The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg has Templates for agreements between jointly responsible parties published. According to its release, the documents were “developed based on joint deliberations with a number of companies and public agencies.”
They include the agreement within the meaning of Article 26 (1) of the GDPR and the information of the data subjects about the essence of this agreement as provided for in Article 26 (2) of the GDPR.
The documents are well suited as a starting point and are therefore to be welcomed. However, they clearly go beyond the minimum. Moreover, the contract template is tailored to two – i.e. not three or more – joint controllers and, without adaptations, is only conditionally suitable for regulating joint responsibility in the intra-group relationship. Adaptations are also necessary in the event that one of the parties is not subject to the GDPR for the processing in question.