What is a Joint Controller?
Two or more controllers are joint controllers when they jointly determine the purposes and means of processing of personal data (GDPR Article 26). Joint controllership triggers specific obligations: a transparent arrangement defining respective responsibilities, and disclosure of the essence of that arrangement to data subjects. The CJEU has interpreted joint controllership broadly (Fashion ID, Wirtschaftsakademie, Jehovan todistajat) — fan-page operators, plugin embedders and co-branded campaigns can fall within scope.
When joint controllership arises
- Co-determination of purposes: both parties decide why processing occurs.
- Co-determination of essential means: categories of data, retention, recipients.
- Convergent decisions: CJEU C-25/17 — even without a written agreement, factual convergence suffices.
Article 26 arrangement requirements
- Allocate transparency duties (Articles 13-14).
- Allocate data subject rights handling (Articles 15-22).
- Identify a single contact point (optional but recommended).
- Make the essence available to data subjects.
Joint controller vs. controller-processor
- Controller-processor: processor acts only on documented instructions; no shared purposes.
- Joint controllers: both decide purposes and essential means; both face data subject claims directly.
For Turkish operators
KVKK Article 3 defines “veri sorumlusu” without explicit “ortak veri sorumlusu” category, but Kurul kararları and academic literature treat shared purpose-and-means as triggering joint controller-equivalent duties. For EN-TR co-marketing, group company arrangements, or multi-platform integrations, KVKK and GDPR both require a documented allocation of responsibilities.
Do: document the joint arrangement, allocate transparency duties, and brief both teams on data subject request routing.
Don’t: assume a vendor contract converts a joint controller into a processor — the factual decision-making matters more than the label.