Joint Controller Agreement

Joint Controller Agreement Template

This Joint Controller Agreement (“Agreement”) is entered into on [Date], by and between:

Party A (Controller):
Name: __________________________
Address: __________________________
Email: __________________________
Phone: __________________________

Party B (Controller):
Name: __________________________
Address: __________________________
Email: __________________________
Phone: __________________________

Collectively referred to as the “Parties.”

1. Purpose of the Agreement

The Parties jointly determine the purposes and means of processing personal data as required under GDPR Article 26. This Agreement defines their respective obligations and responsibilities for ensuring lawful, secure, and transparent data processing.

2. Scope of Processing

The Parties will jointly process personal data for the following purposes:
[Describe purposes, e.g., marketing, research, service delivery].

Categories of data subjects include: [e.g., customers, employees, partners].
Categories of personal data include: [e.g., names, contact information, payment data].

3. Roles and Responsibilities

• Party A shall be primarily responsible for [e.g., data collection and initial consent management].

• Party B shall be primarily responsible for [e.g., storage, analytics, and reporting].

• Both Parties share responsibility for overall compliance and shall cooperate to fulfill data subject rights requests.

4. Data Subject Rights

• The Parties agree to provide transparent information to data subjects about the joint processing arrangement.

• Requests for access, rectification, erasure, restriction, or portability shall be directed to [Lead Party].

• The Lead Party will coordinate with the other Party to respond within GDPR-mandated timelines.

5. Security Measures

Each Party shall implement appropriate technical and organizational measures to protect personal data, including but not limited to:

• Encryption and pseudonymization.

• Access controls and audit logs.

• Regular risk assessments and security training.

6. Data Breach Notification

• Each Party must notify the other without undue delay of any personal data breach.

• The Parties will jointly cooperate in assessing and reporting the breach to the relevant supervisory authority within 72 hours.

7. Liability and Indemnification

• Each Party shall be liable for damages arising from its own non-compliance with this Agreement or GDPR.

• If both Parties are jointly liable, they shall share liability proportionately to their level of responsibility.

8. Confidentiality

All personal data and related information must be kept confidential and accessed only by authorized personnel.

9. Term and Termination

• This Agreement begins on the Effective Date and remains in force until terminated by either Party with [X days] written notice.

• Upon termination, each Party shall delete or return personal data as required by law.

10. Governing Law and Jurisdiction

This Agreement shall be governed by the laws of [Jurisdiction] and subject to the exclusive jurisdiction of [Court/Authority].

11. Entire Agreement

This Agreement constitutes the entire understanding between the Parties and supersedes all prior discussions or agreements related to joint data processing.

Signatures

Party A Signature: __________________________ Date: _________
Printed Name & Title: _________________________________________

Party B Signature: __________________________ Date: _________
Printed Name & Title: _________________________________________