Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run partnerships, collaborations or co-marketing campaigns, there’s a good chance you and another organisation are deciding why and how personal data is used. When that happens, you may be joint data controllers under UK GDPR.
That label matters. It changes your responsibilities, what goes into your privacy notice, how you handle rights requests, and who is on the hook if something goes wrong.
In this guide, we break down what “joint data controller” actually means, when it applies in practice, and the steps you should take to stay compliant and protect your business.
What Is A Joint Data Controller Under UK GDPR?
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, a “controller” is the organisation that determines the purposes and means of processing personal data. If two or more organisations jointly determine those purposes and means, they are joint controllers (Article 26 UK GDPR).
In plain English, you’re joint controllers when you and another business decide together what data is collected, why it’s collected, and at a meaningful level, how it’s used (e.g. the categories of data, the retention period, the sharing and disclosure rules).
Being joint controllers does not mean you merge into a single entity. Each party is separately responsible for complying with UK GDPR, and you must put in place a transparent arrangement that clearly sets out who does what. You also need to make the essence of that arrangement available to individuals (e.g. via your privacy notice).
Key legal points to keep in mind:
- Article 26 requires joint controllers to allocate responsibilities for compliance, including responding to rights requests and meeting transparency obligations.
- You’re both accountable for UK GDPR compliance principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability).
- Individuals can exercise their rights (access, erasure, objection, etc.) against any joint controller. You cannot use internal allocation as a shield against the individual.
When Are Businesses Joint Data Controllers?
The line between joint controllers, independent controllers and controllers–processors is sometimes blurry. The practical test is whether you decide together the “why” and the essential “how” of the processing, rather than one of you just following the other’s instructions.
Common Real-World Scenarios
- Co‑marketing campaigns: You and a partner design a joint campaign, agree the target audience, decide what contact data to collect, share a landing page and jointly decide follow‑up communications.
- Event co‑hosts: Two businesses run a conference, agree attendee data fields, ticketing, sponsors’ access to attendee data and post‑event marketing.
- Joint product or service: You co‑develop a service and decide together what customer data is needed, which systems hold it, and how long it’s kept.
- Franchise or multi‑brand initiatives: A brand owner and franchisees jointly control loyalty club data where both decide the purposes of collection and use.
Indicators You’re Likely Joint Controllers
- Shared decision‑making about the purpose of processing (e.g. both want to use the data for their own marketing).
- Co‑ownership of key processing decisions: data categories, retention rules, disclosures to third parties.
- Mutual benefit from the same dataset for the same purposes, agreed in advance.
- Shared tools or platforms configured jointly to achieve common purposes.
Indicators You’re Not Joint Controllers
- Each business collects and uses data separately for different purposes, with no shared decisions (you may be independent controllers).
- One party purely follows the instructions of the other without decision-making power (that party is likely a processor).
- Data is shared after collection but each party then decides its own purposes independently (typically controller-to-controller sharing, not joint control).
Joint Controller Obligations: Who Does What?
Joint control doesn’t reduce your obligations - it adds coordination. Article 26 requires a transparent arrangement between the parties that allocates responsibilities. Here’s what that should cover and how to handle it.
1) Transparency And Privacy Notices
You must tell individuals clearly who the joint controllers are, the core points of your arrangement, and how they can exercise their rights. This needs to appear in your privacy notices and at the point of data collection. Make sure your Privacy Policy explains joint control in plain English and includes contact routes for each controller.
2) Lawful Basis And Purpose Limitation
You must agree the lawful basis for each purpose (e.g. consent, legitimate interests, contract). If you rely on legitimate interests, document a balancing test and ensure both parties stick to the agreed purposes. Avoid scope creep - using the data for a new purpose later without proper checks and notices can breach UK GDPR.
3) Individual Rights (SARs, Erasure, Objection)
Individuals can exercise rights against any joint controller. Decide which party will lead on subject access requests (SARs), erasure and objections, and how you’ll coordinate responses within UK GDPR deadlines. Set up a shared process, with clear SLAs and data exchange mechanisms. Having a plan for subject access requests avoids last‑minute scrambles.
4) Security And Incident Response
Each joint controller must ensure appropriate technical and organisational measures. Practically, you should agree minimum security standards, audit rights, and a coordinated plan for security incidents, including breach assessment and notification. Decide in advance which controller assesses a breach and which notifies the ICO, because the Article 33 clock (notification without undue delay and, where feasible, within 72 hours) starts when a controller becomes aware of the breach, not when the two of you finish arguing about whose incident it is. A documented Data Breach Response Plan will help you move quickly and consistently if an incident occurs.
5) Data Sharing And Retention
Define what data you share, in what format, how often, for how long and on what legal basis. Agree retention periods and deletion protocols for each controller, plus processes to correct inaccurate data promptly. A well‑drafted Data Sharing Agreement is usually the best place to capture these controls and the Article 26 allocation.
6) DPIAs And Records Of Processing
If your joint processing is likely to be high risk (for example, large‑scale monitoring or sensitive data), carry out a Data Protection Impact Assessment (DPIA) together. Both parties should maintain records of processing activities that accurately reflect the joint arrangement.
7) Processors And Sub‑Processors
If either controller engages a processor (e.g. an email platform or CRM), that controller must put in place a compliant Data Processing Agreement with mandatory UK GDPR clauses. Joint control doesn’t remove the need for solid processor contracts and due diligence.
How To Put A Joint Controller Arrangement In Place
Getting this right from day one will save time, reduce risk, and keep your relationship on track. Here’s a practical approach.
Step 1: Map The Processing Together
Hold a workshop with your partner to map the data lifecycle: collection points, data fields, systems, access, purposes, lawful bases, retention and deletion. Identify any high‑risk elements (e.g. children’s data, special category data, large‑scale profiling).
Step 2: Decide If It’s Joint Control (Or Not)
Use the indicators above. If both of you decide the core “why” and “how”, you’re likely joint controllers. If one party just follows instructions, it’s a controller–processor relationship instead. Getting this classification wrong can lead to non‑compliant contracts and enforcement risk.
Step 3: Draft Your Article 26 Arrangement
Document who will lead on transparency, rights requests, security incident coordination, DPIAs and dealing with the ICO. If you also share data on an ongoing basis, roll these terms into a single, comprehensive Data Sharing Agreement that covers Article 26 and practical operational details.
Step 4: Update Privacy Notices And Capture Consent (If Needed)
Update your privacy notices to name the joint controllers, explain the arrangement’s essence, and set out contact points. If you rely on consent, make sure it’s properly captured for both controllers and that withdrawal is easy and honoured across the arrangement. Your website’s Cookie Policy and cookie banner should also reflect any shared analytics or marketing tools used jointly.
Step 5: Build Operational Playbooks
Agree SLAs for handling rights requests, correction of data, and breach notifications. Set up shared secure channels for data exchange and a joint escalation process. Align your training and appoint named contacts in each business for data protection coordination.
Step 6: Keep It Under Review
As campaigns, tooling or purposes evolve, revisit your lawful bases, notices and retention rules. Build a review date into your agreement and keep a change log for accountability.
Joint Controllers Vs Processors Vs Independent Controllers
Getting the roles right is critical because the contract and compliance setup changes depending on the relationship.
Joint Controllers
- Decide together the purposes and essential means of processing.
- Must put in place an Article 26 allocation and inform individuals of the arrangement’s essence.
- Each is responsible for its own UK GDPR compliance, and individuals can exercise rights against any controller. Under Article 82, an individual who suffers damage can claim the full amount from any one of the joint controllers, which can then claim back the other’s share; the Article 26 allocation governs recourse between you, not the individual’s claim.
Controller–Processor
- The controller decides purposes and means; the processor acts only on instructions.
- Must have a UK GDPR‑compliant Data Processing Agreement with mandatory clauses (security, sub‑processors, assistance with rights requests, deletion/return on termination, etc.).
- Processor cannot repurpose the data and must implement appropriate security measures.
Independent Controllers
- Each party separately determines its own purposes and means, even if data is exchanged.
- Use controller‑to‑controller terms or a Data Sharing Agreement that clarifies responsibilities, lawful bases, and restrictions on onward disclosure.
- Each controller updates its own privacy notices and handles rights requests for its processing.
Common Pitfalls And How To Avoid Them
These are the mistakes we see most often with joint data controllers - and how to stay clear of them.
1) “We’re Just Sharing a List” - Underestimating Joint Decisions
If you’re co‑designing a campaign and deciding together what data to collect and how it’s used, you’re more than “just sharing a list.” Treat it as joint control from the start and put the right Article 26 terms in place.
2) Fuzzy Roles For Rights Requests
Nothing stalls goodwill like a missed SAR deadline because “the other side was dealing with it.” The response window is one month from receipt (extendable by up to two further months only where requests are complex or numerous, and you must tell the individual within the first month). Decide a lead, set SLAs, and create a shared tracker for subject access requests, erasure and objections. Build in cover for holidays and absences.
3) Forgetting To Update Privacy Notices
Transparency is a core UK GDPR principle. Make sure your notices clearly name the joint controllers, explain the arrangement’s essence, and give contact routes. This should sit alongside your core website disclosures (including your Cookie Policy for online tracking).
4) No Agreed Incident Response
When incidents happen, minutes matter. Pre‑agree severity thresholds, investigation steps, and who informs affected individuals and the ICO. A shared Data Breach Response Plan makes decisions faster and more defensible.
5) Confusing Processors With Joint Controllers
If a partner is truly acting on your instructions, they’re a processor - and you’ll need a robust Data Processing Agreement. If they’re deciding purposes with you, it’s joint control - use an Article 26 allocation and, typically, a Data Sharing Agreement. Getting this wrong can trigger non‑compliance and enforcement risk.
6) Not Considering Costs And Registration Duties
Most UK businesses processing personal data must pay the ICO data protection fee unless exempt. The fee is payable by each controller organisation, so joint control does not let you split a single registration. Factor this into your compliance budget and check whether any ICO fee exemptions apply to your organisation.
7) Over‑Broad Sharing For “Legitimate Interests”
Legitimate interests is not a free pass. Perform and document a balancing test, respect opt‑outs, and keep sharing proportionate to the agreed purposes. If you move into new uses, revisit your lawful basis and update notices.
8) No Clear Deletion Protocols
Agree retention rules and how each party will delete or anonymise data at the end of the campaign or partnership. Build deletion steps into your off‑boarding checklist and test them.
9) Overlooking Voice, Video Or Biometrics
If your joint activity involves call recording, video, surveillance or staff monitoring, be extra cautious with privacy and employment rules. Biometric data used to uniquely identify someone (e.g. facial recognition or voiceprints) is special category data under Article 9, so you need an Article 9 condition as well as a lawful basis, and a DPIA is almost always required. Recording conversations or installing CCTV with audio brings additional considerations under both privacy law and employment law. Make sure your broader privacy documentation and policies cover these use‑cases appropriately.
10) Missing Governance And Training
Assign named contacts, refresh training annually, and keep minutes of joint DPIAs and reviews. Good governance reduces mistakes and shows accountability if the ICO comes calling.
Key Takeaways
- You’re joint data controllers when you and another organisation decide together why and how personal data is processed. This triggers Article 26 duties under UK GDPR.
- Put a clear, written allocation in place covering transparency, rights requests, security, DPIAs, retention and communications with the ICO - usually inside a tailored Data Sharing Agreement.
- Update your privacy notices so individuals know who the joint controllers are, how their data is used, and how to exercise their rights. Ensure your Privacy Policy and Cookie Policy reflect the arrangement.
- Agree operational playbooks: who leads on subject access requests, how you share data securely, and how you respond to incidents with a joint Data Breach Response Plan.
- Distinguish joint controllers from controller–processor relationships. If a partner follows your instructions, you’ll need a robust Data Processing Agreement; if you decide purposes together, use an Article 26 allocation.
- Budget for compliance (including the ICO fee) and check if any ICO fee exemptions apply. Review your arrangement regularly as campaigns, tools and purposes evolve.
If you’d like help setting up a compliant joint controller arrangement, drafting a Data Sharing Agreement, or refreshing your Privacy Policy, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.