The European Court of Justice (ECJ) in Luxembourg rendered a judgment on July 12 that explains, among other things, what a (joint) data controller is. The judgment is on the “old” EU Data Protection Directive 95/46/EC, but the relevant provisions in the General Data Protection Regulation (GDPR), Art. 4 and 26, are very similar.
The case is about Jehovah’s Witnesses Community and whether taking notes in the course of their door-to-door preaching falls under the GDPR. The ECJ states that (a) their activities don’t fall under the exemptions for religious communities, and that (b) the community is a data controller jointly with its members who engage in this preaching activity.
2) Quotes from the Judgment (emphasis added)
65 “As expressly provided in Article 2(d) of Directive 95/46, the concept of ‘controller’ refers to the natural or legal person who ‘alone or jointly with others determines the purposes and means of the processing of personal data’. Therefore, that concept does not necessarily refer to a single natural or legal person and may concern several actors taking part in that processing, with each of them then being subject to the applicable data protection provisions (see, to that effect, judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 29).