This Joint Controllership Agreement (“JCA”) is supplementary to the PromoRepublic Master Platform Subscription Agreement between PROMOREPUBLIC OY, Business ID 2703642-5, a Finnish company (“PromoRepublic”) and the entity or person(s) identified as Customer in the Order Form referencing this JCA (“Customer”).
PromoRepublic and Customer have agreed to enter into this JCA for the purposes of ensuring compliance with Data Protection Legislation, inter alia, Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”).
PromoRepublic and Customer have agreed that they are Joint Controllers as defined in Article 26 of the GDPR as both the PromoRepublic and Customer jointly determine the purposes and means of processing of personal data.
PromoRepublic and Customer are collectively referred to as the “Joint Controllers” and individually referred to as a “Joint Controller”.
1.1 “Platform Subscription Agreement” means a contract governing Customer’s acquisition and use of PromoRepublic’s services.
1.2 “Platform” means a social media marketing collaboration platform currently located at https://promorepublic.com/ and https://app.promorepublic.com/.
1.3 “Platform Services” means some or all of the Platform functionality described in the Platform Subscription Agreement.
1.4 “User” means an individual who is authorized by Customer to use the Platform Services on behalf of Customer.
1.5 “Joint Controller” is the natural or legal person, public authority, agency or other body which jointly with another controller, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
1.6 “Personal Data” means any information relating to an identified or identifiable individual.
1.7 “Personal Data Breach” is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1.8 “Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.9. “Standard Contractual Clauses” (“SCCs”) are standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.10 Any capitalised terms used but not defined in this JCA shall have the meanings given to them in the GDPR.
2. Scope of the JCA
2.1 This agreement is limited to personal data provided to PromoRepublic by the data subjects on the Platform.
2.2 This personal data is transferred to the Customer on a regular basis to allow Customer to provide communication with the data subjects.
3. Retention of Data
3.1 PromoRepublic and Customer will retain the personal data of data subjects as each of them describe in their own Privacy Policies and Data Retention Policies, as applicable.
4. Main Purpose of Data Processing
4.1 PromoRepublic has developed and operates an all-in-one local marketing platform (“Platform”) through which it provides hosted subscription services to some or all Platform functionality (“Platform Services”). Customer orders Platform Services for Users of the Platform (“Users”). PromoRepublic assists the Customer in promoting Platform-related services to Users, communicates with them about promotions, upcoming events, webinars, and other news about Platform. Data processing of personal data will be undertaken by PromoRepublic and Customer for purposes directly related to the Platform Services.
4.2 PromoRepublic and Customer each shall comply with their obligations under the GDPR when collecting, disclosing, sharing, using or otherwise processing personal data of Users in connection with the Platform Services, including ensuring that they have a legal basis for the processing of personal data. PromoRepublic and Customer are not responsible for processing of Personal Data for their own purposes.
5. Data Subject Rights
Data subjects have a range of rights under the GDPR, PromoRepublic and Customer have agreed the following procedures to allow data subjects to exercise these rights. It should be noted that a data subject is not obliged to follow these procedures and a data subject may exercise his or her rights against each of the controllers as stated in Article 26.3 of the GDPR.
5.1 Right of Accessing Personal Data
PromoRepublic will provide the data subject with a copy of personal data undergoing processing as required under Article 15 of the GDPR.
5.2 Right of Rectification of Personal Data
A data subject may request the rectification of any inaccurate and/or incomplete personal data held by the joint controller under Article 16 of the GDPR. Where the personal data is provided by the data subject PromoRepublic will correct any inaccurate data and make it available to Customer.
5.3 Right of Erasure of Personal Data and Objection to the processing of Personal Data
A data subject may request the erasure of personal data held by the joint controller under Article 17 of the GDPR. If the data subject makes the request, PromoRepublic will delete the data and inform Customer of the request who will delete any data on their system. PromoRepublic shall promptly comply with requests from data subjects objecting to the processing of their personal data, including opt-out of direct marketing activities.
5.4 Right of Data Portability
PromoRepublic will administer any requests for data portability under Article 20 of the GDPR. Where this request relates to processes conducted solely by Customer or data held solely by Customer, this request will be forwarded directly to Customer.
5.5 Provision of Information Regarding Processing
6.1 PromoRepublic and Customer must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.
7. Use of data processors and sub-processors
7.1 PromoRepublic and Customer are entitled to use other data processors and/or sub-processors in connection with the Platform Services.
7.2 If any data processors and/or sub-processors are used, each Joint Controller is responsible for compliance with the requirements of Article 28 of the GDPR. The Joint Controller is obliged, inter alia, to:
(a) use only data processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject;
(b) ensure that a valid data processing agreement has been made between the Joint Controllers and the data processor.
8. Records of processing
8.1 Each Joint Controller is responsible for its own compliance with the requirement for records of processing activities in Article 30 of the GDPR.
9. Notification of a personal data breach to the supervisory authority
9.1 Each Joint Controller is responsible for compliance with Article 33 of the GDPR on notification of a personal data breach to the supervisory authority.
9.2 The Joint Controller with whom a personal data breach was committed or from whom the reason for the breach originates is responsible for notifying the personal data breach to the supervisory authority.
9.3 Immediately after having become aware of a personal data breach, the Joint Controller must inform the other Joint Controller of the breach. The other Joint Controller must be kept informed of the process after the discovery of the personal data breach and will receive a copy of the notification to the supervisory authority.
9.4 If the reason for the breach is not immediately attributable to one of the Joint Controllers, PromoRepublic is responsible for notifying the personal data breach to the supervisory authority. PromoRepublic shall obtain Customer’s written authorization prior to notifying a personal data breach to a supervisory authority mentioning Customer’s name.
10. Communication of a personal data breach to the data subject
10.1 Each Joint Controller is responsible for compliance with Article 34 of the GDPR on communication of a personal data breach to the data subject.
10.2 If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Joint Controller with whom the personal data breach was committed, or from whom the reason for the breach originates is responsible for communicating the personal data breach to the data subjects affected.
10.3 If the reason for a personal data breach is not directly attributable to one of the Joint Controllers, and the breach is likely to result in a high risk to the rights and freedoms of natural persons, PromoRepublic is responsible for communicating the personal data breach to data subjects affected. PromoRepublic shall obtain Customer’s written authorization prior to notifying a personal data breach to affected data subjects mentioning Customer’s name.
11. Data protection impact assessment and prior consultation
11.1 Each Joint Controller is responsible for compliance with the requirement in Article 35 of the GDPR on data protection impact assessment. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the Joint Controllers must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
11.2 The Joint Controllers are obliged to comply with the requirement in Article 36 of the GDPR on prior consultation of the supervisory authority when this is relevant.
12. Standard Contractual Clauses (“SCCs”)
12.1 Pursuant to Article 46(1) of Regulation (EU) 2016/679, in the absence of an adequacy decision by the Commission pursuant to Article 45(3), Joint Controllers may transfer personal data to a third country in connection with the Platform Services only if it has provided appropriate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available. Such safeguards may be provided for by SCCs.
12.2 Where the processing involves data transfers from PromoRepublic subject to Regulation (EU) 2016/679 to Customer established in a third country, the SCCs shall be incorporated by reference and form an integral part of this JCA with PromoRepublic as “data exporter” and Customer as “data importer”. For the purposes of the SCCs:
(a) the Module One (Controller to Controller) provisions shall apply and the Module Two, Three and Four provisions shall be deleted in their entirety;
(b) Clause 7 shall be omitted;
(c) in Clause 11 right to lodge a complaint with an independent dispute resolution body shall not be included;
(d) for the purpose of Clause 13 the data exporter is established in an EU Member State;
(e) in Clause 17, Option 1 shall apply and the SCCs shall be governed by the law of Finland;
(f) in Clause 18 (b), disputes shall be resolved before the courts of Finland;
(g) the Annexes of the SCCs shall be populated with the information set out in the Annexes to this JCA;
(h) In the event of a contradiction between the SCCs and the provisions of related agreements between the Joint Controllers, existing at the time these SCCs are agreed or entered into thereafter, these SCCs shall prevail.
13. Transfers of personal data to third countries or international organisations
13.1 The Joint Controllers may decide that personal data can be transferred to third countries or international organisations.
13.2 The Joint Controllers are responsible for compliance with the requirements in Chapter V of the GDPR if personal data are transferred to third countries or international organisations.
13.3 Each Joint Controller is responsible for its own personal data transfers to third countries, including for ensuring that a legal basis for transfer exists and that Chapter V of the GDPR has been observed.
14.1 Each Joint Controller is responsible for the handling of any complaints from data subjects if the complaints relate to the infringement of provisions in the GDPR, for which the Joint Controller is responsible according to this JCA.
14.2 If one of the Joint Controllers receives a complaint which should rightfully be handled by another Joint Controller, the complaint is forwarded to such Joint Controller without undue delay.
14.3 If one of the Joint Controllers receives a complaint, part of which should rightfully be handled by another Joint Controller, such part is forwarded for reply by the Joint Controller without undue delay.
14.4 In connection with the forwarding of a complaint or part of a complaint to another Joint Controller, the data subject must be notified about the essence of this JCA.
14.5 Generally, the Joint Controllers inform each other about all complaints received about the Platform Services.
15. Termination of the JCA
15.1 If any Joint Controller wishes to terminate its participation in this JCA, it may do so by providing written notice to the other Joint Controller specifying the reason for its termination and the proposed date of termination (“Termination Date”), at least three months prior to proposed termination.
15.2 Notwithstanding the expiry or termination of this JCA for any reason the provisions of this JCA shall continue to apply to any personal data in the possession of either party which was covered by the JCA.
16.1 This JCA shall be governed by law of Finland and subject to the exclusive jurisdiction of the courts of Finland.
A. LIST OF PARTIES
|Name: PromoRepublic Oy
||Name: entity/ies identified as Customer in the Order Form
|Company number: 2703642-5
||Company number: the Customer’s company number
|Address: Tammasaarenkatu 1, 00180
|Address: the Customer’s address
|Contact person’s name, position and contact details: the Primary Contact name, position, email specified in the Order Form by PromoRepublic
||Contact person’s name, position and contact details: the Primary Contact name, position, email specified in the Order Form by the Customer
|Activities relevant to the data processed under these Clauses: PromoRepublic has developed and operates a marketing collaboration platform through which it provides hosted subscription services to some or all Platform functionality (“Platform Services”).
||Activities relevant to the data processed under these Clauses: Customer orders Platform Services for Users.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Users of the Platform
Categories of personal data transferred: Contact information (first name, last name, email address, telephone number, role, country), Account information, User Content, Technical information and any other personal data that Users provide on the Platform or through the Platform.
The frequency of the transfer: on a continuous basis.
Nature of the processing: any or all of the following processing operations: collection, recording, organisation, structuring, storage, adaptation/alteration, retrieval, consultation, use, alignment / combination, restriction, erasure / destruction.
Purpose(s) of the data transfer and further processing: provision of the Platform Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The personal data shall be retained for no longer than necessary for the purpose(s) of the Platform Subscription Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Office of the Data Protection Ombudsman
P.O. Box 800
Tel. +358 29 56 66700
Fax +358 29 56 66735
TECHNICAL AND ORGANISATIONAL MEASURES
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
LIST OF PROMOREPUBLIC PROCESSORS
The Joint Controllers have agreed that PromoRepublic will use the processors set out on this list.