
What does it mean if my organisation is a joint controller of personal data with another organisation?


When two organisations share personal data between them, it is often the case that one is a controller and the other a processor. In other cases both parties are controllers, because neither is processing the personal data on behalf of, or on the instructions of, the other. Once it is established that both are controllers, there is a further question: are the parties independent controllers (which is generally preferable) or joint controllers?

Controllers are joint controllers when they “jointly determine the purposes and means” of processing the same personal data, for example where two organisations collaborate to create a joint database of information. This is distinct from independent controllers, who may hold the same personal data but process it for different purposes. For example, an organisation holds information about its employees as a controller and may provide some of that information to its pension provider so that the pension provider can establish and run a pension scheme for the employees. In this example the two organisations are independent controllers: they use the same personal data, but for divergent purposes.

The main concerns with a joint controller arrangement are:

  1. Each joint controller is responsible for compliance with data protection law and can be held liable for non-compliance by the other joint controller. This means data subjects can claim compensation from either joint controller regardless of where fault or responsibility lies, unless one of the joint controllers is able to prove it is not in any way responsible for the issue that has arisen. A joint controller that pays the compensation can later seek to recover some of the damages from the responsible joint controller if it can prove it was not entirely responsible.
  2. Joint controllers are each fully accountable to the UK data protection regulator, the Information Commissioner’s Office (ICO), for failure to comply with data protection law.
  3. Data protection issues can be reputationally damaging for organisations, and in becoming a joint controller each organisation is potentially exposing itself to reputational damage caused by the other. 

If an organisation is a joint controller with another organisation, it is important that the two contractually agree (usually in a document called a data sharing agreement) how they will use the relevant personal data and how they will comply with their obligations under data protection law. This helps to avoid data protection compliance issues arising and demonstrates compliance to the ICO and to data subjects.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team, get in touch here or call us on 0800 2800 421.
