Article 26: Joint controllers

GDPR Article 26 requires you to treat organizations as “joint controllers” when you and another party jointly decide the purpose and key means of processing, then document a transparent allocation of responsibilities in a joint controller arrangement and make the “essence” of that arrangement available to data subjects. Your job is to identify joint-controller scenarios, assign operational owners, and prove the arrangement works in practice. (Regulation (EU) 2016/679, Article 26)

Key takeaways:

  • Joint controllership is triggered by shared decision-making about purposes and essential means, not by contract labels. (Regulation (EU) 2016/679, Article 26)
  • You need a written Article 26 arrangement that allocates GDPR duties (notably DSAR handling and Articles 13/14 notices) and aligns to how work is actually done. (Regulation (EU) 2016/679, Article 26)
  • You must be able to show operational evidence: intake, ownership, execution, and “essence” disclosure, not just a template in Legal’s folder. (Regulation (EU) 2016/679, Article 26)

Article 26 is a requirement about clarity and accountability when two or more organizations act as controllers together. If your business runs a co-branded program, shares a customer list for a joint campaign, operates a shared platform with another entity, or decides together how a data-driven product works, you may have created a joint controller relationship even if one party calls the other a “vendor.”

For a CCO or GRC lead, the practical problem is repeatability: joint-controller decisions happen in product launches, partnerships, and data-sharing deals, often before Privacy or Compliance sees the details. Article 26 expects you to (1) identify when the joint controller standard is met, (2) allocate GDPR responsibilities transparently in an arrangement, especially for data subject rights and Articles 13/14 notices, and (3) provide the “essence” of that arrangement to data subjects. (Regulation (EU) 2016/679, Article 26)

Operationalizing Article 26 means building a light but enforceable workflow: a role-and-scope register, a joint-controller determination record, an arrangement template that maps to real control owners, and evidence packets that prove it runs.

Regulatory text

Operative requirement (excerpted/paraphrased): Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. They must determine their respective responsibilities for GDPR compliance in a transparent manner, in particular for exercising data subject rights and providing the information required under Articles 13 and 14, by means of an arrangement between them (unless, and in so far as, those responsibilities are already determined by Union or Member State law). The arrangement may designate a contact point for data subjects, and its essence must be made available to the data subject. Irrespective of the terms of the arrangement, the data subject may exercise his or her rights in respect of and against each of the controllers. (Regulation (EU) 2016/679, Article 26)

What the operator must do:

  • Decide, for each relevant processing activity, whether the facts indicate “jointly determine purposes and means.” (Regulation (EU) 2016/679, Article 26)
  • Put a written, transparent allocation of responsibilities in place (the Article 26 arrangement). (Regulation (EU) 2016/679, Article 26)
  • Ensure DSAR handling and privacy notice obligations are explicitly owned, executable, and aligned across parties. (Regulation (EU) 2016/679, Article 26)
  • Publish or otherwise provide the “essence” of the arrangement to individuals in a workable way (usually via privacy notice language and/or a dedicated joint-controller disclosure). (Regulation (EU) 2016/679, Article 26)

Plain-English interpretation (requirement-level)

Article 26 is a “no ambiguity” rule. If two organizations are both making the important decisions about why personal data is processed and the key ways it is processed, regulators expect both to accept controller obligations and to document who does what.

A contract that labels one party a “processor” will not save you if the operating reality shows shared decision-making about purpose and essential means. Your control objective is defensible role clarity plus an arrangement that stands up during a DSAR spike, an incident, or a supervisory authority inquiry. (Regulation (EU) 2016/679, Article 26)

Who it applies to (entity + operational context)

Applies to: Any organization subject to GDPR acting as a controller where another controller is also involved in the same processing and decision-making. (Regulation (EU) 2016/679, Article 26)

Common operational contexts that trigger review:

  • Joint marketing or audience-building arrangements where both parties decide targeting criteria, channels, and measurement approach.
  • Co-branded or federated services where both parties set core product rules (e.g., account creation logic, eligibility, profiling, retention).
  • Data-sharing partnerships where both parties decide the purpose (why) and essential means (what data, how combined, how long retained, core security approach).
  • Platform or marketplace models where the platform and merchant/partner jointly shape the customer data journey.

Non-trigger (common misconception): A standard third-party processor relationship where your organization determines the purpose and essential means and the third party acts only on documented instructions typically belongs in an Article 28 processor agreement, not Article 26. Article 26 is for shared control, not outsourced execution. (Regulation (EU) 2016/679, Article 26)

What you actually need to do (step-by-step)

1) Establish an intake trigger so you find joint-controller scenarios

Create a mandatory Privacy/Compliance check for:

  • New partnerships and data-sharing agreements
  • Co-marketing initiatives
  • Shared platforms, integrations, identity federation, analytics sharing
  • Any initiative where another party proposes how data will be collected, used, or combined

Practical control: Add an intake question set to procurement, partnership approvals, and product launch checklists: “Do we and another party jointly decide purpose or essential means?” Capture the answer and route to privacy counsel/DP lead for determination. (Regulation (EU) 2016/679, Article 26)

2) Make a documented role decision for each processing activity

Maintain a role-and-scope register that is specific enough to be audited:

  • Processing activity name and description
  • Parties involved (legal entities)
  • Role determination (controller / joint controller / processor) with rationale
  • Data categories, data subjects, systems, and data flows
  • Owner (business), owner (privacy/compliance), and Legal approver

This directly addresses the common failure mode: teams “know” it’s a partnership but cannot prove they assessed controllership. (Regulation (EU) 2016/679, Article 26)

3) Draft and execute the Article 26 joint controller arrangement

Your arrangement should map responsibilities to real operators. Minimum topics to include, aligned to Article 26’s emphasis: (Regulation (EU) 2016/679, Article 26)

A. Purpose/means scope

  • Define in-scope processing activities and exclusions.
  • Identify “essential means” that are jointly decided vs. independently decided.

B. Data subject rights (DSAR) operating model

  • Single intake channel vs. multiple channels, whether the arrangement designates a contact point for data subjects (Article 26(2) permits this), and how requests are routed.
  • Responsibility for identity verification steps.
  • Timelines, handoffs, and escalation path.
  • Who performs searches in which systems.
  • Response ownership and approval.

C. Privacy information duties (Articles 13/14)

  • Who provides the primary notice at collection.
  • How each party references the other party.
  • How the “essence” disclosure will be delivered to individuals.

D. Security, incident coordination, and accountability hooks

Article 26’s text highlights DSARs and notice duties; you still need the arrangement to be operationally safe. Include:

  • Security baseline alignment (at least at the boundary of shared processing)
  • Incident notification coordination points (who informs whom, and how quickly)
  • Audit/cooperation mechanism for compliance verification

Keep this tight: the goal is execution and proof, not a “deal memo” with no control mapping. (Regulation (EU) 2016/679, Article 26)

4) Publish the “essence” to data subjects

Decide where the “essence” lives:

  • Privacy notice section “Joint controllers” with the core allocation points, or
  • A standalone joint-controller disclosure page referenced from the notice

What you publish should be stable, readable, and consistent with the signed arrangement. If you materially change responsibilities, update both the arrangement and the public disclosure. (Regulation (EU) 2016/679, Article 26)

5) Operationalize: testing, monitoring, and exceptions

Build lightweight ongoing checks:

  • DSAR tabletop test with the partner (routing, searches, draft response)
  • Quarterly or deal-driven review trigger: new data sources, new purposes, system changes
  • Exception process when the business wants to proceed without an arrangement (default: block launch pending sign-off)

If you use Daydream, set up a requirement-specific operating procedure with named owners, trigger events (new partnership, new data-sharing, product change), and required approvals, then attach evidence packets to each in-scope processing activity record.

Required evidence and artifacts to retain

Keep an “Article 26 evidence packet” per joint-controller relationship:

  • Role-and-scope register entry with rationale and approvers
  • Joint controller arrangement (executed) and redline history
  • Essence disclosure text and publication location (snapshot)
  • DSAR runbook for the relationship: routing, responsibilities, contact points
  • Article 13/14 notice mapping showing who provides which notice elements
  • Operational proof: sample DSAR tickets (sanitized), handoff logs, response approvals
  • Change logs for major processing changes and arrangement updates
  • Exception approvals and remediation tasks when gaps are found

Regulators and customers ask for operating evidence because Article 26 requires responsibilities to be determined “in a transparent manner” and to work for data subjects in practice. (Regulation (EU) 2016/679, Article 26)

Common exam/audit questions and hangups

Expect these:

  • “Show me how you determine when a relationship is joint controllership versus controller–processor.”
  • “Where is the signed Article 26 arrangement, and which processing activities does it cover?” (Regulation (EU) 2016/679, Article 26)
  • “Who is responsible for DSAR intake, identity verification, and final response approval?” (Regulation (EU) 2016/679, Article 26)
  • “How do you make the essence of the arrangement available to data subjects? Show me the notice.” (Regulation (EU) 2016/679, Article 26)
  • “What happens when a request arrives at the ‘wrong’ party?” (Under Article 26(3) the data subject may approach either controller, so both need a receive-and-route path.)
  • “How do you keep the arrangement current when the product or integration changes?”

Frequent implementation mistakes (and how to avoid them)

Mistake 1: Treating joint controllership as a “contract type”

Avoidance: Force a factual assessment in intake. Document why you do or do not jointly determine purposes and essential means. (Regulation (EU) 2016/679, Article 26)

Mistake 2: Writing an arrangement that allocates duties to departments that do not exist in practice

Avoidance: Map each responsibility to a named operational owner and a system. If “Partner handles DSAR searches,” confirm they can actually query the relevant data stores.

Mistake 3: Forgetting the “essence” disclosure

Avoidance: Make publication a launch gate. No disclosure, no production go-live for the shared processing. (Regulation (EU) 2016/679, Article 26)

Mistake 4: Covering only DSARs and notices, ignoring day-2 operations

Avoidance: Add change-control triggers: new data categories, new matching logic, new retention rules, new recipients. Update the arrangement and register.

Mistake 5: No evidence packet

Avoidance: Treat evidence retention as part of the control, not as a scramble during diligence. In Daydream, attach artifacts directly to the processing activity record and refresh them on a recurring cadence.

Enforcement context and risk implications


From a risk perspective, Article 26 failures typically surface during DSARs and transparency reviews: inconsistent notices, both parties denying ownership, or stalled request handling. The operational impact is real: DSAR backlog, partner disputes, delayed launches, and increased regulatory scrutiny because responsibilities were not “determined” and made transparent. (Regulation (EU) 2016/679, Article 26)

Practical 30/60/90-day execution plan

First 30 days (stabilize and stop new gaps)

  • Stand up a joint-controller intake trigger for partnerships, procurement, and product launch.
  • Create a role-and-scope register structure and start with the highest-risk partnerships (largest data volume, broadest sharing, or customer-facing co-branding).
  • Publish an internal Article 26 SOP: who decides, who approves, what blocks a launch.
  • Draft an Article 26 arrangement template with clear DSAR and notice allocations. (Regulation (EU) 2016/679, Article 26)

Next 60 days (convert priorities and make it executable)

  • Execute arrangements for prioritized relationships.
  • Implement DSAR routing: shared mailbox/API channel, ticket tags, handoff rules, escalation contacts.
  • Update privacy notices with joint-controller “essence” disclosures for in-scope processing. (Regulation (EU) 2016/679, Article 26)
  • Run one tabletop DSAR per major joint-controller relationship and document results.

By 90 days (operate, evidence, and audit readiness)

  • Expand register coverage to remaining partnerships and shared processing activities.
  • Establish a recurring evidence packet refresh and a change-control trigger tied to product/integration changes.
  • Add partner performance checks: DSAR handoff SLAs you can meet, not promises you cannot evidence.
  • Centralize everything in Daydream so a single record contains the determination, arrangement, disclosure, and operational proof.

Frequently Asked Questions

How do I tell the difference between a joint controller and a processor?

Joint controllers jointly decide the purposes and essential means of processing; processors act on documented instructions. If the other party can decide “why” the data is used or the key “how,” treat it as a joint-controller risk and document the rationale. (Regulation (EU) 2016/679, Article 26)

Do we need a separate agreement for every joint activity?

You need an arrangement that clearly covers the processing activities in scope and allocates responsibilities transparently. In practice, one master arrangement can work if it includes schedules per activity and is kept current. (Regulation (EU) 2016/679, Article 26)

What does “essence of the arrangement” mean operationally?

Provide a data-subject-facing summary of the key responsibility split, especially for rights handling and notice duties, in a place individuals will find (usually the privacy notice). Keep it consistent with the signed arrangement. (Regulation (EU) 2016/679, Article 26)

Can we assign all DSAR responsibility to the partner?

You can allocate tasks, but you still need an arrangement that works in practice and aligns to your real ability to support rights requests. Allocation does not limit the data subject: under Article 26(3), individuals may exercise their rights against each joint controller irrespective of the arrangement’s terms, so you must be able to receive a request, route it, and confirm it is answered even if the partner is named as primary. If you cannot access the relevant data or coordinate responses, your allocation will fail during execution. (Regulation (EU) 2016/679, Article 26)

What evidence should we show during customer diligence?

Provide the role-and-scope register entry, the signed Article 26 arrangement, the public “essence” disclosure text, and a DSAR operating procedure with proof of execution (sanitized tickets, routing logs, or tabletop results). (Regulation (EU) 2016/679, Article 26)

We have multiple affiliates in a group. Is that joint controllership?

It can be, if separate legal entities jointly decide purposes and essential means for a shared processing activity. Treat group structures like any other third party relationship: document the role decision and implement an arrangement if the joint controller standard is met. (Regulation (EU) 2016/679, Article 26)
