Intro: What is a joint control agreement, what is its function and what needs to be considered when implementing it?
To-Dos: What is the specific procedure for concluding a JCA agreement and the associated obligations?
Statements: What have the data protection supervisory authorities published on the subject of data portability?
Data processing in the form of so-called “joint control” is characterized by two or more companies that process personal data on the basis of co-defined purposes and co-defined processing measures.
An example of such joint control processing is the use of a common storage infrastructure. The controllers might store different data categories on this server and pursue different purposes with the data. However, as long as they together define the purposes and means of the processing, joint control processing exists and a contract between the parties must be concluded.
The requirement’s purpose is to ensure that the segregation of modern business solutions does not lead to a state in which it becomes unclear who is in charge of a certain processing activity. The contract establishes clarity between the responsible parties and allows for an allocation of legally defined tasks with respect to the fulfillment of data subject rights (e.g. right to access personal information). The disclosure of essential elements of this agreement to the data subject enables the latter to identify the responsible parties and address their concerns accordingly.
In particular, the JCA agreement must regulate which party assumes which data protection obligations (e.g. carrying out a data protection impact assessment). In addition, a so-called contact point for the data subject can be defined, that is, a point to which data subjects can turn in order to exercise their data protection rights vis-à-vis the controller.
The essential contents of the JCA contract must be made available to the data subjects, which can be done via a website, for example. The data protection notices must also specify the controller responsible for the respective processing (name, address, contact details).
Definition of processing operations for which joint controllership exists
Definition of spheres of responsibility within the defined joint processing
Agreement on the duties of the individual responsible parties
Definition of a data subject rights contact point, if applicable
Mutual support in the implementation of data protection obligations related to joint responsibility