Free UK Joint Controller Agreement Template (Art 26 UK GDPR)

JOINT CONTROLLER AGREEMENT

UK GDPR Article 26  ·  England And Wales  ·  20 July 2026

This Joint Controller Agreement (the "Agreement") is made on 20 July 2026 between Northbridge Onboarding Services Ltd of 34 King William Street, London, EC4R 9AS (ICO ZA1234567; data protection contact Eleanor F. Caldicott, dpo@northbridge-onboarding.co.uk) (the "First Joint Controller"); Kestrel Identity Verification Ltd of 88 Wood Street, London, EC2V 7RS (ICO ZA7654321; data protection contact Daniel J. Pemberton, privacy@kestrel-iv.co.uk) (the "Second Joint Controller"), together the "Joint Controllers". The Joint Controllers jointly determine the purposes and means of the personal data processing described in clause 2 below and accordingly are joint controllers within the meaning of Article 26 of the UK GDPR (Retained Regulation (EU) 2016/679, as amended by the Data (Use and Access) Act 2025). This Agreement sets out their respective obligations under UK GDPR for the joint processing, allocates responsibilities as between them, and identifies the essence of the arrangement to be made available to data subjects under Article 26(2). Notwithstanding any allocation, each Joint Controller remains responsible for compliance with the UK GDPR in full and joint and several liability may arise for any breach (Fashion ID v Verbraucherzentrale [C-40/17] (CJEU 29 July 2019; UK retained per EUWA 2018 s.3-6)).

"UK GDPR" means Retained Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data, as it has effect as part of UK law by virtue of the European Union (Withdrawal) Act 2018 and as amended by the Data (Use and Access) Act 2025.

"DPA 2018" means the Data Protection Act 2018, as amended.

"DUAA 2025" means the Data (Use and Access) Act 2025, with Part 5 main data protection provisions in force from 5 February 2026.

"ICO" means the Information Commissioner's Office, the UK supervisory authority for the purposes of UK GDPR.

"Personal Data", "Processing", "Data Subject", "Controller", "Joint Controllers", "Processor", "Special Category Data", "Data Subject Request", "Personal Data Breach" and "International Transfer" shall each have the meaning given in the UK GDPR.

"Joint Processing" means the processing of Personal Data described in clause 2, jointly determined as to purpose and means by the Joint Controllers.

2.1 Joint determination of purpose. The Joint Controllers determine jointly that the Personal Data shall be processed for the following purpose(s): Combined identity verification and ongoing customer due diligence for UK retail-banking onboarding under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended), including PEP / sanctions screening and ongoing monitoring.

2.2 Joint determination of means. The Joint Controllers determine jointly the means of processing as follows: Document upload and OCR (Northbridge customer-facing UX); biometric liveness, document authenticity check and sanctions / PEP screening against Refinitiv World-Check (Kestrel platform); shared verification result and audit trail stored in Kestrel's ISO 27001 / SOC 2 Type II environment; encrypted API integration over mTLS; UK-only processing and storage.

2.3 Categories of data subjects. The categories of data subjects whose Personal Data is processed are: Prospective and current retail-banking customers of Northbridge's client banks, located in the UK.

2.4 Categories of Personal Data. The categories of Personal Data processed are: Names; date of birth; nationality; UK / EEA identity document images (passport, driving licence, national ID); biometric facial template (transient, deleted on verification result); residential address; sanctions / PEP screening results; verification outcome (pass / refer / fail); audit-trail metadata.

2.5 Special Category Data. The Joint Processing includes Special Category Data under Article 9 UK GDPR. The lawful condition relied upon under Schedule 1 DPA 2018 is: DPA 2018 Schedule 1 Part 2 paragraph 14 (preventing or detecting unlawful acts) for the biometric facial template processing, with the appropriate policy document maintained by both JCs.. The Joint Controllers shall maintain an appropriate policy document where required by DPA 2018 Schedule 1 paragraph 39.

3.1 Made available to data subjects. The essence of this Agreement, as required by Article 26(2) UK GDPR, shall be made available to data subjects via the Joint Controllers' privacy information (whether website privacy notice, layered privacy notice, in-product notice, or other transparency mechanism). The essence is as follows:

Northbridge collects identity documents and personal data from the customer via its onboarding journey and is the customer-facing party for transparency, data subject rights and primary support. Kestrel runs the biometric and screening checks on Northbridge's behalf within the joint determination of purpose, returns the verification outcome, and maintains the joint audit trail. Both Northbridge and Kestrel are responsible for UK GDPR compliance in respect of the Joint Processing; data subjects may exercise their rights against either party.

3.2 Primary point of contact. the First Joint Controller acts as the lead point of contact for data subject enquiries, without prejudice to the data subject's right under Article 26(3) UK GDPR to exercise rights against any Joint Controller. Each Joint Controller shall direct data subject enquiries received by it to the other Joint Controller(s) as needed for effective handling.

3.3 Joint liability acknowledgement. The Joint Controllers acknowledge that under Article 26(3) UK GDPR data subjects may exercise their rights in respect of the Joint Processing against any Joint Controller, irrespective of the internal allocation in this Agreement.

4.1 Governing law. This Agreement, and any dispute or claim arising out of or in connection with it (including non-contractual disputes), shall be governed by and construed in accordance with the laws of England and Wales. The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.

4.2 Duration. This Agreement takes effect on the date set out at the start of this Agreement and shall continue until terminated under clause 9.

5.1 Allocation of handling. The Lead Joint Controller (the First Joint Controller) centralises all Data Subject Requests. Other Joint Controllers receiving a request shall forward it to the Lead Joint Controller within the timeframe at clause 5.2 below. The Lead Joint Controller coordinates the response in consultation with the other JCs.

5.2 Internal information flow. When a Joint Controller receives a Data Subject Request relating to the Joint Processing it shall notify the other Joint Controllers within three (3) working days of receipt, furnishing all information reasonably required for response.

5.3 Response time. Data Subject Requests shall be responded to within one (1) month from receipt, in accordance with Article 12(3) UK GDPR.

5.4 Scope of rights covered. The rights to be handled jointly include: information (Arts 13-14), access (Art 15), rectification (Art 16), erasure (Art 17), restriction (Art 18), data portability (Art 20), objection (Art 21), automated decision-making (Arts 22 / 22A-22D — DUAA 2025), and complaint to ICO (Art 77).

5.5 Refusal coordination. A Joint Controller shall not unilaterally refuse a Data Subject Request relating to the Joint Processing without first consulting the other Joint Controllers. The refusing JC shall record the reasoned refusal in writing and share with the other JCs.

6.1 Lead. the First Joint Controller acts as the breach-coordination lead for all Personal Data Breaches affecting the Joint Processing.

6.2 Internal notification. A Joint Controller that becomes aware of a Personal Data Breach affecting the Joint Processing shall notify the other Joint Controllers in writing within 12 hours of awareness, providing all information then known about the breach.

6.3 ICO notification (Article 33 UK GDPR — 72 hours). The Lead Joint Controller shall, where required by Article 33 UK GDPR, notify the ICO within 72 hours of becoming aware of the Personal Data Breach. The notification is made on behalf of all Joint Controllers as a single notification under the joint-controllership framework. The other Joint Controllers shall provide all information required for the notification within the internal timeframe at clause 6.2.

6.4 Data subject notification (Article 34 UK GDPR). The Lead Joint Controller shall notify all affected data subjects directly under Article 34 UK GDPR where the breach is likely to result in a high risk to their rights and freedoms. The other JCs shall provide all data subject contact information and assist with the notification.

6.5 Breach register. The Joint Controllers shall maintain a single joint register of all Personal Data Breaches affecting the Joint Processing (whether notifiable or not), recording the facts, effects and remedial action taken, as required by Article 33(5) UK GDPR.

6.6 Containment + mitigation. The Joint Controllers shall coordinate immediate containment and mitigation measures. Where a JC is the source of the breach, it shall lead containment subject to the operational reasonableness test in Article 32 UK GDPR.

7.1 DPIA (Article 35 UK GDPR). The Joint Controllers acknowledge that the Joint Processing is likely to result in a high risk to data subjects under Article 35(1) UK GDPR. A Data Protection Impact Assessment (DPIA) shall be carried out jointly before the Joint Processing commences, by all Joint Controllers jointly. The DPIA shall include the elements required by Article 35(7) UK GDPR and shall be kept under review.

7.2 Record of processing (Article 30 UK GDPR). The Joint Controllers maintain a shared master Article 30 UK GDPR record of processing activities for the Joint Processing as a single document, jointly updated. Each JC may reference the shared master in its own broader ROPA.. The Joint Controllers acknowledge that the DUAA 2025 may relax certain Article 30 obligations for non-high-risk processing where the controller is an SME; the relaxation does not apply to high-risk Joint Processing.

7.3 Sub-processor coordination. New sub-processors for the Joint Processing require the prior written consent of all Joint Controllers. Consent shall not be unreasonably withheld; objection shall be made on reasoned data-protection grounds within 14 days of notification.

7.4 Sub-processor list. The Joint Controllers shall maintain a shared list of sub-processors used for the Joint Processing, updated within 14 days of any change. The list is made available to data subjects on request as part of the Article 26(2) UK GDPR transparency framework.

8.1 Mechanism. No international transfers shall take place. All Personal Data shall be processed and stored within the United Kingdom by all Joint Controllers and any sub-processors.

8.2 Lead party. the First Joint Controller shall lead on the documentation and management of international transfers under the chosen mechanism.

8.3 Data protection test. Where the chosen mechanism requires a destination-country surveillance and access analysis, this shall be conducted by all Joint Controllers jointly. The data protection test (replacing the prior "transfer risk assessment" terminology under DUAA 2025) is conducted in accordance with the ICO's January 2026 updated international transfers guidance.

9.1 Automated decision-making (UK GDPR Arts 22A-22D — DUAA 2025). The Joint Processing includes automated decision-making producing legal or similarly significant effects on data subjects within Article 22 UK GDPR. Following the commencement of UK GDPR Articles 22A-22D on 5 February 2026 (inserted by DUAA 2025 Part 5), the Joint Controllers shall coordinate the safeguards required, including: (a) informing data subjects of significant decisions; (b) providing meaningful information about the logic involved; (c) implementing measures to safeguard data subjects' rights, freedoms and legitimate interests including the right to obtain human intervention; (d) recording categories of data used; and (e) providing the data subject with a right to make representations. all Joint Controllers jointly shall implement and document the safeguards.

9.2 Audit rights. Each Joint Controller may audit the others on at least ten (10) business days written notice, no more than once in any twelve-month period (save where required following a Personal Data Breach). The auditing JC bears its own costs; the audited JC bears its own costs.

9.3 Indemnity. Each Joint Controller shall indemnify the others against costs, fines and damages reasonably incurred by them as a result of the indemnifying JC's breach of UK GDPR or of this Agreement. This is the UK market standard for joint controllerships and reflects the proportionate-fault test in Article 82(2) UK GDPR. Nothing in this clause limits or affects Article 82 UK GDPR joint and several liability to data subjects, which the Joint Controllers acknowledge as overriding statute.

9.4 Termination notice. Either Joint Controller may terminate this Agreement (and its participation in the Joint Processing) by giving 6 month(s)' written notice to the other Joint Controllers. Termination by a single JC where there are three or more JCs does not terminate the Agreement as between the remaining JCs, who may continue subject to amended allocation under clause 3.

9.5 Data on termination. On termination, each Joint Controller may retain the Personal Data it directly collected for its own ongoing purposes (subject to its own lawful basis and retention policy). The Joint Processing as such ceases; the data subject's rights as to each JC's retained data continue under that JC's sole-controller obligations.

9.6 Annual review. The Joint Controllers shall jointly review this Agreement annually, covering (a) the Joint Processing description (clause 2); (b) the essence of arrangement (clause 3); (c) DSR handling effectiveness; (d) breach register; (e) DPIA + ROPA currency; (f) international transfers mechanism (including any DUAA-related ICO guidance updates); and (g) ADM safeguards. The review outcome is documented and signed by an authorised representative of each JC.

10.1 Variation. This Agreement may be varied only by written agreement signed by all Joint Controllers. Variations affecting the essence of arrangement (clause 3) shall be communicated to data subjects via updated privacy information.

10.2 Severance. If any provision is found by any court or competent authority to be invalid, unlawful or unenforceable, that provision shall be deemed not to form part of this Agreement and shall not affect the enforceability of the remainder.

10.3 Counterparts. This Agreement may be executed in any number of counterparts, each of which when executed shall be an original, but together shall constitute one and the same instrument. Electronic execution (DocuSign, AdobeSign or equivalent) is permitted.

10.4 Third-party rights. Save as expressly provided in this Agreement (including data subjects' Article 26(3) UK GDPR rights), no provision is enforceable under the Contracts (Rights of Third Parties) Act 1999 by any person who is not a party to it.

10.5 Notices. Notices shall be in writing and delivered by hand, first-class recorded post, or email to the contact details set out in this Agreement (or such other contact details as a Joint Controller may notify in writing).

10.6 Entire agreement. This Agreement constitutes the entire agreement between the Joint Controllers in relation to the Joint Processing and supersedes all prior arrangements (oral or written) on the subject matter.

IN WITNESS WHEREOF the Joint Controllers have executed this Agreement on the date set out at the start of this Agreement.