Joint Data Controller Agreement Template for Ireland
Generate a bespoke document
What is a Joint Data Controller Agreement?
This Joint Data Controller Agreement is essential when two or more parties jointly determine the purposes and means of processing personal data in Ireland. The agreement is required under Article 26 of the GDPR and the Irish Data Protection Act 2018, ensuring clear allocation of responsibilities and transparent arrangements between controllers. It should be used whenever organizations collaborate on projects or services involving shared data processing activities, such as joint research projects, shared services, or collaborative initiatives. The document addresses crucial aspects including data subject rights, security measures, breach notification procedures, and liability allocation, while ensuring compliance with Irish and EU data protection requirements. This agreement is particularly important as it helps organizations demonstrate their compliance with accountability obligations under data protection law and provides transparency to data subjects about how their personal data is handled.
About the Joint Data Controller Agreement
When your organization collaborates with other parties to process personal data, you need a Joint Data Controller Agreement to comply with Irish data protection law. This legally binding document establishes clear responsibilities between organizations that jointly determine how and why personal data is processed, ensuring compliance with Article 26 of the GDPR and the Irish Data Protection Act 2018.
When do you need this document?
You require a Joint Data Controller Agreement whenever two or more organizations share decision-making authority over personal data processing activities. This commonly occurs in research collaborations between universities and healthcare providers, shared customer databases between business partners, joint marketing initiatives, or when government agencies work together on public services. The agreement is also essential for technology platforms that integrate with third-party services, educational institutions sharing student data for collaborative programs, and financial institutions participating in joint lending or insurance products. Without this agreement, you risk significant GDPR penalties and regulatory action from the Data Protection Commission.
Key legal considerations
The agreement must clearly define each party's specific responsibilities, including who handles data subject requests, breach notifications, and regulatory communications. You need to establish transparent arrangements for data subjects to understand their rights and which controller to contact for different matters. The document should allocate liability between controllers, specify security measures each party must implement, and detail procedures for data sharing, retention, and deletion. Include provisions for regular compliance audits, staff training requirements, and data protection impact assessments where necessary. Consider international data transfers if any controller operates outside the EU, ensuring appropriate safeguards are in place. The agreement should also address what happens if the joint processing relationship ends, including data return or destruction procedures.
Legal requirements in Ireland
Under Irish law, joint controllers must demonstrate compliance with the accountability principle, maintaining detailed records of processing activities and their legal basis. The Data Protection Commission requires that joint controller arrangements are transparent to data subjects, with clear information about how to exercise their rights. You must implement appropriate technical and organizational measures to ensure data security, and notify the DPC of personal data breaches within 72 hours where feasible. Irish law also requires that data protection by design and by default principles are embedded in your joint processing activities. If your joint processing involves special categories of personal data or criminal conviction data, additional safeguards and legal bases are required. The agreement must comply with Irish contract law principles and may need to address specific sectoral regulations applicable to your industry, such as healthcare or financial services requirements.
GOVERNING LAW
Applicable law
This Joint Data Controller Agreement is drafted to comply with Ireland law. Key legislation includes:
Data Protection Act 2018 (Ireland): The Irish law that implements GDPR and provides additional national requirements for data protection in Ireland.
European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011: Irish regulations governing privacy in electronic communications, relevant if the joint controllers process electronic communications data.
Data Protection Act 1988 and 2003 (Ireland): While largely superseded by GDPR and DPA 2018, these acts may still be relevant for understanding the historical context and certain continuing provisions.
Data Protection (Registration) Regulations 2001: Irish regulations governing the registration of data controllers with the Data Protection Commission, relevant for joint controller arrangements.
Charter of Fundamental Rights of the European Union: EU charter that establishes the fundamental right to protection of personal data (Article 8), providing the legal basis for data protection requirements.
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it