---
name: joint-controllership-en-template
description: "English language joint controller agreement template under Article 26 GDPR. Allocates responsibilities for information duties data subject requests security incidents and DPIA. Includes published essence clause required by Article 26 (2) GDPR. Output: complete English joint controller agreement t..."
---

# Joint Controller Agreement – English Template (Article 26 GDPR)

## Zweck / Purpose

English-language template for a joint controller agreement under Article 26 GDPR, allocating responsibilities and publishing the essence under Article 26 (2) GDPR. Purpose (DE): Englischsprachige Mustervorlage für eine Joint-Controller-Vereinbarung nach Art. 26 DSGVO.

## Wann dieses Modul hilft

- Two or more parties jointly determine the purposes and means of processing.
- Cross-border setup with English working language.
- CJEU patterns: C-498/16 (Fanpages), C-40/17 (Fashion ID), C-25/17 (Jehovah's Witnesses) – verified case numbers.
- A short version of the agreement must be made publicly available (Article 26 (2) GDPR).

## Rechtlicher Rahmen

- Article 26 (1) GDPR – Determination of respective responsibilities in a transparent manner.
- Article 26 (2) GDPR – Essence of the arrangement must be made available to the data subjects.
- Article 26 (3) GDPR – Data subjects may exercise their rights vis-a-vis each controller.
- Article 82 (4) GDPR – Joint and several liability.
- EDPB Guidelines 07/2020 on controller / processor concepts (final 07 July 2021).

## Ablauf / Checkliste

1. Confirm joint determination of purposes and means.
2. Map data flows and the contribution of each party.
3. Allocate information duties (Articles 13 and 14 GDPR).
4. Define single point of contact and request routing.
5. Allocate Article 32 / 33 / 34 / 35 / 36 GDPR responsibilities.
6. Draft the essence-clause for publication under Article 26 (2) GDPR.
7. Internal indemnity and recourse provisions.

## Mustertext / Template

```
JOINT CONTROLLER AGREEMENT (Article 26 GDPR)

This Joint Controller Agreement ("JCA") is entered into between:

 (1) [Party A Legal Name], a company organised under the laws of [jurisdiction]
 ("Party A"); and

 (2) [Party B Legal Name], a company organised under the laws of [jurisdiction]
 ("Party B").

Recital A. The Parties jointly determine the purposes and means of the processing
described in Annex I and therefore qualify as joint controllers within the meaning
of Article 26 GDPR.
Recital B. This JCA sets out the respective responsibilities of the Parties in a
transparent manner.

1. SCOPE
1.1 The joint processing covers the processing activities described in Annex I,
 including the categories of personal data, categories of data subjects and
 purposes.

2. ALLOCATION OF RESPONSIBILITIES
2.1 Party A is responsible for:
 (a) provision of the processing infrastructure;
 (b) compliance with information duties under Articles 13 and 14 GDPR towards
 data subjects reached via Party A;
 (c) handling of data subject requests under Articles 15 to 22 GDPR received
 through Party A;
 (d) notification of personal data breaches under Articles 33 and 34 GDPR in
 respect of processing components controlled by Party A.
2.2 Party B is responsible for:
 (a) collection and initial transfer of personal data to Party A;
 (b) compliance with information duties under Articles 13 and 14 GDPR towards
 data subjects reached via Party B;
 (c) handling of data subject requests under Articles 15 to 22 GDPR received
 through Party B;
 (d) notification of personal data breaches under Articles 33 and 34 GDPR in
 respect of processing components controlled by Party B.
2.3 The Parties shall jointly carry out:
 (a) a data protection impact assessment under Article 35 GDPR where required;
 (b) the definition of retention periods;
 (c) the definition of technical and organisational measures under Article 32
 GDPR.

3. SINGLE POINT OF CONTACT
3.1 The single point of contact for data subjects pursuant to Article 26 (1) GDPR
 is Party A. Party A shall forward without undue delay any request that falls
 within the responsibility of Party B.
3.2 Article 26 (3) GDPR remains unaffected: data subjects may exercise their
 rights against each Party.

4. TRANSPARENCY TOWARDS DATA SUBJECTS (Art. 26 (2) GDPR)
4.1 The Parties shall make available to data subjects the essence of this JCA in
 their respective privacy notices. Annex II contains the agreed essence-text
 for publication.

5. SECURITY AND BREACH NOTIFICATION
5.1 The Parties shall coordinate without undue delay, and in any event within
 twenty-four (24) hours of becoming aware of a personal data breach, on
 notification obligations.
5.2 The Party in whose area of responsibility the breach occurs shall lead the
 notification. Where the breach affects the joint area, Party A shall lead.

6. LIABILITY AND RECOURSE
6.1 The Parties are jointly and severally liable to data subjects pursuant to
 Article 82 (4) GDPR.
6.2 In the internal relationship between the Parties, each Party shall bear the
 damage in proportion to its share of responsibility pursuant to Article 82
 (5) GDPR.
6.3 The internal liability of each Party is capped at [AMOUNT] EUR per claim and
 [AMOUNT] EUR per calendar year. The cap shall not apply in case of wilful
 misconduct, gross negligence, or for damage arising from injury to life,
 body or health.

7. SUPERVISORY AUTHORITY
7.1 The Parties shall cooperate in good faith in respect of inquiries and
 investigations by supervisory authorities.

8. TERM AND TERMINATION
8.1 This JCA is concluded for an indefinite period and may be terminated by
 either Party with six (6) months' written notice to the end of a calendar
 quarter.

9. GOVERNING LAW AND JURISDICTION
9.1 This JCA shall be governed by the laws of [jurisdiction]. The courts of
 [court venue] shall have exclusive jurisdiction.

Annex I Description of the joint processing
Annex II Essence-text for publication (Article 26 (2) GDPR)

Signed on behalf of Party A: Signed on behalf of Party B:
__________________________________ __________________________________
Name: Name:
Title: Title:
Date: Date:
```

## Typische Drafting-Fehler

- A DPA is signed where joint controllership applies.
- Responsibilities allocated as "both jointly" without granularity.
- No single point of contact defined.
- No essence-text published as required by Article 26 (2) GDPR.
- Internal recourse cap exceeds GDPR statutory liability or excludes wilful misconduct.
- Web tracking scenarios where the initial collection (Fashion ID) is forgotten.

## Quellen Stand 06/2026

- GDPR Articles 13, 14, 26, 32, 33, 34, 35, 36, 82.
- EDPB Guidelines 07/2020 (final 07 July 2021), edpb.europa.eu.
- CJEU C-25/17 (Jehovah's Witnesses) – verified.
- CJEU C-498/16 (Wirtschaftsakademie / Fanpages) – verified.
- CJEU C-40/17 (Fashion ID) – verified.
- Full texts available via curia.europa.eu.
- Citation rules: `../../../references/zitierweise.md`.
```