Responsibilities of joint controllers

Can a joint controller be held liable for non-compliance?

Yes. Individuals can seek compensation from joint controllers in exactly the same way as from any sole controller. Each joint controller will be liable for the entire damage caused by the processing, unless it can prove it is not in any way responsible for the event giving rise to the damage. The arrangement made between controllers is irrelevant for these purposes.

If as a joint controller you have had to pay compensation to an individual but were not wholly responsible for the damage, you may be able to claim back from another controller or processor the share of the compensation for which they were liable.

In addition, joint controllers are each fully accountable to the Information Commissioner for failure to comply with their responsibilities.


A luxury car company teams up with a designer fashion brand to host a co-branded promotional event. The companies decide to run a prize draw at the event. They invite attendees to participate in the prize draw by entering their name and address into their prize draw system at the event. After the event, the companies post out the prizes to the winners. They do not use the personal data for any other purposes.

The companies will be joint controllers of the personal data processed in connection with the prize draw, because they both decided the purposes and means of the processing.


A property management company maintains apartments for the landlord. The company enters tenancy agreements with the occupants on the landlord’s behalf and chases any rent arrears. It collects the rent and passes it to the landlord after taking a commission.

The company is a joint controller of the tenancy-related information, including regarding rental payments. It decides what information it needs from the occupants to set up and manage the tenancies but will share this data with the landlord.