According to the GDPR, a data subject is a natural person (a natural person) who can be identified directly or indirectly on the basis of information stored about him. If you are reading this, you are a concerned person. When the law speaks of “personal data”, it means all information relating to a data subject. A luxury car company collaborates with a design fashion brand to organize a co-branding promotional event. The companies decide to organize a draw during the event. They invite participants to enter the draw by entering their name and address into their contest system at the event. After the event, the companies send the prizes to the winners. You do not use the personal data for any other purpose. A house administration runs dormitories for the owner, the university.

The company enters into rental agreements with students on behalf of the university and chases away any rent arrears. She collects the rent and transmits it to the university after taking a commission. While this information may seem unfair, it only serves to facilitate claims by a data subject who would otherwise have to sue each person responsible individually. The person in charge who has been ordered to pay the full fine may apply a posteriori to the other officials to share the sentence according to their respective role in their action. Maybe as a controller who transmits data to another controller, you should only choose companies that subscribe to your rules? Which, sometimes, is not really possible. The European Union`s General Data Protection Regulation (“GDPR”) is probably the most comprehensive – and complex – data protection regulation in the world. Although the GDPR has adopted, on the 25th The entry into force of May 1, 2018 remains a great confusion as to the requirements of the GDPR. On the other side of the complexity spectrum: separate controllers.

These managers can exchange personal data, but it stops there: neither party has anything to do with the means or purpose of the processing by the other party. If you are solely responsible for a processing activity, you and you are solely responsible for compliance with the rules. The same is not true for multi-controller scenarios. In light of the General Data Protection Regulation (or “GDPR”) that came into force last year, the roles of the different parties involved in data processing have been clarified. One of the practical characteristics of joint managers is to “divide among themselves and among themselves their respective responsibilities for compliance” with the GDPR. 4 In other words, if two companies are separate controllers, each company is responsible for meeting all the requirements of the GDPR independently of each other. If two companies are jointly liable, the companies can contractually agree to assign and allocate these responsibilities in such a way that the companies, when considered together, comply with all the obligations of the GDPR, but if the companies have been considered in isolation, one or the other may not be compliant.