The organisation should clearly define roles and responsibilities related to processing personal data together with a joint controller. Definition must include requirements for protecting and processing data.
The organisation can for example make a contract with joint controllers or document procedures for joint controllers and publish them on the website and make them available at offices