Expert Advice Community


Joint Controllers

Guest user Created:   Jan 09, 2023 Last commented:   Jan 12, 2023


Could you help me understand who is responsible for a data breach if there is more than one controller?

Example Scenario:

  • Company A and B have a joint controller or data sharing agreement (controller to controller). Used to provide similar customer services, CRM, email, billing, etc.
  • Company A collects customer information and shares it with Company B.
  • Company B subsequently suffers a data breach exposing the shared data.

Who is responsible for this breach, Company A or B?

If required, who reports the breach to the customers/commissioner?


Expert
Tudor Galos Jan 12, 2023

According to Article 26 of GDPR, the joint controllers must “determine their respective responsibilities for compliance with the obligations under this Regulation […] by means of an arrangement between them […] The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects”. So, since you mentioned that joint controllers A and B have such an agreement, the agreement should include each controller’s responsibilities related to each phase of personal data processing. If Company B suffered a data breach, then Company B should be held accountable, but it depends a lot on what exactly is written in the data sharing agreement related to responsibilities, who is doing the reporting to the relevant data protection authority, and of course on what was communicated to the data subjects, as requested by Art. 26 GDPR: “The essence of the arrangement shall be made available to the data subject.”

Please check these links:

Tudor Galos