Guides GDPR Article 26 joint controller arrangements: determining joint controllership via indicators and case law, allocating responsibilities, ensuring transparency. For shared data platforms or joint processing.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin gdpr-compliance-skills
This skill uses the workspace's default tool permissions.
Article 26 applies when two or more controllers jointly determine the purposes and means of processing. Joint controllers must enter into an arrangement that transparently determines their respective responsibilities for compliance, particularly regarding data subject rights and transparency obligations. The essence of the arrangement must be made available to data subjects.
Joint controllership exists when two or more entities:
| Indicator | Points to Joint Controllership | Points Away |
|---|---|---|
| Shared decision on purpose | Both parties decide why data is processed | One party decides purpose; other merely executes |
| Shared platform | Both parties upload/access data on a common platform | One party hosts; other merely provides input |
| Shared dataset | Both parties contribute to and benefit from a combined dataset | One party processes only for the other's purpose |
| Mutual benefit | Both parties derive independent benefit from the processing | Only one party benefits; other is purely a service provider |
| Influence on means | Both parties have a say in essential aspects (what data, how long, who accesses) | One party determines all essential means; other party only implements |
The arrangement between joint controllers must determine in a transparent manner:
| Responsibility Area | Allocation Options |
|---|---|
| Lawful basis determination | Which controller is responsible for establishing and documenting the lawful basis |
| Privacy notices (Art. 13-14) | Which controller provides transparency information to data subjects |
| Data subject rights (Art. 15-22) | Which controller serves as the contact point and handles requests |
| Data security (Art. 32) | Which controller implements and maintains security measures |
| Breach notification (Art. 33-34) | Which controller notifies the supervisory authority and data subjects |
| DPIA (Art. 35) | Which controller conducts the DPIA |
| Records of processing (Art. 30) | How both controllers maintain their respective RoPA entries |
The arrangement must designate a contact point for data subjects. Regardless of the arrangement, data subjects may exercise their rights against any of the joint controllers (Art. 26(3)).
The essence of the arrangement must be made available to data subjects. This does not require publishing the full commercial agreement, but must cover:
A compliant Art. 26 arrangement should include:
Under Art. 82(4), each joint controller is liable for the entire damage caused by processing that infringes the GDPR. A joint controller may be exempted from liability under Art. 82(3) only if it proves it is not responsible for the event giving rise to the damage. Internal liability allocation in the arrangement does not affect the data subject's right to claim against either controller.
Under Art. 26(3), data subjects can exercise their rights against each and any of the joint controllers regardless of the arrangement. The supervisory authority may also investigate any joint controller for the full scope of joint processing.
Joint controllership and the controller-processor relationship are mutually exclusive for a given processing activity. If Entity A determines purposes and means and Entity B merely processes on A's instructions, the relationship is controller-processor (Art. 28). If both determine purposes and means, the relationship is joint controllership (Art. 26).