Joint Controller

Two or more entities that jointly determine the purposes and means of processing personal data. Joint controllers share responsibility for compliance rather than one acting as controller and the other as processor. The arrangement requires controllers to jointly determine essential processing elements, though they may have different roles in practice. Common examples include website operators and social media plugins, co-branded services, research collaborations, and business partnerships involving shared databases. GDPR Article 26 requires joint controllers to transparently determine respective responsibilities through arrangement, designate a contact point for individuals, and ensure data subject rights can be exercised. Each joint controller remains liable for entire compliance, though they can allocate liability internally. Organizations should recognize when joint controller relationships exist, establish clear arrangements defining responsibilities, ensure transparent communication to data subjects, implement mechanisms for exercising rights, and document the joint controller arrangement.