Skip to content

A joint controller is defined within the GDPR as “two or more controllers” that “jointly determine the purposes and means of processing.”[1]

There is considerable ambiguity surrounding what it means to “jointly determine” the purpose and means of processing. Legal professional organizations in some countries have indicated that barristers and solicitors rarely function as joint controllers when involved in the representation of a matter. For example, The Bar Council in the UK has taken the following position:

Article 26 applies only where “two or more controllers determine the purpose and means of processing”. Other than in exceptional circumstances, this will not be the case in relation to a barrister and their instructing solicitor concerning a typical set of instructions or a typical brief. Instead, the barrister will (and will be professionally obligated to) form their own opinion as how the personal data should be used, hand and where it should be stored, and as to the period for which it should be retained. The barrister and the solicitor will therefore be processing a pool of data “independently of each other”, and will not be joint controllers.”[2]

While situations in which a barrister and a solicitor may be joint controllers “are likely to be rare” they are, however, not inconceivable.[3] For example, it may be possible that if a barrister or a solicitor are jointly involved in the “drafting of letters or witness statements,” they form a joint controller relationship. Even in that situation, however, if one of the parties may need independence concerning the use, retention, or deletion of the data a joint controller relationship is unlikely to form. [4]


[1] GDPR, Art. 26(1).

[2] See Memorandum issued by UK Bar Council on May 2018 (last viewed 8 October 2020).

[3] Id. at ¶ 7.

[4] Id.

Print:
EmailTweetLikeLinkedIn
Photo of David A. Zetoony David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Associations primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Associations primary publication on the California Consumer Privacy Act (CCPA).