Joint Data Controllership: A Comparative Analysis within the Scope of GDPR and KVKK
This article provides a comparative analysis of the concept of “joint data controllership” within the frameworks of the GDPR and Turkey’s Personal Data Protection Law (KVKK). It examines the legal foundations of the concept, the case law of the Court of Justice of the European Union, and its practical implications. The position of joint data controllership in Turkish law is assessed in light of the Personal Data Protection Board’s Decision No. 2021/1304. The significance of joint responsibility is emphasized, particularly in terms of the protection mechanisms available to data subjects and the principle of joint and several liability.
10.07.2025
Introduction
In an era marked by rapid digitalization and technological advancement, the processes surrounding personal data processing have become increasingly intricate. Consequently, data protection law continues to evolve dynamically. The traditional model—wherein a single data controller held all responsibilities for data processing—is gradually being replaced. In modern ecosystems characterized by joint platforms, automation, and complex data management, the concept of “joint data controllership” has emerged as a fundamental legal construct.
Development of the Concept of Joint Data Controllership
The origins of joint data controllership can be traced to the European Union Directive 95/46/EC (the “Directive”), which laid a foundational basis for this model. Article 2 of the Directive allows for data controllers to determine the purposes and means of data processing either “alone or jointly.” National implementations of this directive, such as the United Kingdom’s Data Protection Act, introduced variations like the term “controller in common.”[1]
Since the Directive is not binding on member states, joint data controllership has not been explicitly defined in the legislation of some countries, such as France; in countries such as Poland, however, it has been implemented in practice through decisions of data protection authorities, even though there is no legal basis for it.[2]
Later, Article 21 of the European Union Directive 2016/680 codified the core principles of joint data controllership, particularly regarding cooperation between public authorities. Although the Council of Europe’s Convention No. 108 does not explicitly mention joint controllership, the preamble to the modernized Convention 108+ recognizes that data processing may be jointly carried out by multiple parties at different stages.
Prior to the enforcement of the General Data Protection Regulation (“GDPR”), joint controllership was largely discussed in theory and interpreted narrowly in practice, often equated with data controllers outsourcing data processing to processors.[3] However, the increasing complexity of the data ecosystem and the involvement of multiple stakeholders necessitated a more nuanced and clear regulatory approach. Responding to this need, Article 26 of the GDPR—effective since 2018—introduced detailed provisions governing joint data controllership, including shared responsibilities and the rights of data subjects.
To support uniform interpretation, the Article 29 Working Party, and subsequently the European Data Protection Board (EDPB), issued key guidelines that have become central to defining the roles of controllers and processors under the GDPR.
Joint Data Controllership under the GDPR
- Definition and Conditions of Joint Data Controllership
Article 26 of the GDPR defines joint controllership as a situation where two or more controllers jointly determine the purposes and means of data processing.
The distinguishing feature between a sole data controller and joint data controllers lies in the collaborative nature of decision-making and the shared responsibility for compliance and the exercise of data subject rights.
For joint controllership to exist, there must be joint determination of both the purpose and the means of data processing. This joint determination implies that the parties act together or are interdependent in making key decisions. It is not necessary for the parties to share responsibilities equally; it is sufficient that the purposes and means cannot be determined independently by any single party.
- CJEU Jurisprudence on Joint Data Controllership
The decisions of the Court of Justice of the European Union (“CJEU”) have played a critical role in shaping the concept of joint data controllership.[4] Among these decisions, the most important are the Wirtschaftsakademie, Jehovah's Witnesses, and Fashion ID decisions:
Wirtschaftsakademie: In its decision, the CJEU ruled that an organization managing a Facebook fan page was a joint data controller with Facebook, thereby establishing that joint controllership does not require that the parties have access to all data or share responsibility equally.[5]
Jehovah's Witnesses: The CJEU recognized joint controllership between community members collecting data during door-to-door preaching and the religious community, emphasizing shared decision-making regardless of access levels.[6]
Fashion ID: The CJEU found that a website using a Facebook plugin was a joint controller with Facebook, as the website operator contributed to the determination of processing purposes and means, even without direct access to the data.[7]
- Obligations of Joint Controllers
Article 26 of the GDPR requires joint controllers to enter into a transparent agreement delineating their respective responsibilities, particularly regarding obligations under Articles 13 and 14 (provision of information to data subjects).
Importantly, while internal arrangements allocate duties between controllers, data subjects retain the right to exercise their rights against any of the joint controllers. This ensures clarity and accountability, reinforcing transparency and safeguarding the rights of individuals.
- Joint Liability under the GDPR
Article 82 of the GDPR establishes a robust liability framework. In cases where multiple controllers or processors are involved in a processing activity that results in damage, each may be held jointly and severally liable.
This means a data subject may seek full compensation from any of the parties involved. The party that pays compensation retains the right to seek proportional reimbursement from the others. This framework ensures effective remedies for data subjects and reinforces responsibility among controllers and processors.
Joint Data Controllership Under the KVKK
- Legal Status in Turkish Law
Article 3 of the Turkish Personal Data Protection Law (“KVKK”) defines the data controller as the natural or legal person who determines the purposes and means of personal data processing. Unlike the GDPR, this definition does not explicitly recognize joint data controllership. Consequently, the concept lacks formal legal codification under current Turkish legislation.
- Personal Data Protection Board’s Position
Despite the absence of an explicit legal provision, the Personal Data Protection Board (“Board”) introduced the concept of joint data controllership in its decision dated December 23, 2021, numbered 2021/1304. In this decision, the Board held that both car rental software providers and rental companies qualify as joint controllers when they jointly determine the purpose and methods of data processing.
The Board emphasized that joint data controllers must formalize their relationship through a written agreement. In the absence of such an agreement, each party would be held liable based on its degree of fault in the event of a breach. This approach signifies the implicit recognition and practical applicability of joint data controllership under Turkish law.
- Liability Framework
The KVKK provides for administrative, civil, and criminal sanctions in cases of unlawful data processing. Article 11/1(ğ) guarantees data subjects the right to seek compensation for damages arising from unlawful processing, while Article 14/3 ensures that those whose personality rights are violated can claim compensation under general civil law principles.
Personal data is considered a component of personality rights under Turkish law. Therefore, breaches of data protection are addressed within the broader framework of personality protection under the Turkish Civil Code.
- Joint and Several Liability under Turkish Law
Turkish law recognizes joint and several liability under Article 61 of the Turkish Code of Obligations. According to this provision, multiple parties who contribute to the same damage—whether through shared or independent acts—may be held jointly and severally liable.
In the context of joint data controllership, this means a data subject may claim full compensation from any of the joint controllers. Liability continues until the full damage is remedied, after which internal recourse among controllers is possible. This ensures effective protection for the injured party.
Conclusion
Joint data controllership is an essential mechanism for safeguarding personal data in the digital era. While the GDPR provides comprehensive regulations on the subject, the Turkish data protection framework has only recently begun to adopt the concept through administrative decisions.
From a business perspective, joint data controllership facilitates collaboration but also entails shared legal responsibilities. The principle of joint and several liability plays a crucial role in ensuring effective remedies for data subjects and equitable distribution of responsibility among controllers.
Given the rapid evolution of technology and data ecosystems, it is vital for legal frameworks—both in the European Union and in Türkiye—to continue refining the regulatory tools that govern joint data controllership.
With thanks to Seray Çakır for her contribution to this article.
References
Court of Justice of the European Union, Case C-210/16, Wirtschaftsakademie Schleswig-Holstein GmbH. (2018, 07 10). Retrieved from InfoCuria: https://curia.europa.eu/juris/document/document.jsf?docid=203822&doclang=EN
Court of Justice of the European Union, Case C-25/17, Jehovah’s Witnesses. (2018, 07 10). Retrieved from InfoCuria: https://curia.europa.eu/juris/document/document.jsf?docid=203822&doclang=EN
Court of Justice of the European Union, Case C-40/17, Fashion ID GmbH & Co. KG. (2019, 07 29). Retrieved from InfoCuria: https://curia.europa.eu/juris/liste.jsf?num=C-40/17
Dülger, M. (2021, 02). GDPR’da Bulunan Ancak KVKK’da Yer Verilmeyen Bir Kavram: Ortak Veri Sorumlusu Kavramı ve Güncel Kararlar Işığında Değerlendirilmesi. Retrieved from ResearchGate: https://www.researchgate.net/publication/349552755_GDPR'da_Bulunan_Ancak_KVKK'da_Yer_Verilmeyen_Bir_Kavram_Ortak_Veri_Sorumlusu_Kavrami_ve_Guncel_Kararlar_Isiginda_Degerlendirilmesi
Kaya, İ. (2023). KVKK ve GDPR Kapsamında Ortak Veri Sorumluluğu. On İki Levha Yayıncılık.
Kuner, C. (2007). European Data Protection Law Corporate Compliance and Regulation. Retrieved from Oxford University Press.
Kuner, C., Bygrave, L. A., Docksey, C., Millard, C., & Kamarinou, D. (2020). “Article 26. Joint controllers”, The EU General Data Protection Regulation (GDPR) A Commentary. Retrieved from Oxford University Press.
Voigt, P., & Bussche, A. v. (2017). The EU General Data Protection Regulation (GDPR) A Practical Guide. Retrieved from Springer.
-
Kemal Altuğ Özgün
Managing Partner
-
Işkın İdil Kunt
Mid-Level Associate