The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: If a law firm is a controller of the personal data that it receives from a client as part of a representation, is it a “separate controller” or a “joint controller”?
Answer: A joint controller is defined within the GDPR as “two or more controllers” that “jointly determine the purposes and means of processing.” 1
There is considerable ambiguity surrounding what it means to “jointly determine” the purposes and means of processing. Regulatory authorities have not offered guidance as to whether the term does, or does not, apply to attorneys, solicitors or barristers when they perform services on behalf of a client. The Article 29 Working Party has, however, suggested in the context of barristers that it views a joint controller relationship as unlikely, referring to barristers as “independent” controllers. 2 Similarly, the UK ICO, the supervisory authority for the United Kingdom, implied as part of a discussion of data subject rights that solicitors may not be joint controllers, stating that a client and a solicitor “each have their own data controller responsibilities.” 3
One of the defining practical characteristics of joint controllers is that they allocate “their respective responsibilities for compliance” with the GDPR between and among themselves. 4 When two companies are separate controllers, each company is responsible for independently fulfilling all of the requirements imposed by the GDPR. When two companies are joint controllers, the companies can agree by contract to allocate and distribute those responsibilities so that the entities, viewed together, address all of the GDPR obligations, even though one or both, viewed in isolation, might be out of compliance.

As a practical matter, therefore, whether a law firm and its client are separate controllers or joint controllers may turn on whether the law firm is relying upon its client to satisfy an obligation of the GDPR on the law firm’s behalf, or whether the client is relying upon the law firm to satisfy an obligation of the GDPR on the client’s behalf. For example, if the law firm’s processing of personal data is premised upon the client having a lawful basis for the processing, or the law firm intends to rely upon a record of processing kept by the client (e.g., the law firm does not keep its own record of processing), the law firm and the client would be acting as joint controllers. Conversely, if the law firm’s processing of personal data is premised upon its own lawful basis (e.g., the law firm’s legitimate interest in representing its client), and the law firm has processes in place to comply in its own right with the obligations of the GDPR (e.g., maintaining its own record of processing), its actions would be consistent with those of a separate controller.