This agreement sets out the division of responsibilities between [Partner Name] (“Partner”) and Concept X ApS (“CX”), individually referred to as a “Joint Data Controller” and jointly referred to as the “Joint Data Controllers”, in relation to a joint controllership pursuant to Article 26 of the General Data Protection Regulation (“GDPR”) as described below.
1. Joint Controllership in Relation to the Digital Partnership
1.1. This Agreement defines the respective responsibilities of the Joint Data Controllers in relation to the processing of personal data within the context of the digital advertising partnership (“Digital Partnership”).
1.2. Both parties agree to jointly determine the purposes and means of processing in accordance with Article 26(2) of the GDPR.
1.3. Data subjects may exercise their rights under the GDPR with regard to and against each individual Joint Data Controller.
2. Processing of Personal Data
2.1. Partner and CX will jointly use a Consent Management Platform (CMP) on Partner’s digital properties to collect user consents and transfer Shared Personal Data between parties.
2.2. Shared Personal Data includes, but is not limited to:
- Unique user identifiers (e.g. cookie IDs)
- Device information
- IP addresses
- Browser information
- Consent strings
2.3. CX will process this data for targeting and managing advertising activities on Partner platforms.
3. Principles and Legal Basis
3.1. Each Joint Data Controller is responsible for ensuring a valid legal basis exists for processing, including consent or legitimate interest, as defined by GDPR.
3.2. Both parties are accountable for GDPR compliance and must ensure data is processed lawfully, fairly, and transparently.
4. Responsibility Towards Data Subjects
4.1. Partner is responsible for ensuring valid user consent is obtained via CMP.
4.2. Partner handles erasure and objection requests from users and notifies CX as needed.
4.3. Each Joint Data Controller must respond to privacy-related inquiries addressed to them, within the legal time frame.
4.4. CX Contact: Frederik Knudsen, CFO & Data Protection Officer (frederik@conceptx.com)
Partner Contact: [To be filled]
5. CX Obligations
5.1. CX ensures lawful sharing and processing of Shared Personal Data and discloses joint controllership in its privacy policy.
5.2. CX shall respond to user rights requests and notify Partner of relevant updates.
5.3. CX is responsible for maintaining accuracy and purpose limitation.
6. Partner Obligations
6.1. Partner must cease processing if no valid legal basis exists.
6.2. Partner must disclose joint controllership in its privacy policy and ensure CX is properly listed in CMP.
7. Reporting and Breach Notifications
7.1. Each party is responsible for handling regulatory inquiries and data breaches affecting their respective responsibilities.
7.2. The discovering party must notify the other if a breach relates to joint processing.
8. Data Protection Impact Assessments
8.1. Each party is individually responsible for conducting DPIAs as required under Article 35 GDPR.
9. Additional Data Protection Obligations
9.1. Both parties must maintain Article 30 processing records.
9.2. Appropriate technical and organisational measures must be implemented and documented under Article 32 GDPR.
10. Data Transfers
10.1. Any transfer of personal data to third countries must comply with Chapter V of GDPR.
10.2. Appropriate safeguards must be in place for such transfers, including Standard Contractual Clauses if applicable.
11. Term of Agreement
11.1. The agreement takes effect from the date CX begins processing personal data for the Digital Partnership.
11.2. It remains in effect as long as such processing continues and terminates with the underlying Digital Partnership.
12. Liability
12.1. Each party is individually liable for its own breaches and there is no joint liability.
13. Miscellaneous
13.1. This Agreement supplements or constitutes a standalone agreement between the parties on joint data processing.
13.2. If any provision is found unenforceable, the rest of the agreement remains valid.
13.3. Amendments or waivers must be made in writing.
14. Jurisdiction
14.1. This Agreement is governed by the laws of Denmark.
14.2. Disputes shall be resolved in the City Court of Copenhagen, unless an alternative dispute resolution method is agreed.
15. Entry into Force
15.1. This Agreement is effective upon signature by both Joint Data Controllers.
