1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.
(79) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
Article 29 Working Party, Opinion 1/2010 on the concepts of “controller” and “processor” (2010)
EDPS, Guidelines on the Concepts of Controller, Processor and Joint Controllership Under Regulation (EU) 2018/1725 (2019).
EDPB, Guidelines 7/2020 on the Concepts of Controller and Processor in the GDPR (2020).
EDPB, Guidelines 8/2020 on the targeting of social media users (2020).
Information Commissioner’s Office, Right of Access (2020).
CJEU, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein/Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16 (2018).
CJEU, Tietosuojavaltuutettu v Jehovan todistajat, Case-C-25/17 (2018):
The existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case. Actual access to personal data is not a prerequisite for joint responsibility (p. 68-72).
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to articles 26(1), 26(2), and 26(3) GDPR:
7.2.7 Joint PII controller
Control
The organization should determine respective roles and responsibilities for the processing of PII (including PII protection and security requirements) with any joint PII controller.
Implementation guidance
Roles and responsibilities for the processing of PII should be determined in a transparent manner.
These roles and responsibilities should be documented in a contract or any similar binding document that contains the terms and conditions for the joint processing of PII. In some jurisdictions, such an agreement is called a data sharing agreement.
A joint PII controller agreement can include (this list is neither definitive nor exhaustive):
— purpose of PII sharing / joint PII controller relationship;
— identity of the organizations (PII controllers) that are part of the joint PII controller relationship;
— categories of PII to be shared and/or transferred and processed under the agreement;
— overview of the processing operations (e.g. transfer, use);
— description of the respective roles and responsibilities;
— responsibility for implementing technical and organizational security measures for PII protection;
— definition of responsibility in case of a PII breach (e.g. who will notify, when, mutual information);
— terms of retention and/or disposal of PII;
— liabilities for failure to comply with the agreement;
— how obligations to PII principals are met;
— how to provide PII principals with information covering the essence of the arrangement between the joint PII controllers;
— how PII principals can obtain other information they are entitled to receive; and
— a contact point for PII principals.