To many data controllers, the term joint controller agreement (JCA) still conjures up something that is complicated and cumbersome in practice. But they’re wrong! If the JCA is carefully designed, responsible companies can reap many benefits, achieve efficiency gains through forward-looking process design, and operate a correspondingly effective risk management system. This is particularly true for many scenarios in the health sector, where the nature of data processing and the associated technical and organisational measures – in particular the use of encryption mechanisms, electronic signatures and acknowledgement procedures – may give rise to specific requirements (e.g. when processing the personal data of participants in clinical trials or telemedicine services). For example, in the context of clinical trials, it can be particularly beneficial to use a JCA to agree with the other controllers which parties should have what specific roles, responsibilities, and even obligations to inform and cooperate, in the event of access or erasure requests from patients, withdrawal of consent by a patient, or data breaches.
Apart from the potential benefits, organisations are in fact obliged to conclude a JCA if they are joint controllers in practice. If they don’t, they risk being fined.
In this article, we will use some examples from the health sector to show you what is meant by joint controllership, what a joint controller agreement needs to cover, and how a JCA can be structured in a sensible and profitable way for the companies involved.
When is a controller a joint controller?
Joint controllership under Art. 26 GDPR does not only exist when the parties contractually agree on it, but as soon as the conditions are actually met in practice. The specific data protection requirements thus also apply, so companies should always check whether their specific arrangement could give rise to joint controllership under the GDPR.
Unlike in the context of data processing on the controller’s behalf, where the processor is bound by the controller’s instructions, with joint controllership two or more controllers are involved in the data processing. Unlike separate controllers, they must also jointly determine the purposes and means of data processing. This follows from the wording of Art. 26 GDPR, which makes this joint determination the decisive characteristic of joint controllership. There are no fixed criteria for assessing when such joint controllership exists. According to the current Guidelines of the European Data Protection Board (EDPB), however, it exists if more than one entity has a decisive influence on the “whether” and “how” of data processing. With this in mind, it is possible to use some of the indications and clues for certain arrangements that the European Court of Justice (ECJ) has mentioned in several rulings. For example, the European judges do not assume an equal distribution of decision-making power between joint controllers. Joint controllership may also exist where each entity pursues its own purposes, or where not every controller has access to the data to the same extent or at all. It may even be sufficient for an entity to be only partly responsible for the data processing. The concept of joint controllership should therefore be understood in a very broad sense. Separate controllers are more likely to be assumed, for example, where the parties’ purposes are unrelated and one party’s purpose can be well achieved without the involvement of the other.
Identifying joint controllership and distinguishing it from processing on behalf of the controller is of practical importance, as the GDPR contains different requirements regarding the contracts that have to be concluded in each case. Moreover, in order to justify the transfer of data between joint controllers – unlike in the case of processing on the controller’s behalf – a statutory authorisation is always required. In practice, therefore, it makes sense to address the issue early on. In the health sector, particularly in the areas of clinical trials (see also the EDPB guidelines, para. 68), telemedicine, the use of a shared data pool, or when health data is shared within a group of companies, it is advisable that organisations consider whether they might in fact be joint controllers. Joint controllership under data protection law may also exist, for example, in the case of special, new forms of healthcare where the cooperation or involvement of several stakeholders from different areas is necessary or even mandatory (such as the scientific monitoring of new forms of healthcare pursuant to Sect. 92a(1) of Book V of the German Social Code).
What are the implications of a joint controller agreement?
Where data processing involves joint controllers, the parties must conclude a joint controller agreement. In addition, data subjects must be informed of the essential points of the agreement, including in particular the allocation of responsibilities. After all, joint controllers may be jointly and severally liable in the event of fines or claims for damages by data subjects as a result of data breaches. This means that, according to Art. 26(3) GDPR, data subjects can in principle claim against one of the joint controllers for the entire damage. It is up to the controllers to decide how best to share the responsibility. The JCA’s role here is one of documentation and accountability. It makes it easier to assign responsibility for any damage caused. Responsibility for specific damage can be clearly allocated and enforced. In this way, the JCA also serves to establish a balance of liability between the parties.
It is also important for controllers to note that the joint controller agreement should not be used as the sole legal basis for data processing. Although some are in favour of using the joint controller agreement as a legal basis, the overwhelming majority, including the supervisory authorities, take a different view. In practice, therefore, it is important to rely on the general legal bases under Art. 6 and 9 GDPR, as well as any specific legal bases.
What should be included in the joint controller agreement?
Where companies are joint controllers, they should seek to enter into a full joint controller agreement to avoid the risk of infringement and fines. A JCA can be used as a good opportunity to establish clear rules for cooperation between the controllers. In the event of challenges, such as dealing with data protection incidents or requests from data subjects, the agreements can help to ensure that these are dealt with quickly and in accordance with the law. Some content is mandatory in joint controller agreements. Other arrangements are voluntary but often useful.
In any case, a JCA must cover the purposes and means of the processing. The same applies to the description of the essential functions and roles of the joint controllers, such as which entity in the hospital is in contact with the patients, or which of the stakeholders involved in clinical trials should be the contact point for participating patients who wish to exercise their data protection rights or withdraw their consent. The joint controller agreement also needs to address the internal allocation of responsibilities, in particular who fulfils information obligations, obtains consent, implements and responds to withdrawals of consent, etc. It is important to clearly identify which parties are responsible for fulfilling other rights of data subjects (in particular the rights of access, rectification, restriction of data processing, and data portability). Clinical trials, for example, do not usually work with unencrypted data, but with pseudonymised data sets. In this case, only the entity that manages the pseudonymisation – and can reverse it – will be able to link the data sets to a specific individual and thus fulfil the rights of the data subject. In such scenarios, it may therefore be useful to establish precise rules regarding responsibility and cooperation. These are also helpful in light of the applicable time limits – such as the 72-hour deadline for notifying data protection incidents to the supervisory authority. In the health sector, due to the sensitive nature of the health data processed, there is usually an additional obligation to notify data subjects, which must be done without undue delay.
Above all, it makes sense to describe more precisely and concretely the subject matter, nature and scope of the data processing. In practice, it is recommended that organisations include this in their JCA in order to be able to quickly and fully identify data protection incidents and the data involved. Such clauses should ensure that, in practice, it can be determined as quickly and clearly as possible whether certain data is covered by the joint controllership or not. This is important and highly relevant in practice, for example, when a data protection incident has occurred with respect to certain data processed on certain systems (e.g. due to an attack by hackers) and the parties involved must now determine as quickly and reliably as possible – within the 72-hour notification period! – whether the incident involves the joint controllers and thus whether the provisions of the JCA apply with respect to certain responsibilities and processes.
A common contact point can also be agreed. This can be helpful in preventing certain entities involved in data processing from being bogged down by data protection incidents and requests from data subjects that they may not even be able to handle because they lack certain necessary information. For example, in the context of clinical trials, participants may typically contact the sponsor or the clinical research organisation directly to withdraw consent or request access to their data. These organisations may not even be able to relate the data to the named participants, as they only have access to the pseudonymised data. The designation of an appropriate common contact point is recommended by the EDPB (guidelines, para. 184) and may help to direct data subjects to the joint controller best placed to deal with their particular concerns. In this way, unnecessary workload can be kept away from the other controllers and the relevant processes can be designed and defined as cost-effectively and efficiently as possible.
It is also helpful to define common technical standards and technical and organisational measures (TOM). Particularly when transmitting health and patient data, but also in telemedicine, secure measures are necessary to protect the data from unauthorised access and modification and to ensure that it only reaches the intended recipient. This is important not only for data protection reasons, but also because there is a risk that, for example, the wrong patient’s data could be used for treatment, posing a direct health risk to the patient concerned.
An important issue that is of considerable practical relevance for research in the health sector (especially clinical research) is whether and to what extent data, once collected, can later be used for other research projects or evaluations related to the original research project but not specifically planned or even foreseeable at the time of the trial. In order to allow data processing for such secondary scientific purposes (within the limits of what is allowed under data protection law), it is important that all joint controllers involved prepare patient consent and information forms accordingly at the start of the trial – this is known as broad consent. However, it is often precisely the entities that have no direct contact with the patients or trial participants and are not responsible for obtaining patient consent – such as the sponsor or the CRO – that stand to gain the most from such broad consent. This is why these entities should ensure that the exact wording of the patient consent and information forms is agreed upon with the trial sites responsible for obtaining consent. An easy way of doing this is through the JCA.
Examples of other issues which could be useful to cover in the JCA include the implementation of data protection impact assessments, the use of processors, cost and liability issues, and the processing of data in third countries. The latter is already associated with strict data protection requirements, particularly in the health sector. If processing operations outside the EU are envisaged, these should be clearly set out in the joint controller agreement.
What are the challenges in terms of the rights of data subjects?
As already mentioned, the obligation to inform data subjects is a key element of data protection law. The information must be provided in accordance with the requirements of Art. 12 GDPR. In particular, the information must be complete and provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”. For the health sector, additional sector-specific regulations must be observed, such as Sect. 40(2) and (2a) of the German Medicinal Products Act (AMG) for clinical trials. Controllers must also obtain the necessary consents for data processing and, where applicable, waivers of confidentiality obligations. Here, too, special standards such as Sect. 40(1) No. 3(b)(c) AMG may be relevant. In this context, data subjects may at any time withdraw their consent or object to certain data processing, both of which should be dealt with quickly and fully. Other rights of data subjects under the GDPR are the right of access (Art. 15), the right to rectification and completion (Art. 16), to erasure (Art. 17), to restriction of processing (Art. 18) and to data portability (Art. 20).
The main challenges for controllers are the sometimes very short deadlines and the fact that data subjects can contact any controller. The latter applies regardless of what is written in the joint controller agreement: each controller to whom a data subject has addressed a request is responsible for processing the request promptly and completely. This is one of the reasons why we recommend setting up a central contact point, so that participants can at least direct their enquiries to the most appropriate place for initial processing and response (in the case of clinical trials, for example, this would be the trial centre).
It should be noted that any failure to fulfil the rights of data subjects may result in fines and that data subjects may lodge complaints with the supervisory authorities. Other challenges include the definition of processes and clear responsibilities between partners, as well as the implementation of technical solutions: responsibilities and processes for handling data subject requests should be aligned as far as possible with existing pseudonymisation management, and it should be possible to search systems using unencrypted data and pseudonyms. Furthermore, it must be possible to erase data properly. For this purpose, regular erasure deadlines for specific data sets must be defined. This should be based on the statutory retention periods that apply to the stakeholders involved in data processing, which are numerous and diverse, especially in the health sector. In addition, it must be possible to export data from the systems used and the allocation of responsibilities should be reflected in appropriate access authorisation policies and the possibility of blocking data for certain data processing operations.
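The division of labour described above (only the pseudonymisation manager can re-identify a participant, the sponsor or CRO holds pseudonymised data only, requests arrive via a common contact point, and systems must support search by pseudonym, restriction, retention-based erasure and export) can be sketched in code. The following is an added example written for this article, not code from the article's author or from any trial system; the class names, the keyed-hash pseudonym scheme and the ten-year retention period are assumptions chosen for illustration, and the participant records are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed placeholder: real retention periods come from the sector-specific
# statutory rules that apply to each controller involved.
RETENTION = timedelta(days=365 * 10)


@dataclass
class TrialSite:
    """Joint controller that obtains consent and manages pseudonymisation.
    Only this party holds the key and mapping needed to re-identify a record."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    mapping: dict = field(default_factory=dict)  # pseudonym -> participant id

    def _derive(self, participant_id: str) -> str:
        # Keyed hash (HMAC-SHA256): without the site's secret key nobody can
        # recompute a pseudonym from an identity, and the tag cannot be inverted.
        return hmac.new(self.key, participant_id.encode(), hashlib.sha256).hexdigest()[:16]

    def pseudonymise(self, participant_id: str) -> str:
        p = self._derive(participant_id)
        self.mapping[p] = participant_id
        return p

    def resolve(self, participant_id: str) -> Optional[str]:
        p = self._derive(participant_id)
        return p if p in self.mapping else None


@dataclass
class Sponsor:
    """Joint controller (sponsor or CRO) holding only pseudonymised data.
    It can search, export, restrict and erase by pseudonym but never re-identify."""
    records: dict = field(default_factory=dict)  # pseudonym -> [(collected, payload)]
    restricted: set = field(default_factory=set)
    audit: list = field(default_factory=list)     # documents who did what, and when

    def store(self, pseudonym: str, collected: date, payload: dict) -> None:
        if pseudonym in self.restricted:
            raise PermissionError("processing restricted after withdrawal of consent")
        self.records.setdefault(pseudonym, []).append((collected, payload))

    def export(self, pseudonym: str) -> list:
        return [payload for _, payload in self.records.get(pseudonym, [])]

    def restrict(self, pseudonym: str) -> None:
        self.restricted.add(pseudonym)
        self.audit.append(("restrict", pseudonym))

    def erase(self, pseudonym: str) -> int:
        n = len(self.records.pop(pseudonym, []))
        self.restricted.discard(pseudonym)
        self.audit.append(("erase", pseudonym, n))
        return n

    def purge_expired(self, today: date) -> int:
        """Routine erasure of records whose retention period has run out."""
        removed = 0
        for p in list(self.records):
            keep = [(c, d) for c, d in self.records[p] if c + RETENTION > today]
            removed += len(self.records[p]) - len(keep)
            if keep:
                self.records[p] = keep
            else:
                del self.records[p]
        self.audit.append(("purge", today.isoformat(), removed))
        return removed


def handle_request(kind: str, participant_id: str, site: TrialSite, sponsor: Sponsor) -> dict:
    """Common contact point: the site links identity to pseudonym, the sponsor
    acts on the pseudonym. Neither party needs the other's data for its part."""
    p = site.resolve(participant_id)
    if p is None:
        return {"status": "unknown participant"}
    if kind == "access":
        return {"status": "ok", "data": sponsor.export(p)}
    if kind == "withdraw":
        sponsor.restrict(p)           # stop further processing at once
        return {"status": "restricted"}
    if kind == "erase":
        n = sponsor.erase(p)
        site.mapping.pop(p, None)     # the re-identification link goes as well
        return {"status": "erased", "records": n}
    return {"status": "unsupported request"}


def run_scenario() -> dict:
    """Constructed walk-through of one participant's requests over a trial."""
    site, sponsor = TrialSite(), Sponsor()
    p = site.pseudonymise("participant-001")
    sponsor.store(p, date(2012, 3, 1), {"visit": 1, "hb": 13.9})
    sponsor.store(p, date(2023, 3, 1), {"visit": 2, "hb": 14.2})
    out = {"access": handle_request("access", "participant-001", site, sponsor)}
    out["unknown"] = handle_request("access", "participant-999", site, sponsor)
    out["withdraw"] = handle_request("withdraw", "participant-001", site, sponsor)
    try:
        sponsor.store(p, date(2023, 4, 1), {"visit": 3})
        out["store_after_withdraw"] = "allowed"
    except PermissionError:
        out["store_after_withdraw"] = "refused"
    out["purged"] = sponsor.purge_expired(date(2024, 1, 1))  # visit 1 is older than RETENTION
    out["erase"] = handle_request("erase", "participant-001", site, sponsor)
    out["after_erase"] = handle_request("access", "participant-001", site, sponsor)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, result)
```

The point of the split is that a request reaching the sponsor directly cannot be answered there: the sponsor can only act once the site has turned a name into a pseudonym, which is exactly why the article recommends agreeing a contact point and the cooperation duties in the JCA. The audit list on the sponsor side stands in for the documentation the JCA requires so that responsibility for a late or missed request can be traced to one party.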
What are the technical requirements for data processing?
Art. 32 GDPR is decisive for the technical requirements. This requires controllers to ensure the security of processing. For this purpose, appropriate protective measures must be taken, taking into account the current state of the art. Due to the increased risk, special attention should be paid to personal data concerning health, and to data transfers. Again, there are often sector-specific requirements to bear in mind, particularly in the health sector. Fines may also be imposed for breaches of the security of data processing. The technical security requirements should be able to ensure the following objectives in particular:
- Data confidentiality (e.g. through encryption)
- Data integrity, i.e. protection against undetected change (through control and revision)
- Data authenticity and availability
- Data validity
In order to ensure technical security as a joint controller, close coordination between all controllers involved in a data processing operation is necessary. With this in mind, it is advisable to make provisions for this in the joint controller agreement as well.
Allocation of responsibilities
On the question of the allocation of responsibility, the ECJ has emphasised in its case law that joint controllership does not automatically imply equal responsibility on the part of all stakeholders. Rather, they could be “involved at different stages of that processing of personal data and to different degrees” (judgment of 5 June 2018 – C-210/16). For this reason, “the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case”. According to the ECJ, an entity is responsible only for the operation or set of operations that constitute a data processing operation for which it also decides on the appropriate purposes and means. The EDPB also takes the view that joint controllers need to allocate data protection obligations according to the actual circumstances: as long as the joint controllers ensure compliance with the GDPR in the data processing process, there will be some flexibility in terms of sharing obligations. The decisive factor is which of the controllers is in a position to fulfil the corresponding obligations.
Form of the agreement
The controllers’ obligations must be laid down in a transparent manner (Art. 26(1) Sentence 2 GDPR). The standard does not contain any explicit requirement as to the form of the agreement (see also AG Mannheim, judgment of 11 September 2019 – 5 C 1733/19 WEG). Even so, due to the obligation of transparency and the threat of fines, it is advisable to play it safe and record the JCA in writing or electronically. The EDPB guidelines also suggest this for reasons of legal certainty, and to show transparency and responsibility (guidelines, para. 173). In any case, the obligation to make the content available to the data subject presupposes the existence of a durable record and thus requires more than oral communication. It is sufficient for the information to be accessible on a website (for other ways of making the information available, see the EDPB guidelines, para. 181).
Joint controller agreement: Conclusion
The joint controller agreement is more than just another data protection obligation for companies. It can also be a good tool for clearly regulated and coordinated cooperation between multiple controllers. It can help meet the many data protection requirements more quickly and easily, creating clarity between partners and avoiding subsequent costs and fines.