AuditFront

GDPR Art.26: Joint Controllers

What This Control Requires

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

In Plain Language

When two or more organisations jointly decide why and how personal data gets processed, they become joint controllers - whether they realise it or not. It's the factual reality that matters, not what the contract says. Shared marketing platforms, collaborative research projects, integrated service offerings - if both sides have a say in the purposes and means, you're in joint controller territory.

Joint controllers need a transparent arrangement that spells out who is responsible for what. The arrangement must cover which party handles data subject rights (access, rectification, erasure, and so on) and which party provides the Article 13/14 privacy information. You can designate a single contact point for data subjects to simplify things.

Here's the part that catches people off guard: no matter what your internal arrangement says, a data subject can exercise their rights against either controller. If someone sends a deletion request to you but the arrangement says the other party handles that, you can't just bounce the request. Each joint controller needs to be ready to facilitate compliance, regardless of how you've split responsibilities behind the scenes.

How to Implement

Review your data sharing and collaborative processing relationships to spot any that are actually joint controllership. Look for situations where you and another organisation together decide the purposes of processing, jointly determine the key aspects of how it's done, or where your processing activities are so interlinked they can't be separated. Shared databases, coordinated campaigns, and integrated platforms are all strong indicators. Document your reasoning for each assessment.

Draft a joint controller arrangement for each relationship you've identified. Cover the shared purposes and means of processing, each party's compliance responsibilities, how data subject rights will be handled (or divided), who provides Article 13/14 information, the designated contact point for data subjects, and how you'll coordinate on data breaches affecting jointly controlled data.

Make the arrangement operational, not just contractual. Both organisations need to actually carry out their assigned responsibilities. Set up communication channels for coordinating on data subject requests, breach notifications, and ongoing compliance activities. Create shared procedures for anything that requires both parties to act - like responding to access requests that span both controllers' systems.

Give data subjects enough information to understand the arrangement. You don't need to publish the full document, but your privacy notices should explain the joint controllership, summarise who is responsible for what, and provide clear contact details. People need to know who to reach out to and what to expect.

Review your joint controller arrangements regularly. Business relationships evolve, processing activities change, and regulatory expectations shift. Check that the arrangement still reflects reality and that coordination is working smoothly in practice. Address any gaps or friction points promptly.

Evidence Your Auditor Will Request

  • Assessment of processing relationships identifying joint controllership situations
  • Documented joint controller arrangements compliant with Article 26
  • Privacy notices reflecting joint controllership and providing data subject contact information
  • Procedures for coordinating data subject requests between joint controllers
  • Records of regular reviews of joint controller arrangements

Common Mistakes

  • Failing to recognise joint controllership situations, treating the other party as a processor instead
  • No formal arrangement between joint controllers defining respective responsibilities
  • Data subjects unable to effectively exercise their rights due to unclear allocation of responsibilities
  • Arrangement exists but is not operationalised - neither controller takes responsibility for compliance
  • Privacy notices do not disclose the joint controllership or the allocation of responsibilities

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.8         Related

Frequently Asked Questions

How do we determine if we are joint controllers or controller-processor?
Ask who decides the why and how. If both organisations have genuine influence over the purposes and means of processing, you're joint controllers. If one organisation only processes data under the other's instructions, that's a controller-processor relationship. Focus on the reality of how decisions are made, not the label on the contract. Regulators will.
Can a data subject exercise their rights against either joint controller?
Yes, and this is non-negotiable. Article 26(3) is explicit: data subjects can go to either joint controller to exercise their rights, regardless of what your internal arrangement says. So even if you've agreed that the other party handles access requests, you still need to be able to facilitate one if it lands on your desk.
Does the joint controller arrangement need to be a single document?
No. It can be a formal agreement, a set of interlocking agreements, or even binding corporate rules for intra-group arrangements. What matters is that the allocation of responsibilities is clear and transparent, and that the key points are communicated to data subjects in an accessible way.
