Joint Controllers (Article 26)
Joint Controllers, as defined under Article 26 of the General Data Protection Regulation (GDPR), arise when two or more controllers jointly determine the purposes and means of processing personal data. This concept is crucial in modern data ecosystems where multiple organizations collaborate and share responsibilities over the same data processing activities.
When organizations act as joint controllers, Article 26 requires them to establish a transparent arrangement between themselves that defines their respective responsibilities for complying with the GDPR. This arrangement must particularly address the following key aspects:
1. **Obligations Distribution**: The arrangement must clearly delineate which controller is responsible for fulfilling specific GDPR obligations, especially regarding the exercise of data subjects' rights and the duty to provide information under Articles 13 and 14.
2. **Contact Point**: The arrangement may designate a single contact point for data subjects, making it easier for individuals to exercise their rights regardless of which controller is handling their data.
3. **Transparency to Data Subjects**: The essence of the arrangement must be made available to data subjects. This ensures individuals understand who is processing their data and who to approach for privacy-related concerns.
4. **Data Subject Rights**: Regardless of the terms of the arrangement between joint controllers, data subjects may exercise their rights under the GDPR against each of the controllers. This means that individuals are not bound by internal arrangements and can hold any joint controller accountable.
The concept was notably expanded by the Court of Justice of the European Union (CJEU) in cases like *Wirtschaftsakademie* and *Fashion ID*, which broadened the interpretation of joint controllership to include scenarios where parties influence data processing even without access to the personal data themselves. Joint controllership requires careful documentation and clear contractual frameworks. Organizations must conduct thorough assessments to determine whether their collaborative data processing activities constitute joint controllership, as failure to establish proper arrangements can result in significant regulatory penalties and liability exposure under the GDPR.
Joint Controllers (Article 26) – A Comprehensive Guide for CIPP/E Exam Preparation
Introduction
Joint controllership is one of the most nuanced and frequently tested concepts in the CIPP/E exam. Article 26 of the General Data Protection Regulation (GDPR) governs situations where two or more controllers jointly determine the purposes and means of processing personal data. Understanding this provision is critical not only for passing the exam but also for real-world data protection compliance.
Why Is Article 26 Important?
In today's interconnected digital economy, it is increasingly common for multiple organisations to collaborate on data processing activities. Social media platforms, joint marketing campaigns, shared databases, and collaborative research projects all raise the question of whether the participating organisations are acting as joint controllers. Article 26 is important for several reasons:
1. Clarity of Responsibility: When multiple parties process personal data together, it can be unclear who bears responsibility for compliance. Article 26 requires joint controllers to clearly allocate their respective responsibilities, ensuring that no obligations fall through the cracks.
2. Protection of Data Subjects' Rights: Data subjects must know whom to contact to exercise their rights (access, erasure, rectification, etc.). Article 26 ensures that regardless of internal arrangements, data subjects can exercise their rights against any of the joint controllers.
3. Accountability Principle: Article 26 is a direct expression of the accountability principle under Article 5(2) GDPR. Joint controllers must be able to demonstrate compliance and show how responsibilities are divided.
4. Liability Implications: Under Article 82 GDPR, each joint controller may be held liable for the entire damage caused by processing that infringes the GDPR, making it essential to understand and properly structure joint controller arrangements.
5. Regulatory Scrutiny: Supervisory authorities and the CJEU (Court of Justice of the European Union) have increasingly examined joint controllership, as seen in landmark cases such as Wirtschaftsakademie, Jehovah's Witnesses, and Fashion ID.
What Is Joint Controllership Under Article 26?
Article 26(1) states that where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. The key elements are:
1. Two or More Controllers
Each party must qualify as a controller in its own right — meaning each has a role in determining the purposes and/or means of processing. This is distinguished from a controller-processor relationship, where the processor acts only on the controller's instructions.
2. Joint Determination of Purposes and Means
The word jointly does not require that each party determines purposes and means equally or to the same degree. According to the EDPB (European Data Protection Board) and CJEU case law, joint controllership can exist even when:
- The parties have different levels of involvement.
- The parties process data at different stages.
- One party has more influence over purposes while the other has more influence over means.
The critical question is whether the parties are making converging decisions about the processing — decisions that have a tangible impact on the determination of purposes and means and that are inextricably linked.
3. Arrangement Between Joint Controllers
Article 26(1) requires joint controllers to determine their respective responsibilities for compliance with the GDPR in a transparent manner by means of an arrangement between them. This arrangement must address, in particular:
- The exercise of data subjects' rights (who handles access requests, erasure requests, etc.).
- The respective duties to provide information under Articles 13 and 14.
Article 26(2) specifies that the arrangement shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement must be made available to data subjects.
4. Data Subject Rights Are Not Limited by the Arrangement
Article 26(3) makes clear that regardless of the terms of the arrangement between joint controllers, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers. This is a critical safeguard — joint controllers cannot use their internal agreement to restrict or complicate the exercise of data subjects' rights.
How Does Joint Controllership Work in Practice?
Step 1: Identifying Joint Controllership
The first step is to assess whether joint controllership exists. Key indicators include:
- Multiple parties making decisions about why (purposes) and how (means) personal data is processed.
- A common or converging objective that the parties pursue together.
- Mutual benefit from the processing.
- The processing would not be possible without the participation of each party (or at least the involvement of each party significantly shapes the processing).
Important distinction: Not every collaboration results in joint controllership. If two organisations independently determine purposes and means (even if they use the same data), they are separate controllers, not joint controllers. Similarly, if one party merely provides processing services under instruction, a controller-processor relationship exists instead.
Step 2: Establishing the Arrangement
Once joint controllership is identified, the parties must enter into an arrangement (often a written agreement) that covers:
- Allocation of compliance obligations: Who handles DPIAs, data breach notifications, record-keeping, etc.
- Data subject rights management: A designated contact point or clear process for handling requests.
- Information obligations: Who provides privacy notices under Articles 13/14 and what information each party provides.
- Security measures: Respective responsibilities for technical and organisational measures.
- Data breach notification: Who notifies the supervisory authority and data subjects in the event of a breach.
Step 3: Transparency to Data Subjects
The essence of the arrangement must be made available to data subjects. This is typically achieved through privacy policies, supplementary notices, or references in privacy information that explain the joint controllership relationship and how responsibilities are divided.
Step 4: Ensuring Data Subject Rights Are Protected
Regardless of internal allocation, each joint controller must be prepared to handle data subject requests. If a data subject contacts any one of the joint controllers, that controller must facilitate the request, even if the arrangement assigns primary responsibility to the other party.
Key CJEU Case Law on Joint Controllership
Understanding the following landmark cases is essential for the CIPP/E exam:
1. Wirtschaftsakademie Schleswig-Holstein (Case C-210/16, 2018)
The CJEU held that the administrator of a Facebook fan page was a joint controller with Facebook for the processing of personal data of visitors to the fan page. Even though the administrator did not have access to the raw data and Facebook made most decisions about the processing, the administrator contributed to determining the purposes (audience insights, marketing) and enabled the processing by creating the page.
2. Jehovah's Witnesses (Case C-25/17, 2018)
The CJEU found that the Jehovah's Witnesses community was a joint controller with its individual members who collected personal data during door-to-door preaching. The community organised, coordinated, and encouraged the data collection activity, thereby jointly determining its purposes and means.
3. Fashion ID (Case C-40/17, 2019)
The CJEU held that a website operator who embedded a Facebook "Like" button on its website was a joint controller with Facebook for the collection and transmission of personal data triggered by the plugin. However, the joint controllership was limited to the specific processing operations for which the website operator actually determined purposes and means (collection and transmission), not for subsequent processing by Facebook.
Key Takeaways from Case Law:
- Joint controllership does not require equal involvement.
- Joint controllership can be limited to specific stages or operations of processing.
- The existence of a mutual benefit or common purpose is a strong indicator.
- Even passive or indirect involvement in determining purposes and means can establish joint controllership.
Joint Controllers vs. Other Roles
Joint Controllers vs. Separate (Independent) Controllers:
Joint controllers share determination of purposes and means. Separate controllers each independently determine their own purposes and means. For example, if Organisation A shares data with Organisation B and each uses it for its own, separate purposes, they are likely separate controllers (and should have a data sharing agreement rather than a joint controller arrangement).
Joint Controllers vs. Controller-Processor:
A processor processes personal data on behalf of the controller and does not determine the purposes of processing. If a party makes its own decisions about purposes, it is a controller (or joint controller), not a processor. Mischaracterising a joint controller relationship as a controller-processor relationship is a common compliance failure and a favourite exam topic.
Common Exam Scenarios and How to Analyse Them
Scenario 1: Two companies jointly develop and operate a shared customer loyalty programme. Both decide what data is collected and how it is used for marketing purposes.
Analysis: This is joint controllership — both parties jointly determine purposes (marketing, customer retention) and means (data collection methods, platform design).
Scenario 2: A company uses a cloud service provider to store and process data. The provider only acts on the company's instructions.
Analysis: This is a controller-processor relationship, not joint controllership.
Scenario 3: A company embeds a third-party analytics tool on its website. The tool provider also uses the collected data for its own purposes.
Analysis: Following Fashion ID principles, the company and the tool provider may be joint controllers for the collection and transmission of data, but the tool provider is likely a separate controller for its own subsequent processing.
Exam Tips: Answering Questions on Joint Controllers (Article 26)
1. Start with the Definition: When you see a question about joint controllership, always begin your analysis by stating the Article 26(1) definition: two or more controllers who jointly determine the purposes and means of processing.
2. Apply the "Purposes and Means" Test: Ask: Do both parties play a role in deciding why data is processed (purpose) and/or how it is processed (means)? If yes, joint controllership likely exists. Remember that the determination does not need to be equal.
3. Know the Three Key Cases: The CIPP/E exam frequently tests knowledge of Wirtschaftsakademie, Jehovah's Witnesses, and Fashion ID. Be able to identify the principle from each case and apply it to new fact patterns.
4. Remember the Arrangement Requirement: Article 26 requires an arrangement that allocates responsibilities. If an exam question asks what joint controllers must do, the arrangement is a key requirement. Note that it must cover data subject rights and information obligations in particular.
5. Emphasise Data Subject Protections (Article 26(3)): A favourite exam point: regardless of the internal arrangement, data subjects can exercise their rights against any joint controller. This is non-derogable. If a question asks what protections data subjects have, this is the answer.
6. Distinguish from Other Relationships: Expect questions that test whether you can distinguish joint controllers from separate controllers and from controller-processor relationships. Focus on who determines purposes and means.
7. Think About Liability: Under Article 82(4), where a controller is involved in the same processing with other controllers, each controller shall be held liable for the entire damage. Under Article 82(5), a controller that has paid full compensation may claim back the proportionate share from other controllers. This joint and several liability aspect is frequently tested.
8. Transparency Obligation: Remember that the essence of the joint controller arrangement must be made available to data subjects (Article 26(2), last sentence). Questions may test whether the full arrangement must be published (it need not be — only the essence).
9. Watch for Trick Questions on Equal Involvement: A common misconception is that joint controllership requires equal decision-making power. The CJEU has made clear that unequal involvement can still constitute joint controllership. If an answer option states that parties must have equal roles, this is incorrect.
10. Scope of Joint Controllership Can Be Limited: Following Fashion ID, joint controllership can apply to only certain processing operations rather than the entire data lifecycle. Be prepared to identify which specific operations fall under joint controllership and which do not.
11. Use Elimination Strategy for Multiple Choice: In CIPP/E multiple-choice questions, eliminate answers that confuse joint controllership with processor arrangements, that state data subjects can only contact one designated controller, or that require formal equality of decision-making between joint controllers.
12. Link to Accountability: Article 26 sits within the broader GDPR accountability framework. When writing longer answers, connecting joint controllership to the accountability principle (Article 5(2)) and demonstrating compliance (Article 24) strengthens your analysis.
Summary Checklist for Article 26
✓ Joint controllership arises when two or more controllers jointly determine purposes and means of processing.
✓ An arrangement must be made allocating responsibilities (especially data subject rights and information duties).
✓ The essence of the arrangement must be made available to data subjects.
✓ Data subjects can exercise rights against any joint controller regardless of the arrangement.
✓ Joint controllership does not require equal involvement — unequal participation suffices.
✓ Joint controllership can be limited to specific processing operations.
✓ Joint and several liability applies under Article 82.
✓ Key cases: Wirtschaftsakademie, Jehovah's Witnesses, Fashion ID.
By mastering these principles, understanding the case law, and practising scenario-based analysis, you will be well-equipped to handle any question on Joint Controllers (Article 26) in the CIPP/E examination.