The classic trap
Recital 79 sets a simple principle in theory, devastating in practice: each actor must know exactly what they are accountable for. The CNPD and CNIL regularly sanction organisations unable to produce, during an inspection, the written mapping of their shared responsibilities. The typical trap: a company uses a SaaS marketing tool that is actually a joint controller (article 26), but the signed contract is a simple article 28 DPA. Result: incorrect legal qualification, blurred allocation, and full liability flowing back to the client.
How this recital shapes the interpretation of articles 26 and 28 in practice
Recital 79 acts as the reading key supervisory authorities use to judge whether you have actually allocated responsibilities or merely copy-pasted a contract. Three tests are systematically applied by the CNPD and the EDPB (guidelines 07/2020):
- Qualification test: for each third-party relationship, are you sole controller, joint controller, or processor? Have you documented the reasoning?
- Clarity test: can a third party (data subject, authority) identify in less than 5 minutes who is accountable for what (collection, retention, security, data subject rights, breach notification)?
- External transparency test: is the essence of the article 26 arrangement effectively published and accessible to data subjects?
Recital 79 is not decorative: it grounds the joint and several liability of article 82(4) and justifies an authority sanctioning an actor who failed to delimit their perimeter, even if the initial fault came from the partner.
How Luxgap automates this risk
Our Luxgap Controllership Mapper eliminates the grey zone that brings organisations down: for each third-party relationship detected in your IT landscape, the tool automatically determines the legal qualification (sole controller, joint controller, processor) and generates the adapted contractual framework. A specialised LLM agent analyses real data flows detected in Microsoft Purview, Salesforce, Odoo, AWS and your contracts stored in SharePoint, then applies the EDPB 07/2020 framework to propose the correct qualification with a written, defensible justification.
- Classifies each third-party relationship by cross-checking who-decides-what on purposes and means, following the EDPB 07/2020 methodology.
- Detects frequent qualification errors (article 28 DPA signed when it should be joint controllership, or vice versa) and flags contracts to renegotiate.
- Generates ready-to-sign article 26 arrangement templates, tailored by typology: advertising pixel, shared platform, research consortium, joint venture, loyalty programme.
- Automatically publishes the /joint-controllers/ essence page required by article 26(2), updated whenever a contract changes.
- Maps in real time the responsibility chain with an exportable visual diagram, showing who answers for what on each processing activity.
- Produces a time-stamped, cryptographically sealed PDF report demonstrating the clear allocation required by recital 79, defensible before the CNPD during an inspection.
Available as part of a Luxgap DPO mandate or as a dedicated SaaS module depending on your perimeter. Request a tailored quote and our teams will prepare a demonstration on your real third-party relationships, with a free blind audit within 48h to identify your mis-qualifications before any commitment.
