Article 26 - Joint controllers
3 preliminary rulingsJudgment of 7 Mar 2024, C-604/22 (IAB Europe) 
Article4(7) and Article26(1) of Regulation 2016/679must be interpreted as meaning that:–first, a sectoral organisation, in so far as it proposes to its members a framework of rules that it has established relating to consent to the processing of personal data, which contains not only binding technical rules but also rules setting out in detail the arrangements for storing and disseminating personal data relating to such consent, must be classified as a ‘joint controller’ for the purpose of those provisions where, in the light of the particular circumstances of the individual case, it exerts influence over the personal data processing at issue, for its own purposes, and determines, as a result, jointly with its members, the purposes and means of such processing. The fact that such a sectoral organisation does not itself have direct access to the personal data processed by its members under those rules does not preclude it from holding the status of joint controller for the purpose of those provisions;–second, the joint controllership of that sectoral organisation does not extend automatically to the subsequent processing of personal data carried out by third parties, such as website or application providers, with regard to users’ preferences for the purposes of targeted online advertising.
Judgment of 11 Jan 2024, C-231/22 (Belgian State)
Article 5(2) of Regulation 2016/679, read in conjunction with point 7 of Article 4 and Article 26(1) thereof, must be interpreted as meaning that the agency or body responsible for the official journal of a Member State, classified as a ‘controller’ within the meaning of point 7 of Article 4 of that regulation, is solely responsible for compliance with the principles set out in Article 5(1) thereof as regards the personal data processing operations that it is required to perform under national law, unless joint responsibility with other entities in respect of those operations arises under that law.
Judgment of 5 Dec 2023, C-683/21 (Nacionalinis visuomenės sveikatos centras)
Article 4(7) and Article 26(1) of Regulation 2016/679 must be interpreted as meaning that the classification of two entities as joint controllers does not require that there be an arrangement between those entities regarding the determination of the purposes and means of the processing of personal data in question; nor does it require that there be an arrangement laying down the terms of the joint control.
