The European Data Protection Supervisor (EDPS), which is the competent data protection authority for the bodies and authorities of the EU, has published guidance on the notions of controller, processor and joint controllers (EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725). The guide refers to the legal definitions in Regulation 2018/1725 on the protection of personal data when processed by the bodies, institutions and agencies of the EU, i.e. not to the GDPR. However, the corresponding legal definitions are practically identical in wording (with a few differences that either relate to the scope of Regulation 2018/1725 or are not significant).
In terms of content, there is little that is new in the guide from the point of view of private-sector managers. Although the guide already takes up the current decision of the ECJ in the Fashion ID case, it does not derive anything surprising from it. However, it is clear, once again, that the scope of joint responsibility is (very) broad.
The following flowchart in the guide is helpful: