The Higher Regional Court of Dusseldorf has referred a question on the interpretation of Article 26(2) of the GDPR to the Court of Justice of the European Union (CJEU) this year in Case C-287/26, asking whether platforms and website owners operating as joint controllers are legally required to publish the essence of their data-sharing arrangements online, or whether making that information available only on request is sufficient.

The referral, lodged at the CJEU on 4 April 2026, arises from a dispute between the Bundesverband fur Inkasso und Forderungsmanagement e. V. (BFIF e. V.), a German federal association for debt collection and receivables management, and a lawyer based in Duisburg identified as RR in anonymised court documents. The Dusseldorf court made its decision to refer on 24 February 2026, following a hearing on the same day.

According to court documents, the defendant lawyer advertised his services via a profile page on anwalt.de, a legal services directory platform operated by a third party. The BFIF e. V. alleged that on 18 March 2025, the profile page at the URL https://www.anwalt.de/RR contained no indication of where data subjects could find the information required under Article 13 of the GDPR, and that the essence of the joint controller arrangement required by the second sentence of Article 26(2) was not accessible from the page either.

The applicant association sought a court order requiring the defendant to refrain, in the course of business relating to debt collection services, from operating digital services without making the essence of any joint controller arrangement available to data subjects. The penalty clause sought was a fine of up to EUR 250,000 per infringement, or imprisonment for a maximum of six months.

The defendant's position was that the website was outdated and that he was no longer active in debt collection at the time proceedings were initiated, negating any competitive relationship. He further contended that Article 26 of the GDPR does not, on its face, require the relevant information to be published on a website; providing it upon specific request from a data subject is, in his view, sufficient.

What Article 26 of the GDPR actually says

Article 26 of the General Data Protection Regulation establishes the legal framework for situations where two or more controllers jointly determine the purposes and means of personal data processing. Under Article 26(1), joint controllers must determine their respective responsibilities for compliance through a transparent arrangement. The second sentence of Article 26(2) - the provision at the heart of Case C-287/26 - states that the essence of that arrangement must be made available to data subjects.

What the regulation does not specify is exactly when or how. That gap is the source of the disagreement now heading to Luxembourg.

The Dusseldorf court found itself unable to resolve the case without guidance from the CJEU because legal opinion is sharply divided. According to the court documents, academic commentators disagree. Authors Specht-Riemenschneider and Schneider, writing in the journal MMR in 2019, argued that joint controllers are under a duty to publish the arrangement on the website. Piltz, writing in the commentary Gola/Heckmann, concluded there is no such duty. Spoerr, in BeckOK Datenschutzrecht (51st edition), described the question as unresolved.

Data protection supervisory authorities are similarly split. Of the five German authorities that shared views on the question with the Landesbeauftragte fur Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), three agreed that proactive website publication is not mandatory, while one dissented and argued the opposite.

How anwalt.de illustrates the joint controller problem for platforms

The referral provides a detailed account of how joint controllership operates on anwalt.de, which serves as a practical illustration of a data-sharing structure common to professional directory platforms, legal services marketplaces, and many other operator-hosted profile services.

According to the observations submitted to the Dusseldorf court by the State Commissioner for Data Protection and Freedom of Information, Baden-Wurttemberg, anwalt.de is in principle the sole controller for processing related to the general operation of the platform - including user accounts, technical provision, usage statistics analysis, and rating and ranking features. That much is uncontroversial.

However, for certain processing operations directly related to individual lawyer profiles - specifically the messaging feature, feedback requests, reviews, and orders for legal services - joint controllership exists between anwalt.de and the respective law firm or lawyer. According to the Baden-Wurttemberg authority's description, anwalt.de provides an Article 26 arrangement to govern this, published at https://tos-handler.sls.anwalt.de/document/8e559659-d0f6-42e4-aaf2-729f91d2e74b/download/Vereinbarung_GV.pdf, which allocates responsibilities for the duty to provide information and for data subjects' rights.

A further detail matters here. The moment a message from a potential client reaches the lawyer and the process moves into the pre-engagement phase, the lawyer becomes the sole controller of that processing. Reviews and statistical analyses, by contrast, remain under anwalt.de's sole controllership. The structure is, according to the court documents, consistent with the CJEU's stage-specific approach to joint controllership developed in Case C-210/16 (ULD v Wirtschaftsakademie) and Case C-40/17 (Fashion ID v Verbraucherzentrale NRW).

The LDI NRW position, and where German authorities disagree

The most detailed legal analysis in the referral comes from the LDI NRW, which submitted observations on the head of claim and subsequently informed other German data protection authorities of its assessment.

According to the LDI NRW, Article 26 of the GDPR does not specify when or how the essence of the arrangement must be made available to data subjects. Unlike Article 30(4) of the GDPR, which requires the record of processing activities to be made available on request, or Article 40(11), which requires codes of conduct to receive appropriate publicity, Article 26(2) uses neither of those formulations. That omission, the LDI NRW argued, means no binding obligation to publish proactively can be read into the provision.

The authority drew support from the European Data Protection Board's Guidelines 07/2020 on the concepts of controller and processor. According to paragraph 181 of those guidelines, "it is up to the joint controllers to decide the most effective way to make the essence of the arrangement available to the data subjects (e.g. together with the information in Article 13 or 14, in the privacy policy or upon request to the data protection officer, if any, or to the contact point that may have been designated)."

One German supervisory authority disagreed. That authority, quoted in the court documents, concluded that because Article 26(2) does not include the qualifying phrase "upon request" - as other GDPR provisions do when requiring on-request disclosure - the obligation is unconditional and requires proactive disclosure. "Since a requirement to submit a request does not follow from the wording of the provision and forms the starting point and the limit of the interpretation," the dissenting authority stated, "the provision also creates an unconditional (binding) obligation on the controller."

Three other German authorities sided with the LDI NRW. Four data protection supervisory authorities thus support the view that on-request provision is sufficient; one considers proactive online publication mandatory.

The specific question referred to the CJEU

The Dusseldorf court framed the referred question narrowly. It asks:

"Where both the platform operator and the website owner are jointly responsible for the processing of data when a website is accessed via a platform, are the controllers then required to make the essence of their arrangement within the meaning of Article 26(1) of the GDPR available on that website or at least on another website to which the accessed website refers by means of an appropriately marked link?"

The framing reflects the specific factual situation: a user accesses a profile page on anwalt.de; data is processed as a result; and the question is whether the joint controller arrangement must be visible on that page itself, or accessible via a link, or whether providing it only to those who specifically request it is enough.

The court noted that for the Article 13 information required upon data collection, the established practice is already that it must be available either on the accessed website or via an appropriately marked link on the accessed website. The applicant association argued that the same standard should apply to the second sentence of Article 26(2). That equivalence is precisely what the CJEU must now assess.

Why data subjects are not necessarily left unprotected in the interim

The LDI NRW's submission to the Dusseldorf court included an argument that even without a proactive disclosure obligation under Article 26(2), data subjects retain meaningful protections through other GDPR provisions.

Under Articles 13(1)(a) and 14(1)(a), controllers are required to identify themselves to data subjects. In a joint controller scenario, that obligation covers all controllers. Under Articles 13(1)(e) and 14(1)(e), controllers must identify recipients of personal data, a category that encompasses controllers as well as processors. And under Article 26(3), data subjects may exercise their GDPR rights against any of the joint controllers, regardless of how internal responsibilities have been allocated in the arrangement - meaning they are not dependent on having read the arrangement to assert their rights.

The LDI NRW's conclusion was that the "essence of the arrangement" required by Article 26(2) is not a substantive element of the Article 13 and 14 information but rather "organisational information" about which joint controller is responsible for ensuring compliance with which obligations. Whether that characterisation is accepted by the CJEU will determine much of the practical outcome of Case C-287/26.

Prior CJEU case law on joint controllership

The Dusseldorf court's referral invokes three CJEU judgments as precedent for the existence of joint controllership between anwalt.de and the defendant lawyer. The first is the judgment of 5 June 2018 in Case C-210/16 (ULD v Wirtschaftsakademie Schleswig-Holstein), which established that Facebook fan page operators and Facebook itself are joint controllers for data collected from page visitors. The second is the judgment of 29 July 2019 in Case C-40/17 (Fashion ID v Verbraucherzentrale NRW), which found that website operators embedding the Facebook Like button share joint controllership with Facebook for the initial data collection phase. The third is the judgment of 2 December 2025 in Case C-492/23 (X v Russmedia Digital SRL and Inform Media Press SRL), the most recent in the sequence.

The referral date of 4 April 2026 means that any CJEU decision on Case C-287/26 is likely at least 12 to 18 months away, given typical processing timelines. In the interim, the legal uncertainty documented by the Dusseldorf court will continue to affect how joint controllers across Europe approach their Article 26(2) obligations.

Why this matters for marketing and ad tech

The referral sits within a broader pattern of European courts and regulators using joint controller doctrine to distribute data protection obligations across the advertising technology supply chain. German courts in February 2026 found that website operators embedding Meta's tracking tools share liability under joint controller provisions outlined in Article 26, awarding EUR 1,500 per affected user in damages and prohibiting Meta from collecting data about the plaintiffs on third-party sites.

The mechanism by which platforms and site owners become joint controllers is well-established in German case law. A Leipzig court awarded EUR 5,000 in compensation for violations involving Meta's Business Tools in July 2025, applying GDPR Article 82 rather than national law. A subsequent Thuringian Higher Regional Court awarded EUR 3,000 in damages in March 2026, marking the fourth Higher Regional Court in Germany to rule in favour of claimants in Business Tools tracking proceedings.

The Belgian Market Court's ruling in May 2025 on the IAB Europe Transparency and Consent Framework drew a comparable line in programmatic advertising: IAB Europe is a joint controller for TC String processing within the TCF framework, but not for the OpenRTB processing that follows. That distinction - specifying which party controls which stage of processing - is the same structural question that Article 26 arrangements must document and that Article 26(2) requires, in some form, to be communicated to data subjects.

The EDPB's 2025 annual report, published in April 2026, recorded EUR 1.15 billion in GDPR fines across the European Economic Area during 2025. The volume of enforcement activity makes the question of how Article 26(2) disclosures must be structured practically urgent for any business operating or embedding platform services.

The EDPB's Europrivacy certification scheme, examined in an April 2026 opinion covered by PPC Land, explicitly excludes joint controller processing from its scope - an exclusion that underlines the degree to which joint controllership remains an area of unresolved compliance complexity.

More immediately, the CJEU preliminary ruling in Case C-287/26 will be read closely by any operator hosting third-party professional profiles, by publishers embedding platform widgets, and by the ad tech companies that depend on complex chains of data processing involving multiple controllers. If the court determines that the essence of a joint controller arrangement must be published on or linked from the accessed website, the practical impact extends well beyond legal directories. Every platform that hosts user-generated professional profiles, every publisher embedding third-party ad serving technology, and every website that integrates social plugins while acknowledging joint controllership with the platform would face a disclosure obligation that currently many meet, at best, via a clause buried in a privacy policy.

The EDPB's DSA-GDPR guidelines, adopted on 11 September 2025 and covered by PPC Land, require advertising transparency disclosures to be available in real time. Whether Article 26(2) disclosures must meet a similar accessibility standard is now a question only the CJEU can definitively resolve.

Timeline

Summary

Who: The Bundesverband fur Inkasso und Forderungsmanagement e. V. (BFIF e. V.), a German federal association for debt collection and receivables management, brought proceedings against a lawyer (identified as RR in anonymised documents) who advertised on the legal services platform anwalt.de. The referring court is the Oberlandesgericht Dusseldorf (Higher Regional Court, Dusseldorf, Germany), the 20th Civil Chamber.

What: The court has referred Case C-287/26 to the Court of Justice of the European Union for a preliminary ruling on the interpretation of the second sentence of Article 26(2) of the GDPR. The specific question is whether joint controllers are required to make the essence of their Article 26(1) arrangement available on the accessed website or via a link from it, or whether providing it on request is sufficient.

When: The order to stay proceedings and refer was issued on 24 February 2026. The request for a preliminary ruling was lodged at the CJEU on 4 April 2026.

Where: The proceedings originated at the Oberlandesgericht Dusseldorf in Germany. The referred case, C-287/26, is now pending before the Court of Justice of the European Union in Luxembourg.

Why: German legal literature and data protection supervisory authorities are divided on whether Article 26(2) imposes a proactive publication obligation or merely requires controllers to supply the information on request. The EDPB's Guidelines 07/2020 leave the method of disclosure to the joint controllers' discretion, but one German data protection authority has argued the provision creates an unconditional obligation. The Dusseldorf court concluded it could not resolve the dispute without authoritative guidance from the CJEU, given that the question is directly relevant to the outcome and concerns the interpretation of EU law.