Control area: 7.2.7 Joint PII Controller

Joint data controller situations are always an interesting debate. In simple terms, it means that both entities jointly determine the ‘purposes and means’ of processing the PII.

The control implies that the joint PII controllers should determine their respective roles and responsibilities for processing. Nothing much is new here: in the GDPR, Article 26 requires joint controllers to set out their respective responsibilities in an arrangement between them (Article 24 covers the controller's general responsibilities, and Article 28 the contract required with a processor). Again, in other jurisdictions this may be different.

ISO 27701 states that a PII agreement should be in place between the joint controllers and recommends that the following elements be addressed:

  • Roles and responsibilities
  • Purpose of sharing
  • Identity of both organisations
  • Categories of PII
  • Transfer protocols
  • Description of activities
  • Technical and security measures to be deployed
  • Retention of PII
  • Deletion of PII
  • Liabilities of both parties
  • Failure to adhere to agreement
  • Handling of data subject requests (including subject access)
  • Data breaches
  • Contact points for PII

Again, there is nothing significant here, except that it is wise to review existing arrangements between two data controllers against this list, and to check that each element is actually covered before an audit rather than assumed to be.

For further information and to book your ISO27701 survey please contact: Marcus J Allen at Thamer James Ltd. Email: marcus@thamerjames.co.uk

Marcus has twenty years’ experience in information security standards and has assisted numerous organisations in gaining certification to ISO 27001. He holds a BSI ISO 27001 lead auditor certificate and BSI qualifications in ISO 27701. In addition, Marcus is a Certified Data Protection Officer, is GDPR practitioner qualified, and is a member of the National Association of Data Protection Officers.