
What does control A.1.2.8 require?

The organisation shall determine respective roles and responsibilities for the processing of PII (including PII protection and security requirements) with any joint PII controller.

This control sits within the Conditions for collection and processing objective (A.1.2). It addresses a specific but increasingly common scenario: where two or more organisations jointly determine the purposes and means of PII processing. Unlike the controller-processor relationship governed by A.1.2.7 Contracts with PII Processors, joint controllership involves shared decision-making authority — and therefore shared accountability.

Joint controllership arises when organisations collaborate on activities that involve PII — for example, joint marketing campaigns, shared platforms, research partnerships, or integrated services where both parties influence what data is collected and how it is used.

What does the implementation guidance say?

Annex B (section B.1.2.8) provides the following guidance:

  • Agree on respective responsibilities — Joint controllers must agree on which organisation is responsible for each obligation arising from PII processing, particularly regarding:
    • Exercising PII principal rights (access requests, erasure, rectification, portability)
    • Providing required information to PII principals (privacy notices, transparency obligations)
    • Implementing security measures
    • Breach notification
    • See also A.1.2.2: Identify and Document Purpose for related requirements
    • See also A.1.2.3: Identify Lawful Basis for related requirements
  • Make the arrangement available to PII principals — The essence of the joint controllership arrangement should be made available to the individuals whose PII is being processed, so they know which organisation to contact for what
  • Document the arrangement formally — While the control does not use the word “contract”, the requirement to “determine” roles and responsibilities implies a formal, documented agreement between the parties

The guidance recognises that in practice, one joint controller may take the lead on certain obligations (such as being the primary point of contact for data subject requests), but this does not absolve the other controllers of their responsibilities.

How does this map to GDPR?

Control A.1.2.8 maps directly to GDPR Article 26:

  • Article 26(1) — Where two or more controllers jointly determine the purposes and means of processing, they shall in a transparent manner determine their respective responsibilities for compliance with the obligations under the GDPR, in particular regarding the exercising of data subject rights and their respective duties to provide information
  • Article 26(2) — The arrangement shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject
  • Article 26(3) — Irrespective of the terms of the arrangement, data subjects may exercise their rights under the GDPR in respect of and against each of the controllers. This is a crucial point — internal agreements cannot limit PII principals’ rights

Article 26(3) is particularly important: even if the joint controllers agree that Organisation A handles all data subject requests, an individual can still direct their request to Organisation B, which must then either handle it or forward it appropriately. Both organisations remain liable.

How does this relate to ISO 29100 privacy principles?

This control supports the Accountability principle in ISO 29100. Accountability requires that the processing of PII is the responsibility of clearly identified parties who can be held accountable for their actions. Joint controllership creates a situation where accountability must be explicitly allocated — without a formal agreement, it can be unclear which organisation is responsible for which obligation, undermining the entire accountability framework.





What evidence do auditors expect?

When assessing compliance with A.1.2.8, auditors will typically look for:

  • Joint controller register — A documented list of all joint controllership arrangements the organisation is party to, with the identity of each joint controller and the processing activities covered
  • Joint controller agreements — Signed, written agreements setting out the allocation of responsibilities between the parties
  • Responsibility matrix — A clear mapping of which controller handles which obligation (data subject rights, breach notification, security, transparency)
  • PII principal communication — Evidence that the essence of the joint controllership arrangement is communicated to PII principals, typically through privacy notices or dedicated information pages
  • Contact point designation — A documented single point of contact for PII principals, even where responsibilities are split between controllers
  • Operational procedures — Processes for handling scenarios where a PII principal contacts the “wrong” controller (e.g. forwarding procedures, response time agreements)

What are the related controls?

Control | Relationship
A.1.2.7 Contracts with PII processors | Different contractual requirements apply depending on whether a relationship is joint controllership or controller-processor
A.1.3.3 Information for PII principals | Joint controllers must agree on who provides what information and how
A.1.3.2 Obligations to PII principals | Responsibility for handling data subject requests must be allocated between joint controllers
A.1.2.6 Privacy impact assessment | Joint processing arrangements may trigger PIA requirements
A.1.5.2 Basis for PII transfer between jurisdictions | Sharing PII between joint controllers must be governed
A.1.2.9 Records of processing PII | Processing records should identify joint controllership arrangements

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement appeared as Clause 7.2.7 (joint PII controller). The core requirement is unchanged — joint controllers must agree on their respective responsibilities. The 2025 restructuring into Table A.1 provides clearer separation between the control statement (A.1.2.8) and guidance (B.1.2.8). The emphasis on making the arrangement available to PII principals has been retained, reflecting the transparency requirements that are fundamental to both ISO 27701 and the GDPR. See the Annex F correspondence table for the full mapping.





Why choose ISMS.online for managing joint controller arrangements?

ISMS.online helps you formalise, track and operationalise joint controllership with clarity:

  • Joint controller register — Document every joint controllership arrangement with the parties involved, processing activities covered and agreement status
  • Responsibility allocation templates — Pre-built responsibility matrices covering data subject rights, breach notification, security and transparency, so nothing falls through the cracks
  • Agreement management — Store, version-control and review joint controller agreements alongside your other compliance documentation
  • Linked privacy notices — Connect joint controllership arrangements to the privacy notices that inform PII principals, ensuring transparency requirements are met
  • Cross-organisation workflows — Define and track procedures for forwarding data subject requests between joint controllers with SLA monitoring
  • Audit-ready evidence — Generate compliance evidence packs that demonstrate the allocation of responsibilities and their operational implementation

FAQs

How do we determine if a relationship is joint controllership or controller and processor?

The key question is who determines the purposes and means of processing. If both organisations influence why and how PII is processed, it is joint controllership. If one organisation determines the purpose and the other merely acts on instructions, it is a controller-processor relationship. In practice, many relationships fall in a grey area. Consider: does the other party have its own interest in the processing outcome? Does it decide what data to collect or how to use it? If yes, it is likely a joint controller rather than a processor.


Can one joint controller be held liable for the other’s failures?

Under GDPR Article 26(3), PII principals can exercise their rights against any of the joint controllers, regardless of internal agreements. This means that if one controller fails to handle a data subject request, the other can be held accountable. Supervisory authorities can also take enforcement action against any or all joint controllers. Internal agreements can allocate financial liability between the parties, but they cannot limit the rights of PII principals or the powers of regulators.


What should we tell PII principals about the joint controllership?

The essence of the arrangement must be made available to PII principals. At minimum, this should include: the identity of each joint controller, the types of processing each is responsible for, and how PII principals can exercise their rights (including a contact point). This information is typically provided in the privacy notice. It does not need to disclose every detail of the internal agreement — just enough for individuals to understand who is responsible and how to make contact.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
