A joint controller is defined within the GDPR as “two or more controllers” that “jointly determine the purposes and means of processing.”[1]

There is considerable ambiguity surrounding what it means to “jointly determine” the purpose and means of processing. Legal professional organizations in some countries have indicated that barristers and solicitors rarely function as

A joint controller is defined within the GDPR as “two or more controllers” that “jointly determine the purposes and means of processing.”[1]

There is considerable ambiguity surrounding what it means to “jointly determine” the purpose and means of processing. While regulatory authorities have not offered guidance as to whether the term does, or does

It depends.

Many lawyers (and clients) incorrectly assume that attorneys must be processors because they are service providers of their clients. In some situations, a service provider has a role in determining the purposes and means of processing; when that occurs the service provider is, like its client, considered a “controller” or a “joint controller.”

On July 29, 2019, the Court of Justice of the European Union (CJEU) found that a website operator using a social media plugin is a joint controller with the social media company providing the plugin and can be held jointly liable in relation to such processing activities. Although the case was decided under