Joint Controllers Under GDPR: Data Processing Responsibilities

Introduction

Joint controllers are two or more controllers that jointly determine the purposes and means of processing personal data under GDPR, creating shared responsibility for compliance obligations and liability. This arrangement differs fundamentally from independent controller relationships and requires specific legal agreements to manage shared data protection responsibilities.

Joint controller relationships arise when companies decide together how and why to process the same personal data, making both parties liable for GDPR compliance across the entire processing activity.

What This Guide Covers

This guide covers joint controller definitions, legal requirements under Article 26 GDPR, practical implementation steps, and compliance frameworks. It excludes general GDPR basics for single controllers or standard data processor arrangements.

Why This Matters

Joint controllers face joint and several liability, meaning each party can be held liable for the entire damage resulting from non-compliance. They must establish joint controller agreements, coordinate data subject rights responses, and maintain transparency obligations across both organisations.

What You’ll Learn:

How to identify when joint controller relationships exist
Legal obligations under Article 26 GDPR and UK GDPR
Creating compliant joint controller agreements
Managing shared liability risks and compliance responsibilities

Understanding Data Controller Roles and Relationships

A data controller determines the purposes and means of processing personal data, bearing primary responsibility for GDPR compliance and data protection obligations.

The controller decides why personal data is processed (purposes) and how it is processed (means), distinguishing them from processors who act solely on the controller’s behalf. Understanding controller classification matters because it determines your compliance obligations, liability exposure, and relationship with data subjects.

Independent Controllers vs Joint Controllers

Independent controllers process personal data for their own purposes, with each controller responsible only for their separate processing activities and compliance obligations.

When companies operate as independent controllers, they maintain distinct lawful basis requirements, privacy notices, and data subject rights procedures. This connects to joint controller concepts because independent arrangements contrast sharply with shared decision-making scenarios where responsibilities become interlinked.

Controllers vs Processors

Data processors act on a data controller’s behalf under specific contractual instructions, without determining processing purposes or essential means of processing.

Processors have limited compliance obligations compared to controllers, primarily focusing on security measures and following the instructions of controllers. Building on controller concepts, understanding processor roles helps distinguish scenarios where parties act under instruction from joint controller relationships involving shared decision-making authority.

Joint Controllers in Practice

Joint controllership emerges when two or more controllers jointly determine the purposes and means of processing the same personal data through converging decisions or inextricably linked processing activities.

When Joint Controllership Arises

Joint controller relationships emerge when companies jointly determine the purposes of data collection, processing methods, or data use strategies, thereby creating a shared influence over the same personal data processing activity.

Controllers don’t need identical purposes to be joint controllers – their processing activities must be closely linked, complementary, or result from converging decisions that have a tangible impact on how personal data is processed. Joint controllership can arise from explicit agreements, collaborative arrangements, or technological integrations that create shared decision-making.

Common Joint Controller Examples

The European Data Protection Board has identified several scenarios where joint controllership commonly occurs:

Facebook Pages and administrators become joint data controllers when using Facebook’s Page Insights tool, as both parties jointly decide on targeted advertising and analytics purposes using visitor data collected through Facebook pixels.

Website operators using certain social media plugins may be considered joint controllers with the social media provider, but only for the initial collection and transmission of user data to the platform. The operator does not share responsibility for how the platform processes the data thereafter.

Joint research projects between multiple organisations establish joint controllership when companies decide together on research objectives, data collection methods, and analysis purposes for the same datasets.

Combined service offerings using shared data platforms create joint controller arrangements when each party’s business purposes are closely linked and require shared decision-making over customer data processing.

Key Determining Factors

Joint controllership requires the joint determination of both the purposes and means of processing, which goes beyond simply having shared access to the same data.

The key point is whether parties jointly determine processing objectives and methods, not whether they process data for identical reasons. Controllers must assess whether their decisions about personal data processing are made independently or through collaboration that influences how data subjects’ information is collected and used.

Once joint controller relationships are identified, specific legal requirements under Article 26 of the GDPR must be implemented.

Legal Requirements and Compliance

Joint data controllers must comply with Article 26 GDPR requirements, establishing transparent arrangements that allocate respective responsibilities and ensure coordinated compliance across both organisations.

Step-by-Step: Creating Joint Controller Agreements

When to use this: Required under Article 26 GDPR for all joint controller relationships involving the processing of personal data.

1. Map data flows and processing activities: Document how each party collects, uses, and shares personal data, identifying where joint decision-making occurs and respective roles in the data processing activity.

2. Allocate specific GDPR compliance responsibilities: Assign obligations for privacy notices, lawful basis documentation, data protection impact assessments, and transparency obligations between parties in a transparent manner.

3. Designate contact points for data subject rights: Establish which party will serve as the primary contact for data subject requests, ensuring both controllers can demonstrate compliance with the procedures for the exercise of data subject rights.

4. Define liability arrangements and compensation terms: Specify how parties will handle joint and several liability, including indemnification clauses and procedures for when one party must pay compensation for entire damage claims.

5. Make the essence of the arrangement available to data subjects: Ensure data subjects can access information about the parties’ respective responsibilities and the contact details for exercising their rights under data protection law.

Comparison: Joint Controller Agreements vs Processor Contracts

Feature | Joint Controller Agreements | Processor Contracts
Decision-making authority | Both parties jointly determine purposes and means | The processor follows controller instructions only
Liability allocation | Joint and several liability for the entire damage | Limited processor liability for security breaches
GDPR obligations | Both parties must comply with full controller obligations | The processor has specific Article 28 requirements
Data subject rights | Either party can receive and respond to requests | The processor assists the controller with responses

Joint controller agreements address scenarios where parties jointly determine the purposes and essential means of processing. In contrast, processor contracts are used when one party (the processor) acts on the documented instructions of another (the controller) regarding those purposes and means.

Even with proper agreements, joint controllers face ongoing compliance challenges requiring practical solutions.

Common Challenges and Solutions

Joint controller arrangements create complex compliance scenarios that require proactive management of shared responsibilities and coordinated responses to data protection requirements.

Challenge 1: Determining Controller Status in Complex Partnerships

Solution: Conduct a detailed assessment of each party’s actual decision-making authority over data processing purposes and means, focusing on substance rather than contractual labels.

Assess whether parties make independent decisions about their own purposes or whether their decisions are inextricably linked such that processing wouldn’t occur without both parties’ involvement.

Challenge 2: Managing Joint and Several Liability

Solution: Implement comprehensive indemnification clauses and due diligence procedures in joint controller agreements to manage exposure to entire damage compensation claims.

Establish clear procedures for liability assessment, including insurance arrangements and risk allocation based on each party’s respective responsibilities and control over processing activities.

Challenge 3: Coordinating Data Subject Rights Across Multiple Controllers

Solution: Establish clear procedures for request handling, response coordination, and data consistency between joint controllers to ensure effective exercise of data subject rights.

Establish communication protocols with defined response timelines, shared databases for tracking requests, and procedures to ensure consistent responses when data subjects contact either controller.

Successful joint controller compliance requires an understanding of these frameworks and the implementation of appropriate governance structures.

Conclusion

Joint controllers share both decision-making authority and compliance responsibilities under the GDPR, creating shared liability for entire damage claims, while requiring specific agreements to manage their respective roles and obligations.

Related topics include data sharing agreements for independent controllers, data processor contracts under Article 28, and GDPR compliance auditing for controller relationships.