A significant share of those enforcement actions traced back to the same structural failure: organizations that were, in legal reality, joint controllers with a third party — Google, Meta, a franchise partner, a co-marketing organization — and had no Article 26 arrangement in place.
Your organization may already be a joint controller right now. If you embed Facebook's Like button, operate a Facebook Page, use Google Analytics with data sharing enabled, run a co-branded loyalty programme, or share a CRM with a business partner, you have likely crossed the joint controller threshold. The CJEU established this in three landmark rulings. Whether your contracts acknowledge it is a different question.
Key Takeaways
- Joint controller status is determined by conduct, not contract: if two organizations jointly decide the purposes or means of processing, they are joint controllers regardless of how their contract labels the relationship.
- GDPR Article 26 requires a transparent written arrangement covering how responsibilities are allocated, how data subjects can exercise their rights, and who provides the Articles 13/14 transparency notice — the essence of that arrangement must be made available to data subjects.
- Data subjects can exercise their full GDPR rights against any joint controller individually, irrespective of how the Article 26 arrangement divides internal responsibility.
What "Joint Controller" Actually Means Under GDPR
GDPR Article 4(7) defines a controller as any entity that "alone or jointly with others, determines the purposes and means of the processing of personal data." Joint controllership arises when that determination is shared.
The critical point, confirmed by the CJEU in C-210/16 (Wirtschaftsakademie Schleswig-Holstein, June 2018), is that joint controllership does not require equal control. An entity can be a joint controller even without having access to the personal data being collected. What matters is participation in the decision about why the data is collected and broadly how it is processed — not necessarily a symmetric or symmetrical share of that decision.
In Wirtschaftsakademie, Facebook fan page operators were held to be joint controllers with Facebook because, by creating a fan page, they enabled and shaped the conditions under which Facebook collected visitor data through the Page Insights tool. They did not collect the data themselves. They still became joint controllers.
The Three CJEU Rulings That Define the Scope
C-210/16 Wirtschaftsakademie (June 2018). The Court found that a company operating a Facebook fan page is a joint controller with Facebook for the processing of personal data collected through Page Insights cookies. The ruling established that the element of "joint" control does not require symmetry — the fan page operator influenced the purposes and means of processing by configuring the page settings and choosing to use the tool, even without access to the underlying data.
C-40/17 Fashion ID (July 2019). A German clothing retailer that embedded the Facebook Like button on its website was held to be a joint controller with Facebook, but only for the specific phase of processing triggered by the plugin — the collection and transmission of the visitor's IP address and browser string to Facebook when the page loaded. Fashion ID was not a joint controller for what Facebook subsequently did with that data. The ruling introduced phase-specific joint controllership: you can be a joint controller for one stage of a processing chain and a mere third party for others.
C-645/19 Facebook Ireland v. Gegevensbeschermingsautoriteit (June 2021). The CJEU clarified that lead supervisory authority jurisdiction under the one-stop-shop mechanism applies to joint controllers, but each controller's home DPA retains jurisdiction over processing for which that controller bears primary responsibility. Joint controllership complicates the one-stop-shop model — your enforcement exposure may involve multiple DPAs.
When Your Organization Becomes a Joint Controller
Joint controller status is triggered by function, not by what your vendor contract says. A data processing agreement that labels your vendor a "processor" does not prevent a regulator or court from determining that the relationship is actually one of joint controllership — or independent controllership — if the conduct warrants it.
Common scenarios where joint controller status applies or is disputed:
| Scenario | Joint Controller Determination | Basis |
|---|---|---|
| Facebook Like button on your website | Joint controller with Meta for initial data collection | Fashion ID (C-40/17) |
| Facebook Page operation | Joint controller with Meta for Page Insights processing | Wirtschaftsakademie (C-210/16) |
| Google Analytics with data sharing enabled | Potentially joint controller with Google | Hamburg DPA guidance, 2022 |
| Google Analytics without data sharing | Google acts as processor | Google's Controller-Controller Terms |
| Co-branded loyalty programme | Joint controllers if both parties set programme purposes | EDPB guidelines on joint controllership |
| Franchise arrangement (shared customer data) | Typically joint controllers for central processing | EDPB enforcement guidance |
| Joint marketing event with shared attendee list | Joint controllers for event processing | EDPB guidelines |
| B2B SaaS tool processing your customers' data | Processor relationship (vendor follows your instructions) | Not joint controller |
| CDN or hosting provider | Processor relationship | Not joint controller |
The diagnostic question is whether both parties made decisions about why the data is processed (purposes) or how it is fundamentally structured (essential means). Infrastructure-level decisions — storage format, hardware used, security measures — do not trigger joint controllership. Decisions about the type of data collected, which individuals are targeted, and what the processing achieves are the ones that count.
What GDPR Article 26 Requires
Once joint controller status is established — and the GDPR enforcement context in 2026 makes misclassification a live risk — Article 26 creates a concrete obligation: the controllers "shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14."
An Article 26 arrangement must address at minimum:
1. Allocation of GDPR compliance obligations. The arrangement must specify which controller is responsible for which GDPR obligations: breach notification under Article 33 (who reports to the DPA?), data subject request handling under Articles 15-22 (who responds?), maintaining the records of processing activities under Article 30 (each controller's own processing activities), and DPIA obligations under Article 35 (when required by the joint processing activity).
2. Data subject rights handling. The arrangement must establish a clear workflow for how data subjects can exercise their rights (access, rectification, erasure, restriction, portability, objection) in relation to the joint processing activity. This includes who receives the request, who investigates it, who responds, and within what timescale. Article 26(3) is clear: regardless of how the arrangement divides this responsibility, data subjects retain the right to exercise their rights against each controller individually.
3. Transparency information for Articles 13 and 14. The arrangement must specify which controller provides the required transparency notice to data subjects at the time of collection (Article 13) or as soon as reasonably practicable when data is not collected directly from them (Article 14). Responsibility for this notice can be split — one controller handles the initial collection notice, the other handles their own subsequent processing purposes — but the split must be documented.
4. The contact point for data subjects (optional but recommended). Article 26 allows the arrangement to designate a single point of contact for data subjects. This is not mandatory, but in practice it reduces the friction of multi-controller request handling and reduces the risk of a data subject having to approach two separate organizations.
5. Internal liability allocation. While not explicitly required by Article 26's text, a complete arrangement should address how compensation costs are split if a data subject succeeds in an Article 82 claim against one controller for damage caused by the joint processing. Each controller can be held liable for the full amount; the arrangement governs the internal recourse between them. Without a clause addressing this, one controller may bear costs that should be shared.
The "Essence" Disclosure Requirement
Article 26(2) states: "the essence of the arrangement shall be made available to the data subject." This does not require publishing the full contract. It does require that data subjects can access a summary of the arrangement — specifically, which controller is responsible for what in relation to their rights and the transparency obligations.
The practical implementation is a sentence or short paragraph in your privacy notice explaining the joint controller relationship: who your joint controllers are, what processing is covered by the arrangement, and how data subjects can contact each controller (or the designated single point of contact) to exercise their rights.
Most organizations' current privacy notices do not include this. That is an Article 26(2) violation — separate from and independent of any issue with the Article 26 arrangement itself.
Internal Audit: Finding Unmarked Joint Controller Relationships
Most organizations that need Article 26 arrangements do not know they need them. The shadow data and untracked processing risks in your processing inventory often reveal the gaps. A practical audit covers three areas:
Third-party tools embedded in your web or app properties. Any third-party plugin, widget, tag, or SDK that collects data from your users at the point of interaction warrants a joint controllership analysis. The Fashion ID ruling means even standard social sharing buttons trigger the question. Review your cookie audit for all third-party scripts that fire before consent — those are the highest-risk joint controllership exposure points.
Business partnerships involving shared customer data. Co-marketing arrangements, referral partnerships, loyalty programmes, and B2B data-sharing agreements where both parties determine how the shared data is used are candidates for joint controller analysis. The diagnostic: does your partner have any say in what data is collected, who it targets, or what it is used for? If yes, the relationship requires analysis.
Platform-specific arrangements. If your organization operates a Facebook Page, participates in Google's account-level data sharing, or uses advertising tools where a platform jointly benefits from the processing, you need either a documented joint controller arrangement or a clear position from your DPA on how the relationship is classified. Google and Meta both publish standard Controller-Controller terms to address this; verify whether those terms constitute an Article 26 arrangement or merely an independent controller relationship.
Liability: Why the Internal Agreement Doesn't Bind Data Subjects
Article 26(3) creates a rule that practitioners frequently underestimate: "irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers."
This means a data subject making a GDPR data subject access request can direct that request to either joint controller, and that controller must respond — even if the Article 26 arrangement assigns responsibility to the other party. Article 82 similarly allows data subjects to seek compensation from either joint controller for the full amount of any damage. Internal recourse between controllers — the right to seek contribution from the other party — exists under Article 82(5), but it is an internal matter; the data subject's claim is against either controller, full stop.
This asymmetry has a practical consequence: even if your Article 26 arrangement assigns data subject request handling to your joint controller partner, your legal team needs a triage workflow for requests received directly, because regulators and courts will not treat "our contract says it's their job" as a valid defense.
Building the Article 26 Arrangement
An Article 26 arrangement does not need to be a standalone formal contract. It can be incorporated into a broader partnership or services agreement. What it cannot be is absent or implicit. Regulators have found violations where organizations relied on standard vendor terms (not negotiated to address Article 26) or on the assumption that the joint controller relationship was obvious without documentation.
A compliant Article 26 arrangement contains:
- Identification of both (or all) joint controllers by name, legal entity, and DPA registration
- Description of the joint processing activities covered (specific enough to exclude activities where one party acts as an independent controller)
- Allocation table: which controller handles each GDPR compliance obligation for the covered activities
- Data subject rights workflow: how requests are received, investigated, and responded to, with timelines
- Contact point designation (recommended: a single email or portal for data subjects)
- Transparency responsibility clause: which controller provides the Articles 13/14 notice, with draft text or reference to an existing privacy notice that covers the joint processing
- Internal liability allocation for Article 82 claims
- Duration and review trigger (the arrangement should be revisited when the joint processing changes materially)
Once the arrangement is in place, update your privacy notice to include the "essence" disclosure required by Article 26(2). Secure Privacy's Privacy & AI Governance Platform includes a structured processing activity register that supports documentation of both independent controller activities and joint controller arrangements — including the party allocation fields required for Article 26 compliance.
Frequently Asked Questions
Does a joint controller arrangement need to be a separate signed document?
No. Article 26 requires a "transparent" arrangement but does not specify form. It can be a dedicated agreement, a module within a broader contract, or documented through an exchange of emails — provided it covers the mandatory content and can be produced to a DPA on request.
What happens if we don't have an Article 26 arrangement?
Operating as joint controllers without a documented arrangement is a breach of Article 26(1), subject to GDPR enforcement. More practically, it means your Article 30 records of processing activities are incomplete, your privacy notice lacks the required "essence" disclosure, and you have no agreed workflow for data subject requests relating to the joint processing — each of which creates independent compliance exposure.
Can a data processor agreement double as a joint controller arrangement?
Only if the relationship is actually that of joint controllers. If you label a joint controller as a "processor" and execute a DPA rather than an Article 26 arrangement, the formal agreement does not match the legal reality — and if a DPA investigates, the mislabeling itself is a compliance failure. The CJEU has been clear that legal classification follows conduct, not contract labels.
Does every third-party cookie trigger a joint controller relationship?
Not automatically. The analysis turns on whether both parties jointly determine the purposes and means of the specific processing. A third-party cookie set entirely for the vendor's own separate purposes (independent controller relationship) is different from a cookie set as part of a shared analytics or advertising activity where both parties benefit from and influence the processing outcomes.
How do we handle the situation where our partner refuses to sign an Article 26 arrangement?
If a third party with which you have a joint controller relationship refuses to document it, your options are: (1) stop using the tool or relationship that creates joint controllership, (2) obtain DPA guidance on whether the vendor's standard published terms constitute an adequate Article 26 arrangement, or (3) document your own unilateral position and notify your DPA. Continuing without an arrangement while knowing one is required is knowing non-compliance.
Does Article 26 apply to joint controllers outside the EU?
GDPR's territorial scope applies to the processing itself, not the legal seat of the controller. If one or both joint controllers process EU residents' data in a way that triggers GDPR, Article 26 applies regardless of where the controllers are established.




