Frequently Asked Questions

When there are two or more data controllers who jointly determine the purpose and means of processing, they are considered joint controllers. They decide together to process personal data for a joint purpose. Joint controllership can take many forms and participation of the different controllers may be unequal. Joint controllers must therefore determine their respective responsibilities for compliance with the GDPR.

It is important to note that joint controllership leads to joint responsibility for a processing activity.

  • Example of joint controllership: Companies A and B have launched a co-branded product and wish to organise an event to promote this product. To that end, they decide to share data from their respective client and prospective client databases and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered joint controllers for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.

Organisations must, in the case of direct collection of personal data from the individuals concerned, provide information about the processing operations in a concise and transparent way, using understandable, easily accessible and clear and plain language. This can be done in writing (e.g. on the reverse side of a tender) or by electronic means (e.g. on a website). If the person concerned so requests, you may also provide this information orally, but you must be able to prove this afterwards.

Even when the data was collected indirectly, i.e. if you do not collect the personal data from the individual yourself but, for example, via a third party, you must provide the same detailed information to the individuals concerned.

Some types of personal data belong to special categories that deserve more protection, so-called sensitive data. Sensitive data includes data that reveals information about:

  • an individual’s health;
  • an individual’s sexual orientation;
  • an individual’s racial or ethnic origin;
  • an individual’s political opinions, religious or philosophical beliefs;
  • an individual’s trade union membership;
  • an individual’s biometric and genetic data.

The processing of an individual’s sensitive data is generally prohibited, except under specific circumstances that justify its processing.

Pseudonymisation consists of transforming personal data so that it can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an individual. In practice, it may mean replacing personal data (name, first name, personal number, phone number, etc.) in a data set with indirectly identifying data (alias, sequential number, etc.). Pseudonymised data is still personal data and is subject to the GDPR.

Anonymised data is data that has been rendered anonymous in such a manner that the individual is not or no longer identifiable by any means that are reasonably likely to be used. When the anonymisation is implemented properly, the GDPR no longer applies to the anonymised data.
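As an added illustration (not part of this FAQ), the following Python shows the difference in practice: pseudonymisation keeps a separately held key table through which the data can be re-identified, while anonymisation removes the identifiers with no such table. The record set, field names and alias scheme are constructed for the example.

```python
# Added example (not part of the FAQ): pseudonymising a constructed record set
# by replacing direct identifiers with a sequential alias and keeping the
# alias -> identity key table separately, versus anonymising by removing the
# identifiers outright and coarsening the remaining quasi-identifiers.

DIRECT_IDENTIFIERS = ("name", "first_name", "personal_number", "phone")

# Constructed sample records; these are not real people.
RECORDS = [
    {"name": "Doe", "first_name": "Jane", "personal_number": "850101-1234",
     "phone": "+32 470 00 00 01", "postcode": "1000", "diagnosis": "asthma"},
    {"name": "Roe", "first_name": "Richard", "personal_number": "900202-5678",
     "phone": "+32 470 00 00 02", "postcode": "9000", "diagnosis": "asthma"},
]


def pseudonymise(records):
    """Return (pseudonymised_records, key_table).

    key_table maps alias -> removed identifiers. It is the 'additional
    information' that must be stored separately and protected; while it
    exists, the output remains personal data under the GDPR."""
    key_table, out = {}, []
    for i, rec in enumerate(records, start=1):
        alias = f"P{i:04d}"  # sequential alias; carries no identifying content
        key_table[alias] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"alias": alias, **rest})
    return out, key_table


def reidentify(pseudo_record, key_table):
    """Reverse the pseudonym using the separately held key table."""
    rest = {k: v for k, v in pseudo_record.items() if k != "alias"}
    return {**key_table[pseudo_record["alias"]], **rest}


def anonymise(records):
    """Drop direct identifiers with no key table and generalise the postcode
    to two digits; whether the result is truly anonymous still needs a
    case-by-case assessment of the remaining quasi-identifiers."""
    anon = []
    for rec in records:
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        rest["postcode"] = rec["postcode"][:2] + "xx"
        anon.append(rest)
    return anon
```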

The contract between the data controller and the data processor must stipulate that the data processor:

  • processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
  • ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • ensures security of processing;
  • does not engage another data processor without prior specific or general written authorisation of the data controller;
  • assists the data controller in fulfilling the data controller’s obligation to respond to individuals’ requests to exercise their rights;
  • assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
  • at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
  • makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
  • allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.

In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.

A personal data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

  • If the data breach poses a risk to the individuals concerned, you must report it to the relevant data protection authority within 72 hours.
  • If the breach is likely to result in a high risk to individuals, you will also need to communicate that breach to the individuals concerned without undue delay.

In any case, for all breaches (even those that are not notified to a DPA) you must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response.

Individuals can ask you whether you are processing their data and, where that is the case, they have a right to access that data. If you do process their data, you should, for example, provide a copy of their personal data free of charge, together with any necessary additional information. Where a request is made electronically, your organisation should provide the required information in a commonly used electronic format, unless the individual requests otherwise.

If your organisation is collecting the personal data directly from individuals, it must provide the necessary information at the time of collection.

In case of indirect collection of personal data, your organisation must provide the information at the latest within one month after the personal data has been initially obtained. This maximum period of one month can be reduced:

  • if the personal data is used for the purpose of communicating with the data subject, you must inform the data subject at the latest at the time of the first communication;
  • if the data is transmitted to another recipient, you must inform the data subjects of this at the latest when the personal data is transferred.

The DPO can be an existing employee with sufficient knowledge of the GDPR (provided the employee’s professional tasks are compatible with those of the DPO and do not lead to conflicts of interest) or an external person. The DPO should be able to carry out their tasks independently and should report directly to the highest level of management.