Next show!

No shows booked at the moment.

Joint Controller Agreement Sample

In light of the above, it is encouraging to see that the LfDI has introduced the first model of common controller agreement, which has been approved by a supervisory authority and which companies can use as a basis. With the exception of letter 16 of the data protection conference of 19 March 2018, which mentions certain cases of application by joint treatment managers, there are no general guidelines for supervisors on when there will actually be joint control within the meaning of Article 26 of the RGPD. First, companies must resolve the preliminary question of whether they are acting as joint treatment managers (and not just as sole processing managers or subcontractors) by verifying the entire processing of data involving more than one party. The sampling information provided by the LfDI shows that the most important content of the rules must be made available to the persons concerned proactively and independently of any investigation; However, this seems questionable in light of the wording of section 26, paragraph 2, p. 2, of the RGPD. The samples published by the LfDI are certainly a first guide for contractual agreements on joint treatment managers, but they will only be applicable in exceptional cases without major revision. The theme of “common controllers” within the meaning of article 26 of the RGPD continues to grow. The National Commissioner for Data Protection and Freedom of Information of Baden-Wuerttemberg (LfDI) has published for the first time a sample of an agreement for co-exhibitors under Article 26, paragraph 1, p. 2 of the RGPD, as well as a sample intended to meet the information obligations of the persons concerned, in accordance with Article 26, paragraph 2, of the RGPD. It should be noted that the LfDI not only published a standard agreement, but also sampling information, in accordance with Article 26, paragraph 2, of the RGPD, on the essential content of the agreement. Companies will be jointly responsible for the personal data processed as part of the draw, as they have both decided on the purpose and means of processing.

In addition, many provisions in the sample contain only general references to the RGPD, and some provisions on which unrelated companies generally agree in data protection agreements are lacking, such as control and access rights or termination options. However, with respect to the shared responsibility of joint treatment managers, such provisions are strongly recommended and encouraged. In the case of joint control, the parties must enter into an agreement in accordance with Article 26, paragraph 1, p. 2, of the RGPD, which transparently defines the data protection obligations of each person responsible person (common regime). The core of this scheme must be made available to those affected in accordance with Article 26, paragraph 2, p. 2, of the RGPD. Violations of these provisions – like all violations of the provisions of the RGPD in general – carry significant risks of fines (art.