For the existence of joint controllership, it is sufficient that both controllers determine purposes and means of processing in one or more segments of processing activity. Lack of control over data flow in other segments of processing activities does not release controllers from responsibility for the part/s where they determine purposes and means of processing jointly. This means that in one part of processing activity, controllers can act as joint, while in other parts they can act as independent controllers. The purposes and means of processing for controllers can be different. It is important that decisions of both controllers on purposes and means of processing are inextricably linked, meaning that processing of personal data in the particular case would not be possible without the said decisions of the controllers.
1. Introductory Remarks
In order to differentiate situations where parties involved in processing of personal data act as joint or independent controllers, in this text we analyse the opinion of the Serbian SA and the ECJ judgment. The opinion of the Serbian SA sets criteria for independent controllership – when the company engages a business partner which processes personal data within its registered activity, both parties act as independent controllers as the party which provides services processes personal data exclusively to perform its registered business activity. On the other hand, when the decisions of the parties involved substantially affect purposes and means of processing, in the manner that decisions of both parties have overarching influence on purposes and processing, the parties act as joint controllers. Further, when one of the parties involved makes the platform available to the other party involved in processing for its own purposes and the other party involved accepts such means of processing, the parties are considered as joint controllers. It is sufficient for the party involved to be considered as controller when it sets parameters for processing and, therefore, decides which personal data will be processed, how long and for which purposes – this reasoning is confirmed by ECJ.
Ratio legis of joint controllership is to determine responsibility for processing of different entities in different stages of processing and to enable data subjects to exercise their rights at all entities involved in the processing operations. For this reason, the controllers are advised to execute data processing agreements where they shall define responsibilities for providing information to data subjects (Art 13 and 14 of GDPR) and responsibilities for particular stages of processing. Joint controllers shall make available relevant parts of the data processing agreement to data subjects (Article 26 para 4 of GDPR).
Opinion of Serbian SA
The Serbian SA has recently issued an important opinion related to the capacity of public or private entities performing postal services (postal operators) – whether postal operators, when providing postal services at the request of companies, i.e., delivering products or documents of these companies to their customers, are considered as processors or joint or independent controllers. The reasoning of the Commissioner is that postal operators act as independent controllers as they offer their services to all companies within their registered business activity and, therefore, companies which use their services have no influence on the purposes and manner of processing. In simple words: postal operators do not act as processors as they do not process any personal data on behalf of companies (controllers), but rather personal data which are necessary to provide services within their business activity. Furthermore, companies and postal operators do not act as joint controllers – they do not determine purpose and means of processing jointly. In other words, postal operators process companies’ customer personal data within their registered activity – under the same conditions to all market participants and therefore companies have no influence on determination of purposes and means of processing.
2. Opinion of ECJ
ECJ, in its case Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, Case C-210/16, dated on 05.06.2018 (“ECJ Judgement”) expressed the opinion that administrator of Facebook fan page acts as joint controller with Facebook. The ECJ argued that administrator of Facebook fan page “by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, takes part in the determination of the purposes and means of processing the personal data of the visitors to its fan page”. The ECJ argues “that the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.”
In the particular case, fan page administrator determines the purpose of processing of the visitors – promotion and managing its business activities by creation of fan page. Furthermore, it determines means of processing since creation of the fan page itself includes setting parameters for targeting audience and therefore influences processing of personal data – which statistical data to receive to promote and manage its business activities. However, the responsibility of fan page administrator is limited to setting parameters for processing and use of statistical data, while the responsibility of Facebook is related to other phases and aspects of processing personal data in connection to fan page – using its own cookies and processing personal data on Facebook platform - irrespective of processing related to fan page.
3. Joint Controllership and Processors in Employment Relations
Voluntary Collective Health Insurance
Voluntary collective health insurance exists when the employer decides to grant additional benefits to employees and enables employees to use extra medical services at certain health care institution/s. To achieve this goal, the employer executes a contract on voluntary collective health insurance with an insurance company. The employer agrees with the insurance company on the level of insurance fee and types of health care service covered by insurance. Based on the contract on voluntary collective health insurance, health care institutions provide medical services to employees which are covered by collective health insurance.
In regard to processing of employees’ personal data, the employer acts as joint controller with the insurance company. The employer defines the purpose of processing as it decides to grant benefits to its employees to use extra medical services – employees would not have had the right to additional health protection if the employer had not rendered the decision to grant benefits to them. Since the employer reaches an arrangement with the insurance company on the level of insurance fee and, accordingly, on types of health care services which are covered by the insurance fee, it participates in the definition of parameters of processing, i.e., affects categories of data that are to be processed by the insurance company and health care institutions. This reasoning is based on arguments in the ECJ Judgement – when a legal entity decides on parameters of processing, meaning which categories of personal data and of which data subjects, it determines means of processing. In addition, the employer influences the duration of processing of employees’ personal data because it agrees with the insurance company on this matter. The main difference between collective health insurance and provision of services by our market operators which process personal data of customers of market operators to perform its business activity (please see the opinion of the Serbian SA) is that both employer and insurance company agree on the level of insurance fee which directly affects the sort of medical services covered by insurance fee and accordingly to categories of personal data. Whether the employer has access to employees’ personal data processed by the insurance company is irrelevant for being joint controller.
The employer would not be responsible for all stages of processing related to consumption of the agreement on collective health insurance – it would be responsible for transferring relevant data to the insurance company and for ensuring that employees’ personal data resulting from the agreed insurance fee are exclusively processed for implementation of the contract within the agreed period. On the other hand, insurance companies act as independent controllers in regard to processing of employees’ personal data to fulfill their legal obligations.
In accordance with our professional experience, employers, when they need new employees, send profiles of job candidates to employment agencies. Employment agencies search their databases for candidates which correspond to the required profile and perform interviews with selected candidates. After completion of interviews, employment agencies send employers the list of job candidates which most likely correspond to the required profiles and then employers either interview job candidates themselves or inform employment agencies which job candidates to contact for interview. At the end, either employment agencies or employers inform job candidates on the results of recruiting. Decisions of employers and employment agencies in regard to purpose and means of processing are inextricably linked – the employer determines profiles of candidates for recruiting while employment agencies render the decision to process personal data from their own databases and perform interviews to determine which candidates most likely correspond to required profile/s. Processing of personal data of job candidates would not be possible without participation of both parties, whereas both parties have overarching influence on purposes and means of processing – employers determine profiles and the employment agency processes personal data of potential candidates (upon obtaining their consent for processing) from its own database to determine whether the potential candidates correspond to required profiles. Both employers and employment agencies determine the manner of processing – which categories of personal data and of which potential candidates are to be processed. In cases when employment agencies publish job advertisements according to the instructions of employers, they act as processors as they perform certain processing operations on behalf of controllers.
The analysis related to employment agencies is applied to staff leasing companies in case when they process personal data of job candidates from their own databases and publish job advertisements on behalf of the employer. As regards the business relationship between the two entities related to assignment of employees to the company which uses services of the staff leasing company – these act as independent controllers. The staff leasing company and the company which uses its services conclude an agreement in which they define business cooperation related to assignment. An employee concludes an employment contract with the staff leasing company and is assigned to work at the company which uses services of the staff leasing company under conditions defined by the two entities. Both entities process personal data independently, meaning that they process personal data within their registered activities and have no overarching influence on purposes and means of processing. The fact that the entities agree on business cooperation does not automatically mean that they determine purposes and means of processing – purposes and means of processing are in both cases defined by respective regulations. However, the parties are advised to execute data processing agreements in which they define rights and obligations for processing of personal data, in particular in regard to the obligation of the parties to process personal data exclusively for business cooperation and to apply adequate technical and organisational measures.
Meals to Employees
When an employer provides meals to employees and for this reason engages a catering agency, the parties involved may act as joint controllers. In this particular case, the employer maintains an application where employees enter their personal data to access the application, payment details and chosen food. The catering agency has access to this application, i.e., to personal data of employees – payment details and the food ordered – to deliver the food and to issue invoices to employees. The employer determines purposes and means of processing – it decided to provide employees the possibility to order food and for this reason enabled both employees and the catering agency to use the application for their own purposes. The fact that the employer enabled the catering agency to use the application and that the catering agency accepted to use this application for its own purposes makes both parties joint controllers.
By Ivan Milosevic, Partner, JPM Jankovic Popovic Mitic