionally, it must set out clearly “who does what” – who is the point of contact for individuals and recording all relevant information on the joint processing – such as
- the processing purpose,
- the individuals who’s data is being processed
- what data is being processed.
If you’re only documenting your processors and ensuring you have Data Processing Agreements with them then you’re not compliant. You need to assess where you might be a joint controller and make sure you’ve got adequate agreements in places with your other joint controllers.
Using social media for targeted advertising? It’s probably a joint controller relationship
It’s not a surprise the guidance on the targeting of social media users came out on the same day as the guidance on joint controllers. Read on to see why. Given the pervasiveness of social media on our lives, the documented ways in which it has a toxic effect on politics are heightened awareness of the fact we’re being targeted through documentaries like Netflix’s Social Dilemma – I’ve got to say this is fairly timely. The guidelines explain how social media and targeters use provided, observed and inferred data to target people. Targeters are the people or organisations using social media platforms to push their message to selected people based on criteria.
The guidelines contend that social media and targeters are joint controllers in most cases. This means that a Joint Controller Agreement (JCA)- what I just wrote about above – needs to be in place. This agreement would need to be sufficiently detailed to separate responsibilities between the social media platform and the targeted. Therefore, both of them would remain responsible.
So I want to echo my previous point. If you’ve only got a processing agreement in place with social media platforms you’re using – you probably need to re-examine the relationship and consider getting a JCA in place.