It depends on the characteristics of the IoT project realized.Article 26 par. 2 GDPR on the agreement between joint controllers states that: “The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.”
For example, in the IoT project, one controller realized the device, while the other designed the software, while both can be defined controllers because they both determined the means of processing (through the device) and the purposes (provide a service to the customer), it is possible that they share in equal part the responsibilities of data processing (sensors still track data like location, movements, speed, and the software register and transmit it) or they can share the different amount of responsibility if the device does not access data and only the software does (maybe one part of the software which is provided from a third party, so this will be responsible).
The reason for the legal provision is to allow data subjects to refer to the controller who has access to personal data and that can provide the respect of data subjects rights. In fact, the last paragraph of the Article 26 GDPR states that “Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.”
The share of the number of responsibilities has internal effects among controllers not towards the data subjects.
Here you can find more information about the obligation of controllers:
Yes, because it processes the data of clients. Data subjects that purchase an IoT device accept the terms and conditions of that producer and provides personal data to that company. Of course, the producer may shift the liability with the IoT development company.
Please, remind that GDPR does not apply only to IoT software but to all data processed by the company so there are more personal data than those acquired by the IoT device.
The two companies can be the joint controller and there will be a data protection agreement where the liability profiles are separated so that the producer will bear responsibility for customer data (shipping, invoices, customer care, marketing, etc) while the software development company will bear responsibility for data processed through the IoT device.
In case the producer of the IoT hires a software development company to design an IoT software giving specific of the software and having access to data and using those data for any purpose (product development, marketing, etc.) the IoT integrator will be the controller and the software will be the processor (for data processed through software) because all control over data is in the producer company.
The following article may help you how to manage the obligation of controllers: