The summary document specifies that the shared responsibility must be delimited from the processing of orders (Article 28 GDPR). With regard to the processing of orders, the parties concerned do not jointly determine the purposes and means of the processing of personal data. The German particularity of the “functional transmission” must therefore no longer exist under the GDPR. Following last year`s judgment of the Court of Justice of the European Communities (“ECJ”) on joint control, many were in a state of confusion. What is this new legal notion of “shared responsibility” and how to structure the necessary contractual agreement between those responsible? As a reminder, the ECJ found that, according to the concept of shared responsibility, all parties to the definition of the purposes and means of data processing are jointly responsible for compliance with the GDPR. The manner in which this responsibility is assigned must be agreed in what is called an agreement on common officials. In addition to shared responsibility, the GDPR distinguishes order processing and individual responsibility in the first place. In addition, for German companies in particular, the question also arises as to how, in the future, they will classify so-called functional transfers under the GDPR. The Legal Institute for the Transfer of Functions consisted of the former German data protection legislation and referred to the outsourcing of certain data processing operations with a certain margin of decision by the recipient with regard to specific tasks. With the application of the GDPR, there is no longer a legal institute comparable to the transfer of functions. Dr.
Data protection, I dare once again: Example No. 6 (“Headhunters”) in the O.G. WP169-Link postulates – by not explaining enough to me – a joint control between the principals and the headhunters, apparently because the headhunter can do the matching enhancen by accessing his own contact database. As for the B-A ratio, can it be argued that B, unless file B contains the number of people desired by A with A`s criteria, can expand its own file by free search (cold battery) in order to find the number of participants desired by A? And does the relationship between A and B change if B is to interview the participants identified immediately after the questionnaire defined by A and send A only the recorded interview and not the participants` contact details? Thank you very much. The German data protection supervisory authorities consider that a shared responsibility does not in itself constitute an authorisation for data processing. Therefore, each of the joint controllers needs its own legal basis for the joint processing of personal data. In addition, joint controllers are also recipients of data between them. Therefore, the DSK considers that the transfer of personal data between joint controllers also constitutes a separate processing operation which, as such, also requires a legal basis on a case-by-case basis. But what makes a joint controller contract sufficient under Art. 26 GDPR? The Head of Data Protection and Freedom of Information of Baden-Württemberg offers a guidance guide for navigating this world of joint manager agreements – the first model contract for joint managers. The first model contract for joint managers, drafted in German, was developed in collaboration with companies and authorities and offered a glimmer of hope to many parties who moved into the waters of compliance with the common responsibilities of the GDPR.
. . .