Log in

← Back to Glossary

Joint controller: Understanding shared responsibility in data processing

A joint controller refers to two or more entities that jointly determine the purposes and means of processing personal data. Unlike a data processor, which acts on behalf of a controller, joint controllers share decision-making power over data processing activities.

Under Article 26 of the General Data Protection Regulation (GDPR), joint controllers must establish a clear agreement outlining their roles, responsibilities, and obligations to ensure compliance with data protection laws.

When does a joint-controller relationship exist?

A joint-controller relationship occurs when:

  • Two or more organizations collaborate in defining why and how personal data is processed.
  • Both parties have an equal say in determining the processing objectives.
  • Decisions about data processing are shared, rather than dictated by one entity.

Examples of joint controllers

  • A retail chain and a financial institution jointly running a loyalty program.
  • A hospital and a research institution conducting a study on patient data.
  • Social media platforms and advertisers determining ad targeting strategies.

Try RESPONSUM for free

Set up your personalized environment and see how RESPONSUM’s powerful features simplify your compliance workflows. Our experts are here to guide you every step of the way.

Try for free
G2 badge fall 2024 easiest to do business with
G2 badge fall 2024 best support
G2 badge fall 2024 high performer
G2 badge fall 2024 high performer Europe
G2 badge fall 2024 high performer EMEA

How to establish a GDPR-compliant agreement

Organizations acting as joint controllers must clearly define responsibilities and legal obligations to ensure GDPR compliance.

1. Draft a joint-controller agreement (JCA)

  • Specify which entity handles which aspects of data processing.
  • Clearly state who manages data subject rights requests (DSRRs).
  • Define security measures and compliance procedures.

2. Inform data subjects about the joint-controller relationship

  • Update privacy policies to reflect joint data processing responsibilities.
  • Provide contact details for both controllers.
  • Ensure data subjects understand how to exercise their rights.

3. Ensure compliance and accountability

  • Conduct regular audits to monitor data processing activities.
  • Maintain records of processing activities (ROPA) for transparency.
  • Implement data breach response plans to address security risks.

Book a demo to see RESPONSUM in action

Book your free demo and discover how RESPONSUM fits your needs. Get expert insights, a live platform walkthrough, and personalized tips to boost your compliance strategy.

Book a demo

Why defining joint-controller responsibilities is essential for GDPR compliance

Establishing a clear joint-controller agreement helps organizations:

  • Avoid GDPR penalties by ensuring legal clarity.
  • Ensure transparency in data processing activities.
  • Protect data subjects’ rights with clear accountability.
  • Strengthen trust and cooperation between partnering entities.

By properly managing joint-controller relationships, businesses can reduce compliance risks, improve data governance, and build stronger partnerships while respecting GDPR requirements.

Try for free