(79) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
There is no recital in the Directive related to Article 26.
Article 26 of the Regulation provides a specific legal regime in relation to joint controllers.
First, the article clarifies - by repeating what was already provided for in the controller definition (see Article 4(7)) - the conditions for the application of this qualification: there are joint controllers where two or more controllers jointly determine the purposes and means of processing (see G29, opinion of 16 February 2010 on the concepts of "controller" and "processor", p. 19 et seq.).
These joint controllers must enter into an arrangement to determine in a transparent manner their respective responsibilities and roles in the performance of the obligations imposed under the Regulation (such as the allocation of tasks where data subjects exercise the rights provided for by the Regulation, or the provision of information under Articles 13 and 14). A single point of contact should be designated to facilitate the exercise of the data subject's rights (access, rectification, etc.).
The second paragraph specifies that the arrangement shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. An obligation of transparency is imposed on the controllers, who have to inform the data subjects of the "basic lines" of their arrangement, their respective roles and their relationship with them.
The joint controllers are however exempted from entering into such an arrangement if their respective obligations are defined by the law of the Union or by the law of the Member State to which the controllers are subject.
Of course, the data subject may exercise his or her rights in respect of and against each of the controllers, whatever the terms of the arrangement between them are.
The definition of the controller, as in the Directive, already allows several persons who jointly determine the purposes and means of the processing to be qualified as "joint controllers" (see Article 2(d) of the Directive).
The Regulation does not answer the question of how to identify whether two or more joint controllers exist, which in practice is difficult, particularly in relations with certain technical processors. The boundary between the two concepts is, as we know, sometimes very tenuous (see the Swift case).
It also remains very vague as to the content of the arrangement between the joint controllers. This imprecision is most marked as regards the division of responsibilities between the controllers: the provision does not indicate how far they may go in allocating them.
A question may also arise as to whether a controller can completely waive its responsibility with regard to the other (it being understood that it could not do so with regard to the data subject). The answer may depend on national liability regimes, which may impose a more precise allocation. In this regard, the provision only contemplates the case where the joint controllers are subject to the same national law, which in practice will often not be the case.
Guidelines on Personal data breach notification under Regulation 2016/679 (6 February 2018)
(Endorsed by the EDPB)
The General Data Protection Regulation (the GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.
Obligations to notify in cases of breaches presently exist for certain organisations, such as providers of publicly-available electronic communications services (as specified in Directive 2009/136/EC and Regulation (EU) No 611/2013). There are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to notify breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands). Other Member States may have relevant Codes of Practice (for example, in Ireland). Whilst a number of EU data protection authorities currently encourage controllers to report breaches, the Data Protection Directive 95/46/EC, which the GDPR replaces, does not contain a specific breach notification obligation and therefore such a requirement will be new for many organisations. The GDPR now makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors also have an important role to play and they must notify any breach to their controller.
The Article 29 Working Party (WP29) considers that the new notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Indeed, the supervisory authority may order the controller to inform those individuals about the breach. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data. At the same time, it should be noted that failure to report a breach to either an individual or a supervisory authority may mean that under Article 83 a possible sanction is applicable to the controller.
Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan.
The GDPR contains provisions on when a breach needs to be notified, and to whom, as well as what information should be provided as part of the notification. Information required for the notification can be provided in phases, but in any event controllers should act on any breach in a timely manner.
In its Opinion 03/2014 on personal data breach notification, WP29 provided guidance to controllers in order to help them to decide whether to notify data subjects in case of a breach. The opinion considered the obligation of providers of electronic communications regarding Directive 2002/58/EC and provided examples from multiple sectors, in the context of the then draft GDPR, and presented good practices for all controllers.
The current Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these new obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.
Opinion 1/2010 on the concepts of "controller" and "processor" (16 February 2010)
The concept of data controller and its interaction with the concept of data processor play a crucial role in the application of Directive 95/46/EC, since they determine who shall be responsible for compliance with data protection rules, how data subjects can exercise their rights, which is the applicable national law and how effective Data Protection Authorities can operate.
Organisational differentiation in the public and in the private sector, the development of ICT as well as the globalisation of data processing, increase complexity in the way personal data are processed and call for clarifications of these concepts, in order to ensure effective application and compliance in practice.
The concept of controller is autonomous, in the sense that it should be interpreted mainly according to Community data protection law, and functional, in the sense that it is intended to allocate responsibilities where the factual influence is, and thus based on a factual rather than a formal analysis.
The definition in the Directive contains three main building blocks:
- the personal aspect ("the natural or legal person, public authority, agency or any other body");
- the possibility of pluralistic control ("which alone or jointly with others"); and
- the essential elements to distinguish the controller from other actors ("determines the purposes and the means of the processing of personal data").
The analysis of these building blocks leads to a number of conclusions that have been summarized in paragraph IV of the opinion.
This opinion also analyzes the concept of processor, the existence of which depends on a decision taken by the controller, who can decide either to process data within his organization or to delegate all or part of the processing activities to an external organization. Two basic conditions for qualifying as processor are on the one hand being a separate legal entity with respect to the controller and on the other hand processing personal data on his behalf.
The Working Party recognises the difficulties in applying the definitions of the Directive in a complex environment, where many scenarios can be foreseen involving controllers and processors, alone or jointly, with different degrees of autonomy and responsibility.
In its analysis, it has emphasized the need to allocate responsibility in such a way that compliance with data protection rules will be sufficiently ensured in practice. However, it has not found any reason to think that the current distinction between controllers and processors would no longer be relevant and workable in that perspective.
The Working Party therefore hopes that the explanations given in this opinion, illustrated with specific examples taken from the daily experience of data protection authorities, will contribute to effective guidance on the way to interpret these core definitions of the Directive.
1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.
1st proposal
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.
2nd proposal
1. Where two or more controllers jointly determine the purposes and means of the processing of personal data, they are joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the (...) exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 14 and 14a, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement shall designate which of the joint controllers shall act as single point of contact for data subjects to exercise their rights.
2. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the (...) controllers.
3. The arrangement shall duly reflect the joint controllers’ respective effective roles and relationships vis-à-vis data subjects, and the essence of the arrangement shall be made available for the data subject. Paragraph 2 does not apply where the data subject has been informed in a transparent and unequivocal manner which of the joint controllers is responsible, unless such arrangement other than one determined by Union or Member State law is unfair with regard to his or her rights (...)
No specific provision
(2) If the data of the data subject are stored by means of automated procedures such that several bodies are entitled to store and if the data subject is unable to ascertain which body has stored the data, he may approach any of these bodies. Such body is obliged to forward the request of the data subject to the body which has stored the data. The data subject shall be informed of the forwarding of the request and of the identity of the body concerned. The bodies listed in Section 19 (3) of this Act, public prosecution and police authorities as well as public finance authorities may, in so far as they store personal data in performing their legal duties within the area of application of the Fiscal Code for monitoring and control purposes, inform the Federal Commissioner for Data Protection and Freedom of Information instead of the data subject. In such case the further procedure shall be as described in Section 19 (6) of this Act.