
Joint Controllership

Exists when two or more controllers jointly determine the purposes and means of processing personal data, as defined in Art. 26 GDPR.

Joint controllership exists under Art. 26 GDPR when two or more controllers jointly determine the purposes and means of processing personal data. The decisive criterion is shared decision-making authority: if multiple parties act independently of one another, or on a clear principal-contractor basis, joint controllership does not apply. Distinguishing joint controllership from data processing under Art. 28 GDPR is often difficult in practice and requires careful legal analysis.

Where joint controllership exists, the parties involved must enter into an arrangement under Art. 26 GDPR that transparently sets out their respective responsibilities under the GDPR — in particular regarding the exercise of data subject rights and the provision of information under Art. 13 and 14 GDPR. The essence of this arrangement must be made available to data subjects. Importantly, data subjects may exercise their rights against any one of the controllers, regardless of the internal allocation of responsibilities.

Well-known examples of joint controllership from CJEU case law include the operation of a Facebook fan page (Fashion ID ruling, 2019) and the use of Facebook plugins on websites. For compliance officers, the assessment of joint controllership is particularly relevant for group companies sharing IT infrastructure, joint marketing activities between multiple organisations, and the use of certain social media features. Once joint controllership is identified, a joint controller arrangement under Art. 26 GDPR must be concluded without delay.

Legal Basis

Art. 26 GDPR

Practical Example

Your organisation operates a joint webinar platform together with a partner company, through which both organisations collect participant data and use it for their own marketing purposes. As compliance officer, you recognise that both organisations jointly determine the purposes and means of the processing and are therefore joint controllers under Art. 26 GDPR. You recommend concluding a joint controller arrangement that specifies which organisation handles access requests, who is responsible for drafting the privacy notice, and how data breaches will be managed. The key elements of this arrangement are incorporated into the privacy notice on the webinar registration page.

FAQ

Joint controllership exists when two or more parties jointly determine the purposes and means of a processing activity. Typical examples include the joint operation of an IT platform, group-wide processing activities, and the use of certain social media features such as Facebook fan pages.

The arrangement under Art. 26 GDPR must transparently set out the respective responsibilities of each controller, in particular regarding the handling of data subject rights and the information obligations under Art. 13/14 GDPR. The essence of the arrangement must be made available to data subjects.

In data processing, a service provider acts solely on the instructions of the controller without independent decision-making authority. In joint controllership, both parties jointly determine the purposes and means of the processing. The distinction must be carefully assessed in each case, as it has significant legal consequences.
