LfDI Baden-Würt­tem­berg: Tem­p­la­te for Joint Con­trol­ler Contracts

The Sta­te Com­mis­sio­ner for Data Pro­tec­tion and Free­dom of Infor­ma­ti­on of Baden-Würt­tem­berg has Tem­pla­tes for agree­ments bet­ween joint­ly respon­si­ble par­ties published. Accor­ding to its release, the docu­ments were “deve­lo­ped based on joint deli­be­ra­ti­ons with a num­ber of com­pa­nies and public agencies.”

They include the agree­ment within the mea­ning of Artic­le 26 (1) of the GDPR and the infor­ma­ti­on of the data sub­jects about the essence of this agree­ment as pro­vi­ded for in Artic­le 26 (2) of the GDPR.

The docu­ments are well sui­ted as a start­ing point and are the­r­e­fo­re to be wel­co­med. Howe­ver, they cle­ar­ly go bey­ond the mini­mum. Moreo­ver, the con­tract tem­p­la­te is tail­o­red to two – i.e. not three or more – joint con­trol­lers and, wit­hout adap­t­ati­ons, is only con­di­tio­nal­ly sui­ta­ble for regu­la­ting joint respon­si­bi­li­ty in the intra-group rela­ti­on­ship. Adap­t­ati­ons are also neces­sa­ry in the event that one of the par­ties is not sub­ject to the GDPR for the pro­ce­s­sing in question.