In addition, the essential content (for example. B the part from which data subjects can deduct rights) will be made available to data subjects. This obligation is most reasonably assumed by the body collecting data or is the point of contact for the data subjects. If a request is made by a non-EEA authority requesting a restrictive transfer under this derogation and there is an international agreement such as a Mutual Legal Assistance Agreement (MLAT), you should consider referring the request to the MLAT or the existing agreement. 3.1 Notion of shared responsibility is present when two or more controllers jointly designate the purposes and means of data processing (Art. 26 GDPR). The term «together» should be interpreted as «with» or «not alone».[7] It is sufficient to make a minimum contribution to the determination of the object and means[8]. It is therefore not necessary for the joint controllers to have the same degree of participation in the entire data processing. However, mere cooperation without participation in objectives and means cannot in principle justify shared responsibility[9]. In each case, it is necessary to examine, taking into account all the circumstances, whether or not there is a common responsibility. In particular, the global (macro) vision of data processing should be taken into account, even if the parties at the micro-economic level pursue their own objectives[10].

On 5 June 2018, the Court of Justice of the European Communities (ECJ) recognised the shared responsibility of an operator of a Facebook and Facebook fan page[11]. This decision shows that shared responsibility requires little impact on the processing of data by either party. It should be noted that the ECJ continues to find that it is not essential for all controllers to have access to personal data. [12] 3.2 Intra-group link The GDPR does not grant an intra-group exemption. Therefore, any intra-group transmission of data must be analysed separately on the basis of compliance[13]. In a group, one of the group units often provides centralized services to all other entities in the group (for example. B centralised processing of customer or employee data). If such a service is included in the decision on the means and purposes of data processing or if it is granted to pursue its own interests, it must be considered a shared responsibility. On the other hand, it is likely that a processor contract is established where a unit of the group determines only the technical means of data processing, but does not have a real impact on the purpose or essential means of the processing. 4 Agreement between the joint controller Pursuant to Article 26(1) of the GDPR, in so far as there is shared responsibility, an agreement must be concluded between the joint controllers, which governs the distribution of GDPR obligations between the parties concerned. Article 26(1) and (2) of the GDPR determines its content. 4.1 Formal requirements There is no legal obligation for a written agreement.

However, due to the transparency rule and the obligation to make available to data subjects the essential content of such an agreement, a written agreement is usually required for evidentaary reasons. . . .