Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Joint Controllership Sub-group News


During 2018, the not-for-profit international network CPC set up several study groups with the aim of analyzing and comparing the Member States’ laws and the Data Protection Authorities’ interpretations of specific legal arrangements provided for by EU Regulation 679/2016 (GDPR).

One of these study groups focused on the interpretation of the joint controllership concept in each Member State and its practical implications (the “Joint Controllership Group”).

The Joint Controllership Group was supervised by the Italian CPC member, Chiara Agostini, as group leader, and its results are based on the contributions of the CPC members of the following countries: Belgium, Bulgaria, Cyprus, Italy, Latvia, the Netherlands, Norway, Portugal, Slovenia and Spain.

The comparative analysis carried out by this group shows that joint controllership was not a frequently used arrangement within the Member States before the GDPR. As a consequence, apart from the famous Belgian case in 2008 concerning SWIFT (the Belgian non-profit association in charge of managing electronic financial transaction processing), there is no established case law on this matter that can help professionals in regulating the relationship between joint controllers.

From an institutional perspective, only in Norway and in Belgium did the local DPA provide general guidelines on joint controllership, in which these authorities:

  • indicated in general terms when the parties involved in a data processing operation are to be considered individual controllers, joint controllers or parties operating under a controller-processor relationship;
  • stressed the importance of implementing an arrangement between joint controllers that clearly defines their respective obligations, with particular regard to the obligations relating to data subject rights and transparency.

The Belgian DPA, moreover, underlined that, notwithstanding the joint controllers’ agreement, joint controllers remain separately liable for compliance with the GDPR.

The comparative study also shows that no local DPA has provided a standard model of the contract between joint controllers. On the basis of their experience, the majority of the CPC members have in any case agreed on the need to draft this contract with clauses covering the following elements: the distribution of liability; the definition of the purposes and of the means of the processing; procedures for data breach notifications / liability in data breach cases; proper application of security measures; appointment of a Data Protection Officer (where applicable); the identification of a main contact point for data subjects; and the regulation of possible transfers of personal data to third countries or international organizations.

With the aim of giving practical help with the interpretation of this concept, the CPC network decided, during its annual conference on 24 November 2018, to merge the Joint Controller Group with the Processor one, supervised by the Bulgarian CPC member, Mitko Karushkov, in order to draft, during 2019, a memo setting out some concrete cases, related to specific market sectors, where the parties involved in a data processing operation are to be considered individual controllers, joint controllers or parties operating under a controller-processor relationship.


Article provided by: Chiara Agostini (R&P Legal, Italy)


Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project

Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper legal guidance from the very start...



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straightforward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.