Joint Controller Agreement
Opinary is a service provider specialized in increasing reader engagement in online media. For that purpose, Opinary has developed a set of online polling tools that allow website users to take part in discussions and voice their opinions by voting on a poll.
Opinary offers its contractual partners a plugin that can be used on their websites / platforms. When using the tool, personal data can be processed. With regard to the European Court of Justice’s (CJEU) judgements on the cases Fashion ID and Facebook fan page, we are convinced that Opinary and its publisher partners shall share joint responsibility for such processing. This view is based on the following considerations.
When using the Opinary tool the publisher is aware that it is a tool that processes personal data (=Processing cf. Art. 4 para. 2 GDPR). According to the CJEU rulings, the publisher therefore qualifies as Controller (cf. Art. 4 para. 7 GDPR) for collecting and transmitting personal data (para. 35 of Fanpage decision and para. 77 ff. of the Fashion ID decision).
Opinary uses this personal data for its own purposes (such as providing and improving its products, generation of statistics and, possibly, displaying sponsored content). Further, Opinary has developed the product, which includes data processing, and also its business model (cf. recital 30 of the fan page decision and recital 47 f. of the legal opinion of the Advocate General). Opinary is therefore also Controller according to GDPR.
Both parties are thus jointly responsible within the meaning of Art. 26 para. 1 GDPR and therefore both are Controllers.
In consequence, the parties are obligated to stipulate a contract covering the obligations arising from GDPR for each of them, in particular with regard to the exercise of the rights of the Data Subject (cf. Art. 4, no 1 GDPR), and information to be provided according to Articles 13 and 14 GDPR. The following draft represents such a contract.
Joint Controller Agreement
pursuant to Art. 26 GDPR
1. Subject of Agreement
This agreement determines rights and obligations of the controllers (hereinafter referred to as “parties”) with regard to the use of the Opinary tools. When using the Opinary tools, personal data is processed as cookies are placed on user devices. Accordingly, the parties agree that due to this cooperation they shall jointly determine the purposes and means of processing. They shall be joint controllers in accordance with Art. 26 GDPR. This contract describes the respective roles and relationships of the joint controllers vis-à-vis the data subjects.
2. Description of the Processing
With the help of the Opinary plugin, sponsored and editorial polls are shown on the websites / platforms of the contractual partner. Poll results are collected as the contractual party’s website visitors vote on the embedded Opinary polls. Opinary’s systems process this data in order to get overall aggregated results from individual interactions. Hence, two cookies are stored on the user’s terminal device: a user ID and a vote ID. Data collected by the vote ID are used to calculate aggregated voting results. Data collected through the user ID are used for control and reporting information as well as measured and counted in order to prove and invoice our service to the contractual partner.
3. Type of Personal Data
The following information from the website visitor is retrieved through the Opinary plugin:
Cookie IDs and IP.
4. Responsibilities and Competencies
a) The contractual partner is the party responsible for collecting and transmitting the user data to Opinary. Opinary is responsible for aggregating the user data and – if applicable – for the collection of data in the context of sponsored polls by third parties in articles on the contractual partner’s pages. Should the contractual partner use the Opinary tool to play out conversion banners/own content, he/she is the responsible party for this part of the product (e.g. conversion on landing page).
b) Within their responsibility for processing and implementation, each party is Controller for measures taken for exercising the rights of Data Subjects according to Art. 15-21 GDPR.
c) If consent is required for processing, the contractual partner has to ensure that it is lawfully obtained from the user.
d) Notwithstanding the provisions in paragraphs 1 and 2, the parties agree that Data Subjects may address both parties for the purpose of exercising their rights. In such a case the other party is obliged to forward the request of a Data Subject to the responsible party immediately. The parties shall designate a contact and notify any change immediately in written form.
5. Implementation of Data Subject Rights
a) The parties commit themselves to provide the data subject with any information referred to in Art. 12-14 GDPR and Art. 26 para. 2 S. 2 GDPR, insofar as the respective party is responsible for the processing within the meaning of section 4 a) of this contract. The parties ensure that this information is accessible via the Internet.
6. Common Duties
The parties shall inform each other immediately and completely if they notice errors or infringements regarding this contract or applicable data protection law (in particular the GDPR).
7. Data Protection Violations
The party that first becomes aware of a violation of processing of personal data in regard to this contract has to inform the other party immediately, at the latest within 24 hours after becoming aware of it. This also applies to suspected cases which may result in a violation posing more than a low risk for the data subjects.
8. Cooperation with the Supervisory Authorities
Both parties are obliged to inform the supervisory authority and the data subjects affected by a violation of the protection of personal data in accordance with Articles 33 and 34 GDPR concerning their operating ranges (section 4 a) of this contract). The Parties shall inform each other about any such notification to the supervisory authority without undue delay and agree to keep each other informed on the respective matter.
9. Official Request for Information
In case one of the parties receives a request for information from a supervisory authority with reference to this contract, the respective party is obliged to inform the other party about the request for information, unless this notice is prohibited by law. If possible, the parties will consult with each other before complying with any requests from authorities.
10. Technical and Organizational Measures
a) The parties mutually commit to implement technical and organizational measures according to Art. 32 GDPR before processing begins, in order to ensure a risk-appropriate level of security for the whole time of processing under this contract.
b) The technical and organizational measures are subject to technical progress. The parties are therefore entitled to implement alternative adequate measures, as long as the security level of the specified measures is still appropriate. Significant changes shall be documented, and the other party shall be notified immediately in written form.
c) If any party determines that the measures implemented are not sufficient, it has to inform the other party immediately in writing. The Parties shall agree on how to restore an adequate level of security at short notice.
11. Subcontracted Processors
a) Each party is authorized to mandate suitable and reliable processors (=Art. 28 GDPR) in compliance with the data protection law.
b) The parties commit themselves to conclude a contract in accordance with Article 28 GDPR when engaging processors within the scope of this agreement (see § 1) and to obtain the written consent of the other party before concluding the contract.
c) If a subcontracted processor resides outside of the European Union (EU) or the European Economic Area (EEA), provisions according to Art. 44 ff. GDPR must be fulfilled.
12. Liability
a) The parties shall be liable for damages to the persons concerned resulting from processing that fails to comply with statutory provisions.
b) In the internal relationship the parties are liable, notwithstanding the provisions of this contract, only for damages which have arisen within their operating range (section 4 a) of this contract).
13. Final Provisions
a) For the term and termination of this contract, the provisions of the main contract apply (Opinary Contractual Agreement). In the event of any contradictions between this contract and other contracts between the parties, in particular the main contract, the provisions of this contract shall take precedence.
b) If individual provisions of this contract are or become invalid, contain a gap or contain a loophole, the remaining provisions shall remain unaffected. The parties undertake to replace the invalid provision with a legally permissible provision which comes closest to the purpose of the invalid provision and best meets the requirements of Art. 26 GDPR.
c) German law including GDPR applies.