Hi I agree Tony's point. Joint controller is probably right in my scenario, but I couched it as processing for clarity on the particular point. It just shifts it from Art 28 to 26 compliance. As it happened in the particular case, B was actually using a third party app. B had a supply and processor contract with C who provided this. No-one appreciated that A also needs an Art 28 agreement with C in that situation ... although this might perhaps be incorporated in the B-C agreement on an agency basis with good drafting ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html Any queries about sending or receiving messages please send to the list owner [log in to unmask] Full help Desk - please email [log in to unmask] describing your needs To receive these emails in HTML format send the command: SET data-protection HTML to [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^