Joint Controller Agreement Template for Ireland
Generate a bespoke document
What is a Joint Controller Agreement?
This Joint Controller Agreement is essential when two or more organizations collaborate in determining how personal data is processed, requiring compliance with both EU GDPR and Irish data protection law. It should be used whenever organizations share decision-making authority over data processing activities, such as in joint ventures, shared services arrangements, or collaborative projects. The agreement must specify each party's roles and responsibilities, including handling data subject requests, maintaining security measures, and managing data breaches. It's particularly important in the Irish context, where the Data Protection Commission has specific guidance on joint controller arrangements and requirements for transparency in data processing activities.
About the Joint Controller Agreement
When your organization collaborates with others in processing personal data, you need a Joint Controller Agreement to ensure compliance with Irish data protection law and GDPR. This legal document establishes clear responsibilities between organizations that jointly determine how and why personal data is processed, protecting both your business interests and individuals' privacy rights.
When do you need this document?
You need a Joint Controller Agreement whenever your organization shares decision-making authority over personal data processing with another entity. This commonly occurs in joint ventures where both companies access shared customer databases, collaborative research projects involving multiple institutions, or shared service arrangements where organizations pool resources for data processing activities. The agreement is also essential when companies merge their customer databases for marketing purposes, participate in industry consortiums that process member data, or engage in cross-border data sharing initiatives. If you're unsure whether your arrangement constitutes joint controllership, the key test is whether both organizations have meaningful influence over the purposes and means of processing.
Key legal considerations
Your Joint Controller Agreement must clearly allocate GDPR obligations between the parties to avoid legal gaps and compliance failures. Essential clauses include defining the scope of joint processing activities, specifying which party handles data subject requests for access, rectification, and erasure, and establishing procedures for breach notifications within the required 72-hour timeframe. The agreement should designate lead contacts for regulatory communications and outline how security measures will be implemented and monitored across both organizations. You must also address liability allocation for potential fines and compensation claims, ensuring each party understands their financial exposure. Data retention policies need careful coordination to prevent one controller retaining data longer than legally permitted, and cross-border transfer arrangements must comply with adequacy decisions or appropriate safeguards.
Legal requirements in Ireland
Under Irish law, your Joint Controller Agreement must demonstrate compliance with GDPR Article 26 and reflect guidance from the Data Protection Commission. The agreement must be made available to data subjects upon request, requiring clear and accessible language explaining each party's role in processing their personal data. Irish regulations mandate that you conduct joint data protection impact assessments for high-risk processing activities and maintain comprehensive records of processing activities that accurately reflect the joint arrangement. If your processing involves special categories of personal data, additional safeguards under the Data Protection Act 2018 may apply. The Data Protection Commission expects joint controllers to establish clear communication channels for regulatory inquiries and demonstrate effective governance structures for ongoing compliance monitoring. You must also ensure any data processors engaged by either joint controller are properly contracted with adequate technical and organizational measures, maintaining the chain of responsibility throughout the processing ecosystem.
GOVERNING LAW
Applicable law
This Joint Controller Agreement is drafted to comply with Ireland law. Key legislation includes:
Data Protection Act 2018 (Ireland): The primary Irish legislation that implements GDPR and provides additional national requirements for data protection
European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011: Irish regulations implementing the ePrivacy Directive, relevant if the joint controllers process electronic communications data
Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018: Specific regulations relevant if the joint controllers are involved in health research data processing
Data Protection Commissioner's Guidance on Joint Controllers: Guidelines and interpretations from the Irish Data Protection Commission on joint controller relationships and obligations
Law Enforcement Directive (LED): EU Directive 2016/680, relevant if one of the joint controllers is a law enforcement authority processing data for law enforcement purposes
European Union (Data Protection) Regulations 2018: Additional Irish regulations supplementing the Data Protection Act 2018 and GDPR implementation
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it