Agreement on joint responsibility (JRA) for the provision of the Parlabox reporting office software
Preamble
The question of responsibility within the meaning of Art. 4 No. 7 GDPR is determined on the basis of objective criteria; in particular, joint responsibility exists as soon as the client and the contractor jointly determine the purposes and means of the processing of personal data. In these cases, an agreement on joint controllership must be concluded in accordance with Art. 26 GDPR.
When concluding this agreement, the contracting parties are aware that, where the internal reporting office is outsourced, individual activities or phases of the data processing may constitute joint responsibility.
Insofar as there is joint responsibility between the Client and the Contractor, the following provisions on joint responsibility shall apply as an “agreement on joint responsibility” concluded between the contracting parties.
This agreement is concluded between you (“Controller 1” or “Client”) and Cortina Consult GmbH (“Controller 2” or “Contractor”) and is an integral part of the GTC.
Controller 1 and Controller 2 process personal data within the meaning of Art. 26 of the General Data Protection Regulation (GDPR) within the scope of contracts concluded or to be concluded between them, each party being responsible under data protection law for its own area. The personal data processed (or to be processed) jointly and, where applicable, separately at a later stage are subject to the provisions of the GDPR and other data protection regulations (e.g. the BDSG).
This agreement sets out the framework conditions for ensuring compliance with data protection regulations.
1. Subject matter and duration of the agreement
A contractual relationship (“main contract”) exists between the contracting parties regarding the provision of the services of the internal reporting office in accordance with the Whistleblower Protection Act (HinSchG). This contract constitutes the agreement between joint controllers within the meaning of Art. 26 GDPR between the contracting parties, insofar as there is joint responsibility within the meaning of Art. 4 No. 7 GDPR for the processing of personal data in connection with the provision of services under the main contract. Specifically, this concerns the data processing that the Contractor performs in connection with the provision of its services as an internal reporting office for the Client.
The duration of the agreement corresponds to the duration of the processing of the personal data collected within the scope of joint controllership.
2. Description of data processing
The purpose, nature and scope of the processing of personal data result from the main contract concluded between the contracting parties and any additional contractual provisions agreed in this respect.
3. Responsibility and competencies
The contracting parties agree that Controller 2 fulfills the obligations under the GDPR insofar as the Contractor (Controller 2) provides its contractual services as an internal reporting office in the capacity of controller or joint controller.
4. Quality assurance and other duties of the controllers
In addition to the provisions of this agreement, the controllers are subject to statutory obligations pursuant to Art. 26 GDPR; in this respect, they agree in particular to comply with the following requirements:
- Both controllers ensure that the present data processing complies with the relevant legislation, not only data protection law, and in particular with the requirements of the GDPR and the BDSG.
- Both contracting parties regularly review their internal processes and technical and organizational measures to ensure that the processing in their respective areas of responsibility is carried out in accordance with the requirements of applicable data protection law and that the rights of data subjects are protected.
- Insofar as subsequent data processing takes place in a controller’s own area of responsibility, that controller must separately ensure that the rights of data subjects can be exercised and that the information obligations pursuant to Art. 13 and 14 GDPR are fulfilled.
- Both controllers cooperate with the supervisory authority in the fulfillment of their tasks upon request.
- If a controller is affected by inspections or measures of the supervisory authority, the other contracting party shall be informed immediately insofar as these relate to data processing under this agreement. This also applies if a competent authority investigates the processing of personal data at a controller in the context of administrative offense or criminal proceedings.
5. Implementation of data subject rights
Controller 2 is obliged to fulfill the information obligations under Art. 13 and 14 GDPR and Art. 26 para. 2 sentence 2 GDPR vis-à-vis the data subjects, insofar as services are provided as an internal reporting office for the Client (Controller 1).
Data subjects must be provided with the necessary information free of charge in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The contracting parties agree that data subjects may contact either controller for the purpose of exercising their data subject rights. In such a case, the party receiving the request is obliged to forward it to the other party if this is necessary for measures to implement the rights of the data subject. The Contractor may refrain from forwarding the request to the Client if doing so would violate the confidentiality requirement pursuant to Section 8 HinSchG.
6. Data security
The contracting parties mutually undertake to comply with the technical and organizational measures required in accordance with Art. 32 GDPR, insofar as this concerns the processing of personal data for which there is joint responsibility within the meaning of Art. 4 No. 7 GDPR.
7. Reporting obligations in the event of data breaches
Should a personal data breach occur within the scope of joint responsibility, measures must be taken immediately to minimize the potential damage to the data subjects. To this end, both controllers undertake to implement the measures necessary to detect, contain and, where required, report data protection incidents within their own organizations. This includes in particular:
- Sensitizing and instructing employees with regard to potential data protection risks and reporting suspicious processes to the respective data protection officers.
Each contracting party shall immediately inform the other contracting party in text form of any personal data breach within the meaning of Art. 4 No. 12 GDPR, insofar as it concerns the processing of personal data for which there is joint responsibility. The contracting parties shall immediately provide each other with all information in connection with the breach that is necessary to assess the breach and its consequences and to fulfill any notification obligations under Art. 33 and 34 GDPR.
Where a notification obligation pursuant to Art. 33 GDPR exists, the contracting parties shall, to the extent reasonable, coordinate the further procedure and support each other in fulfilling the notification obligations.
If communication to the data subjects is required pursuant to Art. 34 GDPR, the contracting parties shall cooperate to the extent reasonable and issue a joint communication to the data subjects, insofar as both contracting parties consider this appropriate.
8. Common duties
Both contracting parties must inform each other immediately and in full if they discover errors or irregularities in the processing of personal data for which joint responsibility exists, or violations of the provisions of this agreement or of applicable data protection law (in particular the GDPR).
9. Processors
The contracting parties may engage processors for the processing of personal data for which there is joint responsibility, provided that the requirements of Art. 28 GDPR are met and the engaging contracting party can demonstrate this.
10. Cooperation with supervisory authorities
Each party is obliged to inform the other party immediately if a data protection supervisory authority contacts it and this relates to processing covered by this joint controllership agreement.
The contracting parties shall coordinate the response to inquiries from supervisory authorities regarding the contractual processing, insofar as this is legally permissible and/or reasonable.
The contracting parties agree that orders of the supervisory authority must always be complied with. Nevertheless, the contracting parties will agree on whether and to what extent legal remedies are to be sought against orders issued by the authority.
11. Liability
The contracting parties shall be liable to data subjects in accordance with the statutory provisions.
As between themselves, the contracting party solely responsible for the event giving rise to liability in connection with the data processing shall indemnify the other contracting party against any resulting liability. This also applies to any fine imposed on a contracting party for a breach of data protection regulations.
12. Final provisions
The provisions of the main contract apply to the term and termination of the contract.
Should individual provisions of this agreement be or become invalid, or should this agreement contain a gap, the remaining provisions shall remain unaffected. The parties undertake to replace the invalid provision with a legally permissible provision that comes closest to the purpose of the invalid provision and best meets the requirements of Art. 26 GDPR.
The law of the Federal Republic of Germany shall apply.