On the other side of the complexity spectrum: separate controllers. These processers may exchange personal data, but they stop there: neither party has anything to do with the means or purpose of the treatment by the other party. The following checklists indicate whether you are a common controller, processor or controller. The more you check the boxes, the more likely you are to enter the corresponding category. Individuals and supervisory authorities (such as the OIC) can hold both processors and processors to account if they do not fulfill their responsibilities under the RGPD. That is why section 26 of the RGPD requires common officials to make clear arrangements as to who is responsible for what. And while Article 26 does not require a written agreement, it can be difficult to respect the principle of accountability and to draw up differences of opinion in the absence of a written agreement. The RGPD stipulates that a subcontractor is a natural or legal person (i.e. a natural or legal person), or even an authority, agency or other agency that processes personal data on behalf of those responsible for processing and in accordance with its instructions. ☐ We use the same set of personal data (for example). B a database) than another person in charge of the processing. Before we address the complex issue of multi-control situations in the RGPD, we must first understand the primary responsibilities of a person in charge of treatment in general. As I said, Article 4 of the RGPD stipulates that the purposes and means of data processing can be determined by one person in charge of the processing or with others – the subsequent case is what is called a common controller relationship.
A common controller relationship is therefore that two or more processing managers jointly determine the means and purposes of data processing activities. Joint treatment managers have the same obligations as all other treatment managers, as noted above, with the addition of section 26 of the RGPD. Article 26 of the RGPD requires co-responsible to enter into an agreement or agreement (for example. B an agreement on the common controller) regulating their respective responsibilities and obligations under the RGPD. The only way for a joint controller to be free of liability is to prove that he or she is not responsible. However, as has already been mentioned, this only applies after the other persons responsible are involved in the relationship to share the penalty – this argument can never be made with regard to the individuals concerned, since one of the main features of the RGPD is to ensure the responsibility of those who control and/or process personal data and to ensure that the persons concerned have sufficient remedies.