Data Controller or Joint-Controller?

In practice, sometimes it is difficult to say, whether an entity acts as a controller, or as a processor in the context of European data protection law. Now companies have to solve another one legal conundrum regarding their data processing activities – when they become joint-controllers?

For companies and data protection lawyers in Lithuania and beyond, this question became even more important when the Court of Justice of the EU (CJEU) has substantially broadened the notion of joint-controllership in its three important judgments:

  • in the first case – Wirtschaftsakademie Schleswig Holstein (C-210/16) – the Court decided that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page;
  • on 10 July 2018, in case Jehovan todistajat (C-25/17), the Court ruled that a religious community, such as the Jehovah’s Witnesses, is a joint-controller with its members (who engage in preaching) for the processing of personal data collected by those members in the context of door-to-door preaching;
  • this July, in case Fashion ID (C-40/17), the CJEU decided that an operator of the website featuring Facebook’s “Like” button (i. e. social plugin) can be considered as a joint-controller along with Facebook. The Court stated that such operator (Fashion ID in that case) should be considered as a joint-controller with Facebook Ireland in respect of processing operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue. By contrast, Fashion ID cannot be considered as a joint-controller in respect to the subsequent processing carried out by Facebook Ireland.

What guidelines did the CJEU provide in these judgments?

  • A person may be a joint-controller only in respect of those processing operations, for which it jointly determines the purposes and means. Accordingly, data protection lawyers in Lithuania and beyond should note that person cannot be considered as a joint-controller for those operations that precede or are subsequent to (in the overall chain of processing) and for which that person does not determine either the purposes or the means.
  • Joint responsibility of several actors for the same processing does not require each of them to have access to the personal data concerned.
  • Joint controllership does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data. On the contrary, joint-controllers may be involved at different stages of that processing and to different degrees.
  • With regard to the cases in which the processing is necessary for the purposes of legitimate interest, each of the joint-controllers must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in respect of each of them.

What are the key implications for business?

It could be concluded that the threshold for joint controllership seems to be low. However, a joint-controller’s liability is always limited to the processing operations in respect of which it actually determines the purposes and means.

In any case, data protection lawyers in Lithuania and beyond believe that such complex matters regarding personal data protection will be more resolvable with the assistance of aforementioned guidelines provided by the Court. Accordingly, the experience “Motieka” has gained while handling similar complicated cases can, without doubt, help businesses to comply with the data protection requirements newly explained by the CJEU.