It is also important to note that, in accordance with Article 26, paragraph 3, a data subject may exercise his or her rights under Chapter III of the GDPR with regard to and against each of the joint controllers, regardless of the arrangement agreed between them. This can create complexity for joint controllers in facilitating data subjects' rights. In this regard, the PDSC recommends setting out, in a written agreement between the joint controllers, cooperation obligations for handling data subject requests, including a specific allocation of responsibility for who will deal with those requests.

In 2014, the ICO established guidelines to help organizations decide whether they are a controller or processor, and can be accessed here (“Old Guidance”). This was updated after the implementation of the GDPR and can be accessed (here) and (here) (“New Guidelines”). We have outlined below the main points that we must keep in mind:

In addition, the new guide contains different examples of joint controllers, and they seem to imply that any service provider that does not present itself as a processor presents itself as a joint controller with its customer (and not as a separate controller). We will coordinate feedback on the new guidelines, in the hope that the ICO will provide definitive examples of joint controllers. We are also aware that the European Data Protection Board will publish guidelines on the concepts of controller and processor over the next two years, which should provide further clarification.

“The code is useful in clarifying the position around the publication controller's responsibility as soon as the data has been disclosed to the receiver controller,” Wynn said.
“The code makes it clear that the person in charge of the processing takes the recipient himself responsible for the personal data when shared with him, but that the person responsible for disclosure must continue to take appropriate measures to ensure that the disclosed data continues to be protected with appropriate security by the person responsible for the recipient.”

Are data exchange agreements required under the GDPR?

A written agreement should be put in place to govern the sharing of personal data between two independent controllers, the UK Information Commissioner (ICO) has said. Article 26, paragraph 1, provides that joint controllers enter into an “arrangement” to determine each party's respective responsibilities for meeting their joint control obligations.
This arrangement does not necessarily have to take the form of a written contract. While this provides flexibility for joint controllers, a written contract would serve as a good basis for documenting the decision-making powers and responsibilities of each of the controllers.

However, the European Court of Justice has found that the parties are not joint controllers for operations that precede or follow these joint operations in the overall processing chain. In addition, liability does not extend to previous or subsequent stages of the processing chain.

Although the concept of joint control is not particularly new, its application under the GDPR is complex in the modern data processing ecosystem. Understanding when parties are regarded as joint controllers is particularly important for clarifying both their respective compliance responsibilities and their shared responsibility to individuals and data protection authorities.