
Joint Controller Agreement (Free Download + AI Generator)

Greg Mitchell | Legal consultant at AI Lawyer

3 minutes to read

Downloaded 2898 times


When two or more organizations jointly determine why and how personal data is processed, their responsibilities do not disappear into shared decision-making. Under the General Data Protection Regulation (GDPR), joint controllers must clearly define their respective roles, duties, and liability. A Joint Controller Agreement establishes that clarity in writing, ensuring transparency toward data subjects and regulators while reducing compliance risk.



TL;DR


  • Clarifies how joint controllers allocate GDPR responsibilities.

  • Defines which party handles data subject rights and regulatory communications.

  • Documents security, breach notification, and compliance obligations.

  • Allocates liability and risk exposure between controllers.

  • Demonstrates accountability under GDPR Article 26.

  • Supports audit readiness and regulatory scrutiny.

Download Template: Joint Controller Agreement Template or customize one using our AI Generator, then have your legal advisor review it before implementation.

Organizations operating across multiple EU jurisdictions or processing large volumes of sensitive data should ensure the agreement reflects sector-specific regulatory requirements.





Disclaimer


This article is provided for general informational purposes only and does not constitute legal advice. Data protection laws and regulatory interpretations vary by jurisdiction and industry. Consult qualified legal counsel before adopting or relying on any template for compliance purposes.



Who Should Use This Document?


A Joint Controller Agreement applies whenever two or more legally separate entities jointly determine the purpose (“why”) and essential means (“how”) of processing personal data. In that case, GDPR expects the parties to document their arrangement under Article 26, as further explained in the EDPB guidance on controllers/joint controllers.

This document matters most when collaboration impacts individuals’ rights, involves large-scale processing, or creates overlapping compliance exposure (see GDPR Chapter III – Data subject rights). The following categories commonly need a Joint Controller Agreement:

Technology Platforms and Strategic Partners
Co-developed platforms or integrated products where both parties decide how user data is collected, used, and retained can create joint controllership (CJEU context: Fashion ID).

Marketing Alliances and Co-Branded Campaigns
Joint campaigns and shared customer datasets often involve shared decisions on targeting and tracking, requiring aligned transparency and rights handling (Chapter III).

Healthcare Providers and Research Institutions
Collaborative studies where parties jointly set methodology and data use typically require formal role allocation — especially for special-category data and DPIAs (Article 35).

Corporate Groups and Multinational Affiliates
Group-wide HR, investigations, or analytics platforms may involve shared decisions across entities, making an Article 26 arrangement important for audit clarity.

Financial Institutions and FinTech Collaborations
Joint decisions on fraud monitoring or profiling should clearly split incident and notification workflows.

Public-Private Partnerships and Government Programs
Where a public authority and vendor jointly shape program objectives and data processing, formal allocation under Article 26 supports accountability and public trust.

Any organization with shared decision-making over processing should formalize responsibilities to:

  • Define who handles rights requests

  • Align transparency disclosures

  • Set breach notification coordination

  • Allocate liability and internal recourse

  • Demonstrate accountability to regulators

An Article 26 Joint Controller Agreement reduces regulatory risk by making shared processing “governed”: it clarifies who does what, ensures consistent transparency and rights handling, and creates a defensible accountability record for supervisory authorities.



What Is a Joint Controller Agreement Template?


A Joint Controller Agreement template is a formal legal framework that documents how two or more controllers comply with GDPR when they jointly determine the purposes and essential means of processing. It operationalizes GDPR Article 26 and is commonly aligned with the EDPB Guidelines 07/2020.

Defined Allocation of GDPR Duties
It assigns who does what — e.g., handling rights requests under Chapter III, managing consent evidence, running DPIAs (Article 35), and maintaining ROPA — to avoid gaps or duplication.

Transparency and Data Subject Communication
It supports consistent privacy notices, clarifies the contact point and response workflow (Article 12), and ensures the “essence” of the arrangement is made available as required by Article 26.

Security Governance and Breach Coordination
It sets expectations for technical/organizational measures and defines cooperation timelines for breach detection and notification under Articles 33–34.

Internal Liability and Financial Risk Management
Because individuals may claim against any joint controller, the agreement allocates internal financial responsibility (cost-sharing/indemnities) to match each party’s control and contribution.

Structured Oversight and Cooperation Mechanisms
It usually covers regulator cooperation, documentation, audit/assurance rights, dispute resolution, and periodic reviews — supporting GDPR accountability (Article 5(2)).

A Joint Controller Agreement turns shared processing into a governed Article 26 arrangement by assigning duties, aligning transparency and rights handling, coordinating security/breach response, and allocating liability — making collaboration compliant and defensible.



When Do You Need a Joint Controller Agreement?


A Joint Controller Agreement is required when cooperation becomes shared control over processing decisions. Under GDPR Article 26, if two or more organizations jointly determine the purpose (“why”) and essential means (“how”) of processing, they must document their arrangement in writing. This obligation is reinforced by responsibility-allocation logic in Recital 79 and clarified in the EDPB Guidelines 07/2020.

When Strategic Decisions Are Made Together
Joint controllership may exist when parties jointly design a data-driven project — e.g., defining campaign objectives, research methods, platform architecture, analytics tools, profiling criteria, retention, or access rules (see EDPB Guidelines 07/2020).

If both influence “why” and key “how” elements, the relationship typically falls within Article 26 (CJEU context: C-683/21 (EUR-Lex)).

When Customer or User Data Is Combined
Joint controller status commonly arises where datasets are merged or jointly analyzed for shared goals (e.g., shared CRMs, loyalty programs, cross-platform advertising, benchmarking). If the parties jointly decide how combined data is used, they should allocate duties consistently with GDPR principles in Article 5 and lawful-basis planning under Article 6.

When Individuals’ Rights Could Be Impacted
When processing affects individuals through targeting, scoring, eligibility, or large-scale analytics, roles must support rights handling under GDPR Chapter III. If profiling/automated decisions apply, Article 22 may be relevant.

Without clear allocation, data subjects may not know who answers access/erasure/objection requests — an issue addressed in EDPB Guidelines 07/2020.

When Regulatory Oversight or Audits Are Likely
Regulators and auditors often expect written evidence of Article 26 allocation. Documentation also supports the accountability principle in Article 5(2).

When High-Risk or Sensitive Data Is Involved
If special-category data is processed or risk is high, a DPIA may be required (Article 35). The agreement should split security duties and breach coordination.

When Cross-Border or Multi-Jurisdictional Processing Occurs
Multi-country operations benefit from clarified lead authority engagement (Article 56) and cooperation processes (Article 60). If data transfers occur, address the Chapter V requirements and, where used, the EU SCCs (see the Commission’s SCC overview).

If two or more organizations share real influence over the “why” and “how” of processing, an Article 26 Joint Controller Agreement is usually required to allocate transparency and rights handling, coordinate security and breach response, and provide auditable accountability.



Related Documents


A Joint Controller Agreement often operates within a broader privacy governance framework.

| Related Document | Why It Matters | When Used Together |
| --- | --- | --- |
| Data Processing Agreement (DPA) | Defines controller–processor obligations | When processors are involved in addition to joint controllers |
| Data Sharing Agreement | Structures lawful data transfers | When controllers exchange data but remain independent |
| Privacy Policy | Provides public transparency | To reflect allocated responsibilities |
| Records of Processing Activities (ROPA) | Documents internal compliance | To support Article 30 obligations |
| Standard Contractual Clauses (SCCs) | Governs international transfers | When data leaves the EEA |

Understanding how these documents interact prevents contractual overlap and compliance gaps.



What Should a Joint Controller Agreement Include?


Because the GDPR does not prescribe a rigid format for Joint Controller Agreements, the structure may vary depending on the collaboration model. However, Article 26 requires two core elements:

Beyond these mandatory elements, best practice — supported by the EDPB Guidelines 07/2020 — is to include additional clauses that make shared processing operationally workable and accountable.

An effective Joint Controller Agreement should typically include the following components:

Clear Definition of Joint Processing Activities
Precisely describe which processing is “joint” (not all cooperation is). Identify data flows, categories of data, purposes, and where decisions are made collectively (see controller concepts in Article 4(7) and the EDPB Guidelines 07/2020). Clear scoping limits Article 26 exposure to the right activities.

General Data Protection Principles
Reference the key principles in Article 5 (transparency, minimization, accuracy, storage limitation, integrity/confidentiality) and how the parties will evidence accountability.

Security and Technical Safeguards
Define the technical/organizational measures each party implements and who owns/monitors them under Article 32 (e.g., access control, encryption where appropriate, logging, monitoring, incident detection).

Data Breach Management
Set internal escalation timelines and identify who notifies the authority and/or individuals, consistent with Articles 33–34, plus documentation and post-incident coordination.

Data Protection Impact Assessments (DPIAs)
If high-risk processing exists, designate who leads the DPIA under Article 35, how mitigations are implemented, and how outcomes are shared (and whether Article 36 consultation may apply).

International Data Transfers
If data is transferred outside the EEA, specify who implements transfer safeguards under Article 46 and how compliance with Article 44 is maintained (including SCCs where relevant: Commission SCC overview).

Liability, Indemnification, and Financial Risk Allocation
Because data subjects may claim against any joint controller, allocate internal financial responsibility (indemnities/cost sharing/insurance expectations) to match each party’s role.

Cooperation with Supervisory Authorities
Set roles for regulator engagement, investigations, and inquiries — especially where coordination mechanisms like Article 60 may apply.

Define term/termination and exit mechanics (data return/deletion, retention, continuing confidentiality, and cooperation) so GDPR responsibilities remain clear and enforceable even after the collaboration ends.



Legal Requirements and Regulatory Context


The legal basis for Joint Controller Agreements sits in GDPR Article 26, which requires joint controllers to set out their respective responsibilities “in a transparent manner” through an arrangement reflecting their roles in the processing.

The GDPR also establishes liability rules under Article 82, allowing data subjects to seek compensation for GDPR infringements, which makes internal allocation of liability (and cost sharing) essential for risk management between controllers.

Guidance from the European Data Protection Board (EDPB) clarifies when joint controllership applies in practice — especially in connected digital ecosystems, platform partnerships, and advertising/analytics models — helping parties distinguish “joint” decisions from mere service provision.

Supervisory authorities increasingly scrutinize joint arrangements in investigations and audits, supported by their investigative/corrective powers under Article 58 and the administrative fine framework in Article 83 — so missing or vague role documentation can escalate into enforcement, fines, and reputational harm.

For international or multi-jurisdiction collaborations, joint controllers should also document cross-border governance (e.g., lead authority coordination under Articles 56/60) and data transfer safeguards under Chapter V, including use of the Commission’s SCC framework (Decision (EU) 2021/914) where relevant — so responsibilities remain clear and defensible across regulators and borders.



Common Mistakes When Drafting a Joint Controller Agreement


Even experienced organizations can make drafting errors that create compliance gaps. Because joint controllership involves shared responsibility, clarity and precision are essential. Below are common mistakes to avoid (see GDPR Article 26 and the EDPB Guidelines 07/2020).

Misclassifying the Relationship
Incorrectly labeling a party as a processor instead of a joint controller can lead to regulatory scrutiny. Authorities assess the real decision-making structure, not the label (controller definition: Article 4(7)). If both parties determine the purpose and essential means of processing, they must reflect that reality under Article 26. Joint controllership has also been reinforced in CJEU case law in platform/embedded-technology contexts (e.g., Fashion ID press release).

Vague Allocation of Responsibilities
Broad statements such as “both parties will comply with GDPR” are insufficient. Article 26 expects a clear split of duties, including transparency notices, data subject requests (GDPR Chapter III), DPIAs, and breach notification coordination. The EDPB guidance explains how to structure responsibility allocation so it’s operationally workable (EDPB Guidelines 07/2020).

Ignoring Data Subject Communication
Failing to designate a contact point or clarify request routing can cause delays and missed deadlines. The arrangement must explain how individuals exercise their rights under Chapter III, align communications with Article 12 (including time limits in Article 12(3)), and ensure the “essence” of the joint arrangement is made available under Article 26(2).

Overlooking Liability Provisions
Because GDPR establishes joint and several liability toward data subjects, not addressing internal indemnities, cost sharing, and cooperation during claims can leave one party carrying disproportionate financial exposure. Liability planning also matters because noncompliance can trigger administrative fines under Article 83.

Using Generic Templates Without Customization
Every collaboration has unique data flows and decision-making structures. Copying a standard template without mapping it to actual operations can create inconsistencies — especially around security roles, vendor involvement, and breach handling (Articles 33–34). The EDPB guidance stresses assessing the factual setup and documenting responsibilities accordingly (EDPB Guidelines 07/2020).

Avoid these pitfalls by correctly classifying the relationship, explicitly assigning Article 26 responsibilities (notices, rights handling, DPIAs, security and breach workflows), and tailoring the agreement to real data flows and governance — so the arrangement is practical, auditable, and defensible.



How Does the AILawyer.pro Joint Controller Agreement Template Help?


The AILawyer.pro template provides a structured framework aligned with GDPR Article 26 requirements. It includes modular sections for responsibility allocation, data subject rights handling, security governance, and liability distribution.

The integrated AI drafting tools allow users to convert operational details into legally coherent language tailored to their collaboration model. This reduces drafting errors, accelerates compliance documentation, and supports regulatory preparedness.

The template is suitable for technology partnerships, research collaborations, marketing alliances, and corporate group arrangements seeking structured and defensible governance.



Practical Tips for Completing Your Joint Controller Agreement


Drafting an effective Joint Controller Agreement requires careful planning and coordination between all parties involved. The following steps help ensure the agreement accurately reflects operational realities and remains compliant with GDPR requirements (see GDPR Article 26 and EDPB Guidelines 07/2020):

Map All Joint Decision-Making Processes
Before drafting, document every processing activity where decisions are made jointly. Identify the purpose, scope, and methods for each operation, focusing on who influences the “why” and essential “how” (controller concept: Article 4(7)). This mapping helps ensure the agreement matches the real governance model required by Article 26.

Assign Operational Responsibility for Data Subject Requests
Decide which organization will operationally coordinate rights requests under GDPR Chapter III — including access (Article 15), rectification, erasure, objection, and portability. Tie the workflow to the communication and timing rules in Article 12 (especially Article 12(3)) to avoid missed deadlines.

Align Transparency and Privacy Notices
Ensure privacy notices accurately reflect the joint arrangement and the allocated responsibilities. Notices should meet transparency requirements under Articles 13–14, and the “essence” of the joint controller arrangement must be made available to individuals under Article 26(2).

Confirm Security and Compliance Standards
Verify that each controller’s technical and organizational measures meet GDPR expectations under Article 32 (e.g., access control, encryption where appropriate, logging/monitoring, staff training). Also pre-define how incident detection and escalation will work so breach obligations under Articles 33–34 can be met consistently.

Review Cross-Border Data Transfers
If personal data is transferred outside the EU/EEA, assign responsibility for transfer compliance under Chapter V — including Article 44 and safeguards under Article 46. Where used, document SCC implementation using the Commission’s SCC overview and the underlying Implementing Decision (EU) 2021/914; for corporate groups, consider whether BCRs under Article 47 are relevant.

If the collaboration involves special-category data (Article 9), large-scale profiling/automated decisions, or otherwise high-risk processing, bring legal counsel in early to validate the Article 26 allocation, confirm DPIA requirements (Article 35), and tighten liability, breach coordination, and cross-border safeguards — so the agreement is workable, auditable, and defensible.



Checklist Before You Sign or Use the Joint Controller Agreement


Before finalizing a Joint Controller Agreement, review the points below to ensure clarity, compliance, and enforceability — especially the transparency and allocation duties under GDPR Article 26 (controller definition: Article 4(7)).

Clearly Describe Joint Processing Activities
List only the processing that is truly “joint” (shared decisions on the “why” and essential “how”). Document data categories, purposes, and shared decision points to keep scope defensible under Article 26.

Document Lawful Basis for Processing
Record each controller’s lawful basis and confirm purpose limitation (Article 5(1)(b)). If further processing is planned, address Article 6(4).

Define Security Measures
State the key technical/organizational measures and who owns them (access controls, encryption where appropriate, monitoring, training) in line with Article 32.

Include Breach Notification Procedures
Define internal escalation and who notifies the authority/individuals under Articles 33–34.

Review Liability and Risk Allocation
Because claims may be brought against any joint controller (Article 82), include internal indemnities/cost sharing and cooperation terms; keep fine exposure in mind (Article 83).

Address Termination and Exit Procedures
Cover data return/deletion, retention, confidentiality, and access revocation. If transfers apply, ensure Chapter V safeguards are handled (Articles 44–46; SCCs: Commission SCC overview).

Confirm Authorized Signatories
Verify signatory authority and internal approvals so the agreement is enforceable and operationally adopted.

Before signing, lock down joint scope, a concrete Article 26 duty split (notices + rights), lawful bases, security/breach workflows, liability allocation, exit/transfer safeguards, and proper signatory authority — then ensure the “essence” is made available under Article 26(2).



FAQ: Common Questions About the Joint Controller Agreement


Q: Is a Joint Controller Agreement required under GDPR?
A: Yes. Article 26 of the GDPR explicitly requires that when two or more organizations jointly determine the purposes and means of processing personal data, their arrangement must be documented in writing. A formal agreement ensures clear allocation of responsibilities and helps demonstrate compliance to supervisory authorities.

Q: Can a Joint Controller Agreement eliminate liability?
A: No. GDPR holds joint controllers jointly and severally liable toward data subjects, meaning each party can be held responsible for compliance failures. However, the agreement can define internal mechanisms for sharing or mitigating financial and operational risk, helping manage exposure between the parties.

Q: How does this differ from a standard Data Processing Agreement (DPA)?
A: A DPA is used when one party acts solely as a processor on behalf of a controller. In contrast, a Joint Controller Agreement applies when both parties exercise control over why and how personal data is processed. It governs a partnership rather than a vendor relationship, addressing shared decision-making, compliance, and risk allocation.

Q: Does the full agreement need to be publicly available?
A: No. The complete agreement does not need to be published. However, GDPR requires transparency toward data subjects, so the division of responsibilities and contact points for exercising rights must be clearly reflected in privacy notices or other public communications.

Q: When should organizations review or update the agreement?
A: Agreements should be reviewed whenever processing activities change, new parties are added, or high-risk operations are introduced. Regular updates ensure continued compliance and alignment with operational realities and regulatory expectations.



Get Started Today


Formalize your shared data processing responsibilities with confidence. Download the Joint Controller Agreement Template, customize it using our AI Generator, and obtain legal review before execution.

Strengthen compliance, clarify accountability, and reduce regulatory risk through a structured and professionally drafted agreement.



Sources and References


  • GDPR regulatory guidance

  • Best practices in data governance

  • Audit readiness

  • Fashion ID press release

  • Implementing Decision (EU) 2021/914

  • Articles 44–46

  • Commission SCC overview


©2026 AI Lawtech Sp. z O.O. All rights reserved.