GDPR Article 26 Explained: Joint Controllers, Responsibilities, and Real-World Examples

The General Data Protection Regulation (GDPR) establishes a clear framework for how personal data must be processed, protected, and governed across the European Union. While much attention is usually given to data controllers and data processors individually, real-world data processing is often more complex. In many cases, two or more entities jointly determine the purposes and means of processing personal data. This is where GDPR Article 26 becomes critically important.

Article 26 addresses the concept of joint controllers. It defines when organizations are considered jointly responsible for data processing and sets out strict rules on how responsibilities must be allocated between them. Misunderstanding or ignoring Article 26 is a common source of GDPR non-compliance, particularly in partnerships, marketing collaborations, SaaS integrations, franchise networks, and shared platforms.

This article provides a full explanation of GDPR Article 26, breaks down its legal meaning in practical terms, clarifies common misconceptions, and illustrates compliance through five detailed real-world examples.


What Is GDPR Article 26?

GDPR Article 26 applies when two or more controllers jointly determine:

  • the purpose of processing personal data, and

  • the means by which that processing takes place.

In such situations, the GDPR considers all involved parties to be joint controllers.

Unlike a controller-processor relationship, joint controllers are equally responsible for compliance, even if their internal roles differ. Article 26 does not allow organizations to avoid responsibility by contract alone. Instead, it requires transparency, accountability, and clarity—both internally and toward data subjects.


Legal Text of Article 26 (Simplified Interpretation)

Article 26 requires joint controllers to:

  1. Determine their respective responsibilities for GDPR compliance.

  2. Define these responsibilities in a transparent arrangement.

  3. Specify which controller handles:

    • data subject rights,

    • GDPR information duties (Articles 13 and 14),

    • security and compliance obligations.

  4. Make the essence of the arrangement available to data subjects.

  5. Ensure that data subjects can exercise their rights against any controller.

In short, Article 26 ensures that accountability cannot be fragmented or hidden.


When Are Organizations Considered Joint Controllers?

Organizations become joint controllers when they co-decide essential elements of data processing. This does not require equal power or identical roles.

Joint controllership exists when:

  • Both parties influence why data is processed.

  • Both parties influence how data is processed.

  • Decisions are taken together, even if operational execution differs.

What Does NOT Create Joint Control?

  • A pure service provider acting strictly on instructions (processor).

  • One controller merely using another controller’s publicly available data.

  • Independent controllers using the same dataset for unrelated purposes.

The focus is not on contracts, but on factual influence over processing.


Why Article 26 Exists

Article 26 was introduced to prevent:

  • Responsibility gaps in complex data ecosystems.

  • Finger-pointing between organizations.

  • Situations where data subjects do not know who is responsible.

  • Attempts to contractually escape GDPR obligations.

Without Article 26, multi-party data processing would undermine GDPR’s core principles of transparency, accountability, and enforceability.


The Joint Controller Arrangement: Core Requirements

1. Clear Allocation of Responsibilities

Joint controllers must define who is responsible for:

  • Providing privacy notices.

  • Responding to access, erasure, and objection requests.

  • Managing security measures.

  • Reporting data breaches.

  • Handling lawful bases and retention periods.

This allocation must be documented.


2. Transparency Toward Data Subjects

Data subjects must be informed that:

  • Multiple controllers are involved.

  • Their data is jointly processed.

  • They can exercise rights against any controller.

The GDPR does not require publication of the full contract, but the essence of the arrangement must be accessible.


3. No Limitation of Data Subject Rights

Even if responsibilities are split internally:

  • A data subject may contact any joint controller.

  • Each controller remains fully liable toward the data subject.

  • Internal arrangements do not affect external liability.

This is one of the most important aspects of Article 26.


Joint Controllers vs Controllers and Processors

Understanding the difference is crucial.

  • Controller: decides purpose and means.

  • Processor: acts strictly on instructions.

  • Joint controllers: co-decide purpose and means.

Misclassifying a relationship as controller-processor when it is actually joint control is a frequent GDPR violation.


Liability Under Article 26

Under GDPR Article 82:

  • Any joint controller can be held fully liable for damages.

  • A controller that pays compensation may seek contribution from the other joint controllers internally.

  • Supervisory authorities may investigate all joint controllers, regardless of internal arrangements.

Joint controllership increases risk exposure, which is why Article 26 compliance is critical.


Common Scenarios Where Article 26 Applies

  • Co-branded marketing campaigns.

  • Shared customer databases.

  • Online platforms with embedded third-party tracking.

  • Franchises with centralized CRM systems.

  • Joint research projects.

  • Advertising technology ecosystems.


Example 1: Joint Marketing Campaign Between Two Companies

Scenario

Company A (an online retailer) and Company B (a loyalty program provider) run a joint promotional campaign. Customers sign up via a shared landing page, and both companies decide:

  • what data is collected,

  • how long it is stored,

  • how it will be used for marketing.

Why Article 26 Applies

Both companies jointly determine the purpose (marketing) and means (data fields, tools, retention). This is not a controller-processor relationship.

Compliance Measures

  • A joint controller agreement defines responsibilities.

  • Company A handles privacy notices.

  • Company B handles access and deletion requests.

  • The privacy notice explains joint controllership.

  • Data subjects can contact either company.


Example 2: Website Operator and Analytics Provider with Shared Decisions

Scenario

A website operator integrates an analytics service. Unlike a standard analytics setup, both parties jointly decide:

  • which metrics are tracked,

  • how users are profiled,

  • how long identifiers are retained.

Why Article 26 Applies

The analytics provider does not act purely on instructions. It co-determines processing logic.

Compliance Measures

  • A joint controller arrangement outlines data subject rights handling.

  • The essence of the arrangement is disclosed in the privacy notice.

  • Both entities accept joint responsibility for GDPR compliance.


Example 3: Franchise Network with Centralized Customer Database

Scenario

A franchisor operates a centralized CRM system used by multiple franchisees. The franchisor sets data policies; franchisees collect customer data and use it locally.

Why Article 26 Applies

Both franchisor and franchisees jointly determine:

  • the purpose of data collection,

  • how customer data is processed across the network.

Compliance Measures

  • Joint controller agreement between franchisor and franchisees.

  • Clear allocation of who responds to data subject requests.

  • Unified privacy notice explaining joint controllership.

  • Internal procedures for coordination.


Example 4: Recruitment Platform and Employer Clients

Scenario

A recruitment platform allows employers to search and manage candidate profiles. Both parties decide:

  • which candidate data is collected,

  • how long it remains accessible,

  • how candidates are contacted.

Why Article 26 Applies

The platform is not merely processing on instruction; it co-determines processing objectives.

Compliance Measures

  • Joint controller agreement specifying responsibilities.

  • Candidates informed about both controllers.

  • Rights exercisable against platform or employer.


Example 5: Joint Research Project Between Two Organizations

Scenario

Two research institutions collaborate on a medical study involving personal data. They jointly design:

  • research objectives,

  • data collection methods,

  • anonymization strategies.

Why Article 26 Applies

Both institutions jointly define purpose and means of processing.

Compliance Measures

  • Written joint controller arrangement.

  • Transparent explanation to participants.

  • Allocation of security, ethics approvals, and rights management.


Practical Steps to Comply With Article 26

Step 1: Identify Joint Decision-Making

Ask:

  • Who decides why data is processed?

  • Who decides how data is processed?

If the answer includes multiple parties, Article 26 may apply.


Step 2: Document the Arrangement

Create a written agreement that:

  • allocates responsibilities,

  • addresses GDPR obligations,

  • covers breach handling and rights requests.


Step 3: Update Privacy Notices

Ensure data subjects are informed about:

  • joint controllers,

  • key responsibilities,

  • how to exercise their rights.


Step 4: Train Internal Teams

Ensure legal, marketing, IT, and compliance teams understand:

  • joint controllership risks,

  • response procedures,

  • accountability requirements.


Common Mistakes Under Article 26

  • Labeling a relationship as “processor” without factual basis.

  • Keeping joint controller agreements confidential from data subjects.

  • Assuming internal contracts override GDPR liability.

  • Ignoring joint controllership in marketing and analytics setups.

  • Failing to coordinate responses to data subject requests.


Regulatory and Enforcement Perspective

Supervisory authorities increasingly focus on:

  • complex data ecosystems,

  • advertising technology,

  • platform-based services.

Article 26 is frequently cited in enforcement actions where responsibilities are unclear or intentionally obscured.


Relationship Between Article 26 and Other GDPR Articles

Article 26 interacts closely with:

  • Article 5 (accountability principle)

  • Articles 13 and 14 (transparency)

  • Article 24 (controller responsibility)

  • Article 30 (records of processing)

  • Article 82 (liability and compensation)

Failure under Article 26 often leads to broader GDPR violations.


Conclusion: Why Article 26 Requires Strategic Attention

GDPR Article 26 reflects a core reality of modern data processing: data responsibility is often shared. The regulation ensures that shared responsibility does not result in reduced accountability or weakened data subject rights.

For organizations involved in partnerships, platforms, integrations, or shared services, Article 26 compliance is not optional—it is foundational. Properly identifying joint controllership, documenting responsibilities, and communicating transparently protects not only data subjects, but also organizations from regulatory risk, financial liability, and reputational damage.