Joint Controllers are two or more parties that together decide the purposes and/or means of how personal data is used.
Article 26(1) GDPR provides the definition of the joint controllership: “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”.
The EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725 sums up: “a ‘general’ level of complementarity and unity of purpose could already trigger a situation of joint controllership, if the purposes and (essential elements of the) means of the processing operation are jointly determined.”
Article 26(1) and 26(2) GDPR lays out the obligations of the joint controllers that should be regulated in an arrangement (read agreement). The essential elements of the arrangement should be published to the data subjects.
Irrespectively of how the joint controllers have allocated their obligations in the agreement, the data subject may exercise his or her rights under the GDPR in respect of and against each of the Data Controllers.