Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business shares customer, user or employee data with another organisation, you might assume one of you is the “data controller” and the other is just a “service provider”.
In reality, a lot of day-to-day business relationships don’t fit neatly into that box. Sometimes both parties make decisions about why and how personal data is used. When that happens, you may be acting as joint data controllers under UK GDPR.
This matters because joint controller status brings extra compliance steps (and extra risk if you get it wrong). The good news is that once you understand the concept, it’s very manageable - and putting the right documents in place early can save you a lot of headaches later.
Below, we break down what being joint data controllers means, when it applies, what you need to do, and how to protect your business.
What Are Joint Data Controllers Under UK GDPR?
Under UK GDPR, a data controller is the person or organisation that decides:
- why personal data is processed (the “purpose”), and
- how it is processed (the “means”, especially key decisions about the processing).
Joint data controllers are two (or more) controllers who jointly determine those purposes and means.
It’s not about who physically holds the data or whose system it sits in. It’s about who is actually calling the shots.
Controller Vs Processor (And Why It’s Easy To Get Wrong)
A common point of confusion is the controller/processor split:
- Controller: decides the “why” and “how”.
- Processor: processes personal data on the controller’s instructions (for example, a payroll provider running payroll based on your instructions).
- Independent controllers: both parties process the data for their own separate purposes (even if data is shared).
When the relationship is genuinely “you instruct, they do”, you usually want a processor contract in place, such as a Data Processing Agreement (Article 28 UK GDPR requires a written contract with your processor containing specific terms).
But if both parties are deciding what happens - and the processing is part of a shared or aligned activity - you may be in joint controller territory.
A Quick Practical Definition
As a rule of thumb, you’re likely joint controllers if you and another organisation are both answering questions like:
- What data should we collect?
- What is it used for?
- Who do we share it with?
- How long do we keep it?
- How do we communicate this to individuals?
If those decisions are shared (or effectively agreed together), it’s time to take a closer look.
When Do Businesses Become Joint Data Controllers? Common SME Scenarios
Joint controller arrangements often show up in perfectly normal commercial setups - especially for startups, online businesses, franchises, partnerships, and businesses running collaborative marketing or service delivery.
Here are some common examples where SMEs should pause and assess whether joint controller status applies.
1) Joint Marketing Campaigns
Two businesses co-run a campaign, decide together what customer segments to target, what data to collect, and how leads will be followed up. If you’re both deciding the purpose (lead generation) and key means (data fields, platforms, follow-up rules), you may be joint controllers.
2) Co-Hosted Events Or Webinars
If both organisations are collecting attendee details, using them for follow-up marketing, and agreeing how the attendee list will be used, that’s a classic joint controller risk area.
3) Platform Partnerships And Integrations
If you integrate with another business’s platform and you both decide how user data is used across the integration (for example, mutual analytics, shared reporting, or cross-promotion), joint controllership can arise.
4) Referral Arrangements With Shared Lead Management
Referral relationships can be either controller-controller sharing or controller-processor arrangements. The key question is: do you both decide how the lead data will be used and what happens next, or is one party acting strictly on instruction?
5) Group Companies With Shared Systems
Businesses within a group often share HR, CRM, and finance systems. If multiple entities decide how and why personal data is used across the group, you may have joint controller obligations (even if one entity “hosts” the system).
In these scenarios, it’s particularly important that your Privacy Policy clearly explains what’s happening and who individuals should contact.
6) Shared Service Delivery (Where Both Parties Shape The Process)
Sometimes two businesses deliver a service together (for example, a health/wellbeing program, training service, or managed service package). If both parties are deciding how personal data is collected, used, and retained for that service, joint controller status is a real possibility.
None of these scenarios are “bad” or unusual. They just need careful handling so you’re protected from day one.
Why Joint Data Controllers Matter: Key Legal Duties And Risks
Being joint data controllers isn’t just a label - it changes what UK GDPR expects of you, and it can affect who is responsible when something goes wrong.
You Need An Article 26 Joint Controller Arrangement
UK GDPR requires joint controllers to put in place a transparent arrangement that sets out (in essence):
- who does what in terms of UK GDPR compliance; and
- how you’ll make key information available to individuals.
This is commonly called a “joint controller agreement” (or “Article 26 arrangement”). It’s not optional if you’re actually joint controllers.
Individuals Can Enforce Their Rights Against Either Controller
A major commercial risk is that individuals can exercise their rights (like access or deletion requests) against each joint controller, regardless of how your arrangement divides up responsibility (Article 26(3) UK GDPR).
That means you can’t assume the other party will deal with requests properly, and you can’t turn a request away because “the other controller handles that”. Your arrangement needs clear processes, including a route for passing requests between you, so nothing falls through the cracks.
Regulatory And Contractual Risk
If your joint controller relationship is undocumented (or documented incorrectly as “processor” when it isn’t), you can run into:
- regulatory scrutiny (especially after complaints or a data breach);
- commercial disputes if responsibilities aren’t clear;
- reputational damage if customers feel misled about who is using their data; and
- practical chaos - for example, duplicate privacy notices or inconsistent retention periods.
It can feel a bit overwhelming, but the fix is usually straightforward: clarify roles, document them properly, and align your privacy communications.
What Must A Joint Controller Arrangement Include?
There’s no single “perfect” template that works for every business (and generic templates often miss the point). But a solid joint controller arrangement typically covers the following.
1) The Purpose And Scope Of The Joint Processing
Be clear about:
- what activity you’re doing together (for example, running a co-marketing campaign or delivering a shared service);
- what categories of personal data are involved (names, emails, purchase history, etc.); and
- what categories of individuals are affected (customers, prospects, employees, users).
2) Who Handles Privacy Notices And Transparency?
Joint controllers must ensure individuals are told (in a clear and accessible way):
- that the processing is joint;
- the “essence” of the joint arrangement (who is responsible for what); and
- how individuals can exercise their rights.
In practice, this usually means your privacy information needs to align. Often, you’ll do this through your Privacy Policy and any point-of-collection privacy notices (e.g. signup forms).
3) Lawful Basis And Compliance Decisions
UK GDPR requires a lawful basis (such as consent, contract, legitimate interests, legal obligation). Joint controllers should agree:
- what lawful basis applies for each purpose;
- who will gather consent (if consent is used) and how it will be recorded; and
- how legitimate interests assessments will be handled (if relevant).
This is one of those areas where businesses often “assume” alignment - and later discover they’ve each taken a different approach. Documenting it early helps avoid that.
4) Handling Individual Rights Requests (DSARs, Deletion, Objections)
Your agreement should set out who handles what if someone requests:
- access to their data (a DSAR);
- correction of inaccurate data;
- deletion (where applicable);
- restriction or objection; or
- data portability (where relevant).
Even if one party is “front-facing”, both parties should know the internal workflow and timeframes, and how data will be located across systems. The statutory clock (generally one month from receipt, extendable by up to two further months for complex or numerous requests) starts when the request reaches either controller, so the arrangement should say how quickly a request received by one party is passed to the other.
5) Security Measures And Data Breach Response
Joint controllers should agree minimum security standards and how breaches will be handled. A good arrangement will cover:
- technical and organisational measures (access controls, encryption, logging, training);
- incident detection and escalation pathways; and
- who will coordinate notifications to the ICO and affected individuals where required (notifiable breaches must reach the ICO without undue delay and, where feasible, within 72 hours of becoming aware; individuals must be told without undue delay where the breach is likely to result in a high risk to them).
It’s worth remembering that while an arrangement can set out who will take the lead in practice, each joint controller still has its own legal obligations under UK GDPR. In particular, the 72-hour window applies to each controller from the point it becomes aware of the breach, so the arrangement should commit the party that detects an incident to telling the other promptly (ideally within hours, not days) and to sharing the facts the other needs for its own assessment and records.
It’s also sensible to align this with your internal Data Breach Response Plan so your team knows what to do under pressure.
6) Data Sharing Rules (What Goes Where, And When)
In many joint controller situations, you will be sharing personal data back and forth.
A clear Data Sharing Agreement (or equivalent provisions inside your joint controller arrangement) can help document:
- what data can be shared;
- what it can be used for (and what it can’t);
- who the data can be disclosed to; and
- how long it can be kept.
This is especially important for marketing collaborations, referrals, and group-company operations.
7) International Transfers And Sub-Processors
If either joint controller uses suppliers outside the UK (or otherwise makes restricted transfers), you need to consider:
- whether international transfer safeguards are required (for example, reliance on a UK adequacy regulation, or the ICO’s International Data Transfer Agreement or UK Addendum to the EU standard contractual clauses, together with a transfer risk assessment where one is needed); and
- how you’ll ensure both parties are meeting those requirements.
Even if this is a “back-end” issue, it can become very relevant if a complaint is made or a breach occurs.
How To Decide If You’re Joint Data Controllers (A Step-By-Step Checklist)
If you’re unsure whether your relationship is joint controllers, controller-processor, or independent controllers, you’re not alone. Here’s a practical way to assess it.
Step 1: Map The Data Flow
Write down (even just on a simple diagram):
- what data is collected;
- where it comes from (website forms, app, in-person, referrals);
- where it’s stored;
- who can access it; and
- who it is shared with.
Step 2: Identify Who Decides The “Why”
Ask: who decided the purpose? For example:
- “We want to co-run this campaign and both market to the leads” (likely joint).
- “We just want them to send emails on our instruction” (more likely processor).
Step 3: Identify Who Decides The Key “How”
“How” doesn’t mean every minor operational choice. It means meaningful decisions like:
- what data fields are required;
- how leads are scored or profiled;
- who gets access; and
- how long data is retained.
Step 4: Check The Reality (Not Just The Contract Label)
UK GDPR looks at what’s actually happening in practice. Even if your contract calls one party a “processor”, if they’re really deciding the purpose and means with you, you may still be joint controllers.
Step 5: Put The Right Paperwork In Place
Once you’ve identified joint controllership, don’t leave it sitting in an email chain or a handshake agreement.
Document it properly, align your privacy wording, and make sure your internal policies and processes match the setup (for example, how your team manages access to shared systems and responds to data rights requests).
If you’re stuck at any step, this is a good moment to get tailored advice - small details in how your relationship is structured can change the legal analysis.
Key Takeaways
- Joint data controllers arise when two organisations jointly decide the purposes and key means of processing personal data - it’s about decision-making power, not who holds the database.
- Common SME setups like co-marketing campaigns, co-hosted events, group-company operations, and shared service delivery can easily create joint controllership under UK GDPR.
- If you’re joint controllers, you should put an Article 26 joint controller arrangement in place that clearly sets out how you’ll meet UK GDPR requirements and how the “essence” will be made available to individuals.
- You should align your privacy communications (including your Privacy Policy) so customers and users aren’t confused about who is using their data and why.
- Your arrangement should cover practical compliance issues like lawful basis, DSAR handling, security standards, breach response, retention, and data sharing rules (noting that each joint controller keeps its own legal responsibilities under UK GDPR).
- Getting the classification wrong (for example, calling a joint controller a “processor”) can create real legal and commercial risk, especially when complaints or incidents arise.
If you’d like help figuring out whether your business is dealing with joint data controllers - or you want the right agreements and privacy wording in place - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.