Article 26: Joint controllers

To meet the Article 26 (joint controllers) requirement, you must (1) confirm when you and another party jointly decide the purposes and means of a processing activity, (2) document a transparent joint-controller arrangement that assigns GDPR responsibilities (especially DSAR handling and Articles 13/14 notices), and (3) make the arrangement’s “essence” available to data subjects. (Regulation (EU) 2016/679, Article 26)

Key takeaways:

  • Joint controllership is triggered by shared decision-making over purposes and means, not by contract labels. (Regulation (EU) 2016/679, Article 26)
  • You need a written arrangement allocating responsibilities for core GDPR obligations, with clear DSAR and notice ownership. (Regulation (EU) 2016/679, Article 26)
  • Publish or otherwise provide the “essence” of the arrangement to data subjects, and align operations to match it. (Regulation (EU) 2016/679, Article 26)

Article 26 is operationally simple but easy to fail in practice: if two organizations co-design how and why personal data is processed, regulators expect you to treat the relationship as joint controllership and run it like a managed compliance interface, not an informal partnership. Your risk is not limited to paperwork. If DSAR routing breaks, if privacy notices are inconsistent, or if accountability gaps appear during an incident, the absence of a functioning Article 26 arrangement becomes a force-multiplier for enforcement and customer trust issues.

For a CCO or GRC lead, the fastest path is to treat joint controllership as a repeatable decision and contracting workflow tied to specific processing activities. You need three things that stand up under scrutiny: (1) a defensible role determination, (2) an “arrangement” that assigns responsibilities in plain terms, and (3) operating procedures and evidence that show the assignment works in day-to-day handling of rights requests and disclosures. Article 26 also requires transparency to individuals: you must make the essence of the arrangement available to them. (Regulation (EU) 2016/679, Article 26)

This page gives requirement-level implementation guidance you can apply immediately across partnerships, platform integrations, co-marketing programs, joint research, and shared customer journeys.

Regulatory text

Excerpted requirement (operator-relevant): Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers and must transparently determine their respective responsibilities for GDPR compliance, especially for data subject rights and Articles 13/14 information duties, by means of an arrangement. The essence of the arrangement must be made available to data subjects. (Regulation (EU) 2016/679, Article 26)

What the operator must do:

  1. Identify processing activities where your organization and another party jointly decide “why” (purpose) and “how” (key means) personal data is processed. (Regulation (EU) 2016/679, Article 26)
  2. Put in place a written, transparent joint-controller arrangement that allocates GDPR responsibilities, with explicit coverage for DSAR execution and privacy notice responsibilities. (Regulation (EU) 2016/679, Article 26)
  3. Provide data subjects access to the “essence” of that arrangement, and ensure your real operations match the allocation. (Regulation (EU) 2016/679, Article 26)

Plain-English interpretation (what “joint controllers” means)

You are a joint controller when you and another entity co-decide the processing: you both shape the objectives and the major design choices. The label in the contract (“processor,” “service provider,” “partner”) does not control the outcome if the facts show shared decision-making. Article 26 then requires you to write down who does what for GDPR, so individuals and regulators don’t face a responsibility vacuum. (Regulation (EU) 2016/679, Article 26)

A practical mental model: joint controllership often appears where data moves across organizations but neither party is acting purely “on instructions.” If both parties influence what data is collected, how it’s used, and for which business goals, assume you must run the Article 26 analysis. (Regulation (EU) 2016/679, Article 26)

Who it applies to (entity + operational context)

Entities: Any organization acting as a controller that engages in processing where another controller also participates in determining purposes and means. (Regulation (EU) 2016/679, Article 26)

Common operational contexts where Article 26 shows up:

  • Joint marketing / co-branded lead gen where both parties define targeting, fields collected, and downstream uses.
  • Platform integrations where both parties decide event tracking, identity matching, and measurement logic.
  • Joint research / product development where both parties define datasets, selection criteria, and reuse.
  • Shared customer administration (e.g., benefits administration ecosystems) where multiple parties shape the workflow and data model.
  • Marketplace models where the platform and seller both shape customer communications, fraud controls, and analytics.

What you actually need to do (step-by-step)

Step 1: Stand up a role-and-scope register for joint controllership

Create a register at the processing-activity level (not just by third party), capturing:

  • Processing activity name and business owner
  • Other party legal entity
  • Purpose(s) and key means (what choices each party makes)
  • Data categories and data subject groups
  • Systems involved and data flows
  • Your preliminary role view: controller / processor / joint controller, with rationale
  • Link to contract(s) and privacy notice(s)

This directly supports the Article 26 trigger test: “jointly determine the purposes and means.” (Regulation (EU) 2016/679, Article 26)

Step 2: Run a joint-controller determination using a decision record

For each candidate activity, document a short determination memo:

  • What decisions does each party make about purpose?
  • What decisions does each party make about means (key elements like categories collected, sharing logic, retention drivers, and disclosure recipients)?
  • Where does one party merely follow instructions versus co-designing the processing?

Output: “Joint controllers: yes/no” plus a rationale and approver sign-off. If you use Daydream, store this as an evidence packet tied to the processing activity for retrieval during diligence and regulator inquiries.

Step 3: Draft the Article 26 arrangement (the operational contract schedule)

Article 26 requires an “arrangement” that allocates responsibilities transparently, especially DSARs and Articles 13/14 notice obligations. (Regulation (EU) 2016/679, Article 26)

Use a schedule or annex that is explicit and testable. Minimum clauses to include:

A. Allocation matrix (who does what)

Cover, at minimum:

  • Data subject rights intake (who receives requests, channels monitored)
  • Identity verification (method, owner)
  • Data retrieval and response drafting (system owners, timelines, handoffs)
  • Objection/consent signals (where stored, how propagated)
  • Articles 13/14 disclosures (which notice covers which processing)
  • Security and incident cooperation (who investigates, who notifies, how you coordinate)
  • Records of processing alignment (who maintains which entries, how changes are shared)

B. Single point of contact (operational)

Even if both remain responsible, name a primary operational contact for DSAR coordination and regulator communications to avoid dropped handoffs. Article 26 anticipates clarity for rights exercising. (Regulation (EU) 2016/679, Article 26)

C. Change control

Define triggers that require revisiting the arrangement: new purposes, new data categories, new recipients, major system changes. This is how you keep the arrangement aligned to actual processing decisions. (Regulation (EU) 2016/679, Article 26)

Step 4: Publish/provide the “essence” to data subjects

Article 26 requires making the “essence of the arrangement” available to data subjects. (Regulation (EU) 2016/679, Article 26)

Operationalize this as:

  • A short public-facing statement in the relevant privacy notice(s) describing:
    • That you act as joint controllers for the specific processing
    • The main allocation of responsibilities (who handles DSARs, who provides notices)
    • How to contact the responsible party/parties
  • A support playbook so customer support and privacy ops can route questions consistently.

Step 5: Implement the operating procedure (make the contract real)

Build a requirement-specific SOP with:

  • Intake workflow for DSARs that may involve the other joint controller
  • A standard handoff template (request ID, scope, identity status, deadline, systems implicated)
  • An escalation path for disputes (e.g., disagreement on identity, scope, exemptions)
  • A periodic check that published “essence” still matches the arrangement and current data flows

Step 6: Test it

Run tabletop exercises:

  • A DSAR that requires data from both parties
  • A request to delete/erase where one party argues a retention need
  • A scenario where the individual contacts the “wrong” party first

Capture test results and remediation actions as evidence that responsibilities are operational.

Required evidence and artifacts to retain

Keep an “Article 26 evidence packet” per joint processing activity:

  • Role determination memo and approvals (why this is joint controllership) (Regulation (EU) 2016/679, Article 26)
  • Joint-controller arrangement (executed) plus any schedules/annexes (Regulation (EU) 2016/679, Article 26)
  • Responsibility allocation matrix (RACI-style) mapped to DSARs and Articles 13/14 duties (Regulation (EU) 2016/679, Article 26)
  • Copy/link to the privacy notice language that provides the essence (Regulation (EU) 2016/679, Article 26)
  • SOP and workflow screenshots/tickets showing DSAR routing and fulfillment handoffs
  • Evidence of periodic review and change control (meeting notes, approvals, updated versions)
  • Exceptions log where responsibilities deviated, with remediation

Daydream fits naturally here as the system of record for the register, decision records, and recurring evidence packets across third parties and processing activities.

Common exam/audit questions and hangups

Auditors and regulators tend to probe for execution gaps:

  1. Show me how you decided this relationship is joint controllers, not controller-processor. Provide the decision record tied to the actual processing activity. (Regulation (EU) 2016/679, Article 26)
  2. Where is the arrangement, and how does it allocate DSAR handling? They will look for a concrete allocation, not general cooperation language. (Regulation (EU) 2016/679, Article 26)
  3. Where is the “essence” disclosed to individuals? Point to the notice text and the exact processing context. (Regulation (EU) 2016/679, Article 26)
  4. Prove the arrangement works operationally. Expect requests for DSAR tickets, correspondence, and timelines across parties.
  5. What happens when the other joint controller fails to respond? Have escalation and documented attempts.

Frequent implementation mistakes (and how to avoid them)

Mistake: Treating “partner” language as enough
Why it fails: Article 26 requires allocating responsibilities in an arrangement, not vague collaboration language. (Regulation (EU) 2016/679, Article 26)
How to avoid: Use a responsibility matrix with named owners for DSARs and notices.

Mistake: One global joint-controller addendum for all processing
Why it fails: Joint controllership is activity-specific; responsibilities often differ by workflow. (Regulation (EU) 2016/679, Article 26)
How to avoid: Create per-activity schedules or clearly scoped appendices.

Mistake: Publishing nothing about the arrangement
Why it fails: Article 26 requires making the essence available to data subjects. (Regulation (EU) 2016/679, Article 26)
How to avoid: Add a concise “joint controllership” section to the relevant notice.

Mistake: DSAR workflow assumes the other party will “do their part”
Why it fails: Operational failures create rights-handling risk and accountability gaps. (Regulation (EU) 2016/679, Article 26)
How to avoid: Build SLAs, escalation steps, and ticket-based handoffs.

Mistake: No change control
Why it fails: Processing drifts; the arrangement becomes stale and defensibility collapses.
How to avoid: Add triggers tied to product changes, new data categories, or new purposes.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this page, so this section is omitted by design.

From a risk perspective, Article 26 failures usually show up as:

  • Individuals cannot tell who to contact, or get inconsistent answers.
  • DSAR timelines slip because each party waits on the other.
  • Notices fail to describe shared controllership and responsibilities.

Those are high-friction issues during regulator inquiries and enterprise customer diligence, because they signal weak accountability for shared processing. (Regulation (EU) 2016/679, Article 26)

Practical 30/60/90-day execution plan

First 30 days (triage and decisions)

  • Build your joint controller candidate inventory from: partnerships, adtech/analytics, co-marketing, platform integrations, shared service models.
  • Stand up the role-and-scope register and require it for new third-party intake.
  • Complete determination memos for the highest-risk flows (customer data, tracking, profiling, cross-context sharing).
  • Identify where privacy notices need an “essence” disclosure. (Regulation (EU) 2016/679, Article 26)

Days 31–60 (contracting and operational wiring)

  • Draft and negotiate the Article 26 arrangement (or update existing agreements) with a responsibilities matrix. (Regulation (EU) 2016/679, Article 26)
  • Implement DSAR handoffs: ticketing, secure exchange, escalation, ownership.
  • Update privacy notices (or layered notices) to provide the arrangement essence for the relevant processing. (Regulation (EU) 2016/679, Article 26)

Days 61–90 (evidence and testing)

  • Run DSAR and incident cooperation tabletop exercises and fix gaps.
  • Establish periodic review of joint-controller arrangements tied to change management.
  • Create a repeatable evidence packet export for audits, customers, and regulator questions.

Frequently Asked Questions

How do we tell joint controllers from a controller-processor relationship?

Focus on facts: if both parties jointly determine the purposes and key means of processing, Article 26 applies. Labels in the contract do not resolve the analysis. (Regulation (EU) 2016/679, Article 26)

Do we need one agreement per joint controller relationship?

You need an “arrangement” that transparently allocates responsibilities for the relevant processing. A master agreement can work if it clearly scopes responsibilities by processing activity and stays accurate as processing changes. (Regulation (EU) 2016/679, Article 26)

What does “essence of the arrangement” mean in practice?

Publish a short, understandable summary: that you act as joint controllers for the specific processing, which party is the main contact for rights requests, and how Articles 13/14 information is provided. Keep it aligned with your executed arrangement. (Regulation (EU) 2016/679, Article 26)

Can we assign all DSAR responsibility to the other joint controller?

Article 26 allows allocating responsibilities, but you still need a transparent arrangement and a working process so data subjects can exercise rights effectively. If your operations depend on the other party, build escalation and proof of cooperation. (Regulation (EU) 2016/679, Article 26)

We have multiple products with the same partner. Do we need multiple “essence” disclosures?

If the purposes/means and responsibility allocation differ by product workflow, treat them separately so the disclosure remains accurate for each processing context. Over-broad disclosures create mismatch risk. (Regulation (EU) 2016/679, Article 26)

What evidence should we expect to produce during customer diligence?

Provide the joint-controller arrangement, the role determination, the public “essence” disclosure language, and sample operational records (redacted) showing DSAR routing and completion across both parties. (Regulation (EU) 2016/679, Article 26)
