Regardless of the nature of the agreement and the division of responsibilities between the joint controllers, a data subject may exercise his or her rights vis-à-vis each of the joint controllers. A legitimate interest assessment is a three-step test to determine whether you actually have a legitimate interest in carrying out the processing, the need for the processing to achieve your legitimate interest and whether the rights and freedoms of data subjects outweigh your interest, in which case you cannot invoke the legitimate interests of the processing and you must obtain the consent of the data subjects. You will find a legitimate interest assessment form in my GDPR compliance package that you can access //www.suzannedibble.com/gdprpack (C) The parties are working to implement an IT agreement that complies with the requirements of the current legal framework for data processing and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data el and ü on the free movement of data and repealing Directive 95/46/EC (General Data Protection Regulation). Although Article 26 of the GDPR requires an agreement between joint controllers, no written agreement is required between co-responsible persons, but a written agreement to prove the agreement is good practice and helps prove liability. . . .