Key Takeaways

  • Understand the joint controller relationship and why it matters.
  • Identify the unique obligations joint controllers carry.
  • Learn what provisions to include in your joint controller agreement.

GDPR Joint Controller Agreements by Lena Ghamrawi

It’s been eight years since the GDPR launched the terms controller, processor, and Data Processing Agreement (DPA) into every privacy lawyer’s vocabulary.

It’s now 2026, and many of us can draft, review, and negotiate a standard DPA in our sleep. However, there is one type of privacy agreement that still catches us off guard because it is far less common: the joint controller agreement.

What are Joint Controllers?

GDPR Article 26 states that a joint controllership arises when “two or more controllers jointly determine the purposes and means of processing.” If you think that’s confusing, you’re not alone.

The European Data Protection Board (EDPB) has thankfully issued extensive guidance on this topic (Guidelines 07/2020 on the concepts of controller and processor). It clarified that the key criterion for joint controllership is whether the parties jointly determine both the purposes and the means of the personal data processing, whether through a common decision or through converging decisions. To qualify as a true joint controllership, the processing operations must be inextricably linked, i.e., the processing would not be possible without each controller’s participation. Using the same data or sharing a platform is not, on its own, enough.

It’s imperative to note that not every multi-party data processing arrangement automatically creates a joint controllership; many such arrangements are controller-to-processor, or two independent controllers each processing for its own purposes. Arrangements that often do give rise to joint controllership include research collaborations, co-marketing campaigns, and partnerships that develop and process shared datasets.

How Joint Controller Agreements Differ From DPAs

First, the GDPR does not prescribe the legal form of the arrangement between joint controllers. Article 26(1) requires the parties to determine their respective responsibilities “by means of an arrangement between them,” but it is silent on what that arrangement must look like. The EDPB recommends a binding document such as a contract, for the purposes of legal certainty, transparency, and accountability. This diverges from the controller-to-processor relationship, where Article 28 requires a contract (or other legal act) with a defined list of mandatory terms. While the roles and responsibilities are clearly defined in a typical DPA, the requirements for what to include in a joint controller agreement remain vague.

Second, and critically, joint controllers face joint and several liability for the processing. Under Article 82(4), where more than one controller is responsible for damage caused by the same processing, each can be held liable for the entire damage so that the data subject is fully compensated; the controller that pays can then claim back from the other the share corresponding to its responsibility (Article 82(5)). Separately, Article 26(3) lets data subjects exercise their rights against each joint controller irrespective of how the arrangement allocates responsibilities. In other words, the internal allocation in your agreement does not bind the data subject. In contrast, a standard DPA allocates responsibility along the controller/processor line and typically caps the processor’s contractual liability.

Lastly, Article 26(2) requires that “the essence of the [joint controller] arrangement shall be made available to the data subject.” Although this is up for interpretation, it’s commonly understood to require that individuals be told who the joint controllers are, what each one’s processing role is, and how to exercise their privacy rights, typically through the privacy notice or on request. In practice, most organizations still choose to keep their joint controller agreements confidential, but upon request will share a summary or addendum that captures these key points.

What to Include in Your Joint Controller Agreement

The elusive joint controller agreement can come in a variety of flavors due to the GDPR’s lack of prescriptive instructions. However, the two explicit matters that must be addressed under Article 26(1) are how data subjects can exercise their privacy rights and which party provides the transparency information required under Articles 13 and 14. Article 26(1) also allows, but does not require, the arrangement to designate a contact point for data subjects. Beyond that, the parties have control and flexibility over what else to include in their agreement.

The best practice is to follow the EDPB’s guidance, which recommends incorporating the following provisions so that the arrangement also covers the other GDPR controller obligations:

  • General privacy principles: Include language that ensures the controllers comply with the Article 5 principles, such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation (retention), and integrity and confidentiality.
  • Legal basis: Each controller must determine its own legal basis under Article 6 for processing personal data, and is restricted from further processing that data for secondary purposes that are incompatible with the original purpose or do not align with the data subjects’ reasonable expectations.
  • Security measures: Determine which technical and organizational security measures to put in place (Article 32), along with who is responsible for implementing and maintaining them.
  • Data breaches: Specify who will handle each aspect of data breach response, such as notification to the other controller, to the supervisory authority (Article 33), and to impacted individuals (Article 34), and how quickly the other controller must be informed so that the 72-hour notification window can be met.
  • Data Protection Impact Assessments (DPIAs): Where required, designate who will be responsible for conducting a DPIA, addressing the identified risks, and implementing mitigating measures.
  • Processors: Outline how each controller will engage processors (and any subprocessors those processors use), whether the other controller has approval rights, and what the onboarding process is. Each controller engaging a processor remains responsible for its own Article 28 contract.
  • Transfers of data to third countries: If data is transferred internationally, determine who is responsible for implementing the appropriate Chapter V transfer mechanism (for example, reliance on an adequacy decision or execution of standard contractual clauses).
  • Point of contact: Designate a point of contact for regulatory inquiries and data subject requests, outline who is responsible for responding to these external communications, and decide where to publicly post this contact information.

In summary, drafting and negotiating joint controller agreements require a different approach than standard DPAs. You are not managing a vendor; you are managing a partnership that comes with its own unique risks and considerations.

The post GDPR Joint Controller Agreements appeared first on Contract Nerds.
