Joint Controllership
Joint controllership arises where two or more entities jointly determine the purposes and means of processing - either by a common decision or through converging decisions (decisions that complement each other and are necessary, with a tangible impact on purposes/means). Article 26 requires joint controllers to allocate their respective compliance responsibilities by an arrangement, and to make the essence of that arrangement available to data subjects. Key CJEU cases: Fashion ID (a 'Like' button plug-in: Fashion ID and Facebook were joint controllers even though Fashion ID never saw the data, but only for the collection/transmission stage) and Wirtschaftsakademie (a Facebook fan-page admin was a joint controller). Sharing data or infrastructure alone is not joint controllership.
Joint controllership is assessed by the same question as controllership - who determines the purposes and means? - but requires joint determination by two or more entities. That joint determination can be a literal common decision or arise from converging decisions. Converging decisions count only when they relate to the purposes and means - converging decisions on commercial matters do not, even if the processing could not happen without the commercial deal.
| Scenario | Outcome | Why |
|---|---|---|
| Fashion ID - 'Like' button plug-in | Joint controllers (Fashion ID + Facebook) | Fashion ID had decisive influence over the plug-in and sought commercial benefit - even though it never accessed the data |
| Scope of Fashion ID's responsibility | Only collection and transmission | It had no influence over what Facebook did with the data afterwards |
| Wirtschaftsakademie - Facebook fan page | Fan-page admin is a joint controller | It defined the parameters of the audience statistics, even though Facebook 'primarily determined' purposes/means |
| Group HR database, each company sees only its own staff | Separate (independent) controllers | Each independently determines uses and retention for its own employees |
| One project partner pays another to run an analysis on a shared platform | Controller–processor, not joint | Processing is determined by and for the commissioning entity; the other's only benefit is payment |
Sharing data or infrastructure does not automatically create joint controllership. You must look stage by stage at who jointly determines purposes and means. Entities are joint controllers only for the stages where they participate in that determination - and may be separate controllers (or controller/processor) for other stages.
- Article 26 requires joint controllers to allocate their respective responsibilities by an arrangement (form unspecified; EDPB recommends a binding legal act for certainty).
- The essence of the arrangement must be made available to data subjects, who can exercise their rights against any of the joint controllers.
- Joint controllers should go beyond Articles 13/14 and allocate responsibility for all overlapping compliance areas: Article 5 principles, security, breach notification, DPIAs, use of processors, transfers and DPA contact.
- A single point of contact can be designated for convenience, but a data subject or DPA may still contact any joint controller.