How to Demonstrate Compliance With GDPR Article 26

Joint Controllers

Book a demo

business,people,at,work,in,a,busy,luxury,office,space

GDPR Article 26 ensures that in the event of joint controllers operating with the same dataset, responsibilities are clearly understood between all parties, and data subjects are kept well informed of how their data is being managed between two distinct but co-operative controllers.

GDPR Article 26 Legal Text

EU GDPR Version

Joint controllers

  1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
  2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
  3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

UK GDPR Version

Joint controllers

  1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
  2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
  3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

Technical Commentary

The Concept of ‘Joint Controllership’

GDPR Article 26 defines joint controllership as any scenario where two controllers ‘jointly determine the purposes and means of processing’. On a basic level, this means that two joint controllers must perform practical, rather than formal, roles in processing an individual’s data.

When analysing the degree to which a party is a joint controllers, attention should be paid to whether or not an organisation exercises ‘decisive control’ over an individual’s data.

This doesn’t mean that two controllers should hold a steady, uniformed influence throughout the processing operation. Different degrees of control can be exercised by each controller at different stages.

ISO 27701 Clause 7.2.7 (Joint PII Controllers) and EU GDPR Article 26

In this section we talk about GDPR Articles 26 (1), 26 (2) and 26 (3)

Organisations need to outline the details of any joint PII processing arrangement, with an accompanying PII controller – this includes general protection measures and all associated security requirements.

This includes:

  • why PII is being shared;
  • data categories;
  • a general overview of the PII processing operation;
  • any relevant roles and responsibilities;
  • how privacy information security is to be governed;
  • what actions are to be taken in the event of a data breach;
  • how PII is to be retained, and destroyed when no longer needed;
  • what occurs when either party is in breach of agreement;
  • what either party’s obligations are to PII principals;
  • what mechanisms are in place to provide PII principals with applicable details of the joint agreement;
  • how PII principals can make official requests, and how to formulate and deliver a response;
  • points of contact – both internally and for PII principals to utilise.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Articles 26 (1) to 26 (3)ISO 27701 7.2.7None

How ISMS.online Helps

With our pre-built environment, you can describe and demonstrate your approach to protecting your customers’ data across the EU and UK in a way that fits seamlessly into your management system.

You can achieve GDPR compliance with ISMS.online in a snap and easily demonstrate that you are protecting data beyond what is deemed to be reasonable, all in one secure, always-on location.

Through our ‘Adopt, Adapt, Add’ implementation approach, the ISMS.online platform provides guidance at every step, which minimises the effort required to demonstrate your compliance with GDPR.

Find out more by booking a 30 minute demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

If you don’t use ISMS.online, you’re making your life more difficult than it needs to be!
Mark Wightman
Chief Technical Officer Aluma
100% of our users pass certification first time
Book your demo

Explore ISMS.online's platform with a self-guided tour - Start Now