Agreement between joint controllers (Art. 26 GDPR)

Directly publishable version (complete, without omissions)

Agreement between jointly responsible parties

between

Fitness Nation GmbH

Bergstr. 18

59394 Nordkirchen

Germany

– hereinafter referred to as “Controller A” –

and

the company named in the main contract

– hereinafter referred to as “Controller B” –

Controller A and Controller B will hereinafter also be referred to individually as the “Party” or jointly as the “Parties”.


§ 1 Subject of the contract

(1) The parties conclude this Joint Controllers Agreement (hereinafter referred to as the “JC”) with regard to the processing of personal data in connection with the main contract concluded between the parties. Having jointly determined the purpose and means of the processing operations described below (hereinafter referred to as the “processing operations”), the parties consider themselves to be joint controllers within the meaning of Article 26 of the General Data Protection Regulation (hereinafter referred to as the “GDPR”).

(2) For the avoidance of doubt, it is noted that with regard to any processing which falls outside the scope of this JC, each of the parties shall remain solely responsible and fully liable as controller within the meaning of Article 4(7) GDPR, and that in this respect there shall be no responsibilities or obligations of one party towards the other party.

(3) This JC sets out the mutual responsibilities and obligations of the parties with regard to the processing operations. Should the provisions of this JC conflict with those of the main contract, the former shall prevail if and to the extent that the responsibilities and obligations of the parties with regard to the processing operations are affected. Notwithstanding the foregoing, the parties agree that neither party may claim separate remuneration for the performance of its responsibilities under this JC, but that such claims shall be fully covered by the remuneration arrangements under the main contract.

(4) Unless otherwise provided in this JC, the terms used herein shall have the meanings given to them in Article 4 of the GDPR.

(5) Insofar as individual processing steps or processing operations, according to their actual design, are not to be classified as joint controllership but as data processing within the meaning of Article 28 GDPR, the parties shall conclude a supplementary data processing agreement for this purpose. The remaining provisions of this JC shall remain unaffected.


§ 2 Principles for and details of the processing operations

(1) The parties assure and guarantee each other that, with regard to the processing operations, all personal data will be collected and further processed in accordance with the provisions of this JC and applicable data protection laws, in particular in accordance with the principles for the processing of personal data set out in Article 5 of the GDPR. Should either party believe that the other party has infringed the provisions of this JC or applicable data protection laws in the course of its implementation, it shall inform the other party immediately.

(2) Where necessary to comply with legal obligations or to grant data subject rights (in particular Articles 15 and 20 GDPR), the parties shall provide personal data in a structured, commonly used and machine-readable format, insofar as this is technically feasible and proportionate.

(3) Neither party shall make copies or duplicates of the personal data processed under this JC, except as necessary for the processing operations (including data backups, logging, redundancies, fail-safe operation, debugging to the necessary extent) or for compliance with statutory retention obligations.

(4) The details of the processing operations are set out in the separately published overview ‘Data Flow’ (hereinafter ‘Data Flow Overview’). This overview provides a comprehensive description of the nature, purpose and subject matter of the processing operations, the categories of data subjects affected by the processing operations and the type of personal data processed. In addition, the parties describe each step of the processing operations in the Data Flow Overview and record:

(a) which of the parties is responsible for each of these steps,

(b) on which legal basis the individual processing operations are based,

(c) which recipients or categories of recipients are involved,

(d) what storage and deletion periods or criteria apply for determining the duration, and

(e) which technical and organisational measures (TOMs) are relevant in each case.

(5) If this becomes necessary due to a change in the processing operations themselves and/or due to an amendment or supplement to the main agreement, the parties will adjust the provisions in the Data Flow Overview accordingly. In view of the parties' obligations as joint controllers, each party is responsible for informing the other party if it considers an adjustment of the provisions in the Data Flow Overview necessary. Notwithstanding the foregoing, each party will regularly, but at least annually, review whether the provisions in the Data Flow Overview reflect the processing operations then in effect.

(6) The supervisory authority responsible for the processing operations of Controller A is the supervisory authority of the State of North Rhine-Westphalia. For Controller B, the competent supervisory authority is the one located at its registered office.


§ 3 Place of data processing; transfer to third countries

(1) The parties will process personal data exclusively at their own registered office or the registered office of their authorized data processor. All processing operations will, in principle, be carried out in the Member States of the European Union or in another state that is a party to the Agreement on the European Economic Area.

(2) Any processing of personal data outside the EU/EEA is only permitted with prior agreement between the parties and only if the requirements of Articles 44 et seq. GDPR are met.

(3) The parties agree that, in the absence of an adequacy decision by the EU Commission pursuant to Article 45 GDPR, any transfer of personal data to a country outside the EU/EEA is only permissible if the parties have no reason to believe that the laws and practices in the destination third country which apply to the processing of personal data by the data importer, including requirements for the disclosure of personal data or measures which allow public authorities access to such data, prevent the data importer from ensuring that the level of protection of natural persons guaranteed by the GDPR is not undermined. The party intending to transfer personal data to a country outside the EU/EEA must therefore provide the other party with written evidence prior to the transfer that it has adequately considered (a) the specific circumstances of the transfer, (b) the laws and practices of the third country relevant to the specific circumstances of the transfer, including any restrictive provisions and safeguards, and (c) all relevant contractual, technical or organisational safeguards provided to supplement the safeguards agreed under this JC.


§ 4 Rights of the persons concerned

(1) The parties shall provide data subjects with the information required under Articles 13 and 14 of the GDPR in a precise, transparent, intelligible, and easily accessible form, using clear and plain language. In this context, the parties agree that (a) the data protection notices available under "Data Protection" comply with the aforementioned requirements of Article 12(1) of the GDPR, (b) with regard to Article 13(4) and Article 14(5)(1) of the GDPR, there are no further information obligations concerning the processing operations, and (c) the data protection notices contain the essential elements of the agreement within the meaning of Article 26(2) of the GDPR, which are thus made available to data subjects. Section 2(5) applies accordingly. The parties shall also ensure that the essential content of this agreement within the meaning of Article 26(2) of the GDPR is made available to data subjects in an appropriate manner.

(2) The parties designate Controller A as the point of contact for data subjects. The parties nevertheless acknowledge that data subjects may assert their rights with and against any party. For this reason, Controller B shall promptly inform Controller A of any complaint, communication, or request received directly from a data subject concerning that data subject's personal data, without responding to such request. Controller B shall provide Controller A with the necessary support with regard to any complaint, communication, or request from a data subject. Controller B shall forward requests, complaints, or communications from data subjects to Controller A within 48 hours of receipt and shall not provide any substantive response to the data subject unless Controller A expressly agrees to do so.

(3) Controller A shall confirm to the data subject whether personal data concerning him or her are being processed within the scope of the processing operations. Where this is the case, Controller A shall provide the data subject with the information pursuant to Article 15(1) GDPR and a copy of the personal data undergoing processing pursuant to Article 15(3) GDPR.

(4) Controller A will diligently investigate each request from a data subject regarding (a) the rectification of their allegedly inaccurate personal data, (b) the erasure of their personal data, (c) the restriction of processing of their personal data, (d) that data subject's right to data portability, and (e) an objection pursuant to Article 21 GDPR. Upon completion of the investigation, Controller A will decide whether the request is justified and which party, or both parties, is obliged to rectify or erase the personal data, restrict its processing, grant the data subject the right to data portability, or comply with the objection pursuant to Article 21 GDPR. Controller A will inform Controller B accordingly.

(5) The parties undertake to implement an internal procedure for handling data subject requests (e.g., a ticketing system) to ensure timely fulfillment within the statutory deadlines. Controller B shall support Controller A without undue delay, but no later than within 5 working days, by providing the necessary information and data to the extent required to process the request.

(6) If a request for the erasure of personal data is justified, or upon termination or expiry of the main contract, the parties shall erase the relevant or all personal data. If the data protection laws to which a party is subject prohibit that party from erasing all or part of the personal data, that party must guarantee that (a) the confidentiality of such personal data is maintained, (b) it no longer actively processes the personal data, and (c) it will erase such personal data as soon as the legal obligation not to erase the data no longer exists. Each party shall draw up a record of the erasure of personal data, which shall be made available to the other party upon request.


§ 5 Joint Assurances of the Parties

(1) The parties have appointed authorized representatives and their deputies as the sole points of contact for all communication concerning the processing operations. The parties shall immediately notify each other in writing of any change in the person of the authorized representative or their deputy and shall appoint a replacement. Until such notification has reached the other party, the appointed persons shall remain authorized to receive messages from the other party, and messages addressed to that party shall be deemed to have been duly transmitted.

(2) All communication between the parties shall, in principle, be in writing or at least in text form by persons authorized to do so under this JC. Oral communications shall be confirmed in writing or in text form without delay.

(3) Employees of both parties: (a) who have access to personal data have submitted to an obligation of confidentiality or are subject to a statutory duty of secrecy; (b) may process personal data only on the instructions of the employing party, unless there is another legal obligation to process it; and (c) will be regularly trained, at least once a year, regarding the parties' obligations under this JC, data protection laws and in particular the GDPR.

(4) Upon request, the parties shall assist each other in the event of investigations or inquiries by a supervisory authority, if and to the extent that such investigation or inquiry relates to the processing operations. The parties shall take the necessary steps to comply with any obligations relating to such an investigation or inquiry. Irrespective of any request for assistance, the parties shall in any case inform each other of any such investigation or inquiry by a supervisory authority.

(5) The parties shall notify each other without undue delay, and in any event no later than 24 hours after they have become aware of a personal data breach. This notification must contain the information required under Article 33(3) GDPR or, if the notifying party is unable to provide this information within the 24-hour period, at least an explanation of (a) the reasons for this inability, (b) the additional time expected to be required to complete the information, and (c) where applicable, the impact of this inability on the measures taken to mitigate the adverse effects of this personal data breach. Where a party is legally obliged to provide information due to a risk to the rights and freedoms of natural persons (in particular, but not limited to, Articles 33 and 34 GDPR), the other party shall make every effort to assist the obliged party in fulfilling its notification obligations. Where possible, any communication with the competent supervisory authority and/or the data subjects relating to a personal data breach should be coordinated between the parties before it is sent.

(6) Based on the current status of the processing operations, the parties have assessed whether a data protection impact assessment (DPIA) pursuant to Article 35 GDPR is required and currently assume that there is no obligation to carry out a DPIA. The parties undertake to review this assessment on an ad hoc basis, in particular in the event of changes to the processing operations, and at least annually. Should a DPIA become necessary, the parties shall provide each other with reasonable support in carrying it out. Any obligation to consult the supervisory authority beforehand pursuant to Article 36 GDPR remains unaffected.


§ 6 Technical and organizational measures

(1) Before processing commences, the parties shall implement the technical and organizational measures specified in the TOMs and maintain them throughout the term of this JC. These measures shall include (a) measures to ensure compliance with the rights of data subjects and (b) technical and organizational measures to ensure a level of security appropriate to the risk with regard to the confidentiality, integrity, availability, and resilience of the systems. In doing so, the state of the art, the costs of implementation, and the nature, scope, context, and purpose of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, must be taken into account.

(2) Because technical and organisational measures are subject to technical progress and technological developments, the parties are permitted to implement alternative and appropriate measures, provided that this does not result in a safety standard lower than that specified in the TOMs.

(3) Notwithstanding the foregoing, a party shall be obliged to implement further measures if it turns out that (a) the measures specified in the TOMs are no longer appropriate within the meaning of paragraph 1 in view of technical progress and technological developments and/or (b) an audit or investigation by a supervisory authority has shown that the measures in the TOMs are insufficient.

(4) Each party shall document any changes as described above and provide the other party with a copy of the technical and organisational measures as amended or updated in this manner.


§ 7 Other responsible parties; use of data processors for the data under joint responsibility here

(1) The parties acknowledge that no further controller may be granted access to personal data processed up to this point as part of the processing operations by joining this JC. The parties further agree that if they wish to involve another controller in future processing operations, this would require (a) a supplementary agreement to both the main contract and this JC, (b) careful implementation of the process laid down in Section 2(5), and (c) updated information to the data subjects as defined in Section 4(1).

(2) If a party uses a data processor, it must impose obligations on that processor regarding data protection, confidentiality, and data security which (a) meet the requirements of Articles 28 and 20 of the GDPR and (b) are at least as stringent as those laid down in this JC. Section 3, paragraphs 2 and 3, apply accordingly.

(3) Each party must notify the other party in writing if it intends to deploy a new Data Processor. If the notified party, within 30 days of receiving this notification, informs the deploying party in writing and in a verifiable manner of its rejection of the proposed deployment, the parties shall negotiate a mutually acceptable alternative solution in good faith.

(4) If a Data Processor fails to fulfill its obligations with regard to the processing operations, the instructing party shall be fully liable to the other party for the Data Processor's compliance with its obligations.

(5) The parties agree that the providers of ancillary services are not data processors within the meaning of data protection laws; this applies in particular to transport services provided by postal or courier services, cash transport services, telecommunications services, security services, and cleaning services. Notwithstanding the foregoing, the parties will conclude customary confidentiality agreements with such service providers.


§ 8 Audit rights

(1) Each party has the right to verify the other party's compliance with this JC if this is necessary (a) to properly comply with an obligation to a supervisory authority or (b) to verify that the other party has adapted its procedures to the provisions of this JC following a data breach.

(2) If and to the extent that such a review requires on-site inspections, these should normally take place during normal business hours and without undue disruption to operations. The party conducting a review shall inform the other party in advance, with reasonable notice, of all circumstances relating to the review.

(3) A party may engage a third party to carry out the review. In such a case, the third party must be bound in writing to strictly maintain secrecy and confidentiality, unless the third party is subject to a professional duty of confidentiality.

(4) Audits shall be limited to the scope necessary for the examination and shall be carried out while respecting the trade and business secrets of the other party. Where possible, suitable evidence (e.g., certificates, audit reports, TOM documentation) shall be provided first instead of on-site inspections.


§ 9 Liability

(1) The parties acknowledge that they are both liable to data subjects with regard to the processing operations pursuant to Article 82(2) to (4) GDPR.

(2) Where a party has paid full compensation to a data subject for the damage suffered in accordance with Article 82(4) GDPR, that party shall be entitled to recover from the other party the part of the compensation which corresponds to the other party’s share of responsibility for the damage.

(3) Paragraph 2 shall apply mutatis mutandis where a supervisory authority has imposed a fine on a party if and to the extent that the infringement giving rise to the fine is wholly or partly attributable to an infringement by the other party of this JC or applicable data protection laws. Notwithstanding the foregoing, a party may only claim compensation for a fine if it has made every reasonable effort to avert or reduce that fine through administrative proceedings.


§ 10 Other provisions

(1) This JC shall be governed by the same law as the main contract, and any disputes arising out of or in connection with this JC shall be subject to the exclusive jurisdiction of the courts to which the parties have agreed in the main contract.

(2) Amendments or additions to this JC shall only be effective if they are made in writing.

(3) If any provision of this JC is declared invalid or unenforceable by the competent court, the remaining provisions shall remain in full force and effect.

(4) This JC shall enter into force upon signature of the main contract by the parties. It shall remain in effect, irrespective of the expiry of the term of the main contract, until all personal data have been deleted by the parties and/or all data processors used, and shall then automatically cease to have effect.


Place, date: ___________________________

Fitness Nation GmbH (Controller A)

Signature: ___________________________

Name/Function: _________________________

[Company] (Controller B)

Signature: ___________________________

Name/Function: _________________________

© 2026 Fitness Nation. All rights reserved.