Data Processing Addendum - Joint Controller Agreement
JOINT CONTROLLER AGREEMENT
The Parties, meaning Client and Zeotap (as defined in the Master Services Agreement (“MSA”)), agree to be bound by the below, should it be applicable to that Party(ies). The capitalized terms not specifically defined in the different Sections shall have the meaning set out in the MSA. The terms “Data Subject”, “Data Controller”, “Data Processor”, “EU Standard Contractual Clauses”, “Sub-processor”, “process”, “processes”, “processing” or “processed”, as used throughout the Sections, shall have the meaning as prescribed in Applicable Laws.
This Joint Controller Agreement (“JCA”) determines the rights and obligations of the Data Controllers for the joint processing of Personal Data in accordance with Article 26 of the GDPR. The Parties have jointly determined the purposes and means of processing Personal Data in accordance with Applicable Laws. Capitalized terms not specifically defined herein shall have the meaning set out in the MSA or the DPA. In the event of a conflict between the terms of the MSA as they relate to the processing of Personal Data and this JCA, the JCA shall prevail.
1. Scope and compliance with Applicable Laws
1.1 The Parties, as joint Data Controllers, shall make available to each other only the Personal Data described in Attachment 1 in order that the Parties may process such Personal Data for the supply of the Products under the MSA. This JCA is in addition to any data protection provisions under the MSA and is limited to the processing activity specified in Attachment 1.
1.2 As the entity managing the joint processing of Personal Data, the Client will act in the capacity of main joint Data Controller of Personal Data, the other Party acting as secondary joint Data Controller of Personal Data in accordance with provisions of this JCA, unless otherwise required by the Applicable Laws.
1.3 Subject to the Applicable Laws, in particular rights granted to Data Subjects, the Parties shall have control, excluding any ownership rights, over the joint processing of Personal Data. In this respect, the Parties have jointly agreed to allocate, in good faith, their respective obligations and liabilities, as described in Attachment 1.
1.3 As joint Data Controller, each Party undertakes for the part of joint processing of Personal Data to and be responsible for:
1.4 Collecting or processing Personal Data for the duration of this JCA in accordance with this JCA, being specified that any further processing by each Party for its own purposes is implemented under its exclusive liability acting for it as independent Data Controller;
1.5 Providing the other Party with all relevant information relating to the joint processing of Personal Data (means, storage and country of origin and/or destination of Personal Data) to enable the other Party to demonstrate compliance with the obligations laid down under the Applicable Laws; and
1.6 Informing the other Party immediately if in its opinion, any development or change of the joint processing of Personal Data infringes the Applicable Laws.
2.1 In the context of the joint processing of Personal Data, the Parties shall each abide by their data security obligations, in particular as set out in Article 32 GDPR. Access to the infrastructure, including but not limited to physical and IT access, will be managed by each Party for the part of joint processing under its responsibility.
3. Data Subject requests
3.1 The main joint Data Controller shall be responsible for responding to Data Subject requests and the secondary Joint Controller shall provide assistance to each other within the statutory time limit, in ensuring compliance with the obligation to reply to any request from Data Subjects in exercise of their rights granted under the Applicable Laws (e.g., right to data portability, right to rectification, right to object, right to erasure, right to restrict processing).
4.1 The Parties shall not use any Data Processor for the joint processing of Personal Data in the performance of the MSA, except where the other Party was notified about the use of such Data Processor(s). The Party who engages a new Data Processor shall notify the respective other Party and, upon request, provide the respective other Party with all necessary information either regarding the Processor’s activities (including but not limited to the level of qualification of staff, performances and reliability of IT devices, contact details of data protection officer (if any) or adopted code of conduct) or regarding potential Sub-processors (same safeguards as well as company name, country of residence and country where subcontracting is performed and in particular country(ies) of processing of Personal Data, etc.). The current list of Sub-processors engaged by Zeotap and authorized by Client is available at https://zeotap.com/legal-hub/sub-processors, and, to the extent applicable, Third Party Platforms as listed in the System.
4.2 The Data Processor shall remain solely liable to the Parties for the performance of its obligations and those of its authorized sub-Data Processors. The Data Processor and its authorized Sub-processors shall be subject to confidentiality and security obligations aligned with those under the MSA.
4.3 Each Party shall promptly notify any Data Processor in the event of any request or notice from Data Subjects exercising their rights under the Applicable Laws and comply with the relevant Party’s reasonable instructions with respect to such request or notice. The Party who engages a Data Processor shall ensure that the Data Processor is obliged to ensure that its authorized sub-Data Processors will promptly forward to the relevant Party requests or notices they directly receive from Data Subjects. Taking into account the nature of the joint processing of Personal Data and the information available to the Data Processor, the Data Processor and/or sub-Data Processor shall cooperate in good faith and in a reasonable manner with the relevant Party and provide the relevant Party with the necessary information, in order to allow the relevant Party to respond to Data Subjects’ request within the statutory time limit.
4.4 Each Party shall make sure that its authorized service providers shall comply with these obligations and, when acting as Data Processor or Sub-processor, return Personal Data and every copy of the relevant Personal Data to the concerned Party in any reasonable format or otherwise to be agreed.
4.5 Save as set out in this JCA, any unauthorized processing, use or disclosure of Personal Data by the Data Processor or sub-Data Processor is strictly prohibited.
5.1 Each Party shall take all appropriate steps to ensure the reliability of its personnel, representatives and authorized recipients and any person acting under their authority who shall be involved in the joint processing of Personal Data only to the extent of the performance of the services obligations under this JCA.
5.2 The Parties understand and agree that such Personal Data constitutes Confidential Information, as defined by the MSA.
5.3 Each Party shall ensure that persons authorised to take part in the joint processing of Personal Data have committed themselves to the duty of confidentiality. Access, inspection, processing and provision of Personal Data by each Party’s personnel shall take place only in accordance with the “need-to-know” principle.
5.4 Each Party warrants and undertakes that such personnel, representatives, authorized recipients and any person acting under their authority are duly trained and made aware as to each Party’s obligations.
6.1 The Parties hereby agree that they are both authorized in their capacity as joint Data Controller of Personal Data to process, including transfers, certain Personal Data outside of the EEA for the sole purposes of the joint processing of Personal Data. If Personal Data processed under this JCA is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the Personal Data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU Standard Contractual Clauses, including supplementary measures as required, for the transfer of Personal Data.
7. Personal Data Incidents
7.1 If a Personal Data Breach in relation to the joint processing of Personal Data occurs, the Party becoming aware of such breach shall not later than 48 (forty-eight) hours report such incident to the other Party. The notifying Party shall provide the other Party with:
7.1.1 The description of the nature of the Personal Data Breach including the categories and approximate number of Data Subjects and Personal Data concerned;
7.1.2 The name and contact details of the data protection officer or other contact point of the notifying Party or any other parties involved from whom further information can be obtained;
7.1.3 The description of the likely consequences of the Personal Data Breach; and
7.1.4 The description of the measures taken and proposed to be taken by the notifying Party to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
7.2 The notifying Party undertakes to cooperate in a reasonable manner with the other Party to allow the other Party to notify the relevant data protection authority within 72 (seventy-two) hours (or any other time limit required under Applicable Laws) from the time the notifying Party has become aware of such breach.
7.3 Neither Party shall make any such Personal Data Breach public without the other Party’s prior consent.
8.1 Each Party shall, upon the other Party’s reasonable request, submit its data processing facilities, data files and documentation necessary and reasonably required for the joint processing of Personal Data for reviewing, auditing and/or certifying by the other Party (or any third party such as inspection agents or auditors of the other Party) to ascertain the first mentioned Party’s compliance with the undertakings in this JCA, subject to that Party’s security policy to the extent that it does not prevent the other Party from enforcing its rights under this JCA. The Party to be audited agrees to cooperate with the other Party in the course of such operations including providing all necessary information and access to all equipment, software, data, files, information systems, etc. used for the performance of services, including the joint processing of Personal Data. Such audits should not unjustifiably disrupt the provision of the Products and/or the other business operations of the Party being audited and should protect the Confidential Information of the Party to be audited and its clients or service providers. Such audits are intended to check compliance by the Party to be audited with the provisions of this JCA, including measures of confidentiality and security implemented by the audited Party in respect of the processing of Personal Data.
8.2 These operations may also review measures of confidentiality and security implemented by the Party to be audited. If such audits reveal a non-compliance with the Party’s warranties and undertakings, the Party to be audited shall undertake measures at its own expense to rectify the non-compliance as soon as possible, as agreed between the Parties.
8.3 In the event that one of the Parties is subject to any audit or investigation, in particular by public authorities, including any data protection authority, the other Party shall, without undue delay cooperate with the investigated Party and/or the public authority in question in a reasonable manner, including by providing any relevant information and, subject to the relevant territorial jurisdiction, access for that public authority to any equipment, software, data, records and systems necessary to carry out the audit or investigations performed by such public authority. The other Party shall not communicate directly with that authority.
8.4 Each Party shall disclose Personal Data if required to do so by an order of a court, public authority, or by any Applicable Laws; provided, however, that the concerned Party shall:
8.4.1 Promptly notify the other Party of the same (if and to the extent permitted by Applicable Laws);
8.4.2 Consult with and assist the other Party, at the other Party’s expense, in obtaining an order to take the necessary actions to dispute or oppose the legal process, obtain an injunction or undertake other appropriate remedies to prevent disclosure of Personal Data; and,
8.4.3 In any case seek the other Party’s consent where such notification is permitted by Applicable Laws prior to the disclosure.
9.1 Each Party shall store Personal Data for the duration required to achieve the purposes set out in this JCA and, upon termination or expiry of the JCA, delete the Personal Data, unless required otherwise by Applicable Laws, or in case of further processing for which the concerned Party acts as independent Data Controller.
9.2 Each Party shall keep a record of processing activities. Each Party shall maintain its record in writing, including in electronic form and shall make the record available to the relevant data protection authority on request and shall immediately report such communication to the other Party.
9.3 In the event of any change to (including changes in, or further guidance regarding, interpretation of) the Applicable Laws which requires a change to all or any part of the Products or a method of delivery of such Products, the Party that becomes aware of such change shall promptly notify the other Party and the Parties may negotiate and agree in good faith any appropriate adjustments to the terms of the MSA and the services as mutually agreed in writing in order for the Parties to comply with the Applicable Laws.
9.4 Notwithstanding expiry or termination of the MSA, this JCA will remain in effect until, and will automatically expire upon, each Party ceases to use Personal Data, except further processing for which it acts under its own liability as independent Data Controller (always subject to the restrictions and deletion requirements under the MSA) or for storage purposes for a period of time as required under the Applicable Laws.
9.5 Each Party warrants and undertakes it has the legal authority to give the warranties and fulfil the undertakings set out in this JCA. Where applicable, if a Party breaches its contractual obligations under this JCA, it shall be considered to be an independent Data Controller in respect of that processing.
9.6 Subject to the provisions on liability under the MSA, where one or both Parties becomes liable to pay a fine and/or damages in respect of the joint processing of Personal Data, and notwithstanding anything to the contrary set forth in the MSA, each Party’s contribution to the amount payable shall be determined in due proportion to their respective share of responsibility. To do so, the Parties shall discuss at the earliest convenience and agree on their respective contribution.
1. Each Party recognizes that they have full knowledge of the obligations that apply to them pursuant to the Applicable Laws in their role of joint Data Controllers and, as such, shall comply with such Applicable Laws to the extent applicable to each Party in its respective role in relation to the joint processing of Personal Data for which they have commonly determined:
1.1 the purposes of Personal Data processing under the MSA, namely: only the matching of Client Data with Zeotap Data.
1.2 the essential, as well as the non-essential, means of the joint processing of Personal Data for such purpose.
2. Each Party recognizes that Personal Data under this JCA includes both: (i) Client Data; and (ii) Zeotap Data.
3. The Parties have agreed to allocate, in good faith, the obligations and liabilities of the processing of Personal Data under the MSA, as follows:
|RESPONSIBILITIES: JOINT PROCESSING OF PERSONAL DATA|
|Which Party is responsible for determining the legal basis for Joint Processing||Zeotap with regard to Zeotap Data; Client with regard to Client Data|
|Which Party primarily decided: The System to be used to provide the Products? the features of the System used for the Products?|
|Which Party primarily determined the data categories to be processed under the MSA?||Client|
|Which Party is primarily responsible for the management of any transfer of Personal Data, and for deciding which recipients are authorized to receive such data?||Client|
|Which Party is primarily responsible for: determining the security measures for the processing of Personal Data under the MSA? the management of security measures for the processing of Personal Data under the MSA?|
|Which Party is primarily responsible for providing Privacy Notice to Data Subjects?||Client (including compliance with art. 26 par. 2 of the GDPR)|
|Which Party is primarily responsible for hosting / storage of Personal Data?||Zeotap|
|Which Party primarily determined the retention period for Personal Data to be processed under the MSA?||Client|
|Which Party is responsible for: managing and responding to any security incident involving Personal Data processed under the MSA? notifying the relevant authorities: where appropriate, notifying the data subjects of such security incident?||Zeotap with regard to Zeotap Data; Client with regard to Client Data|
|Which Party is responsible for responding to Data Subjects’ requests to enforce their rights to object to the processing of their Personal Data or to access, to modify, to erase, or to make portable their Personal Data?||Zeotap with regard to Zeotap Data; Client with regard to Client Data|
|Which Party is entitled to audit the other in respect of the processing of Personal Data under the MSA?||Each Party|
|Which Party is required to notify the relevant data protection authority where there has been a Personal Data Breach?||Zeotap with regard to Zeotap Data; Client with regard to Client Data|
|INDEPENDENT PROCESSING OF PERSONAL DATA|
|Does either Party intend to undertake any further processing or intend to re-use the Personal Data for its own purpose (including for e.g. statistical / analytical / marketing and any such other independent purposes)?||Client may use (i) Client Data for any purpose; (ii) Zeotap Data only for the purposes under the MSA. Zeotap may use (i) Zeotap Data for other clients; (ii) Client Data as a data processor only for the purposes under the MSA|