For joint control to be a control application, each company must first meet the requirements to be a responsible manager in accordance with Article 4, paragraph 7, of the RGPD, i.e. that the company must, as mentioned above, take a wide range of forms of control and that several parties may interact or be associated with the processing of personal data. Prior to the introduction of the RGPD, the concept of common control was not clearly defined legally and was not mentioned in general. Instead, for the processing of multiple IT operators, data processing was required on behalf of a processor, in which an entity delegates tasks to processors. However, it is not always entirely clear whether the common control applies, as it can take different forms. Treatment managers may have very close relationships, i.e. they share all the objectives and means of processing activities or a more distant relationship in which they only partially share purposes. Nevertheless, responsibilities must be defined and assigned. In this agreement on joint controllers, the following definitions and rules of interpretation apply: In addition, co. B.dem are fully responsible for failing to meet their responsibilities before the control authorities (z.B.dem ICO). Therefore, when two parties cooperate on certain treatment operations, it is necessary to determine whether they are a treatment manager or a subcontractor and whether they are both responsible for the treatment when they are considered responsible for the treatment. Please also note that, in accordance with Article 82 of the RGPD, anyone responsible for the treatment may be held responsible for all damage caused by treatment that violates the obligations of the RGPD in order to ensure adequate compensation for the person concerned.
Thus, despite the division of responsibilities, any person responsible for the treatment may be held fully responsible, unless he can prove that he is not in any way responsible for the damage. In particular, on behalf of a person in charge of processing under Section 28, paragraph 3 of the RGPD, a data processor can process data only to the extent and to the same extent as the person in charge of the processing, as defined by the person in charge of the processing. Article 26, paragraph 2, of the RGPD, on the other hand, clearly refers to a regime in which a party does not decide on its own the purpose of the treatment; On the contrary, they do it together. (i) in the event of termination or expiry of the agreement, for any reason; As a common processing officer, a company is required to enter into an agreement that assumes responsibility for the performance of data protection obligations, to ensure that those affected can fully exercise their rights and that they are sufficiently informed. This scheme must be transparent and made available to the people concerned, for example via the company`s website. As a result, both processing managers must meet their data protection obligations, including a data protection impact analysis. A DSB can help those in charge of these tasks. Data Protection Statement: A statement provided instead of data collection, which informs the person concerned of the means by which the processing manager will use, transmit and manage his or her data. It is important to note that real influence does not require that both companies have complete control over all stages of treatment and that there is no need to control the treatment managers equally. The contribution of supervisory bodies to the determination of the purposes and means of treatment can take different forms and should not be evenly distributed.
However, the allocation of roles and responsibilities must be clearly defined in an agreement within the meaning of Article 26, paragraph 1, of the RGPD. Therefore, as has been demonstrated, the status of the person in charge is determined on the basis of his decision-making power and not on the basis of the execution of the data processing. The One Working Group