The two businesses are joint controllers because they jointly determine the purposes and means of processing personal data. They have a common purpose (selling products together via mail order) and have jointly decided on the means (a single website and a single order system). The fact that employees from both companies can administer all orders on this shared system further demonstrates this joint control over the processing activities. This arrangement fits the definition of joint controllership as outlined in Article 26 of the GDPR, where multiple entities collaborate on the essential decisions about data processing.

A. They are controllers of their own information contained in the single order system only.

This is incorrect because it fails to recognize the joint decision-making on the purposes and means of processing for the entire dataset, which is the hallmark of joint controllership.

B. They are controllers of their own information in the single order system and processors of the information they process on behalf of the other business.

This is incorrect. A processor acts on the instructions of a controller. Here, both businesses have a shared purpose and control, not a hierarchical controller-processor relationship.

C. The businesses are controllers of their respective information, and the staff are processors of this information.

This is incorrect because employees acting under the direct authority of their employer (the controller) are not considered separate processors.

---

1. General Data Protection Regulation (EU) 2016/679.

Article 26(1): "Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers." This directly defines the scenario described.

Article 4(7): Defines a 'controller' as the entity that "determines the purposes and means of the processing of personal data." The joint nature of this determination is key.

2. European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.1, Adopted on 7 July 2021.

Paragraph 52: "Joint controllership exists when different entities process the same or a set of personal data for a joint purpose and have jointly defined the means for this processing."

Paragraph 53: "The joint participation can take the form of a common decision taken by two or more entities or result from converging decisions... where the decisions complement each other and are necessary for the processing to take place..." This describes the businesses' agreement to use a single system for a shared goal.

Section 2.1, Example 1 (p. 23): Discusses a research project where several institutes jointly agree on the purpose, data, and means, concluding they are joint controllers. This provides a direct parallel to the business collaboration in the question.