Two or more controllers that jointly determine the purposes and means of processing personal data, sharing responsibility under the GDPR.
Where two organizations together decide why and how personal data is processed, the GDPR treats them as joint controllers. Article 26 requires them to set out their respective responsibilities in a transparent arrangement, especially regarding how individuals exercise their rights.
Distinguishing joint controllership from a controller-processor relationship matters, because it changes who is accountable for what.
Related frameworks
KaitoSec