Skip to content

What is a Joint Controller?

Table of Contents

If your organisation processes personal information about individuals, it must comply with data protection laws. In the United Kingdom, the UK General Data Protection Regulation (UK GDPR) is the main law governing the use of personal data. Most of the UK GDPR rules apply to ‘data controllers’. Data controllers are organisations that decide how to process personal data. If two or more data controllers jointly agree on how personal data is processed, they will be deemed ‘joint data controllers’. This article will explore what a joint controller is under the UK GDPR. 

What is a Data Controller Under the UK GDPR Rules?

A data controller is a person or organisation that (alone or jointly with others) determines the purposes and means of processing personal data.

In a commercial context, a data controller is a business that chooses how to use personal information. 

For example, a business may:

  • choose how to process personal information about its staff to deal with its employer obligations; or 
  • choose how to process personal data about its clients, for example, to deliver services or send them marketing information. 

A data controller will generally:

  • control the personal data they process;
  • make decisions about how to process personal data; and
  • decide how long to retain personal data before deleting it. 

This significantly contrasts with the role of a ‘data processor’ who does not control personal data but acts on a controller’s instructions. Service providers often act as data processors by following the instructions of their customers regarding how to use personal data. 

What is a Joint Controller?

Often, commercial organisations will share personal data with other organisations. For example, this may occur for joint collaboration projects or research purposes. 

Two scenarios could arise if your organisation shares personal data with another data controller.

Firstly, you can share personal data with another data controller, and both parties jointly determine the purposes and means of processing. In this case, you will be joint controllers. Accordingly, both parties will process the same personal data for a joint purpose. This could be for a collaboration project between two commercial entities.

Alternatively, you can also share personal data with another controller to use for its own individual purpose. For example, where a university shares staff data with potential sponsors to assess for their own purposes. In this case, the two organisations sharing personal data have entirely different objectives for using the data. 

In a joint controller scenario, additional rules and considerations apply under the UK GDPR. If you act as a joint data controller, you must carefully consider and comply with the relevant rules. You should seek legal advice if you need clarification on the applicable rules. 

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Are There Additional Considerations For Joint Controllers?

Joint controllers act as data controllers. As such, the UK GDPR rules for data controllers will apply to them. 

However, further specific and additional considerations will apply if you are a joint data controller as opposed to an independent controller. You must consider these obligations and your general obligations as a data controller. 

As a joint data controller, you must consider additional issues. Let us explore these further below.

Documenting Your Data Sharing

It is a requirement to have an arrangement in place between joint controllers, setting out their respective roles and responsibilities. The best way to do this is to enter into a data-sharing agreement. The agreement should cover various provisions, including the types of personal data you are sharing, any restrictions on how it should be used, apportionment of liability if things go wrong and how to deal with data subject rights. You must also consider specifying a point of contact for data subjects. 

Complying With the ICO’s Guidance

The UK ICO has published a Data Sharing Code of Practice. Where your organisation is sharing personal data, you should carefully consult the code and work to ensure that your data-sharing arrangements reflect its guidance. For example, there is a requirement to carry out a Data Protection Impact Assessment to consider the risks of data sharing. 

You should also consider other requirements in the UK GDPR – for example, documenting the lawful basis you rely upon for the purposes of sharing personal data. 

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

Considering Liability Issues

You should note that you may be liable for non-compliance as a joint controller. A data subject could take action against your organisation for the joint data processing, even if you are not at fault. This gives rise to additional risks to consider. For example, in the worst case, you may have to pay compensation due to the fault of the other joint controller. As such, it is vital to consider the risks associated with joint data processing and how to protect against them. For example, carry out thorough due diligence on the other joint controller and seek contractual protection (such as indemnities) to recover any losses you suffer due to their breaches. 

The considerations around being a joint data controller can be complicated. You should seek legal advice if you are unsure about your obligations and how to protect your business from risk. 

Key Takeaways

The UK GDPR sets out stringent rules for data controllers to comply with. If your organisation shares personal data with another controller, you should consider this carefully. As a priority, you must determine whether you are acting as a joint controller. If so, you will need to ensure that you can demonstrate compliance with the UK GDPR rules as a joint data controller. One of the key ways to demonstrate compliance is to have a robust data-sharing agreement in place to help evidence your accountability. However, there are also various other compliance obligations to consider. If you require support to understand your legal obligations as a joint data controller, you should seek legal advice from a data protection solicitor. 

If you need help understanding whether you are a joint controller or your legal obligations, our experienced IT Lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Register for our free webinars

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards