This Checklist
Use this Checklist when a customer appoints a supplier to process data on its behalf—for instance, a payroll or payment processing business operating under a stand-alone agreement. It addresses common issues encountered during the negotiation and preparation of data processing services agreements, covering both personal data and other data (eg statistical). The Checklist also contemplates agreements that involve processing personal data under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (the UK GDPR). For an introduction to the UK GDPR, see Practice Note: The UK General Data Protection Regulation (UK GDPR). Where personal data is in scope, the assumption is that the supplier acts as processor (and not as controller) for the customer, who is the sole controller. For additional guidance on the terms ‘controller’ and ‘processor’, see Practice Note: Determining roles under data protection law in commercial transactions between businesses (processor, independent controller or joint controller). It is also assumed that both parties are acting in the course of business...
In this issue: E-commerce; Public procurement; Sale and supply of goods; Supply chain; Daily and weekly news alerts; New and updated content; Dates for your diary; Trackers; Latest Q&A
E-commerce
EU GDPR obligations and platform liability (X v Russmedia)
The operator of an online marketplace where a listing appeared was held to have breached its duties under the EU General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), even though it removed the advert swiftly, in under an hour after receiving a takedown request. The court concluded it acted as a joint controller of the sensitive personal data within the advert and should, before publication, have put in place measures to: (i) detect adverts containing sensitive personal data; (ii) confirm that the advertiser is the individual whose sensitive personal data features in the advert and, if not, ensure the data subject’s explicit consent has been obtained; and (iii) implement safeguards to stop any further...
How has the exemption available for controllers under the GDPR in relation to liability to compensate data subjects changed?
Under the earlier Data Protection Directive 95/46/EC (Article 23(2)), where a person was entitled to damages from a controller due to unlawful processing, the controller could rely on a potential exemption if it was not responsible for the event that caused the loss. Recital 55 offered two illustrations of situations for which the controller would not bear responsibility: a mistake by the data subject, and a case of force majeure. The language of these provisions lacked clarity, and the concept of ‘force majeure’ has no consistent definition across EU legal systems (it does not even carry a settled meaning in English law, depending heavily on contractual wording). Unsurprisingly, this carve-out, and the reference to force majeure, was therefore loosely carried across into national implementing legislation. For example, the Data Protection Act 1998 (DPA 1998) gave a controller a defence in claims for compensation...
In this issue: Data protection; Daily and weekly news alerts; New and updated content
Data protection
EU GDPR obligations and platform liability (X v Russmedia)
The host of an online marketplace that carried an advert was held to have breached its duties under the EU General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), although it took down the listing within an hour of a removal request. The court determined it acted as a joint controller for the sensitive personal data in the advert and ought to have had pre-publication safeguards in place to (i) detect advertisements before any listing went live online...
This Practice Note examines matters and recommended approaches for sharing personal data between controllers (including joint controllers and independent controllers) in general business-to-business commercial situations, under Regulation (EU) 2016/679, the EU’s General Data Protection Regulation (EU GDPR). It proceeds on the basis that readers already understand the main data protection notions and terminology, and the function of key supervisory organisations. For a broad overview of the EU GDPR and connected topics, see Practice Note: The EU’s General Data Protection Regulation (EU GDPR).
In brief—summary of steps controllers should often take before data sharing
The EU GDPR is designed to ensure information about living individuals (within the meaning of ‘personal data’) is handled fairly and responsibly. A central safeguard is the set of duties imposed on ‘controllers’—generally those determining why and how processing occurs. ‘Processing’ is widely construed to cover almost any operation on data, such as storing, deleting, collecting, disclosing or using it. In short, before commencing any routine controller-to-controller sharing, commercial organisations should usually: ...
The EU’s General Data Protection Regulation (Regulation (EU) 2016/679) took direct effect and became fully enforceable across EU Member States on 25 May 2018. As the EU GDPR has been incorporated into the EEA Agreement and applies in every EEA country, references within it to EU Member States can generally be read as also covering EEA members. Enforcement under the EU GDPR has largely centred on elevating sanctions for breaches, with the expectation that tougher penalty provisions—particularly the higher administrative fines of up to the greater of 4% of worldwide annual turnover or €20m—will encourage stronger compliance. The Regulation also established the European Data Protection Board (EDPB) to promote a more uniform interpretation of the EU GDPR and the penalties issued under it. This Practice Note examines: the approach to sanctions and enforcement under the EU GDPR, including the role of the lead supervisory authority; the role of the EDPB in seeking a more consistent application of the EU GDPR; the role and powers...
UK GDPR
This Practice Note outlines the key data protection considerations under the UK General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), where personal data is exchanged in connection with creating or running a joint venture, or with investing in a private equity fund. It summarises the issues to be considered whenever such sharing occurs around formation, operation and related diligence activities. In the context of a joint venture, personal data can be disclosed between prospective joint venture participants as part of pre-entry due diligence, or between the existing joint venture parties and a party contemplating admission to that joint venture, for diligence purposes and before entering into the arrangement. After establishment, the joint venture parties may go on sharing personal data (with one another and potentially with the joint venture company (JVC)) on an ongoing basis to progress the JVC's business. For this Practice Note, it is assumed that, following formation, the joint venture parties who share personal data act as controllers in relation to that...
This Agreement is dated [ insert date ] Parties 1 [ insert name ] [ of OR a company incorporated in [ England and Wales ] under number [ insert registered number ] with its registered office at ] [ insert address ] ( Licensor ); and 2 [ insert name ] [ of OR a company incorporated in [ England and Wales ] under number [ insert registered number ] with its registered office at ] [ insert address ] ( Licensee ), each of the Licensor and the Licensee is a party and together the Licensor and the Licensee constitute the parties. Background (A) The Licensor owns the copyright and database rights in the Licensed Data and acts as Controller of the Shared Personal Data. (B) The Licensee is [ insert background to licence/relevant transaction ]. (C) The Licensor has agreed to grant the Licensee a licence to use the Licensed Data and to provide the Shared...
This Agreement is entered into on [ date ]. Parties [ Insert name of party ] [ of [ insert address ] OR a company incorporated in [ England and Wales ] with registration number [ insert registered number ], whose registered office is at [ insert address ] ] (the Recipient); and [ Insert name of party ] [ of [ insert address ] OR a company incorporated in [ England and Wales ] with registration number [ insert registered number ], whose registered office is at [ insert address ] ] (the Discloser), Each of the Discloser and the Recipient is a party and, collectively, the Discloser and the Recipient are the parties. Background The Recipient conducts the business of [ insert details ], and the Discloser engages in the business of [ insert details ]. The Discloser intends to disclose Shared Data to the Recipient for the Purpose...