Abstract
EU GDPR Article 26 addresses situations where two or more organisations jointly determine the purposes and means of processing personal data. These organisations are known as joint controllers. The article requires joint controllers to clearly define and transparently allocate their respective responsibilities for GDPR compliance, particularly regarding data subject rights and information obligations. Article 26 promotes accountability, legal clarity, and fairness by ensuring that individuals understand who is responsible for protecting their data, even when multiple controllers are involved.

Explanation
Under the General Data Protection Regulation (GDPR), a controller is an entity that decides why and how personal data is processed. Article 26 comes into play when more than one controller jointly makes these decisions. This is common in modern data ecosystems where organisations collaborate through partnerships, platforms, shared services, or co-branded initiatives.
Article 26 requires joint controllers to enter into a transparent arrangement that determines their respective roles and responsibilities for complying with GDPR obligations. This includes defining who handles data subject requests, who provides privacy information, and how security and accountability measures are implemented.
Importantly, this arrangement must reflect the actual roles of each controller, not just contractual labels. While joint controllers can allocate responsibilities between themselves, they remain jointly liable towards data subjects. This means an individual can exercise their rights against any of the joint controllers, regardless of internal agreements.
Additionally, the essence of the arrangement must be made available to data subjects, ensuring transparency and trust in joint processing activities.
Key Points
- Joint control exists when decisions are made together: Organisations are joint controllers when they jointly determine the purposes and means of processing, even if their involvement is unequal.
- A formal arrangement is mandatory: Joint controllers must define responsibilities in a legally binding agreement or documented arrangement.
- Clear allocation of GDPR duties: Responsibilities for transparency, data subject rights, security, and compliance must be clearly assigned.
- Data subject rights remain protected: Individuals can exercise their rights against any joint controller, regardless of internal role divisions.
- Transparency is essential: The essence of the joint controller arrangement must be communicated to data subjects.
- Joint liability applies: Controllers may be held collectively responsible for GDPR violations arising from joint processing.
General Activation Steps
- Identify joint controller relationships: Assess whether two or more parties jointly determine why and how personal data is processed. This often occurs in partnerships, shared platforms, or collaborative marketing activities.
- Map processing activities: Document the flow of personal data, the purposes of processing, and each controller’s involvement in decision-making.
- Define responsibilities clearly: Allocate GDPR obligations such as:
  - Providing privacy notices
  - Handling data subject rights requests
  - Implementing security measures
  - Managing data breaches
- Draft a joint controller agreement: Create a written arrangement reflecting real practices. While GDPR does not prescribe a specific format, clarity and completeness are essential.
- Ensure transparency for data subjects: Update privacy notices to explain joint control and provide access to the essence of the arrangement.
- Review and update regularly: Joint controller relationships should be reassessed whenever processing activities or partnerships change.
Use Cases
- Co-branded marketing campaigns: Two companies jointly run a promotional campaign and decide how customer data is collected, shared, and used.
- Online platforms and partners: A digital platform and a business partner jointly determine user data processing for analytics or targeted advertising.
- Research collaborations: Universities or research organisations jointly define research objectives and data processing methods involving personal data.
- Shared IT systems: Multiple organisations use a common system where they jointly decide how employee or customer data is processed.
- Public sector collaborations: Government bodies jointly administering a public service involving shared personal data responsibilities.
Dependencies
Article 26 does not operate in isolation and depends on other GDPR provisions, including:
- Article 4 (Definitions) – clarifies the meaning of “controller” and “processing”
- Article 5 (Principles of processing) – lawfulness, fairness, transparency, and accountability
- Article 6 (Lawful bases) – joint controllers must agree on lawful grounds for processing
- Articles 12–22 (Data subject rights) – responsibilities for handling rights requests must be allocated
- Article 24 (Responsibility of the controller) – accountability obligations still apply to each controller
- Article 32 (Security of processing) – joint responsibility for appropriate technical and organisational measures
Tools and Technologies
To effectively manage joint controller obligations, organisations commonly rely on:
- Data Mapping & Discovery Tools: Identify where personal data is stored, shared, and jointly processed.
- Compliance Management Platforms: Centralise documentation, agreements, and accountability records.
- Consent Management Systems: Coordinate how consent is collected and managed across joint controllers.
- Privacy Notice Management Tools: Ensure transparency and consistent communication with data subjects.
- Access Request Management Tools: Track and respond to data subject rights requests efficiently.
- Security & Encryption Tools: Protect shared data and reduce the risk of breaches across systems.
Let’s Wrap
EU GDPR Article 26 recognises the reality of shared decision-making in data processing and ensures that accountability does not become diluted when multiple controllers are involved. By requiring joint controllers to clearly define and communicate their responsibilities, the article strengthens transparency, protects data subject rights, and reinforces trust in collaborative data practices.
For organisations, compliance with Article 26 is not just about drafting agreements; it is about aligning real-world practices with GDPR principles. Clear governance, accurate documentation, and open communication between joint controllers are essential to avoid legal risks and ensure fair, lawful, and transparent data processing.
In an increasingly interconnected digital environment, Article 26 serves as a critical safeguard, ensuring that shared control does not mean shared confusion, but rather shared responsibility.
