
Joint controllers: What does the GDPR say?

The GDPR will enter into force on 25 May 2018. The responsibility of a controller is clearly defined. But the notion of ‘joint controllers’ is more complex. Allow us to explain.

The controller is required to compensate all damage suffered by natural persons due to the processing of their data in an unlawful way. It is therefore advisable to limit the risk of errors by acting in accordance with the GDPR.

The responsibility of a controller is clear. But the situation becomes more complex if two or more controllers jointly define the purposes and means of the processing. In such cases, the provisions of the Regulation speak of “joint controllers”.

What are ‘joint controllers’?

When can we speak of joint controllers? Think, for example, of:

  • a holding structure;
  • a joint venture;
  • a (sub)contracting structure;
  • employers’ groups;
  • multiple companies located at a shared business park.

These are all situations in which two or more controllers jointly determine the purposes and means of processing personal data. Concrete example: security cameras are installed at a business park used jointly by several companies.

These companies together are then joint controllers.

Is your company in such a situation? Then you are obliged to establish the respective responsibilities for compliance with the GDPR rules in a transparent and clear manner.

What does this mean in practice?

More specifically, together with the other joint controllers, you must agree who will take on which responsibilities and obligations with regard to the exercise of the rights of the natural persons whose data you process. In particular, the right to information and access to personal data must be guaranteed.

Thus in the case of two controllers, while both can make specific agreements among themselves, this does not prevent natural persons from holding both parties individually accountable if the other party does not comply with the agreements made.


Check whether you are in a situation where you process personal data together with other companies. If that is the case, make clear arrangements: who does what, where and when? Include this in your own register of processing activities.

Do you still have questions? As a trusted partner, we would of course be happy to assist you.

© Van Havermaet International 2024
