Joint controller arrangement
A joint controller arrangement transparently sets out, under Art. 26 GDPR, who fulfils which data protection obligations when two or more parties jointly determine the purposes and means of a processing operation.
A joint controller arrangement is mandatory under Art. 26 GDPR whenever two or more controllers jointly determine the purposes and means of processing personal data. Unlike processing on behalf of a controller, no party acts solely on the instructions of another; instead, all parties share responsibility. The arrangement must set out in a transparent manner who fulfils which obligations under the GDPR, in particular with regard to exercising the rights of data subjects and meeting the information duties under Art. 13 and 14 GDPR.
The arrangement must duly reflect the respective actual roles and relationships of the joint controllers vis-à-vis the data subjects. It must designate a point of contact for data subjects, and the essence of the arrangement must be made available to them. Crucially, data subjects may exercise their rights against each individual controller regardless of the internal allocation of tasks (Art. 26(3) GDPR); the arrangement therefore does not limit liability in the external relationship with data subjects.
Distinguishing joint controllership from processing on behalf of a controller and from separate controllership is decisive in practice and often difficult. What matters is the factual co-determination of purposes and means, not the contractual label. The CJEU has interpreted the concept of joint controllership broadly (for example in the Wirtschaftsakademie and Fashion ID rulings). A missing or inadequate arrangement can be sanctioned with fines under Art. 83(4) GDPR and regularly creates legal uncertainty when data subjects seek to exercise their rights.
Legal Basis
Art. 26 GDPR (in conjunction with Art. 13, 14, 24, 83(4) GDPR)
Practical Example
A company jointly operates a campaign website with a marketing partner, where both parties co-determine the analysis of user data for their own purposes. The data protection officer recognises that this constitutes joint controllership and initiates an arrangement under Art. 26 GDPR. The arrangement allocates responsibilities: the marketing partner informs data subjects at first contact, while the company centrally handles access and erasure requests. The essence of the arrangement is made transparent in the website's privacy notice, so that data subjects know whom to contact.