According to Article 26 GDPR
This agreement sets out the division of responsibilities between XXXX ("Partner") and ConceptX ApS (“CX”), individually referred to as a “Joint Data Controller” and jointly referred to as the “Joint Data Controllers”, in relation to a joint controllership pursuant to Article 26 of the EU Regulation 2016/679 of the European Union and of the Council of 27 April 2016 on the protection of end users with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”) as described below.
- Joint controllership in relation to the Digital Partnership
1. 1. This Data Processing Agreement (“Agreement”) sets out the division of responsibilities between Partner and CX in relation to the processing activity taking place as part of the Joint Data Controllers’ Digital partnership concerning targeted advertising management facilitated by and performed on the relevant websites and applications of Partner (“Digital Partnership”) in relation to which Partner and CX act as Joint Data Controller within the meaning of Article 26(2) of the GDPR.
1. 2. This Joint Control Agreement (“Agreement”) shall, in accordance with Article 26(2) of the GDPR, duly reflect the respective roles of the Joint Data Controllers and sets out the respective responsibilities of the Joint Data Controllers to comply with the obligations of the GDPR, in particular to exercise the data subject's rights and the obligation to provide the information referred to in Articles 13 and 14. The main content of the arrangement must also be made available to data subjects.
1. 3. Regardless of the terms of the Agreement, the data subjects may exercise their rights under the GDPR with regard to and against each individual Joint Data Controller. Similarly, the Agreement does not prevent the supervisory authority from exercising its powers in relation to each Joint Data Controller individually.
1. 4. For the purpose of this Agreement, “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Third Party”, “Principles relating to Processing of Personal Data”, “Personal Data Breach” and “Supervisory Authority” shall have the same meaning as in GDPR. Any applicable data protection legislation, including the GDPR, will be referred to as “Data Protection Legislation”. - Processing of personal data in relation to the Digital Partnership
2. 1. For the collection and transfer of the Partners cookie IDs from Partner to CX in order to process them for the purpose of presenting targeted advertising on the Partner websites (“Common Purposes”) directed toward individual website visitors and application users (“Data Subjects”), the Joint Data Controllers will jointly operate and make use of a Consent Management Platform (“CMP”) implemented by Partner on the relevant Partner websites and applications.
2. 2. By means of the CMP, Partner is enabled to share personal data concerning the Data Subjects and especially details of the consent for marketing online activities obtained via the relevant Partner websites and applications with CX. Subsequently, CX will process the personal data concerning the advertisement for the purpose of sharing it with Partner to enable efficient and more online personalized advertisement to be displayed on the relevant Partner websites and applications in the interest of the Joint Data Controllers.
2. 3. By means of online advertising technologies in use on the relevant websites and applications which enable the Joint Data Controllers to store cookies or similar technologies on the individual Data Subject’s device (e.g. computer, tablets, mobile phone and or smartphone, TV, apple TV, etc.), the targeted advertisement can be displayed on the relevant Partner websites and applications in the interest of the Joint Data Controllers.
2. 4. By means of Data Management Platform (“DMP”), the targeted advertisement can be personalised even further based on additional segment and audience data prior to being displayed on the relevant Partner websites and applications in the interest of the Joint Data Controllers.
2. 5. Cookies are small files that the browser stores on the end-device in a directory provided for this purpose. They can be used, among other things, to determine whether a website has already been visited. Many cookies contain a so-called cookie ID. A cookie ID consists of a string of characters by which websites and servers can be assigned to the specific internet browser in which the cookie was stored. This enables both Joint Data Controllers to distinguish the individual browser. A specific internet browser can be recognised and identified via the unique cookie ID. Cookies cannot identify the Data Subjects as a person without additional information.
2. 6. When using apps, instead of a website, a technology with a comparable function can be used, such as the operating system-specific advertising ID, vendor ID or a user ID that is generated at random.
2. 7. To fullfill the Common Purposes of the Digital Partnership, the Joint Data Controller may share the following categories of personal data “Shared Personal Data” concerning the Data Subjects:
2. 7. 1. Unique user identifiers by Partner (e.g. cookie ID)
2. 7. 2. Device information
2. 7. 3. IP addresses
2. 7. 4. Browser information
2. 7. 5. Consent string
2. 8. “Services” shall mean the necessary permissions given by Partner to enable CX to use personal data of its own customers or other tracking technology in order to target its advertising campaigns to specific users of Partner websites and applications.
2. 8. 1. Partner will collect consent from Data Subject through the CMP and share the available Shared Personal Data with CX.
2. 8. 2. Partner will share Shared Personal Data with Partner as a basis. Partner can choose to share additional Shared Personal Data with Partner.
2. 8. 3. Partner will enable the possibility for Partner to place a third-party cookie on the Partner properties with the purposes and functionalities described in Partner's CMP (IAB TCF 2.0 or later version) Vendor List including the CX description.
2. 8. 4. CX will manage the Shared Personal Data in their own system to facilitate personalization, targeting and management of ads to be delivered on Partner properties. - Principles and legal basis for processing of personal data
3. 1. The Joint Data Controllers shall each be jointly responsible with each other for the processing of personal data to the extent that the Joint Data Controllers share, disclose and in any other way process personal data concerning the Data Subjects to fulfil the Common Purposes of the Digital Partnership ("Joint Processing").
3. 2. In relation to the Joint Processing, the Joint Data Controllers are both responsible for complying with the Principles relating to Processing of Personal Data to the extent that the rules apply to the respective Joint Data Controller's responsibilities under this Agreement and shall ensure that it processes the Shared Personal Data fairly and lawfully in accordance with the terms of this Agreement and the Data Protection Legislation. - Responsibility and relationship towards Data Subjects
4. 1.The Joint Data Controller which enables cookies or other tracking devices is strictly obliged to do so by getting access through a consent given by the individual Data Subject to the specific purposes.
4. 2. The Data Subject has the possibility at any time to revoke the Data Subject's consent or to object to the processing of personal data which will be updated in the technical signals sent to Partner about the existence of the legal basis for the processing of personal data of the Data Subject.
4. 3. Partner enables the Data Subjects to use the CMP. At the beginning of the usage process, the Data Subject is given the opportunity to determine the scope of the processing of personal data and the access to or storage of information on his or her terminal device by making the appropriate settings in the digital service.
4. 4. Partner undertakes to handle and respond to requests for erasure from Data Subjects without delay after becoming aware of them and to inform CX thereof.
4. 5. In case a Data Subject’s request for erasure is addressed to CX, CX is responsible to ensure that the concerned Shared Personal Data is erased from the DMP used by the Joint Data Controllers in the context of Digital Partnership. Likewise, the Partner is responsible to ensure that the Shared Personal Data is no longer used for the Common Purposes of the Digital Partnership if:
4. 5. 1. The Data Subject has indicated to CX that he or she withdraws his or her consent for the use of Personal Data for the Common Purposes; or
4. 5. 2. The Data Subject has expressed to Partner that he or she would like to object to the use of his or her Personal Data for the Common Purposes (in case Joint Data Controller relies on its legitimate interest as a legal basis)
4. 6. For any other privacy-related request from a Data Subject (including, but not limited to the exercise of their rights under Data Protection Legislation), the Joint Data Controller to whom such request is addressed, is responsible for handling and carrying it out. The Joint Data Controller shall ensure that the request is handled within the period imposed by the Data Protection Legislation. If necessary, the Joint Data Controllers shall provide each other with relevant information and mutual assistance.
4. 7. The Joint Data Controllers undertake to each provide a contact point for Data Subjects seeking to exercise any of their rights under Data Protection Legislation with relation to the processing of Shared Personal Data covered by this Agreement.
4. 7. 1. Contact CX: Frederik Knudsen, CFO & Data Protection Officer, frederik@conceptx.com
4. 7. 2. Contact Partner: XXXX
4. 8. In respect of queries or complaints regarding the Data Protection Legislation and/or compliance under the terms of this Agreement, the following contact persons can be contacted by email or mail:
4. 8. 1. Contact CX: Frederik Knudsen, CFO & Data Protection Officer, frederik@conceptx.com (Toldbodgade 18, ST. TV, 1253 Copenhagen, Denmark.
4. 8. 2. Contact Partner: XXXX - Obligations for CX
5. 1. CX warrants and guarantees that it has all necessary rights in sharing the Shared Personal Data with Partner for the Common Purposes. Further, CX shall ensure that personal data of the Data Subject shall only be processed if there is a legal basis. Such legal basis shall either consist of the Data Subject’s consent or a legitimate interest pursued by the Partner, provided that such interest is not overridden by the interest or fundamental rights and freedom of the Data Subject.
5. 2. CX undertakes to disclose in its privacy policy information about the existence of a joint controllership agreement to CX as well as their rights as Data Subjects and to provide all of the required information pursuant to Art. 13 GDPR. Furthermore, both Joint Data Controllers undertake to provide the Data Subject of the Digital Partnership with the additional further information pursuant to Art. 26 GDPR.
5. 3. CX shall respond to requests from a Data Subject relating to the Joint Processing within the legal time limits set out in Article 12 of the GDPR.
5. 4. CX undertakes responsibilities to inform and update Interactive Advertising Bureau Europe (“IAB”), or other relevant institutions/vendors, with the Partners specific purposes of the Digital Partnership so that the Partner can make the necessary settings to ensure the appropriate and necessary sharing, disclosure and processing of the Shared Personal Data. - Obligations for Partner
6. 1. Partner shall ensure that personal data of the Data Subject shall only be processed if the legal basis jointly determined in accordance with Clause 1 of this Agreement exists and a corresponding signal has been sent to CX.
6. 2. Partner undertakes to cease the Joint Processing if the legal basis ceases to exist.
6. 3. Partner undertakes to disclose in its privacy policy information about the existence of a joint controllership agreement between CX and itself as well as their rights as Data Subjects and to provide all of the required information pursuant to Art. 13 GDPR. Furthermore, both Joint Data Controllers undertake to provide the Data Subjects of the digital Partnership with the additional further information pursuant to Art. 26 GDPR.
6. 4. Partner shall respond to requests from a Data Subject relating to the Joint Processing within the legal time limits set out in Article 12 of the GDPR.
6. 5. Partner shall ensure that CX is listed on the CMP vendor list with a valid vendor ID. Furthermore, Partner shall ensure they have deposited their respective current data protection provisions on the vendor list by means of a link.
6. 6. The CMP must be certified with the Transparency & Consent Framework (the newest version of the TCF, currently TCF 2.0) of the IAB Europe. - Reporting and Notification Obligations
7.1. Each Joint Data Controller is responsible for responding to requests from a Supervisory Authority. If the request may have implications for the further cooperation between the Joint Data Controllers, the Joint Data Controller receiving the request shall notify the other Joint Data Controller in writing in good time.
7. 2. In the event of a breach of the protection of personal data in relation to the Joint Processing, the Joint Data Controller which discovers the breach shall fulfil the necessary reporting and notification obligations in accordance with Article 33 (Notification to the supervisory authority) and Article 34 (Notification to the Data Subject) of the GDPR.
7. 3. Insofar as the breach has not occurred in the sole area of responsibility of one of the Joint Data Controller, the Joint Data Controller in whose area of responsibility the breach has occurred shall provide the other Joint Data Controller with the information required to fulfil the statutory notification and notification obligations in due time.
7. 4. If and to the extent that the information cannot be provided at the same time, the respective Joint Data Controller concerned may provide this information gradually without unreasonable further delay. - Data Protection Impact Assessment
8. 1. Each Joint Data Controller shall carry out any data protection impact assessment required under Article 35 of the GDPR concerning its own responsibility for the Joint Processing.
8. 2. Each Joint Data Controller shall also comply with the requirement of Article 36 of the GDPR Regulation to consult the supervisory authority in advance, where appropriate. - Further Data Protection Obligations
9. 1. Both Joint Data Controllers shall be responsible for complying with the requirement of Article 30 of the GDPR on records of processing activities. This implies that each Party shall include the Joint Processing in its records of processing activities and provide each other with the information necessary pursuant to Article 30(1) of the GDPR.
9. 2. Each Party shall implement and maintain the necessary technical and organisational measures to always ensure adequate protection of the personal data at least in accordance with the requirements of Article 32 of the GDPR and document this in an appropriate manner.
9. 3. Each Party shall provide reasonable assistance to the other Party in the performance of its obligations under this Agreement. In particular, but not exclusively, each Party shall provide the other Party with information without undue delay to the extent that the requesting Party requires the information to fulfil its obligations under Data Protection Legislation.
9. 4. If a Joint Data Controller becomes aware of a breach of any provision of this Agreement or of the protection of personal data in relation to the Joint Processing, it shall promptly notify the relevant Joint Data Controller concerned thereof. The same shall apply in the event of a breach of the provisions of the IAB Europe Transparency & Consent Framework Policies. - Data Transfer to Third Countries
10. 1. The Joint Data Controllers may jointly decide that personal data may be transferred to third countries or international organizations outside EEA.
10. 2. The Joint Data Controller who transfers personal data outside EEA shall be responsible for compliance with the requirements of Chapter V of the General Data Protection Regulation in the event of transfers of personal data to third countries or international organizations.
10. 3. Where personal data are transferred by a Joint Data Controller to a third country, that Joint Data Controller shall in particular provide appropriate safeguards in accordance with Section 46 GDPR and provide the Data Subject with enforceable rights and effective remedies. - Term of this Agreement
11. 1. This Agreement shall take effect on the date CX starts processing personal data to fullfill the Common Purposes of the Digital Partnership and shall continue to apply for as long as CX continues to do so.
11. 2. This Agreement shall automatically terminate for the respective Joint Data Controller upon termination of the Digital Partnership.
11. 3. The Joint Data Controllers agree that the termination of this Agreement at any time, in any circumstances and for whichever reason does not exempt them from the obligations and conditions under the Agreement as regards to the processing of any Shared Personal Data. - Liability
12. 1. In the event that a Joint Data Controller breaches its obligations under this Agreement or the Data Protection Legislation, such Joint Data Controller shall not be liable to the other Joint Data Controller or to indemnify it for any costs, expenses and damages resulting from such breach.
12. 2. The Joint Data Controllers further declare and acknowledge that this Agreement does not and shall not create any joint and several liability between them. Each party shall solely be liable upon any non-fulfilment of its own obligations under this Agreement. - Miscellaneous provisions
13. 1. This Agreement can either constitute an addendum to a main contract or serve as a separate legally binding instrument between the Joint Data Controllers if the Joint Data Controllers have not entered any other agreement concerning the activities in relation to the Digital Partnership.
13. 2. This Agreement supersedes all prior agreements, general conditions, arrangements, and undertakings, whether written or oral, entered into between the Joint Data Controllers, with regard to the processing of personal data in relation to the Digital Partnership.
13. 3. Should one or more provisions of this Agreement be found to be invalid, illegal or unenforceable (in whole or in part), the remainder of the provision and of this Agreement shall not be affected and shall continue in full force and effect as if the invalid, illegal or unenforceable provision(s) had never existed and the Joint Data Controllers will negotiate in good faith to replace the invalid, illegal or unenforceable provision(s) by (a) valid, legal and enforceable provision(s) with similar effect.
13. 4. Any failure or delay by a party in exercising any right under this Agreement, the exercise or partial exercise of any right under this Agreement or any reaction or absence of reaction by a Joint Data Controller in the event of breach by another Joint Data Controller of one or more provisions of this Agreement shall not operate or be construed as a waiver (either express or implied, in whole or in part) of its rights under this Agreement or under said provision(s) or preclude the further exercise of any such rights. Any waiver of a right must be expressed and in writing. - Jurisdiction
14. 1. The Joint Data Controllers agree that this Agreement shall be governed by and construed in accordance with the laws of Denmark.
14. 2. Unless any alternative dispute resolution procedure is agreed between the Joint Data Controllers, each Joint Data Controller irrevocably agrees that the courts of Copenhagen shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims). - Entry into Force of the Agreement
15. 1. Both Joint Data Controllers shall become a party to this Agreement upon signature by both Joint Data Controllers hereto.