Essence of the Agreement on Joint Controllership
METRO group companies may share personal data, acting as joint controllers. The description and assignment of each individual processing activity is set out in an individual contract between the involved METRO group companies and described in the respective privacy policy.
This document contains the essence of the Joint Controllership Agreement („JCA“) between the relevant METRO group companies identified as joint controllers in the relevant Privacy Policy.
- Processing activities and responsibility
- The data processing activities set out and identified as ‘joint controllership’ in each Individual Contract will be carried out in accordance with this JCA.
- The Parties are jointly responsible for the lawfulness of all processing activities within the scope of their joint controllership. This is without prejudice to the responsibilities for certain processing activities as set out in the respective Individual Contract.
- Regardless of any corresponding provisions on the responsibility for processing activities in this JCA and the relevant Individual Contract, the Parties must independently ensure that they are able to comply with all legal obligations to retain personal data. To this end, they shall take appropriate data security measures to protect any personal data. This applies in particular in the event of termination of the Parties’ cooperation.
- Lawfulness of processing
- The processing of personal data under this JCA may only take place if and insofar as such processing can be supported by an appropriate legal basis. The legal basis for each activity will be set out in the respective Individual Contract.
- Information to data subjects
- The Parties undertake to provide the data subjects, free of charge, with the information required under Art. 13, 14 GDPR in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Each Party to the data processing shall be responsible for providing the information to the data subjects. Insofar as the Individual Contract stipulates that a specific Party shall be responsible for providing the information to the data subjects, the other Parties shall provide this Party with the information required for this purpose.
- The Parties undertake to make available to the data subjects the essential content of this JCA and the Individual Contract in accordance with Art. 26 (2) GDPR. In order to fulfil this obligation, the Parties will communicate to the data subjects the essential content of this JCA with the information pursuant to Art. 13, 14 GDPR. The information regarding the essential content will be updated by the Parties as necessary. The Party responsible for updating this information shall be the Party responsible for providing the information to the data subject.
- Fulfilment of other data subject rights and requests
- Data subjects may assert their rights under Art. 15 to 22 GDPR ("Data Subject Request") vis-à-vis both Parties to the JCA.
- The Parties may appoint a joint contact point within the meaning of Art. 26 (1) Para. 3 GDPR for Data Subject Requests and other data subjects' enquiries concerning joint processing activities under the relevant Individual Contract.
- If data subjects contact one of the Parties with a Data Subject Request, this Party shall process the request independently and, to the extent possible and necessary, inform the other Party thereof. The Parties shall support each other, to the extent necessary, in the fulfilment of Data Subject Requests. Communication with the data subject shall be carried out by the Party to whom the Data Subject Request was addressed. Insofar as the Individual Contract appoints a specific Party as being responsible for processing Data Subject Requests, the other Parties shall support the responsible Party to the extent necessary, in particular by providing any reasonably required information.
- The Parties will inform each other if personal data needs to be amended or deleted. A Party may object to the amendment or deletion for a justified reason, for example if it is subject to a legal obligation to retain the personal data.
- Procedure in the event of Data Breaches
- Unless otherwise agreed in the respective Individual Contract, the Lead Company shall be responsible for the examination and handling of all personal data breaches within the meaning of Art. 4 no. 12 GDPR (“Data Breach”), including the fulfilment of any resulting notification obligations to the competent Supervisory Authority pursuant to Art. 33 GDPR or to data subjects pursuant to Art. 34 GDPR.
- The Parties shall notify each other without undue delay of any Data Breach that may have occurred under the joint controllership and shall cooperate to the extent necessary and reasonable regarding any notification pursuant to Art. 33, 34 GDPR and in examining, mitigating, and rectifying the Data Breach.
- Cooperation with Supervisory Authorities
- Each Party shall notify the other Party without undue delay in the event of a request by Supervisory Authority in connection with the joint controllership.
- The Parties will reasonably and to the extent possible consult with each other before responding to any requests from a Supervisory Authority or before disclosing information relating to the joint controllership to the Supervisory Authority. Furthermore, the Parties will cooperate and assist each other in the event of requests or inspections by a Supervisory Authority.