1 minute read
Further guidance may be found in the decisions of the DPC
regulates the relationship between Data Controller and Data Processor is of pivotal importance (see A Practical Guide to Controller-Processor Contracts).
If the Data Controller jointly determines the purposes and means of processing and is therefore a Joint Controller, the Data Subjects may exercise their access rights in respect of and against each of the Joint Controllers (Article 26(3) GDPR) notwithstanding any different provision existing in the legal document governing the relationship between them (Article 26(1) GDPR). This ultimately means that an access request may be validly lodged to one Joint Controller in respect of data that may be solely processed by the other Joint Controller and vice versa. It is therefore important that technical and organisational measures between Joint Controllers are in place to ensure that every request related to personal data processed by a Joint Controller, different to the Controller which received the access request, is dealt with within the deadlines. This can be facilitated by an in-depth consideration of the processing activities in the legal document governing the relationship between Joint Controllers.
Advertisement
Groupon International Limited - December 2020
Ryanair DAC - November 2020
