• Valentina Colcelli IFAC Institute, Via Madonna del Piano, 10 Sesto Fiorentino, Firenze, Italy


The GDPR obliges organisations to keep watch for potential instances of joint controllership of personal data. Where those instances arise, organisations must enter into suitable “arrangements” that apportion data protection compliance responsibilities between joint data controllers. The controller is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. However, in the case of a Biobank, for instance, more than one public body is a controller of personal data, and their processing takes place in an intra-group context. The paper will analyse the elements established by art. 26 GDPR for a Joint Controller Agreement for managing personal data under the GDPR, the respective roles and relationships of the joint controllers vis-à-vis the data subjects, as well as the responsibility and liability of controllers and processors.