A law firm will most likely be considered a controller when processing personal data from third parties as part of a representation of a client (e.g., when collecting information from a witness).

While it is theoretically possible that a law firm may function as a processor by collecting personal data from a third party on

A joint controller is defined within the GDPR as “two or more controllers” that “jointly determine the purposes and means of processing.”[1]

There is considerable ambiguity surrounding what it means to “jointly determine” the purpose and means of processing. Legal professional organizations in some countries have indicated that barristers and solicitors rarely function as