I’m currently engaged in a ‘stand off’ with a marketing company. We are using them to generate ‘marketing qualified leads’ that we follow up. We are not sharing any data with the marketing company ie not providing any names etc. How the marketing company ‘generate’ these leads is unknown to us.
I’m repeatedly being asked to sign a joint controller agreement however fail to see how we are joint controllers. I do not want to accept any liability if the data has been collected in a manner inconsistent with GDPR and as a joint controller I’m worried this may be the case.
BlueBottle
OP – I would argue you are in fact engaged in a controller-to-controller transfer, as you are not determining the purposes and means of processing prior to the leads being given to you.
The marketing co are sharing data with you, but from that point, is it yours to do as you please with? As in, once you get a lead you’re paying a fee for it, and it’s up to you to convert that into a sale? If so, there’s a clear line in the sand between their and your responsibilities. Theirs end when they transfer data to you, yours begin when you receive it. This is very ordinary in a controller-to-controller transfer.
DP-Pro
Since the GDPR there is no longer the distinction between JOINT CONTROLLERS and CONTROLLERS IN COMMON. However, each of you are responsible for the processing that you undertake for your own purposes. They, for example are controllers for the lawful collection and provision of personal data, you will be responsible for your receipt, follow ups and retention of the personal data thereafter. They would not be providing you with any personal data if you hadn’t asked/contracted/paid for it; therfore you are also determining the PURPOSES for processing. How you go about acquiring and using the data also speaks to the MEANS criterion of being a controller. Welcome to the world of being a controller, jointly or alone!