Joint Controller Agreement
Between
Fitness Nation GmbH
Bergstr. 18
59394 Nordkirchen,
GERMANY
– hereinafter referred to as “Controller A”–
and
the company named in the main contract
– hereinafter referred to as “Controller B” –
Controller A and Controller B may hereinafter also be referred to individually as a “Party” or together as the “Parties”.
§ 1 Subject of the Agreement
(1) This Joint Controller Agreement (hereinafter “JCA”) is entered between the Parties concerning the processing of personal data through the concluded Master Agreement. As the Parties have jointly determined the purposes and means of the processing operations described below (hereinafter “Processing Operations”), they consider themselves joint controllers within the meaning of Art. 26 of the General Data Protection Regulation (hereinafter “GDPR”).
(2) For the avoidance of doubt, each Party shall remain solely responsible and fully liable as a single controller within the meaning of Art. 4 no. 7 of the GDPR, and neither Party shall have any duties or obligations towards the respective other Party concerning any and all processing operations that fall outside the scope of the present JCA.
(3) The present JCA comprises the Parties’ duties and obligations towards one another as the regards the Processing Operations. In case of a conflict between the provisions of the present JCA and the Master Agreement, the former shall prevail, if and inasmuch as such conflict affects the Parties’ duties and obligations as regards the Processing Operations. Notwithstanding the afore-said, the Parties agree that neither Party shall be entitled to any remuneration for the fulfillment of its duties under the present JCA, but that these are fully covered by the remuneration agreed under the Master Agreement.
(4) Unless stipulated otherwise in the present JCA, the terms used herein shall have the meaning ascribed to them in Art. 4 of the GDPR.
§ 2 Principles for and Details of the Processing Operations
(1) The Parties represent and warrant that any and all personal data are collected and further processed in compliance with the provisions of the present JCA and the applicable data protection laws, in particular but not limited to the principles relating to the processing of personal data set out in Art. 5 para. 1 of the GDPR. If either Party is of the opinion that the respective other Party, within the course of the execution of the present JCA, infringes the provisions of this JCA or applicable data protection laws, it will inform this other Party thereof immediately.
(2) Within the course of the Processing Operations, the Parties will process all personal data in a structured, commonly used and machine-readable format.
(3) Neither Party will make any copies or duplicates of personal data processed under the present JCA, unless this is required for the Processing Operations (including data backups), or to comply with statutory retention obligations.
(4) The details of the Processing Operations are laid out in Appendix A. These details include an exhaustive description of the nature, purpose and subject matter of the Processing Operations, the categories of data subjects affected by the Processing Operations, and the types of personal data that are being processed. In addition, the Parties will specify in Appendix A each step of the Processing Operations, indicating (a) which Party is responsible for which of these steps, and (b) the legal basis for such Processing Operation(s).
(5) If so required due to a change in the Processing Operations themselves, and/or as a result of an alteration of or an amendment to the Master Agreement, the Parties will respectively update the provisions of Appendix A. In consideration of the Parties’ obligations as joint controllers, it is either Party’s responsibility to inform the respective other Party if it is of the opinion that the provisions of Appendix A need to be updated. Notwithstanding the afore-said, either Party will regularly, but not less than once a year, check whether the provisions of Appendix A still reflect the then current Processing Operations.
(6) The Parties hereby assign Controller A the power to implement decisions about the Processing Operations with respect to all joint controllers, resulting in Controller A being the main establishment in the European Union for the Processing Operations for the Parties. Therefore, the lead supervisory authority for the Processing Operations is the supervisory authority of NRW.
§ 3 Place of the Processing; Transfer to Third Countries and the United Kingdom
(1) The Parties will process personal data only at their own or their authorized sub-contractor’s premises. In general, any Processing Operations will, therefore, be carried out in the member states of the European Union or in another state that is party to the Agreement on the European Economic Area.
(2) Any processing of personal data outside the EU/EEA shall be permitted only upon prior agreement of the Parties, and only if the conditions of Art 44 et seq. of the GDPR are met.
(3) For the purposes of the present JCA, the United Kingdom of Great Britain and Northern Ireland shall be treated as if being a third country in order to mitigate the risks of “Brexit”. Thus, any data processing in the UK shall only be permissible if appropriate safeguards within the meaning of Art. 46 of the GDPR have been agreed upon as a backup.
§ 4 Rights of the Data Subjects
(1) The Parties will provide to the data subjects the information in accordance with Art. 13, 14 of the GDPR in a concise, transparent, intelligible and easily accessible form, using clear and plain language. In this respect, the Parties agree that (a) the Privacy Notice visible under “Privacy” meets the abovementioned requirements of Art. 12 para. 1 of the GDPR, (b) considering Art. 13 para. 4, 14 para. 5 no. 1 of the GDPR, there is no further information obligation concerning the Processing Operations, and (c) the Privacy Notice contains the essence of the arrangement within the meaning of Art. 26 para. 2 of the GDPR which is, thus, made available to the data subjects. § 2 section 5 shall apply accordingly.
(2) The Parties designate Controller A as a contact point for data subjects. However, the Parties are aware of the fact that, irrespective hereof, the data subject may exercise his or her rights in respect of and against each of the Parties. Therefore, Controller B must notify Controller A without undue delay about any complaint, communication or request it received directly from a data subject and pertaining to his or her personal data, without responding to that request. Controller B shall provide Controller A with the required assistance in relation to any complaint, communication or request received from a data subject.
(3) Controller A shall provide to the data subject confirmation as to whether or not personal data concerning him or her are being processed as part of the Processing Operations. Where that is the case, Controller A shall provide to the data subject the information set out in Art. 15 para. 1 of the GDPR, and a copy of the data undergoing processing as part of the Processing Operations in accordance with Art. 15 para. 3 of the GDPR.
(4) Controller A shall examine with due care any request of a data subject concerning (a) the rectification of his or her allegedly inaccurate personal data, (b) the erasure of his or her personal data, (c) the restriction of processing his or her personal data, or (d) the right to such data subject’s data portability. Upon examination, Controller A shall determine whether the request is well-founded or not, and which Party is or whether both Parties are obliged to rectify or erase the personal data, or to restrict its processing, or to execute the data subject’s right to data portability. Controller A shall inform Controller B respectively.
(5) If a request for the erasure of personal data is well-founded, or upon termination or expiration of the Master Agreement the Parties shall erase the respective or all personal data. If data protection laws to which a Party is subject prevent this Party from erasing all or part of the personal data, this Party has to guarantee that (a) the confidentiality of such personal data is maintained, (b) it will not actively process such personal data anymore, and (c) it will erase such personal data as soon as the legal obligation to not erase the personal data is no longer in effect. Either Party will draw up a report on any erasure of personal data, which shall be submitted to the respective other Party upon request.
§ 5 Mutual Representations of the Parties
(1) The Parties have appointed authorized representatives and deputies as single points of contact for all communications as regards the Processing Operations in their privacy. Authorized representative: The Parties will immediately notify each other in writing of any change in the person of the authorized recipient or his deputy or their permanent hindrance, appointing a substitute. Until such notification is received by the respective other Party, the designated persons shall continue to be entitled to receive communications from the respective other Party and communications addressed to them shall be deemed to have been properly made.
(2) Any communications between the Parties shall in principle be made in writing or at least in text form by the persons authorized to do so in accordance with the present JCA. Oral communications shall be confirmed immediately in writing or in text form without undue delay.
(3) The employees of either Party: (a) who have access to personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (b) shall process personal data only as instructed to by the employing Party, unless otherwise required to do so by data protection laws; and (c) shall be provided training as necessary from time to time, but no less than once a year, with respect to the Parties’ obligations under this JCA, under data protection laws and, in particular, under the GDPR.
(4) Upon request, the Parties will assist each other in the event of an investigation by or request from a supervisory authority, if and to the extent that such investigation or request relates to the Processing Operations. The Parties will take the necessary steps to comply with any obligations in connection with such an investigation or request. Regardless of any request for assistance, the Parties will in any case notify each other of any such investigation by or request from a supervisory authority.
(5) The Parties will inform each other without delay, but in no event later than within 24 hours if they discover a personal data breach in connection with the Processing Operations. This notification must contain the information set out in Art. 33 para. 3 of the GDPR, or at least, if the reporting Party is not able to provide such information within the time frame of 24 hours, an explanation as to (a) the grounds for such inability, (b) the envisaged additional period of time it will take the reporting Party to complete the information, and (c) the impact of such inability on the measures taken to mitigate the adverse effects of such personal data breach, if any. If a Party is obliged by law to provide information due to a risk to the rights and freedoms of natural persons as a result of such a personal data breach (in particular but not limited to the information duties according to Art. 33, 34 of the GDPR), the respective other Party must assist the obligated Party to the best of its abilities in fulfilling its information duties. If possible, any communication concerning a personal data breach to the competent supervisory authority and/or the data subjects shall be agreed between the Parties before submission.
(6) Taking into account the nature of the Processing Operations and considering the provisions of Art. 35 of the GDPR, the Parties agree that a data protection impact assessment is not required. However, if future changes to the Processing Operations reveal that the Processing Operations become likely to result in a high risk to the rights and freedoms of natural persons, the Parties will cooperate and assist each other with a then necessary data protection impact assessment, and/or with any regulatory consultations that the Parties are legally required to make in respect of such data protection impact assessment in accordance with Art. 36 of the GDPR.
§ 6 Technical and Organizational Measures
(1) Prior to the commencement of the processing, the Parties must implement the technical and organizational measures listed in TOMs and maintain them during the term of the present JCA. These are (a) measures to ensure compliance with the rights of the data subjects and (b) data security measures to ensure a level of protection appropriate to the risk regarding the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the type, scope and purposes of processing as well as the varying likelihood and severity for the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 of the GDPR have been taken into account.
(2) Since the technical and organizational measures are subject to technical progress and technological development, the Parties are permitted to implement alternative and adequate measures, provided that the safety level of the measures specified in TOMs is not compromised.
(3) However, a Party is obliged to implement further measures once it turns out that (a) the measures set out in TOMs are no longer adequate within the meaning of section 1 above due to technical progress and technological development, and/or (b) an audit or an investigation by a supervisory authority has revealed the measures in TOMs to be insufficient.
(4) Either Party will document any changes as referred to hereinabove and provide the respective other Party with a copy of the amended or updated technical and organizational measures.
§ 7 Further Controllers; Appointment of Processors
(1) The Parties acknowledge that no further controllers may, by joining the present JCA, be granted access to the personal data processed so far as part of the Processing Operations. The Parties furthermore agree that, should they wish to include another controller in future Processing Operations, this would require (a) an amendment to both the Master Agreement and the present JCA, (b) a thorough execution of the procedure set out in § 2 para. 5, and (c) the provision of updated information to the data subjects in accordance with § 4 para. 1.
(2) When appointing a processor, the appointing Party must impose privacy, confidentiality and data security obligations on any such processor that (a) meet the requirements of Art. 28, 29 of the GDPR, and (b) are at least as stringent as those set forth in the present JCA. § 3 sections 2 and 3 shall apply accordingly.
(3) A Party must give the respective other Party written notice of its intention to appoint any new processor. If, within thirty (30) days of receipt of that notice, the notified Party notifies the appointing Party in writing of any reasonable objection to the proposed appointment, the Parties shall negotiate in good faith a mutually acceptable alternative solution.
(4) Where a processor fails to fulfill its obligations with respect to the Processing Operations, the appointing Party shall remain fully liable to the respective other Party for the performance of that processor’s obligations.
(5) The Parties agree that ancillary service providers are no processors within the meaning of data protection laws; this includes in particular transport services of postal or courier companies, cash transport services, telecommunication services, security services and cleaning services. However, the Parties shall enter into customary confidentiality agreements with such service providers.
§ 8 Audit Rights
(1) Either Party may audit the respective other Party’s compliance with the present JCA if so required in order to (a) properly fulfill an obligation towards a supervisory authority, or (b) convince itself that the respective other Party has aligned its processes to the provisions of the present JCA after a personal data breach.
(2) If and inasmuch as such audit requires on-premise inspections, it shall usually be conducted during normal business hours and without unreasonably disrupting business operations. The Party conducting the audit shall inform the respective other Party good time in advance of all circumstances relating to the execution of the audit.
(3) A Party may commission a third party to carry out the audit. In such event, however, the third party shall be bound in writing to strict secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy.
§ 9 Liability
(1) The Parties acknowledge that they are both liable towards data subjects as regards the Processing Operations in accordance with Art. 82 para. 1–4 of the GDPR.
(2) Where a Party has, in accordance with Art. 82 para. 4, paid full compensation to a data subject for a damage suffered, that Party shall be entitled to claim back from the respective other Party that part of the compensation corresponding to that other Party’s part of responsibility for the damage.
(3) Section 2 shall apply accordingly in the event that a supervisory authority has imposed an administrative fine on a Party, if and inasmuch as the breach that gave rise to the administrative fine was, in whole or in part, attributable to the respective other Party’s failure to comply with the present JCA or the applicable data protection laws. However, a Party may only claim compensation for an administrative fine if it used all reasonable efforts to avert or reduce such fine in the administrative procedures.
§ 10 Miscellaneous Provisions
(1) The present JCA will be governed by the same law as the Master Agreement, and the competent courts agreed between the Parties under the Master Agreement shall have the sole jurisdiction concerning all conflicts arising out of or in connection with the present JCA as well.
(2) No modification or amendment of the present JCA shall be effective unless in writing.
(3) If any provision in this JCA is held by the competent court to be invalid or unenforceable, all other provisions shall remain in full force and effect.
(4) This JCA will become effective as of the date the Parties have signed the Master Agreement. Notwithstanding expiry of the term of the Master Agreement, it will remain in effect until, and will automatically expire upon, deletion of all personal data by the Parties and/or any applicable processors.