A joint controller arrangement arises when two or more organisations collectively decide the purposes and means of processing personal data. Under Article 26 of the GDPR, joint controllers must enter into a transparent arrangement that defines their respective responsibilities for compliance, particularly regarding the exercise of data subject rights and the provision of information.
In practice, joint controllership is common in partnerships, shared platforms, and collaborative research projects. Organisations must clearly document which party handles data subject requests and breach notifications, as each controller remains fully liable to the data subject regardless of the internal arrangement.