Article 26

Joint controllers

1.   Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

2.   The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.

3.   Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

What does it mean?

Article 26 of the GDPR outlines the responsibilities and regulations for situations where two or more data controllers jointly determine the processing of personal data.

Joint controllers are required to create a transparent agreement detailing each party’s responsibilities under the GDPR. They also need to inform data subjects about their specific roles and establish methods for data subjects to exercise their rights concerning their data. This includes making it clear whom data subjects should contact regarding their rights.

In practice, although each joint controller is individually accountable for GDPR compliance, they share the responsibility for ensuring that their joint processes are compliant with the GDPR. This shared responsibility means that if there is a breach of the GDPR, all joint controllers involved may be held accountable.

Yes, joint controllers must have a formal agreement that outlines the responsibilities of each party, their data protection practices, and the management of data subjects’ rights.

Data subjects can exercise their rights with any of the joint controllers. These controllers are obligated to provide clear methods for data subjects to do so, such as offering contact details or a centralized request system.

Yes, joint controllers can mutually decide how to distribute liability among themselves. However, this arrangement does not affect the rights of data subjects to seek compensation from any controller involved in the processing of their data.

Article 26 ensures that the rights and protection of data subjects are upheld when their personal data is processed by joint controllers. It establishes rules and accountability for the joint management of personal data between organisations.

Awareness Training

Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.