http://www.legislation.gov.uk/id/eur/2019/1715

CHAPTER 2General principles and data protection

Article 11Data controllers and joint controllership

1

The Commission and the competent authorities of the Member States shall be joint controllers of data processing operations in each of the components.

2

The Commission shall be responsible for:

a

determining and implementing the technical means to enable data subjects to exercise their rights, and ensuring that those rights are exercised in compliance with Regulation (EU) 2018/1725;

b

ensuring the security of processing within each component pursuant to Article 33 of Regulation (EU) 2018/1725;

c

determining the categories of its staff and external providers to whom access to the components may be granted;

d

notifying and communicating any personal data breach of the components to the European Data Protection Supervisor pursuant to Article 34 of Regulation (EU) 2018/1725 and to the data subject pursuant to Article 35 of that Regulation respectively;

e

ensuring that its staff and external providers are adequately trained to perform their tasks in accordance with Regulation (EU) 2018/1725.

3

The competent authorities of the Member States shall be responsible for:

a

ensuring that data subject’s rights are exercised in compliance with Regulation (EU) 2016/679 and this Regulation;

b

ensuring the security and confidentiality of personal data pursuant to Section 2 of Chapter IV of Regulation (EU) 2016/679;

c

designating the staff that are to have access to each component;

d

ensuring that staff accessing each component are adequately trained to perform their tasks in accordance with Regulation (EU) 2016/679 and, where relevant, Directive (EU) 2016/680.

4

The competent authorities of the Member States may designate different joint controllers within the same Member State for the purpose of fulfilling one or more of the obligations referred to in paragraph 3.