The controller within the meaning of the GDPR is a natural or legal person, authority, institution or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

If members or affiliates of the University of Oldenburg collect personal data, the Controllership of the Presidential Board of the University of Oldenburg remains in principle.

However, compliance with data protection regulations is also the obligation and responsibility of all members and affiliates of the University (see data protection guideline).

Therefore, every person, body or institution of the University of Oldenburg that processes personal data has to fulfil the tasks and obligations to comply with the GDPR, i.e. in particular the documentation obligations, on their own Controllership and also provide evidence within the scope of accountability.

However, since the official (external) responsibility remains with the University of Oldenburg, which must also be stated in any data protection declarations, declarations of consent, etc., we speak internally of so-called "process or subject owners". These are regularly the persons in charge of the project.

This means that heads of the respective organisational unit or the project for which personal data is collected must in particular draw up a directory of processing activities (sample) if necessary, draw up a data protection concept and draw up corresponding data protection data protection or consent declarations if personal data are processed.

The GDPR recognises the so-called "joint responsibility" in the event that two or more controllers jointly determine the purposes and means of processing .

This is particularly the case when two or more persons, entities, authorities or other bodies want to process data jointly with one or another and decide on the purposes and means of the processing.

A very important case law of the ECJ on the issue of joint responsibility is hidden behind the case number C-210/16 in its judgment of 05.06.2018, where the ECJ ruled that operators of Facebook "Fanpages" and Facebook Ireland are joint controllers. If you (want to) operate a "fan page" on Facebook under the responsibility of the University, please contact the Staff Office.

Duties of joint responsible parties

If there is joint responsibility, according to Art. 26 (1) of the GDPR, an agreement must be concluded which "sets out in a transparent manner which of them [the controllers] fulfils which obligation under this Regulation [the GDPR], in particular as regards the exercise of data subjects' rights, and who fulfils which information obligations under Articles 13 and 14 [...]".