ISpectra Technologies
Roles, Accountability & Documentation · Guide · Updated Jun 2026 · 9 min read

GDPR Joint Controllers: Roles & Responsibilities

When two organisations jointly decide how data is used, they are joint controllers. Here’s what that means and how to structure it.

Most GDPR guidance focuses on the controller–processor relationship, but a third arrangement — joint control — is increasingly common and easy to stumble into. Recognising it and structuring it properly is an often-overlooked part of GDPR compliance, especially for organisations that collaborate or share data.

This guide explains what joint controllers are, how they differ from separate controllers and processors, the Article 26 arrangement, shared liability, and how to set the relationship up correctly.

What joint controllers are

Most organisations think in terms of a single controller and its processors. But GDPR recognises a third pattern: joint controllers. Under Article 26, where two or more organisations jointly determine the purposes and means of processing, they are joint controllers and share responsibility for it.

This is easy to fall into without realising — through shared platforms, co-branded activities or pooled data — and it brings specific obligations that catch many businesses by surprise.

Joint vs separate vs processor

It helps to distinguish three situations. If you decide purposes and means together with another organisation, you are joint controllers. If each of you decides independently for your own purposes, you are separate controllers. If one of you simply acts on the other’s instructions, that one is a processor.

The dividing line is whether the determination of purposes and means is genuinely shared, kept separate, or delegated.

The Article 26 arrangement

Joint controllers must put in place a transparent arrangement that allocates responsibilities — in particular for exercising data subject rights and providing the required information to individuals. The arrangement should reflect each party’s real role in the processing.

This is not optional paperwork: it is how GDPR ensures someone is clearly responsible for each obligation, so individuals are not bounced between organisations.

Transparency to individuals

The essence of the joint-controller arrangement must be made available to the individuals whose data is processed, typically through the privacy notice. People need to understand who is responsible for what, and who they can approach.

You cannot hide a joint-controller relationship behind the scenes — transparency about it is a specific requirement.

Individuals can choose who to approach

Crucially, regardless of how you allocate responsibilities between yourselves, a data subject can exercise their rights against any of the joint controllers. The internal arrangement governs who handles what between the parties, but it cannot limit the individual’s ability to choose.

So each joint controller must be ready to receive and route requests, even those that the arrangement assigns to the other party.

Liability is shared

Joint control comes with shared exposure. Individuals can claim compensation, and regulators can act, against any joint controller for the processing. The internal arrangement may govern how costs are apportioned between the parties, but it does not reduce each party’s responsibility to the outside world.

This is why you should not enter joint control casually — you take on liability for processing you only partly control.

Common examples

Joint control often arises in: co-branded marketing campaigns where two companies jointly decide how to use shared customer data; industry platforms or consortia that pool data for a common purpose; and certain uses of social media plugins and shared analytics, where both the site operator and the platform shape the processing.

If a collaboration involves jointly deciding why and how personal data is used, joint control is likely in play.

When it is not joint control

Not every collaboration creates joint control. If you simply pass data to a partner who then uses it for their own separate purposes, you are usually separate controllers in a controller-to-controller transfer. If a partner only processes on your instructions, they are a processor.

The label matters because it dictates which contracts and obligations apply, so assess the substance of the relationship rather than assuming.

Setting up a joint-controller relationship

To do it properly: confirm that you genuinely jointly determine purposes and means; agree a written arrangement allocating responsibilities (especially transparency and rights); designate a contact point for individuals if helpful; reflect the essence of the arrangement in your privacy notices; and align your security and breach processes.

The arrangement should be practical, not just a formality — people need to be able to act on it when a request or incident arrives.

Allocating responsibilities sensibly

Allocate each obligation to whichever party is best placed to handle it. The organisation with the direct customer relationship might own transparency and rights requests, while another with the technical platform might own security. What matters is that every obligation has a clear owner.

Gaps — where neither party owns an obligation — are exactly where joint-controller arrangements fail.

Documenting and reviewing

Record the arrangement, the rationale for the allocation, and how it is communicated to individuals. Review it when the processing or the relationship changes, because roles can shift over time — what began as joint control may become separate control, or vice versa.

Keeping the documentation current is part of demonstrating accountability for the shared processing.

Common pitfalls

Typical mistakes include not recognising joint control at all, having no Article 26 arrangement, failing to tell individuals about the relationship, and assuming the internal allocation limits what data subjects can do. Each leaves a gap that surfaces when a request or complaint arrives.

The fix is to identify joint control early and paper it properly, before data starts flowing.

How ISpectra helps

Recognising and structuring joint-controller relationships correctly is an advanced but important part of GDPR compliance. ISpectra Technologies helps organisations identify where joint control exists, draft Article 26 arrangements that allocate responsibilities clearly, and align transparency, rights and breach processes between the parties.

If you run shared platforms or co-branded activities, a short review will tell you whether joint control applies and how to handle it.

In one paragraph

Joint controllers are two or more organisations that jointly determine the purposes and means of processing. Article 26 requires them to agree a transparent arrangement allocating responsibilities — especially for transparency and data subject rights — and to make its essence available to individuals, who can exercise their rights against any joint controller regardless of the internal split. Liability is shared. Joint control commonly arises in co-branded campaigns, shared platforms and certain analytics, but not where parties act independently or one merely processes on instruction. Identify it early, allocate every obligation a clear owner, document it, and reflect it in your privacy notices.

A worked example

Imagine two companies launching a joint loyalty programme. They agree together what data to collect from members, how it will be analysed, and how rewards will be targeted — a textbook case of jointly determining purposes and means, and therefore joint control. They draft an Article 26 arrangement: Company A, which owns the customer-facing app, will handle privacy notices and most data subject requests; Company B, which runs the analytics platform, will own security and breach detection and will support A on any request touching its systems.

The essence of this split is summarised in the loyalty programme’s privacy notice so members know who does what. Critically, a member can still send an erasure request to either company, and whichever receives it must act — routing to the other where the arrangement requires. If a breach occurs on B’s platform, B alerts A immediately so A can meet the 72-hour deadline. Mapped out this way, the relationship is clear, every obligation has an owner, and neither company is left exposed by an unallocated duty.

FAQ

Joint Controllers — Frequently Asked Questions

Two or more organisations that jointly determine the purposes and means of processing personal data, sharing responsibility under Article 26.
A transparent agreement between joint controllers allocating responsibilities, particularly for transparency and handling data subject rights.
Yes. Regardless of the internal allocation, a data subject can exercise their rights against any of the joint controllers.
Joint controllers decide purposes and means together; separate controllers each decide independently for their own purposes.
Yes. Individuals and regulators can act against any joint controller, though the internal arrangement may apportion costs between the parties.
Typically in co-branded campaigns, shared platforms or consortia, and certain analytics and plugin uses where parties jointly shape the processing.