Processor or joint controller

If personal data is passed on to third parties (processors or joint controllers), it should be determined before processing starts which of these two arrangements applies.

Many companies enter into data processing agreements without further examination, although in many cases the relationship is more likely to be one of joint responsibility.

 


Joint Controller

Because of their common interests and their joint agreement on which processing is carried out, both parties are responsible for the resulting processing of personal data. This applies both to each other and to the data subjects, e.g. in safeguarding the data subjects' rights. In order to clearly regulate who is responsible for what and who, for example, has to provide information to the data subjects, both parties must draw up a so-called joint control contract in accordance with Art. 2 GDPR, which regulates this relationship.

This should specify in a transparent form which of the parties involved fulfills which obligation under the GDPR. This agreement is also known as the Joint Controller Agreement (JCA). The arrangement must also duly reflect the respective actual roles and relationships of the joint controllers with the data subjects. The essence of the agreement is made available to the data subject in accordance with Article 26(2) of the GDPR.

 

Processor

According to Art. 4 No. 8 GDPR, a “processor” is any natural or legal person, authority, institution or other body that processes personal data on behalf of the controller. If processing is carried out by joint controllers, the actors involved must conclude an agreement in accordance with Art. 28 GDPR. For an arrangement to qualify as processing on behalf of a controller, two criteria must be met:

  • The processor must be an actor separate from the controller.
  • The personal data must be processed on behalf of and according to the instructions of the controller.

However, the processor has a certain amount of leeway in choosing the specific means by which it can best comply with the controller’s instructions. To this end, it can select the technical and organizational means that it deems most suitable for implementing the instruction.