12.03.2025
Joint Controller Agreement: Benefits and challenges of shared responsibility
In practice, the Joint Controller Agreement (JCA) still seems complicated and cumbersome to many managers. But this is not the case: by carefully structuring the agreement, responsible companies can reap many benefits, realise efficiency gains through forward-looking process design and implement effective risk management. In this article, we will use some examples from the healthcare sector to show you what is meant by shared responsibility, what provisions need to be included in the JCA, and how a JCA can be designed in a way that is meaningful and profitable for responsible companies.

Dr Philipp Siedenburg
Director Privacy
Why are Joint Controller Agreements useful?
In practice, the Joint Controller Agreement (JCA) still seems complicated and cumbersome to many managers.
But they are wrong: by carefully structuring the agreement, responsible companies can reap many benefits, realise efficiency gains through forward-looking process design and implement effective risk management. This is particularly true in the healthcare sector in many cases (e.g. when processing data from clinical trial participants or in the case of telemedicine services), as there are often special requirements regarding the nature and manner of data processing and the relevant technical and organisational measures (such as the use of encryption mechanisms, electronic signatures and confirmation procedures).
In the context of clinical trials, for example, it may be particularly important to agree with the other responsible parties, in the form of a JCA, which party should have which specific roles, responsibilities, information and cooperation obligations in the event of patient requests for information or deletion, withdrawal of consent or data breaches.
There is also an obligation to enter into a JCA wherever joint controllership actually exists in practice - without a JCA, there is a risk of fines.
ISiCO supports you with Joint Controller Agreements
Review and design of data protection roles:
- Joint vs. independent responsibility
- Commissioned processing
- Preparation and review of sample contracts (JCA, DPA)
- Best-practice design of joint responsibility
When does Joint Controllership exist?
Joint controllership under Art. 26 GDPR does not only exist when the parties contractually agree to it, but already when the requirements are actually met in practice. This means that the specific data protection requirements also apply, which is why companies should always check whether their specific constellation could constitute joint controllership under the GDPR.
In contrast to commissioned processing, where the processor is bound by the instructions of the controller, joint controllership involves two or more controllers in the data processing. Unlike separate responsibility, they must also jointly determine the purposes and means of the data processing.
This follows from the wording of Art. 26 GDPR, which makes this joint determination the decisive characteristic of joint control. There are no fixed criteria for assessing when there is such joint control. However, according to the current guidelines of the European Data Protection Board (EDPB), this is the case when more than one entity exercises a decisive influence on the 'whether' and 'how' of data processing. There are a number of indications and clues in favour of one or the other constellation, which have been identified by the European Court of Justice (ECJ) in a number of judgments. For example, the European judges do not require an equal distribution of decision-making powers.
There may also be joint control where each body has its own purposes or where each controller does not have access to the data to the same extent or at all. In certain circumstances, it may even be sufficient for one body to be only partly responsible for the processing. The concept of joint controllers must therefore be understood very broadly. Separate responsibility is more likely, for example, if the purposes of the parties are unrelated and the purpose of one party can be easily achieved without the involvement of the other.
Identifying joint controllers and distinguishing them from commissioned processing is of practical importance, as the GDPR contains different requirements for the contracts to be concluded in each case. In addition, the justification of data transfers between joint controllers - unlike in the case of commissioned processing - always requires authorisation. In practice, therefore, it makes sense to address this issue at an early stage. In the healthcare sector, joint controllers should be considered in particular in the context of clinical trials (see also the EDPB Guidelines, paragraph 68), telemedicine, the use of a shared data pool or the sharing of healthcare data within a group.
Joint controllers may also exist under data protection law, for example in the case of special, new forms of healthcare, where the cooperation or involvement of several actors from different areas is required or even prescribed (such as in the scientific monitoring of new forms of healthcare pursuant to Section 92a (1) of the German Social Code, Book V).
What are the consequences of the Joint Controller Agreement?
In the case of joint responsibility, a joint controller agreement must be concluded between the parties involved. In addition, the data subjects must be informed of the key points of the agreement, in particular the allocation of responsibilities. Finally, joint control may result in joint and several liability of the controllers involved in the event of breaches of data protection law, whether fines are imposed or data subjects assert claims for damages as a result of data breaches.
This means that, in accordance with Art. 26 para. 3 GDPR, data subjects can generally hold any one of the joint controllers liable for the entire damage. Compensation within the internal relationship is left to the controllers themselves. Here the JCA performs an evidentiary and attribution function: it allows responsibility for certain damage to be clearly assigned and enforced, and in this way facilitates the settlement of liability between the parties involved.
It is also important for controllers to note that the Joint Controller Agreement should not be used as the sole legal basis for data processing. Although there are those who support the Joint Controller Agreement as a legal basis, the vast majority, including the supervisory authorities, take a different view. In practice, the general legal bases under Art. 6 and 9 GDPR, as well as any specific legal bases, should therefore be used.
What should be included in the Joint Controller Agreement?
As soon as there is joint responsibility, the responsible companies should seek to enter into a full joint controller agreement to avoid the risk of non-compliance and fines. This can be a good opportunity to establish clear rules for cooperation between the controllers involved. This is because the agreements can help to deal quickly and legally with challenges such as dealing with data protection incidents or requests from data subjects. There is some content that must be included in the joint controller agreement and some that is optional but often useful.
Mandatory content
In any case, the purposes and means of processing must be included in the agreement. The same applies to the description of the main functions and roles of the joint controllers, e.g. which office in the hospital maintains contact with the patients or which of the parties involved in clinical trials should act as the contact point for the participating patients for the assertion of their data protection claims or for the declaration of withdrawal of consent.
The internal allocation of responsibilities must also be addressed in the Joint Controller Agreement, i.e. in particular the question of who fulfils the information obligations, obtains consent, implements and responds to withdrawals of consent, etc. It is important that the other rights of data subjects (in particular the rights to information, rectification, restriction of data processing and data portability) are also subject to clear responsibilities. For example, clinical trials usually do not work with directly identifying data, but with pseudonymised data sets. In this case, only the entity that manages the pseudonymisation and is able to reverse it can link the data sets to a specific individual and thus fulfil the rights of the data subject.
In such constellations, it may therefore be useful to establish precise rules on responsibilities and cooperation. These are also helpful in view of the applicable time limits, such as 72 hours for reporting data protection incidents to the supervisory authority. In the healthcare sector, there is usually an additional obligation to notify data subjects immediately, due to the sensitive nature of the health data processed.
Useful content
In particular, it is useful to provide a more precise and concrete description of the purpose, nature and scope of the data processing. In practice, such a provision is recommended so that the companies involved can identify data protection incidents and the data concerned quickly and completely. It should ensure that it can be determined as quickly and unambiguously as possible whether or not a given set of data falls within the scope of joint responsibility.
This is important and very relevant in practice, for example, if a data protection incident (such as a hacking attack) has occurred with respect to certain data processed on certain systems and the parties involved now need to determine as quickly and reliably as possible within the 72-hour reporting period whether or not there is joint responsibility for the incident and thus whether or not the JCA rules apply with respect to certain responsibilities and processes.
A single point of contact may also be agreed. This may be helpful in order to avoid the situation where those entities involved in data processing are faced with dealing with data protection incidents and requests from data subjects that they may not be able to deal with because they do not have certain information necessary to do so. This may be the case, for example, in the context of clinical trials, when the trial participants concerned contact the sponsor or the clinical research organisation itself with requests to withdraw consent or for information, which may not even be able to link the data to a trial participant known by name due to the pseudonymisation of the data.
The appointment of an appropriate joint contact point is recommended by the EDPB (Guidelines, paragraph 184) and can help to direct data subjects to the joint controller who is best placed to deal with their concerns. In this way, unnecessary workloads can be avoided for the other controllers involved and the relevant processes can be organised and defined as economically and efficiently as possible.
It is also helpful to define common technical standards and technical and organisational measures (TOM). Particularly in the transfer of health and patient data and in telemedicine, secure measures are needed to protect the data from unauthorised access and modification and to ensure that only the right recipient receives it. This is important not only for data protection reasons, but also because there is a risk that, for example, the wrong patient's data could be used for treatment, posing a direct health risk to the patient(s) concerned.
An important and very practical issue in the field of health research (especially clinical research) is whether and to what extent the data collected can later be used for other research projects or analyses that are related to the original research project but were not specifically planned or even foreseeable at the time the study was started. In order to allow data processing for such secondary scientific purposes (within the limits of what is allowed under data protection law), it is important that all co-responsible parties organise patient consent (so-called 'broad consent') and patient information accordingly at the beginning of the study.
However, it is often those parties (such as the sponsor or the CRO) who have no direct contact with the patients or trial participants concerned and who are not responsible for obtaining patient consent, who have a correspondingly strong interest in doing so. For this reason, it will be important for these bodies to agree the exact wording of the consents and patient information with the trial sites responsible for obtaining them. This may also take the form of a JCA.
Other issues that could usefully be agreed in the context of the JCA include, for example, the implementation of data protection impact assessments, the use of processors, cost and liability issues, and the processing of data in third countries. The latter is already subject to high data protection requirements, particularly in the health sector. Where processing outside the EU is envisaged, this should be clearly set out in the joint controller agreement.
What are the challenges in terms of data subjects' rights?
As mentioned above, information obligations are central to data protection law for data subjects. The information must be provided in accordance with the requirements of Art. 12 GDPR; in particular, it must be complete and provided in a 'concise, transparent, intelligible and easily accessible form, using clear and plain language'. For the healthcare sector, sector-specific regulations such as Section 40(2) and (2a) of the German Medicines Act (AMG) on clinical trials must also be observed.
Data controllers must also obtain the necessary consent for data processing and, where applicable, releases from confidentiality obligations. Special standards such as Section 40 para. 1 No. 3 lit. b, c AMG may also be relevant. In this context, data subjects may withdraw their consent at any time or object to certain data processing; both should be implemented quickly and in full. Other rights of data subjects under the GDPR include the right of access (Article 15), the right to rectification and completion (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18) and the right to data portability (Article 20).
The main challenges for controllers are the sometimes very short deadlines and the fact that data subjects can contact any controller. The latter applies regardless of the provisions of the Joint Controller Agreement: the controller to whom a data subject has turned is responsible for dealing with the request quickly and completely. This is one of the reasons why it is advisable to establish a central contact point, so that data subjects can at least direct their enquiries to the most appropriate body for initial processing and response (e.g. the relevant trial centre in the case of clinical trials).
It should be noted that any failure to comply with the rights of data subjects can result in fines and that data subjects can lodge complaints with the supervisory authorities. Other challenges are the definition of processes and clear responsibilities between partners and the implementation of technical options: responsibilities and processes for handling data subject requests should be aligned with existing pseudonymisation management where possible, and systems should be searchable by unique identifiers and pseudonyms.
In addition, it must be possible to delete data effectively, for which standard deletion periods must be defined and the records concerned identified. This should be based on the legal retention periods of the actors involved in data processing, which are very numerous and diverse, especially in the health sector. It must also be possible to export data from the systems used, and the distribution of responsibilities should be reflected in appropriate access authorisation concepts and the possibility of blocking data for certain data processing.
What are the technical requirements for data processing?
The technical requirements are laid down in Art. 32 GDPR. This requires data controllers to ensure the security of data processing. To this end, appropriate security measures must be taken in accordance with the state of the art. Particular attention should be paid to health data and data transfers due to the increased risk. Here too, special sector-specific requirements often apply and must be taken into account, especially in the health sector. Violations of the security of data processing may also be punishable by fines. In particular, the technical security requirements should be able to ensure the following objectives:
- Confidentiality of data (e.g. through encryption)
- Data integrity, i.e. protection against undetected changes (through monitoring and auditing)
- Authenticity and availability of data
- Validity of the data
- Interoperability
Ensuring technical security in the context of joint controllers requires close coordination with the other joint controllers involved in data processing. It is therefore advisable to make provisions for this in the joint controller agreement.
Allocation of responsibility
With regard to the allocation of responsibilities, the ECJ has emphasised in its case law that joint responsibility does not automatically mean that the parties involved are equally responsible. Instead, they may be 'involved in the processing of personal data at different stages and to different degrees' (judgment of 5 June 2018 - C-210/16). In this context, "the degree of responsibility of each of them must be assessed in the light of all the relevant circumstances of the individual case".
According to the CJEU, an institution is only responsible for the data processing operation(s) for which it also decides on the relevant purposes and means. According to the EDPB, even in the case of joint controllers, it is important to allocate data protection obligations according to the actual circumstances. As long as the joint controllers ensure compliance with the GDPR in the data processing process, there is some flexibility in the allocation of obligations. What matters is which of the controllers is in a position to fulfil the relevant obligations.
Form of the agreement
The obligations of the controller must be transparent (Art. 26 para. 1 sentence 2 GDPR). The standard does not contain any explicit requirements regarding the form of the agreement (most recently also AG Mannheim, judgement of 11 September 2019 - 5 C 1733/19 WEG). However, due to the transparency obligation and the threat of fines, it is advisable to record the agreement in writing or electronically. The EDPB Guidelines also recommend this for reasons of legal certainty and to demonstrate transparency and responsibility (Guidelines, paragraph 173). In any case, the obligation to communicate the content to the data subject presupposes the possibility of a durable record and thus requires more than oral communication. It is sufficient for the information to be accessible on a website (for other ways of making the information available, see Guidelines, paragraph 181).
Joint Controller Agreement - Conclusion
The Joint Controller Agreement is not only an additional data protection obligation for responsible companies, but can also be a good instrument for clearly regulated and coordinated cooperation between several responsible parties. The many data protection regulations can be implemented more quickly and easily, clarity in cooperation can be created and subsequent costs and fines can be avoided.