1. Fejn żewġ kontrolluri jew aktar jiddeterminaw flimkien l-għanijiet u l-mezzi tal-ipproċessar, huma għandhom ikunu kontrolluri konġunti. Huma għandhom b’mod trasparenti jistabbilixxu r-responsabbiltajiet rispettivi tagħhom għall-konformità mal-obbligi taħt dan ir-Regolament, b’mod partikolari fir-rigward tal-eżerċizzju tad-drittijiet tas-suġġett tad-data u l-kompiti rispettivi tagħhom biex jipprovdu l-informazzjoni msemmija fl-Artikoli 13 u 14, permezz ta’ arranġament bejniethom ħlief jekk, u sa fejn, ir-responsabbiltajiet rispettivi tal-kontrolluri jkunu stabbiliti bil-liġi tal-Unjoni jew ta’ Stat Membru li għalihom il-kontrolluri jkunu soġġetti. L-arranġament jista’ jaħtar punt ta’ kuntatt għas-suġġetti tad-data.
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to articles 26(1), 26(2), and 26(3) GDPR:
7.2.7 Joint PII controller
Control
The organization should determine respective roles and responsibilities for the processing of PII (including PII protection and security requirements) with any joint PII controller.
Implementation guidance
Roles and responsibilities for the processing of PII should be determined in a transparent manner.
…
Sisään
pääset käsiksi koko tekstiin
(79) Il-protezzjoni tad-drittijiet u l-libertajiet tas-suġġetti tad-data kif ukoll ir-responsabbiltà tal-kontrolluri u l-proċessuri, ukoll fir-rigward tal-monitoraġġ mill-awtoritajiet superviżorji u l-miżuri tagħhom, tirrikjedi allokazzjoni ċara tar-responsabbiltajiet skont dan ir-Regolament, inkluż fejn kontrollur jistabbilixxi l-għanijiet u l-mezzi tal-ipproċessar flimkien ma' kontrolluri oħra jew fejn issir attività ta' pproċessar f'isem kontrollur.
(EN)
Article 29 Working Party, Opinion 1/2010 on the concepts of ”controller” and ”processor” (2010).
EDPS, Guidelines on the Concepts of Controller, Processor and Joint Controllership Under Regulation (EU) 2018/1725 (2019).
EDPB, Guidelines 7/2020 on the Concepts of Controller and Processor in the GDPR (2021).
EDPB, Guidelines 8/2020 on the targeting of social media users (2020).
ICO, Right of Access (2020).
ICO, Data sharing: a code of practice (2020).
EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).
CJEU, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein/Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16 (2018).
CJEU, Tietosuojavaltuutettu v Jehovan todistajat, C-25/17 (2018):
The existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case. Actual access to personal data is not a prerequisite for joint responsibility (p. 68-72).
CJEU, Fashion ID GmbH & Co. KG/Verbraucherzentrale NRW eV, C-40/17 (2019).
(EN) The expression “joint controller” is one of the most difficult to grasp in practice. It is nonetheless essential to delimit the role of the parties involved in the processing of personal data to determine their responsibilities under the General Data Protection Regulation (GDPR).
…
Sisään
pääset käsiksi koko tekstiin