Article 26 of GDPR: Joint data controllers
There are instances when there may be more than one company collecting and processing personal data.
In such a scenario, GDPR provides for the possibility of a data processing activity to create joint controller duties and obligations requiring the organizations involved in the data processing activity to assume joint responsibility.
Joint determination of processing purpose (Article 26(1) GDPR)
When two or more companies jointly determine the purpose of personal data processing, under Article 26(1) of GDPR, they must inform the data subjects in a transparent way.
More specifically, joint controllers must:
- Clearly inform the data subject as to their respective processing activities
- How a person can exercise their rights under GDPR
- Each of the joint controller’s duties with respect to the information they will each need to provide the data subject about their data collection and processing
- Each of the joint controller’s duties with respect to the information they collect from other sources
The joint data controllers can also agree to appoint one point of contact for individuals and data subjects to communicate.
Role of each data controller (Article 26(2) GDPR)
In instances when two or more companies jointly determine the purpose of personal data processing, the joint data controllers must each outline their respective roles and their relationship as it relates to the data subject.
The nature of the arrangement between the joint data controllers must be made available to individuals.
Data subject rights against joint controllers (Article 26(3) GDPR)
Regardless of the nature of joint data processing activities and the relationship between the joint data controllers, a data subject may exercise his or her rights against any of the joint data controllers.
Recitals applicable to Article 26 of GDPR
Relevant Recitals: 58, 79
GDPR Regulation article-by-article overview
Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.
Cited Legislation in Article 26 or relevant recitals
GDPR Text: Article 26 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)