The classic trap
Article 26 is the most overlooked liability in GDPR enforcement by the CNIL and CNPD since the CJEU Fashion ID ruling (2019): most organisations embedding a Meta Pixel, a social share button, a shared analytics tool, or co-organising an event with a partner are in fact joint controllers, without knowing it and without a written arrangement. The EDPB (Guidelines 07/2020) points out that the qualification depends on the purposes and means that are jointly determined, not on the contract you signed. The result: you believe you have a processor (article 28), you actually have a joint controller, and your DPA is worthless.
Situations that silently flip into joint controllership
- Marketing pixels and SDKs: Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Google Ads conversion. Meta has been officially declared a joint controller on site-side collection since 2022.
- Co-marketing platforms: dual-brand webinars, shared trade fairs, cross-partner lead generation.
- Multi-brand loyalty programs and sector consortia (banking, insurance, retail).
- Joint ventures and shared subsidiaries sharing a CRM or a data lake.
- Multi-centre academic research and sector registries (health, finance).
- Job platforms where the employer and the job board jointly determine algorithmic matching.
The EDPB 3-question test
To qualify the relationship, the EDPB applies three cumulative criteria: (1) joint decision on purposes, (2) joint or converging decision on essential means (data categories, retention, recipients), (3) actual impact on the processing. If two of the three are met, you fall under article 26, not article 28. The CNPD systematically checks this during audits of Luxembourg e-commerce sites and CSSF-regulated fintechs.
How Luxgap automates this risk
Our Luxgap Joint-Controller Detector closes the article 26 blind spot by continuously scanning your websites, applications and data flows to detect every joint-controllership situation hidden behind a pixel, an SDK, a partnership or a consortium. The tool deploys a lightweight JS snippet on your web properties, cross-references outbound flows with the EDPB database of known joint-controllership decisions (Meta, Google, LinkedIn, TikTok, Criteo, Salesforce Marketing Cloud), and analyses your partner contracts stored in Odoo, M365 or DocuSign via a dedicated AI agent.
- Automatically detects third-party pixels, SDKs and trackers present on your public websites and mobile apps, and qualifies each one against the EDPB 07/2020 grid.
- Classifies each partner relationship (sole controller, joint controller, processor) by analysing your contracts through an LLM agent trained on CJEU case law and CNIL/CNPD/APD decisions.
- Generates ready-to-sign article 26 arrangement templates by typology: advertising pixel, joint venture, shared platform, research consortium, multi-brand loyalty program.
- Automatically publishes the /joint-controllers/ page of your website reflecting the essence of the arrangements, in line with article 26(2), and updates it whenever a contract changes.
- Sends alerts via Teams or email as soon as a new pixel appears on your sites or a new marketing partnership is signed in your CRM.
- Produces a cryptographically sealed, timestamped PDF report that you can rely on before the CNPD or CNIL during an audit and that demonstrates the full mapping of your joint controllerships.
Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS module, depending on your scope. Request a tailored quote and our team will prepare a demonstration on your actual environment, with a free 48-hour scan of your sites and applications to surface your hidden joint controllerships before any commitment.