Joint Controller Agreement

Agreement between Joint Controllers

further to Section 26 GDPR


This Agreement sets out the responsibilities between ID Ward Ltd (the Supplier) and the Customer, as represented in the Contract Details.

1. Purposes and Legal Bases of Processing

The purposes and respective legal bases for the processing of personal data on the digital offers by the Customer and the Supplier, consist solely in enabling the collection of data by the Supplier on the digital offers of the Client pursuant to the explicit consent expressed by the user in the consent management of the digital offer (so-called “Consent Management Platform” or “CMP”), and only for the data processing operations thereby defined by the Supplier (hereinafter “COMMON PURPOSES”).

2. Means of Processing

2.1 The personal data of users of the digital offer is processed via the online advertising technology of the Supplier integrated into the digital offer of the Client.

2.2 The online advertising technologies enables the Supplier to store cookies or similar technologies on the user’s end device; these enable access to or storage of information on the end device for the specified COMMON PURPOSES.

2.3 Cookies are small files that the browser stores on the end device in a designated directory. Among other things, they may be used to determine whether a website has already been visited. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which websites and servers may be assigned to the specific internet browser in which the cookie was stored. This enables the Client and the Supplier to distinguish the individual browser from other internet browsers that contain other cookies. A specific internet browser can be recognised and identified via the unique cookie ID. Cookies cannot identify the user as a person without additional information.

3. Function and Relationship vis-à-vis Data Subjects

3.1 The Client enables the data subject to use the digital offer. At the beginning of the use process, the data subject is given the opportunity to determine the scope of the processing of personal data and the access to or storage of information on their end device by making the appropriate settings in the CMP.

3.2 The data subject has the opportunity at any time to revoke consent given by him/her in the settings in the digital offer or to object to the processing of personal data.

3.3 The Supplier receives consent from the data subject to the processing of personal data. The Supplier collects, stores and processes personal data on the data subject’s device.

3.4 The Supplier creates a pseudonymous ID representing the data subject and stores it on its servers.

3.5 The Supplier further enables the data subject to view, download and delete the personal data collected and stored on the device and on its servers.

4. Scope of Joint Controllership

The Client and the Supplier shall each be jointly responsible for processing personal data to the extent that the Client provides the Supplier with access to its domain for the collection of personal data from users of the digital offer in accordance with this Agreement, including for its own purposes (hereinafter “JOINT PROCESSING”).

5. Duties of the Customer

5.1 The Customer undertakes to inform the users of the digital offer about the type, scope and purpose of the JOINT PROCESSING of personal data as well as their rights as data subjects further to Section 13 GDPR. The Customer also undertakes to provide the users of the digital offer with additional information further to Section 26 GDPR.

5.2 The Customer undertakes to provide the users of the digital offer with access to the Consent Management Platform, by means of which the user of the digital offer may at any time make the required settings further to Section 3.1 of this Agreement or amend them further to Section 3.2.

5.3 The Consent Management Platform must comply with the requirements of the Data Protection Authority in the jurisdiction where the Customer operates, as well as the requirements of the relevant Data Protection Authorities in the jurisdictions where the data subjects reside.

5.4 The Customer shall respond to any enquiry concerning data subjects it receives and relating to the JOINT PROCESSING of personal data within the statutory time limits.

5.5 If the Customer receives a complaint, notice or statement from a supervisory authority relating directly or indirectly to JOINT PROCESSING or possible non-compliance with data protection rules, the Customer shall immediately forward the complaint, notice or statement to the Supplier to the extent permitted by law. Responses to the Authority in this regard shall be coordinated with the Supplier to the extent permitted by law.

6. Duties of the Supplier

6.1 The Supplier undertakes to provide the Client with the information necessary in order to comply in a timely manner with the information obligations in No. 5.1 and requests for information in No. 5.5 in each case relating to their JOINT PROCESSING.

6.2 The Supplier shall ensure that personal data of the data subject are processed only if the legal basis jointly determined in accordance with Section 1 of this Agreement exists and a corresponding signal has been sent to the Supplier. The same applies to the retrieval or storage of information on the end device of the data subject.

6.3 Both the Client and the Supplier undertake to immediately cease JOINT PROCESSING in the event that the legal basis ceases to exist. 

6.4 The Supplier undertakes to make available to the data subject a dedicated data and privacy management platform and to implement requests for personal data deletion or data portability from data subjects immediately after becoming aware of them via such platform.

6.5 The Supplier shall maintain a list of the domains under which tracking cookies are stored or read by them, and make these available to the Client on request.

7. Reporting and Notification Obligations

7.1 In the event of a personal data breach, the Client and the Supplier shall each fulfil the necessary notification and reporting obligations further to Section 34 of the GDPR concerning the data subject in question.

7.2 Further to the above, the Client or the Supplier in whose area of responsibility the infringement has occurred shall provide the other Party in good time with the information required to fulfil the statutory reporting and notification obligations.

7.3 The information to be provided shall also include the information listed in Section 33(3) GDPR. If and insofar as the information cannot be provided at the same time, the respective Party concerned may provide this information step-by-step without undue further delay.

8. Data Protection Impact Assessment

Each Party shall, on its own responsibility, carry out a data protection impact assessment required under Article 35 of the GDPR for JOINT PROCESSING.

9. Further Obligations

9.1 Further to Section 30(1) GDPR, each Party shall include JOINT PROCESSING in its processing directory. The Parties shall provide each other with the information necessary for the inventory of processing activities further to Article 30(1) of the GDPR.

9.2 In the event of a breach of the protection of personal data within the meaning of Section 4 (12) of the GDPR in relation to the JOINT PROCESSING, the respective party concerned shall fulfil the necessary notification obligations further to Section 33 of the GDPR vis-à-vis the competent data protection authority.

9.3 Each Party shall implement and maintain the necessary technical and organisational measures for ensuring an adequate level of protection of personal data which at all times at least complies with the requirements of Article 32 GDPR and shall document this in an appropriate manner.

9.4 Each Party shall provide reasonable assistance to the other Party in the performance of its obligations under this Agreement. In particular but not exclusively, each Party shall provide the other Party with information without undue delay if the requesting Party requires the information in order to fulfil its obligations under data protection law.

9.5 If a Party becomes aware of a breach of any provision of this Agreement or of the protection of personal data in relation to JOINT PROCESSING, it shall immediately notify the Party or Parties concerned.

10. Data Transfer to Third Countries

10.1 The Parties make clear that the Supplier will transfer no personal data to a third country as part of the JOINT PROCESS.

10.2 The Supplier shall inform the Client PROMPTLY if it has reason to fear that it will no longer be able to comply with the level of protection of the GDPR.

11. Entry into Force and Termination of this Agreement

11.1 This Agreement is an integral part of the Service Agreement. By signing the Service Agreement, the Client acknowledges and accedes to this Agreement.

11.2 This Agreement shall automatically terminate for the respective party in each case upon termination of JOINT PROCESSING.