Joint controllership
Joint controllership means that two or more actors jointly determine the purposes and means of processing personal data.
Explained – what is a joint controller agreement?
Joint controllership arises where several parties together decide how and why personal data are processed. This follows from Article 26 GDPR and requires the joint controllers to allocate their obligations in a clear and transparent manner. A GDPR lawyer can help design a joint controller agreement that meets these requirements. Joint controllership commonly occurs in collaborations between companies, public authorities or organisations that handle personal data for shared purposes.
When does joint controllership become relevant?
The question arises when several actors collaborate and share responsibility for personal data. This may cover anything from joint marketing activities to shared IT systems or shared customer databases. If more than one party influences how personal data are collected, used or stored, they may be joint controllers under GDPR. This calls for a clear agreement on each party’s responsibilities and how to communicate with data subjects about joint controllership.
Key considerations for a joint controller agreement
Where there is joint controllership, it is essential to regulate the division of responsibilities between the parties. The following points are central to consider in such situations:
- Put in place a written joint controller agreement specifying who is responsible for each part of the processing.
- Ensure data subjects are transparently informed about whom to contact with questions.
- Make sure each party fulfils its GDPR obligations, for example the information duties in Articles 13–15.
- Carry out a joint data protection risk assessment to identify any gaps in data protection.
- Establish procedures for handling personal data breaches and data subject rights.
- Agree a common understanding of lawful basis, retention periods and appropriate security levels.
A well-designed allocation of responsibilities strengthens trust and facilitates supervision by the Data Protection Agency.
Why is joint controllership important?
Joint controllership ensures that all actors who determine the purposes and means of processing accept their responsibilities. It prevents gaps in compliance, avoids any party evading its obligations, and clarifies rights and duties towards data subjects. When responsibility is shared, it supports better GDPR compliance and reduces the risk of unclear communication to data subjects, consistent with the GDPR's accountability principle.
For organisations that collaborate on personal data, this is critical to maintaining proper compliance with the GDPR and strengthening trust between the parties. It is also a prerequisite for avoiding administrative fines and ensuring that all parties act in line with the GDPR’s core principles.
Frequently asked questions on joint controller agreement and joint controllership
Organisations should analyse their collaborations to determine whether they jointly decide the purposes and means of any processing.
- It facilitates a correct division of responsibilities.
- It supports clear communication to data subjects.
- It reduces the risk of sanctions for non-compliance.
- It strengthens trust in collaborations involving personal data.
It means that two or more actors together determine the purposes and means of processing personal data (joint controllers under the GDPR).
Parties are joint controllers when both influence how and why personal data are processed. Merely using the same system or platform is not sufficient to establish joint controllership.
The agreement must clearly regulate each party’s responsibilities. It should, among other things, specify who maintains systems for handling data subject rights and what information must be provided to data subjects.
- Set out the division of responsibility for different types of processing.
- Describe procedures for handling personal data breaches.
- Ensure contact details for the joint controllers are available to data subjects.
To meet accountability requirements under GDPR, controllers must document their agreement on the division of responsibilities, preferably in a joint controller agreement. If responsibilities are unclear, matters may fall between the cracks and lead to infringements, administrative fines and reputational harm.
With joint controllership, both parties determine the processing. A processor only processes personal data on behalf of a controller.
- Joint controllership: both determine purposes and means.
- Processor: acts solely on the controller’s instructions.
- A data processing agreement is required where there is a processor relationship.