The transfer of personal data is one of the most controversial data protection issues. This page gives you an overview and answers important questions:
Intro: What are the most important facts about data transfer?
Requirements: What does the law say about data transfer?
Duties: What specific measures need to be implemented for a data transfer?
The increasing diversification of technical and operational know-how in business life often requires the involvement of service providers or other cooperation partners.
While for some business relationships the exchange of mere contact data relating to the business partners themselves suffices (to enable communication), other relationships focus on the processing of personal data itself. This is particularly the case where personal data needs to be collected, structured and/or analyzed by a service provider to meet marketing, sales or other needs. Storage capacity for a growing amount of personal data is another prominent reason for many companies to entrust a contractor with access to personal data.
If such services are provided only for the principal's purpose(s), and the authority to define the essential processing circumstances (such as retention periods, data categories, data subjects and access rights) remains with the principal and is contractually safeguarded, the cooperation must be considered a controller-processor relationship according to Art. 28, 29 GDPR.
In contrast, a joint controllership is characterized by both partners, having agreed contractually on the essential processing circumstances, pursuing their own business goals, which need not be identical but must be defined together.
The "common horizon of meaning" that is characteristic of both the controller-processor relationship and the joint controllership is lacking in a separate controllership: here, each party may adjust the essential processing circumstances as well as its own purposes independently of the other partner; the processing horizons are not connected to each other.
If the company transfers data to another company or authority, this may entail an increased risk for the data subject, as the transferring company relinquishes some control over the data processing with the data transfer. The longer the “processing chain” - i.e. the more (sub)companies involved in the data processing - the greater the loss of control. Against this background, the law prescribes certain obligations for different cooperation constellations.
According to Art. 28 Para. 3 S. 1 GDPR, processing carried out by a service provider in the role of a data processor "shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller."
Moreover, the contract must, inter alia, contain provisions on the involvement of subprocessors, i.e. entities commissioned not by the principal but by the processor to achieve the purposes set forth in the data processing agreement. Art. 28 Para. 2 GDPR stipulates that the controller must approve such subprocessors either by giving specific authorization or by having the contractually granted possibility to object to an intended involvement on the basis of the processor's prior notification.
Last but not least, the processor, according to Art. 29 GDPR, “shall not process […] data except on instructions from the controller, unless required to do so by Union or Member State law.”
An agreement must also be concluded by the parties of a joint controllership in order to determine “in a transparent manner […] their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14” (Art. 26 Para. 1 S. 2 GDPR).
Art. 26 Para. 3 clarifies that, independently of the agreement’s role description, the data subject “may exercise his or her rights under this Regulation in respect of and against each of the controllers.”
On that point, joint controllership does not differ from separate controllership. Unlike the controller-processor and joint-controller relationships, however, separate controllership does not require dedicated contractual data protection provisions, although they are recommendable from an organizational point of view.
The company responsible for the processing must first determine which of the three processing constellations described above applies. If there is commissioned processing (a controller-processor relationship) or joint controllership, a data protection agreement must be concluded with the cooperation partner. In addition, the implementation of technical and/or organizational measures may be required.