A real estate management company manages university residences for the owner, the university. The company enters into lease agreements with students on behalf of the university and chases all rent arrears. She collects the rent and hands it to the university after a commission. Companies are jointly responsible for data processing within the meaning of Article 26 of the RGPD, when and if they jointly determine the purpose and means of data processing. Whether and when should be assessed on a case-by-case basis for each data processing incident. The judgments of the European Court of Justice (ECJ) on Facebook fan pages in this context (ref.C-210/16; which we reported in Update 39) and closing arguments and requests by the Attorney General for the inclusion of the “Facebook like” button on a website in the “FashionID” case (Ref.C-40/17; which we reported in Update 50) suggests that the requirement for the common definition of data purposes and means of processing must be interpreted in a fairly broad way. In particular, it should not be required that the interpreters concerned have a detailed knowledge of the treatment of the data by the other person responsible for the treatment or that identical common purposes be pursued. For example, preparatory activities such as the integration of a website plugin are reason enough for common control. If courts and supervisory authorities comply with the case law, many cases of data processing by more than one person in charge of processing should in future be considered as cases of joint control, not as exclusive control or enforcement of orders, as was often the case until now.
Yes, yes. Individuals can seek redress from common controllers, just like any chief. Each common manager is responsible for all the damage caused by the treatment, unless he can prove that he is in no way responsible for the event that caused the damage. The intermediate regime is not relevant to these purposes. In the case of a joint check, the sample published by the LfDI can serve as the first guide for the draft agreement to be concluded by the treatment managers. Please note that the LfDI sample only covers the simple scenario of two companies that jointly operate data processing, for example. B a common database. The sampling agreement does not take into account more frequent and much more complex scenarios in practice, such as data processing in business group scenarios or common data processing across EU borders. It should be noted that the LfDI not only published a standard agreement, but also sampling information, in accordance with Article 26, paragraph 2, of the RGPD, on the essential content of the agreement.
In addition, joint controllers are fully accountable to the supervisory authorities (for example. B.dem ICO) for not respecting their responsibilities. The sampling information provided by the LfDI shows that the most important content of the rules must be made available to the persons concerned proactively and independently of any investigation; However, this seems questionable in light of the wording of section 26, paragraph 2, p. 2, of the RGPD. The company is a common manager of rental information, including rents. It will decide what information it needs from residents to establish and manage leases, but will share this data with the university.