Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Sharing customer data with a partner can unlock growth - from co‑marketing to running a shared platform. But if you’re deciding “why” and “how” personal data is processed together, UK GDPR may treat you as joint controllers.
Getting this right matters. When businesses are joint controllers, you each carry legal responsibility for transparency, lawful bases, data subject rights and more. The good news? With a clear plan and a solid written arrangement, you can collaborate confidently and stay compliant.
Below, we explain what joint controllers are under UK GDPR, how to tell them apart from processors, common scenarios that create joint control, and a step‑by‑step approach to setting it up properly from day one.
What Does “Joint Controllers” Mean Under UK GDPR?
Under the UK General Data Protection Regulation and the Data Protection Act 2018, a controller is the party who decides the purposes and essential means of processing personal data. Businesses are joint controllers when two or more parties together decide those purposes and means (UK GDPR, Article 26).
In plain English: if both businesses are meaningfully determining why the data is used and key choices about how it’s used (not just following instructions), you are likely joint controllers. This can apply even if you each process data in slightly different ways, as long as your decisions are linked and you have a common objective.
Key points to remember:
- Joint control arises from joint decision‑making, not just joint access to a database.
- It’s about substance over form - what happens in practice trumps what the contract says.
- If you are joint controllers, UK GDPR requires a written arrangement between you that transparently allocates compliance responsibilities and tells individuals the essence of that arrangement.
Joint Controllers Vs Independent Controllers Vs Processors
Before you label the relationship, step back and map what each party actually decides and does. The labels have real legal consequences.
Independent Controllers
Two businesses can be separate, independent controllers for the same personal data. This typically happens when each party decides its own purposes independently (for example, each builds its own marketing list from the same event attendees) without a common objective or joint decision‑making.
Joint Controllers
Here, both parties determine the purposes and key means together - for instance, they co‑design a loyalty scheme and agree how sign‑ups, segmentation and communications will work. Each remains responsible for compliance, but you must agree who will handle which obligations (like responding to rights requests).
Processors
A processor acts on a controller’s documented instructions and does not decide “why” or the essential “how”. If one party is only providing a service and following instructions (for example, a mailing vendor), it’s likely a processor. In that case, you need a Data Processing Agreement, not a joint controller arrangement.
Why the distinction matters:
- Misclassifying a processor as a joint controller (or vice versa) can lead to the wrong contracts and gaps in compliance.
- Joint controllers must publish the “essence” of their arrangement and are both accountable to the ICO. Controllers using processors must include the mandatory UK GDPR Article 28 clauses in their contract.
Common Small‑Business Scenarios That Create Joint Control
Not every collaboration creates joint control - but many do. Ask whether you’re pursuing a common purpose and jointly deciding key data uses.
- Co‑Hosted Events Or Webinars: You and a partner plan a webinar, agree the registration fields, jointly use the attendee list for follow‑up and analytics, and both decide communications strategy. This often points to joint controllers for the attendee data.
- Shared Loyalty Or Rewards Programme: Retailers in a precinct team up to run a single rewards app, agree the sign‑up process, decide profiling rules and jointly access dashboards. That’s classic joint control.
- Marketplace Or Co‑Branded E‑Commerce: A platform and a brand co‑determine the customer journey, fraud checks, communications cadence and data retention. You may be joint controllers for parts of the journey (e.g., sign‑up and personalisation) and independent controllers for others (e.g., each party’s own marketing).
- Joint Research Or Proof‑Of‑Concept: Two SMEs trial a new service using real customer data, decide together what data to collect, how to pool it and how to analyse outcomes. That can create joint control for the trial dataset.
- Joint Marketing Campaign: You pool lists, agree targeting criteria and attribution rules, and both decide how cookies/trackers will operate on a shared landing page. This often indicates joint control over campaign data.
Tip: You can have a patchwork of roles across the same collaboration. For example, you might be joint controllers for registration data, but each an independent controller for your own post‑event marketing.
What Must Go In A Joint Controller Arrangement?
Article 26 requires joint controllers to determine their respective responsibilities for compliance in a transparent manner. In practice, this means a written arrangement that covers at least:
- Purpose and Scope: Which processing activities are in scope, the common objective, and the datasets involved.
- Transparency: Who will provide privacy information to individuals and when (e.g., at sign‑up, on a landing page). You’ll each need an up‑to‑date Privacy Policy reflecting the shared processing.
- Lawful Bases: Which UK GDPR lawful basis applies for each activity (consent, contract, legitimate interests, etc.) and how you’ll manage it (e.g., records of consent, legitimate interests assessment).
- Data Subject Rights: Who leads on rights requests (access, rectification, erasure, objection, portability) and how requests will be routed between you. It helps to align processes with your approach to subject access requests.
- Security: Agreed technical and organisational measures, minimum standards, and incident coordination - ideally alongside a documented Data Breach Response Plan.
- Data Sharing Rules: What’s shared, how, and when; data minimisation; pseudonymisation; frequency; and restrictions on onward disclosure. Many businesses formalise this within a robust Data Sharing Agreement.
- Retention And Deletion: How long each party will retain shared data, how you’ll sync retention schedules, and what happens on termination.
- International Transfers: Whether data leaves the UK/EEA, transfer tools used (e.g., IDTA or SCCs), and each party’s responsibilities for transfer risk assessments.
- Accountability: How you’ll keep records of processing, review the arrangement, and evidence compliance to the ICO.
You must also make the essence of your joint controller arrangement available to individuals - usually via layered privacy notices and your websites.
How To Set Up A Compliant Joint Controller Relationship (Step‑By‑Step)
1) Map The Processing And Decide The Roles
Start with a simple data map: what personal data is collected, from whom, for what purposes, by which channels, and who decides those purposes. Use this to decide whether you’re joint controllers, independent controllers, or controller–processor. If one party is simply providing services under instruction, a controller–processor relationship is more likely and you’ll need a tailored Data Processing Agreement.
2) Agree The Lawful Basis (Per Activity)
For each processing purpose, agree and document your lawful basis under UK GDPR. For example:
- Contract for providing a service the individual requested (e.g., event registration and attendance).
- Legitimate Interests for analytics or certain B2B marketing, provided you do a balancing test and offer easy opt‑outs.
- Consent for optional marketing or where you’re relying on cookies/trackers that aren’t strictly necessary.
Make sure your cookie tooling supports your approach, and ensure your Cookie Policy and banners match how the technology actually behaves.
3) Draft The Joint Controller Arrangement
Capture the allocation of responsibilities clearly and pragmatically. Keep in mind:
- Individuals Can Still Contact Either Party: Even if you allocate lead responsibility for rights requests to one party, both of you remain accountable. Build a simple triage process so requests reach the right team quickly.
- Make It Practical: Align responsibilities with who has the systems and people to action them. For instance, the party that controls the main CRM may be best placed to handle access and deletion requests in the first instance.
- Plan For Change: Include review points, variation mechanisms and what happens if one party materially changes its tech stack.
It’s wise to have the arrangement drafted to dovetail with your wider compliance pack, including your GDPR Package, so everything fits together consistently.
4) Update Privacy Notices And On‑Page Language
Update your layered privacy information to explain the joint processing in plain English - who you are, what you’re doing together, lawful bases, who to contact, and the essence of the arrangement. Make sure forms and landing pages align, and avoid burying key points in long legalese.
5) Implement Processes For Rights, Security And Retention
Build shared playbooks so your teams know what to do when:
- Data Subject Rights: Intake, verify, locate data across systems, respond in timeframes, and record outcomes (this ties to your approach to subject access requests).
- Security Incidents: Who assesses severity, who notifies whom (and when), and how you’ll coordinate ICO and individual notifications if required - anchored by a practical Data Breach Response Plan.
- Retention: Shared rules so data isn’t kept longer than needed by either party; clear deletion routines on exit.
6) Keep Records, Train Teams And Review
Maintain Article 30 records for the joint activities and document your lawful bases, balancing tests and DPIA (if needed). Train relevant staff, spot‑check compliance and review the arrangement annually or after material changes (new tools, new purposes, international transfers, etc.).
Ongoing Compliance: Rights, Marketing, Cookies And Data Sharing
Joint control isn’t a “set and forget” exercise. Day‑to‑day operations must line up with what you’ve agreed and told individuals.
Data Subject Rights
Make it easy for individuals to exercise their rights with either party. Agree shared SLAs and ensure whichever party receives a request can route it immediately. If the processing is likely to result in high risk, consider whether a DPIA is required and who leads it.
Marketing Compliance
For B2C email and SMS, the Privacy and Electronic Communications Regulations (PECR) layer on top of UK GDPR. If you rely on “soft opt‑in”, make sure you’ve met the criteria (same or similar products, easy opt‑out at collection and in each message). For B2B marketing, legitimate interests is often used - but you still need to provide clear opt‑outs and honour objections quickly.
Cookies And Tracking
When you jointly run landing pages or shared portals, align your cookie consent approach with your lawful bases and ensure banners are accurate and user‑friendly. If you’re not sure whether your banner is compliant, it’s worth reviewing practical steps for cookie banners that comply.
Data Sharing Controls
Only share what’s necessary for the joint purpose. Lock down transfers with secure channels, audit logs and clear retention windows. Where helpful, house the operational detail in a standalone Data Sharing Agreement referenced by your Article 26 allocation.
Handling Requests And Deletions
Agree practical “who does what” for corrections, suppressions and erasure so you aren’t duplicating effort or missing deadlines. If you routinely receive DSARs, ensure both parties’ processes reflect the UK timelines and exemptions - your teams can refer to playbooks aligned with the approach in our guidance on subject access request deadlines.
International Transfers
If either party stores or accesses data outside the UK/EEA, you’ll need an appropriate transfer tool (e.g., UK IDTA or EU SCCs plus UK Addendum) and (where required) a transfer risk assessment. Capture who is responsible for maintaining these and informing the other of changes.
When Consent Is In Play
Where consent is your lawful basis (for example, optional marketing or certain cookies), align consent capture and withdrawal across both businesses. Make sure that withdrawing consent with one party is effective across the joint activities where appropriate.
Practical Pitfalls To Avoid
- Over‑ Or Under‑Sharing: Sharing “everything just in case” breaches data minimisation. On the flip side, if you don’t share enough to fulfil rights requests, you’ll miss deadlines.
- Confusing Roles: Calling a service provider a joint controller doesn’t make it so - and could leave you without the mandatory controller–processor clauses. Use a proper Data Processing Agreement where the relationship is truly controller–processor.
- Mismatched Notices: Your website says one thing, partner emails say another. Keep privacy language consistent and up to date across touchpoints with a clear, accessible Privacy Policy.
- Unclear Opt‑Outs: If individuals can’t easily opt out across the joint activities, expect complaints. Build a single, simple path and honour it quickly.
- No Exit Plan: If the collaboration ends, who keeps what? Plan data return or deletion up front and test the process.
Do You Need A Lawyer For Joint Controllers?
You don’t need to be a privacy expert to run a compliant collaboration - but the allocation of responsibilities, lawful bases, data sharing mechanics and notices need to be right. A tailored arrangement will save you headaches later, especially if you face complaints or ICO scrutiny.
If you’re setting up a new collaboration, it’s sensible to get your core compliance suite aligned - for example, a practical GDPR Package, a clear Data Sharing Agreement (where appropriate), and an up‑to‑date Privacy Policy that explains the joint activities in plain English.
Key Takeaways
- Businesses are joint controllers when you together decide the purposes and essential means of processing - it’s about real‑world decision‑making, not just contract labels.
- Map the data flows and decide roles first; if one party only follows instructions, you likely need a controller–processor Data Processing Agreement, not joint control.
- Article 26 requires a written arrangement that allocates responsibilities, explains transparency, sets lawful bases, and covers rights, security, retention and transfers - and you must share the essence with individuals.
- Keep your notices, cookie tooling and operational processes aligned across both businesses. A user‑friendly Privacy Policy and accurate Cookie Policy are must‑haves.
- Operationalise the arrangement with playbooks: handling rights requests, incidents and deletion, supported by a tested Data Breach Response Plan.
- Review regularly. As purposes, tools or partners change, update your joint controller arrangement, records and privacy information to stay compliant.
If you’d like help setting up a joint controller arrangement - or you want us to review your current collaboration - you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligation chat.