Joint controllers

What are joint controllers?

Not all vendors that you share data with are data processors. In cases where the vendor processes personal data for their own purposes, the vendor is also considered to be a joint controller. An example could be the Facebook “Like” widget: a website operator that embeds the Facebook “Like” widget on its website is considered a joint data controller with Facebook.

Joint controllers are governed by Article 26 of the GDPR. They are not required to have a contract in place, but they must, in a transparent manner, determine their respective responsibilities. However, each controller remains responsible for complying with all the obligations of controllers under the GDPR.

Example of a joint controller

A hotel and a car rental company decide to set up an online platform. They agree on which data will be stored and who can have access to the information stored. Furthermore, they choose to share the data of their customers to carry out marketing actions.

In this case, the parties will have joint control over how personal data of their respective customers are processed and will therefore be joint controllers regarding processing that relates to the platform.

What is important here is that both parties jointly determine the purposes and means of the processing.

What are the duties of joint controllers?

Each joint controller is responsible as a controller and must comply with, and be able to demonstrate compliance with, all GDPR data protection principles. Furthermore, data controllers are also responsible for the compliance of the vendors that process personal data on the controllers’ behalf.

Is your company a joint controller?

To determine if you are a joint controller, you need to look at who determines the purposes and means of the processing. If you jointly determine the purposes and the means, you could both be acting as joint controllers.

For more information read our dictionary entry regarding the responsibilities of data controllers.

Further reading

Joint controllers are a specific type of GDPR role. However, there are many roles with regard to GDPR.

Read more about the different roles and their respective responsibilities.
