Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business is working closely with another organisation and you’re handling personal data together, it’s essential to understand whether you’re acting as a “joint controller” under UK GDPR. Getting this right isn’t just a tick-box exercise; it can mean the difference between robust compliance and a risky data breach scenario.
In today’s data-driven world, it’s common for organisations to share information to deliver collaborative projects, innovate new services, or even just deliver a seamless customer experience. But these arrangements come with serious privacy law implications. In the UK, the Information Commissioner’s Office (ICO) provides specific guidance for joint controllers under the Data Protection Act 2018 (and UK GDPR), requiring agreement and transparency from the very start.
So, how do you know when you’re a joint controller? What are your legal obligations, and how can you put strong compliance foundations in place? In this guide, we’ll break down the key concepts, walk you through practical scenarios, and give you actionable steps to ensure you’re protected from day one.
What Is a ‘Joint Controller’ Under UK GDPR?
Let’s start with the basics. Under the UK General Data Protection Regulation (UK GDPR), a data controller decides how and why personal data is processed. But sometimes, two or more organisations come together and jointly determine the purposes and means of processing personal data. In these situations, you’re considered joint controllers. The ICO’s definition is clear: joint controllers “jointly determine the purposes and means of processing” for particular data. This means you’re actively agreeing together what data is collected, how it’s used, and why. Joint controllership isn’t about just handing over data to someone else; it’s about collective decision-making.
- Example: Two health clinics set up a shared patient booking system. They both decide what information to collect and how it will be used for managing appointments. That’s joint controllership.
- Non-example: A travel agency sends customer lists to an insurance provider, who independently uses the data for selling policies. Here, each party is acting as an independent controller.
When Are You a Joint Controller (And When Aren’t You)?
Determining whether you’re joint controllers, rather than simply two independent controllers, boils down to a crucial question: who decides what happens with the data?
Typical Joint Controller Scenarios
- Collaborative Projects: Two tech companies create a new app and agree together what information is collected, its purpose, and its privacy safeguards.
- Partnerships in Healthcare: Hospital trusts managing a patient portal, with both participating in creating rules about access, sharing, and storage of sensitive patient data.
- Joint Marketing Campaigns: Retailers co-hosting an event and jointly deciding how personal data from sign-ups will be used for follow-ups, offers, and updates.
When You’re Not Joint Controllers
- Simple Data Transfers: You provide customer info to a delivery company who then uses it for their own delivery operations within their own processes.
- Sub-processor Arrangements: You hire an IT company to process your data according to your instructions (they’re a data processor). You remain the controller.
- Separate Purpose Use: Organisations receive data but use it for entirely different objectives than the original provider’s purpose.
What Legal Obligations Do Joint Controllers Have?
As a joint controller, you aren’t off the hook if your partner drops the ball. You’re each responsible for GDPR compliance. Here are the key obligations you need to keep in mind:
- General ICO Data Controller Duties: Both parties must comply fully with all controller obligations under UK GDPR and the Data Protection Act 2018. This includes transparency, data minimisation, lawful basis for processing, and security.
- Joint Arrangements: You must enter into a clear joint controller arrangement (ideally a written data-sharing agreement).
- Transparency With Individuals: You need to inform data subjects about the arrangement and make sure people know who to contact for their data rights.
- Data Subject Rights: Together, you’re both responsible for making sure individuals can exercise their data rights easily, whether it’s access, rectification, or deletion.
- Security and Breach Reporting: Both parties must take robust protective measures and work together to address data breaches or complaints.
What Should a Joint Controller Agreement Include?
When acting as joint controllers, a formal, practical agreement is essential, not just for compliance, but to avoid disputes. The ICO recommends a written record that sets out:
- The nature and purposes of the data-sharing project
- Clear allocation of roles and responsibilities (who is responsible for security, handling access requests, dealing with complaints, etc.)
- The types of personal data involved
- Limitations on data use (what can and can’t be done with the data)
- Procedures for data subject rights (how will people access, amend, or delete their data?)
- Point of contact for data subjects (one party should be designated as the go-to contact, or you can both act, but it must be crystal clear for individuals)
- Liability arrangements and indemnities (who is responsible if something goes wrong?)
- How disagreements will be resolved
Practical Steps To Ensure Joint Controller Compliance
Navigating joint controllership can be complex, but breaking it into a checklist of steps will help you get your legal foundations sorted from day one.
1. Assess Your Role
- Are you actively involved in decision-making about how and why personal data is processed? If yes, joint controllership is likely.
- If you’re simply instructed by another party, you’re probably a processor, not a joint controller.
2. Agree (And Document) Your Arrangement
- Meet with your partners and document how you’ll handle personal data collaboratively.
- Draft a written joint controller/data-sharing agreement (see above for what it should include).
- Make sure this document is reviewed and signed by all parties.
3. Notify Data Subjects
- Update your Privacy Policy and other notices to explain the joint controller relationship.
- Make it clear how individuals can access their rights, and who to contact.
4. Allocate Responsibilities Clearly
- Designate which party will handle specific obligations (such as responding to right-of-access requests or security incidents).
- Agree a lead contact for data subjects, and share these details transparently on your website and other documentation.
5. Regularly Review Your Arrangement
- Joint ventures and partnerships change over time; review your agreement whenever the nature of the project or the way data is used changes.
- Keep clear records of decisions in board minutes or other formal documents.
6. Seek Expert Legal Advice
- An expert legal review will ensure you aren’t overlooking important risks, and that your arrangement stands up to ICO scrutiny.
- Compliance isn’t just about paperwork; the right legal advice gives you peace of mind and practical systems that work day to day.
Why Joint Controller Compliance Matters
If you don’t follow the rules on joint controllership, you risk:
- ICO complaints, investigations, and even fines for non-compliance with UK GDPR controller duties
- Damaged reputation and lost customer trust if your data use appears secretive or poorly managed
- Legal disputes between partners when roles aren’t clear or things go wrong
- Potential civil liability for individuals who suffer data breaches or mishandling
FAQs: Common Joint Controller Questions
Do We Always Need a Written Joint Controller Agreement?
While the UK GDPR doesn’t strictly require a written contract between joint controllers, the ICO strongly recommends it, and in practice, it’s virtually essential for demonstrating compliance and handling any future disputes.
What’s the Difference Between Joint Controllers and Processors?
A joint controller shares responsibility for deciding “how” and “why” data is processed. A processor only acts on instructions and doesn’t have discretion over the data. For more details, see our guide on the differences between data controllers and processors.
How Should We Deal with Data Subject Access Requests?
You should make it clear in your joint controller arrangement who will take primary responsibility for handling these, and how you’ll ensure a prompt response. Ultimately, both controllers are responsible, so it’s important not to leave this undefined.
As a Small Business, Does This Apply to Me?
Yes. Joint controllership isn’t limited to large organisations. If you’re a small business working with others on shared data projects (e.g., joint customer promotions, shared service offerings), these rules are just as important.
Key Takeaways
- Joint controllers under UK GDPR are two or more organisations that decide together how and why personal data is processed.
- This arrangement comes with full controller responsibilities for each party, plus specific ICO recommendations for written agreements and transparency.
- A strong joint controller (data-sharing) agreement should clearly specify roles, responsibilities, data subject contact points, and liability.
- Practical steps include: assessing whether you’re a joint controller, formally documenting your arrangement, informing individuals, and regularly reviewing your setup.
- If you’re unsure about your status or how to set up an agreement, expert legal advice is crucial to avoid compliance headaches and protect your business.