Bavaria: BayLfD publishes guide on joint controllership
On June 17, 2024, the Bavarian data protection authority (BayLfD) announced that it had published a guide on joint controllership under the General Data Protection Regulation (GDPR). The guide provides a comprehensive overview of joint controllership, including its requirements, such as jointly deciding on the purposes and means of processing, as well as examples of joint controllership.
What are the highlights of the guide?
The guide explains that Article 26 of the GDPR does not constitute a legal basis for processing operations carried out under joint controllership. The admissibility of processing operations must result from a legal basis. The guide also clarifies that the concept of responsibility is generally understood broadly in order to ensure effective and comprehensive protection for the data subject.
The guide illustrates the difference between individual and joint responsibility with examples such as:
- a public body that collects and processes the personal data of its employees for the purpose of managing remuneration, health insurance, etc., and shares this data with the competent tax authorities. The public body and the tax authorities are not joint controllers, as the data processing is not carried out jointly. The two organizations are therefore classified as two separate data controllers; and
- a bank that uses a financial communications transmitter to carry out its financial transactions and agrees on the means of data processing with the transmitter. The processing of personal data relating to financial transactions is carried out first by the bank for the purpose of carrying out the transactions themselves and only later by the transmission service for other purposes. Although each of the actors at the micro level pursues its own purposes, the different purposes of processing are closely linked at the macro level. Therefore, the bank and the transmission service can be considered joint controllers.
The guide advises joint controllers and processors to systematically and clearly define their respective roles and responsibilities before starting a processing activity and document them to be able to meet their data protection obligations.
You can read the press release here and the guide here, both only available in German.