UK GDPR: Joint Controllers
Joint Controllers [Art 26]
Rule: Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers and must determine their respective responsibilities by transparent arrangement.
26.1 — Joint Controllership Test
Joint controllers exist when:
- Joint determination of purposes and means
- Participation in decision-making about processing
- Common purpose for processing (even if each has separate purposes too)
Examples of Joint Controllership
| Scenario | Joint Controllers? |
|---|---|
| Two companies share CRM for joint marketing | ✅ Yes |
| Hospital and research institute jointly run study | ✅ Yes |
| Company uses processor for payroll | ❌ No (controller-processor) |
| Franchisees using franchisor’s centralized system | ✅ Likely yes |
| Social media plugin (Like button) on website | ✅ Yes (website + platform) |
| Companies sharing customer leads | ✅ Yes |
Key question: Do both parties have a say in “why” (purpose) or “how” (means) of processing?
26.2 — Joint Controller Arrangement
Controllers must determine in a transparent manner:
| Requirement | Detail |
|---|---|
| Respective responsibilities | Who does what (collection, storage, deletion, etc.) |
| GDPR obligations | Who handles data subject rights, breach notification, etc. |
| Relationship to data subjects | How data subjects can exercise rights |
| Form | Written agreement recommended (not legally required) |
| Essence made available | Summary provided to data subjects |
Required Content
At minimum, arrangement must cover:
- Which controller does what processing operations
- Who is the contact point for data subjects
- Who handles data subject rights requests
- Who notifies breaches to ICO
- Security responsibilities
- Liability allocation (internal, not binding on data subjects)
26.3 — Data Subject Rights
Critical: Data subject may exercise rights against either or both joint controllers, regardless of internal arrangement.
| Right | Data Subject Can Exercise Against… |
|---|---|
| Access | Either controller |
| Erasure | Either controller |
| Rectification | Either controller |
| All other rights | Either controller |
Internal arrangements do not limit data subject rights.
26.4 — Essence Available to Data Subjects
Controllers must make the essence of the arrangement available to data subjects:
- In privacy notice
- On website
- On request
“Essence” means:
- Who the joint controllers are
- How to contact each one
- How responsibilities are divided
- How to exercise rights
Not required: Full legal agreement text (can be internal).
Liability and Compensation [Art 82]
| Internal Arrangement | External Liability |
|---|---|
| May allocate liability between controllers | Data subject can claim against ANY controller for full damage |
| Can agree indemnity/contribution | Controller who pays can recover from others |
Key principle: Joint and several liability to data subjects. Internal cost allocation is a separate matter.
Common Joint Controller Scenarios
1. Marketing Partnerships
Example: Two retailers share customer data for joint loyalty program.
Arrangement must specify:
- Who collects data initially
- Who sends marketing communications
- Who handles opt-outs
- How data is deleted when partnership ends
2. Social Media Plugins
Example: Website embeds Facebook Like button.
Joint controllers: Website + Facebook
Arrangement must specify:
- What data is collected by plugin
- Who is contact for privacy questions
- How users can object to tracking
CJEU case law: Fashion ID (C-40/17) — website + Facebook are joint controllers for data collected by plugin.
3. Research Collaborations
Example: University and hospital jointly conduct clinical trial.
Arrangement must specify:
- Who recruits participants
- Who stores data
- Who analyzes results
- Who handles data subject rights
- Data retention after study ends
4. Franchise Relationships
Example: Franchisor provides centralized booking system for franchisees.
May be joint controllers if:
- Both determine purposes of processing
- Franchisor has access to customer data
- Both use data for own purposes
Arrangement must specify:
- Who owns customer relationship
- Who handles complaints
- Who deletes data
Distinction from Processor Relationship
| Joint Controller | Processor |
|---|---|
| Determines purposes and means | Only processes per controller’s instructions |
| Own purposes for processing | No own purposes |
| Joint liability | Controller remains responsible |
| Art 26 applies | Art 28 applies (written data processing agreement required) |
Example — Joint Controllers: Two companies share leads database for mutual benefit.
Example — Controller-Processor: Company uses Mailchimp to send newsletters.
Designation of Contact Point
Joint controllers may designate one controller as contact point:
- For data subjects to exercise rights
- For supervisory authority communications
BUT:
- Does not change joint liability
- Data subjects can still contact either controller
- Designated contact must coordinate with other controller
Audit and Accountability
Joint controllers should:
- Document the arrangement in writing
- Review arrangement periodically
- Maintain records of processing (Art 30)
- Conduct joint DPIA if high risk (Art 35)
- Coordinate breach response (Art 33-34)
ICO Guidance
ICO recommends:
- Clear agreement — even if not legally required, put it in writing
- Regular review — arrangements may change over time
- Practical allocation — be specific about who does what
- Data subject focus — ensure rights can be easily exercised
Citation
Article 26 — Joint controllers
Related ICO guidance: Data sharing: a code of practice