Data Protection

Joint Controllership Under Art. 26: When It Applies and What to Regulate

TL;DR
  • Joint controllership exists when two or more controllers jointly determine the purposes and means of processing. What matters is the factual influence, not the contractual designation.
  • The CJEU broadly interpreted the concept in the Wirtschaftsakademie, Jehovan todistajat, and Fashion ID rulings. Even co-determining parameters of a processing activity can be sufficient.
  • Art. 26 GDPR requires an agreement that transparently defines who fulfills which obligations, particularly regarding data subject rights and information duties.
  • Vis-a-vis data subjects, joint controllers are jointly and severally liable. The agreement only governs the internal relationship.
  • Distinguishing joint controllership from data processing is often difficult. The key question is: Who determines the purposes? If both sides co-determine the purposes, it is not data processing.

Why joint controllership matters

In data protection practice, two constellations dominate: the controller processes data itself, or it engages a processor under Art. 28 GDPR. The third constellation — joint controllership under Art. 26 GDPR — is largely overlooked. Many organizations have never concluded an Art. 26 agreement, even though they should have.

This has consequences. If joint controllership exists but you do not recognize and treat it as such, the required agreement is missing. Data subjects are not correctly informed. Obligations are not allocated. And during an audit by the supervisory authority, a violation of Art. 26 GDPR is on the table.

The European Court of Justice has interpreted the concept of joint controllership significantly more broadly in several landmark rulings than many organizations expected. The topic therefore affects far more scenarios than are immediately apparent.

Definition: When does joint controllership exist?

Art. 26(1) sentence 1 GDPR defines: "Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers."

The three key terms:

Jointly: The determination does not need to be consensual. It is sufficient if the parties factually collaborate and do not make processing decisions independently of each other. Even one-sided dominance by a partner does not exclude joint controllership.

Purposes: Why is the data processed? If both sides have their own interest in the processing and the processing serves these shared or complementary interests, this points to joint controllership.

Means: How is the data processed? If both sides influence the technical and organizational means of processing — the systems used, the data categories, the retention period — that is an indicator of joint controllership.

Important: It is not required that both sides equally determine purposes and means. It is sufficient if each side co-determines at some phase of the processing. Controllership can be asymmetrically distributed.

CJEU case law: Broad interpretation

Wirtschaftsakademie Schleswig-Holstein (C-210/16, 2018)

A company operated a Facebook fan page. The CJEU ruled that the fan page operator and Facebook are joint controllers, even though the operator had no access to the raw user data. Reasoning: by setting up the fan page and configuring the target audience parameters, the operator co-determines what data Facebook collects and how it is processed. The mere fact that the operator uses Facebook Insights (anonymized statistics) establishes co-responsibility.

Jehovan todistajat (C-25/17, 2018)

The religious community of Jehovah's Witnesses coordinated the preaching activities of its members, who noted personal data during house visits. The CJEU considered the community and the individual members as joint controllers, even though the community had no direct access to the notes. What was decisive was the organizational control: the community assigned territories, gave instructions on data collection, and benefited from the collected information.

Fashion ID (C-40/17, 2019)

An online retailer had embedded the Facebook Like button on its website. The CJEU ruled that the online retailer and Facebook are joint controllers — at least for the phase of data collection and transmission to Facebook. The retailer benefits from the data collection (reach measurement, advertising opportunities) and actively contributed to the data collection by embedding the button.

What these rulings mean for you

The threshold for joint controllership is significantly lower than most organizations assume. You do not need to jointly operate a database or jointly access records. It is sufficient if your decisions contribute to a data processing activity taking place and you benefit from it.

Practically relevant scenarios that frequently qualify as joint controllership:

  • Operating social media fan pages (Facebook, Instagram, LinkedIn)
  • Embedding social media plugins and buttons on your own website
  • Shared customer databases within corporate groups
  • Cooperations in sweepstakes or joint marketing campaigns
  • Shared service centers processing data for multiple group companies
  • Research cooperations with shared data use
  • Platforms where multiple parties provide and use data

Distinguishing from data processing

The distinction between joint controllership (Art. 26) and data processing (Art. 28) is often the most difficult topic in practice. Both constellations require a contractual arrangement, but the obligations and liability consequences are fundamentally different.

The decisive difference

Data processing (Art. 28): The processor processes data exclusively on behalf and under the instructions of the controller. It has no interest of its own in the processing and does not co-determine purposes or essential means. Example: a hosting provider that stores data and makes it technically available but has no substantive influence on the processing.

Joint controllership (Art. 26): Both sides have their own interest in the processing and co-determine purposes and/or means. Example: two companies that jointly operate a customer loyalty program and both use the collected data for their own marketing purposes.

Decision tree for classification

Ask yourself the following questions:

  1. Does the service provider have its own interest in the processing? If yes, it is not pure data processing.
  2. Does the service provider co-determine the purposes of the processing? If yes, joint controllership is likely.
  3. Does the service provider independently determine essential means of processing? If it only determines technical details (which server, which database), it remains data processing. If it determines substantive means (which data is collected, how long it is stored, who has access), this points to joint controllership.
  4. Does the service provider also process the data for its own purposes? If yes, it is definitively not data processing.

Gray area: Independent third parties

There is a third possibility that is often overlooked: two controllers process data in a related context but independently of each other. Each determines its own purposes and means without any joint determination taking place. In this case, there is neither data processing nor joint controllership, but a transfer between independent third-party controllers. This requires a legal basis for the transfer but no agreement under Art. 26 or Art. 28.

Contents of the Art. 26 agreement

Art. 26(1) sentence 2 GDPR requires that joint controllers "in a transparent manner determine their respective responsibilities for compliance" by means of an arrangement. The agreement must in particular regulate:

Mandatory contents

Allocation of GDPR obligations: Who fulfills which information duties (Art. 13, 14)? Who handles data subject requests (Art. 15 to 22)? Who reports data breaches (Art. 33, 34)? Who maintains the records of processing activities (Art. 30)? Who conducts a DPIA (Art. 35)?

Exercise of Data Subject Rights: The agreement must define whom data subjects can contact and who handles requests. Note: the internal agreement does not change the data subjects' rights. Art. 26(3) GDPR clarifies that the data subject may exercise their rights against each of the controllers, regardless of what the agreement states.

Contact point for data subjects: Art. 26(1) sentence 3 requires the agreement to duly reflect the respective "roles and relationships" of the joint controllers vis-a-vis the data subjects. Data subjects must know whom they can contact.

Recommended additional provisions

Beyond the mandatory contents, a good Art. 26 agreement should also address the following points:

  • Description of the joint processing: What data is processed, for what purposes, on what legal basis?
  • Technical and organizational measures: Who is responsible for which security measures?
  • Sub-processors: May the joint controllers engage processors? Under what conditions?
  • Internal liability allocation: Art. 82(4) GDPR enables a right of recourse. The agreement should clarify internal liability allocation.
  • Term and termination: What happens to the data when joint controllership ends?
  • Instructions and escalation: How are disagreements on data protection issues resolved?

Transparency toward data subjects

Art. 26(2) sentence 2 requires that the "essence of the arrangement" be made available to data subjects. This typically happens in the privacy notice. The technical and organizational measures (TOMs) of both sides should also be documented. You must disclose that joint controllership exists, with whom, and who fulfills which obligations.

Liability in joint controllership

The liability regime in joint controllership is particularly relevant for organizations because it is joint and several.

External relationship: Vis-a-vis data subjects, each joint controller is liable for the entire damage (Art. 82(4) GDPR). The data subject can choose which controller to claim compensation from. It does not matter which controller actually committed the violation.

Internal relationship: The controller that paid the full compensation can claim reimbursement of the other joint controllers' share. The shares are determined by the agreement and, if the agreement contains no provision, by the degree of respective responsibility for the damage.

Practical consequence: If you are jointly responsible with a financially weak partner, you bear the full liability risk in the worst case, because the data subject sues you as the solvent partner and you cannot effectively seek recourse from the insolvent partner.

Practical example: Social media fan page

The most common example of joint controllership is operating a company page on Facebook, Instagram, or LinkedIn. Following the CJEU's Wirtschaftsakademie ruling, joint controllership exists between the page operator and the platform.

Facebook subsequently published a "Page Insights Addendum" intended to serve as an Art. 26 GDPR agreement. German supervisory authorities have repeatedly criticized this addendum as insufficient, particularly because:

  • Obligations are allocated one-sidedly to the detriment of the page operator
  • Facebook does not transparently disclose its own processing purposes
  • The page operator has practically no influence on Facebook's data processing but is still co-responsible

For you as a page operator, this means an unsatisfying situation: you are jointly responsible but have barely any room to shape the arrangement. Nevertheless, you must reference the joint controllership in your privacy notice, have the addendum available, and be able to handle data subject requests.

Practical example: Intra-group shared service center

A mid-sized corporate group with five subsidiaries operates a central shared service center for HR administration. The SSC processes personnel master data, runs payroll, and manages time tracking for all subsidiaries.

Is this data processing or joint controllership? That depends on the specific setup:

Data processing: If the SSC works strictly under instructions and the subsidiaries specify every processing activity in detail, it is data processing. The SSC has no interest of its own in the processing and determines neither purposes nor essential means.

Joint controllership: If the SSC independently decides on processing workflows, software selection, retention periods, or access rights, and if it pursues its own purposes (e.g., group-wide HR statistics, benchmarking), joint controllership is likely.

In practice, many shared service centers are hybrid forms: partly instruction-bound, partly autonomous. The clean solution is an agreement that covers both aspects and clarifies for each processing activity whether it is classified as data processing or joint controllership.

Checklist: Reviewing an Art. 26 agreement

If you need to create or review an Art. 26 GDPR agreement, work through the following points:

  • Is joint controllership correctly identified and distinguished from data processing?
  • Are the jointly responsible entities named?
  • Is the joint processing fully described (data, purposes, legal bases)?
  • Is it clarified who fulfills each GDPR obligation?
  • Is a contact point for data subject requests defined?
  • Is it regulated how data subject requests are forwarded and handled?
  • Is the breach notification obligation allocated?
  • Are the technical and organizational measures described?
  • Is the internal liability allocation regulated?
  • Is the essence of the agreement disclosed in both parties' privacy notices?
  • Are the term and data handling upon termination regulated?

In ISMS Lite, you can manage Art. 26 agreements together with DPAs centrally and keep track of obligations, deadlines, and contact persons.

Further reading

Joint controllership is not an exotic special case. It is the norm in a connected economy where organizations share data, use platforms, and collaborate in value chains. Those who recognize and properly regulate it have an advantage over the vast majority that still ignores the topic.
