GRCWatch
Sign inStart free trial

GDPR A26-01: Joint Controllers — Defining Responsibilities & Transparency

When multiple organizations jointly control personal data processing, GDPR Article 26 mandates a clear, transparent arrangement defining each party's compliance obligations. This control ensures data subjects understand who's responsible for what—and your organization has documented proof of those divisions.

What this means

Joint controllers are two or more separate legal entities that together decide the purposes and means of processing personal data. Article 26-01 requires you to establish a written arrangement that transparently allocates GDPR responsibilities (lawfulness, consent, data subject rights, security, breach notification, etc.) between all controllers. This arrangement must be made available to data subjects in accessible terms—they need to know which organization to contact for their rights.

How to comply

  1. 1.Identify all entities that jointly determine processing purposes and means in your data flows.
  2. 2.Draft a Data Controller Agreement (DCA) or Joint Controller Arrangement (JCA) specifying each party's GDPR responsibilities.
  3. 3.Allocate accountability for key obligations: lawful basis, consent collection, data subject rights (access, deletion, portability), breach notification, DPIA, and DPA reporting.
  4. 4.Document the arrangement clearly and ensure it's legally binding—not informal or ambiguous.
  5. 5.Make the essential terms of the arrangement publicly available or provide them to data subjects upon request (privacy notice, website, app).
  6. 6.Ensure each controller has the means to fulfill their allocated obligations (processes, staff, systems).
  7. 7.Review and update the arrangement whenever processing roles or purposes change.

Evidence auditors look for

  • Signed Data Controller Agreement or Joint Controller Arrangement document with clear responsibility allocation
  • Privacy Notice or Data Subject Information Sheet naming all controllers and their respective roles
  • Website footer or app privacy policy disclosing joint control arrangement and contact details for each controller
  • Internal RACI matrix or responsibility map showing which controller owns which GDPR obligation
  • Records of updates to joint controller arrangements following business or processing changes
  • Consent forms or data collection flows that identify all joint controllers upfront
  • Documented communication to data subjects (email, privacy notice update) explaining the arrangement

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates joint controller arrangement tracking: store and version control your DCA, map responsibilities to GDPR obligations in your control matrix, flag when processing changes require arrangement updates, and generate data subject disclosures—all in one compliance hub.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR Article 5 — Lawfulness, fairness, transparencyGDPR Article 13/14 — Data subject information requirementsGDPR Article 28 — Processor agreements (contrast: controller vs. processor)GDPR Article 37 — Data Protection Officer roles (may clarify in joint arrangement)