I’m currently engaged in a ‘stand off’ with a marketing company. We are using them to generate ‘marketing qualified leads’ that we follow up. We are not sharing any data with the marketing company ie not providing any names etc. How the marketing company ‘generate’ these leads is unknown to us.
I’m repeatedly being asked to sign a joint controller agreement however fail to see how we are joint controllers. I do not want to accept any liability if the data has been collected in a manner inconsistent with GDPR and as a joint controller I’m worried this may be the case.