Company Group Joint Controllership Agreement according to Art. 26 GDPR

[Note for drafter: Some parts of this agreement are marked in yellow. This indicates that something has to be entered or a decision between alternatives has to be made. This Agreement is intended to be used for both Group-internal and external joint controllership situations.]

between the following Company entities, which are named with full address and representatives in the signature pages below:

[To be adjusted to the specific agreement]

Company Werke GmbH & Co. KG
Company Logistik International GmbH
Company IT Service GmbH
Company Shared Service GmbH
Company Holding Internat. Beteilig. GmbH & Co. KG
Company Holding International Verw. GmbH
Company Industrietechnik GmbH
Company Werke Berlin GmbH
Company Besitz und Verwaltungs GmbH
Digital Energy Solutions GmbH & Co. KG
Company Werke GmbH
Company PV + E-Systeme GmbH
…

– hereinafter separately referred to by the numbering or the full name of the entity –
– hereinafter together referred to as the “Parties” –

Preamble

The Company group is an international group of undertakings which internally exchanges personal data, for example in the field of the joint usage of an intranet, the creation and interchange of reports, for accounting purposes, and for HR purposes. The parties take the view that they all determine the means and purposes of the data processing within the meaning of Art. 26 GDPR. Therefore they conclude the following agreement in order to fulfil the requirements of Art. 26 GDPR.

Subject of the Agreement

Subject of this agreement is the joint controllership according to Art. 26 GDPR of the parties with respect to the following data processing activities:

[The following descriptions are examples, which should be adapted to the specific situation. It is also possible to refer to an underlying agreement.]

Process number 1: Joint usage of the intranet by all Company entities.

The subject matter of this data processing
Each Company entity is allowed to post information and to modify information in the Group-internal intranet. Based on their function or their membership of a user group (e.g. location or department), employees have access to the corresponding information and tools. No user tracking takes place in the Group-internal intranet.

Categories of processed data
Among other things, the contact details of the employees are published in the intranet, including basic employee data like first name, last name, business address, language of communication, nationality, function/position in an undertaking, level or grade, organigram and personnel changes, for internal use only. Collected on a voluntary basis in order to provide an individual communication and information platform for Company employees: hobbies, interests, former employer, experience, and profile picture.

Categories of data subjects
All employees of Company, and some external suppliers or franchisees (only available for closed communities).

Purpose of data processing
Making information available to Company's employees, including the Company-internal business contact details.

Process number 2: Creating and using reports (financial departments), usage and management of master data, cash till data.

The subject matter of this data processing
The financial department of each entity creates different reports for external and internal parties, for example: statistics, auditors, tax authorities (e.g. recapitulative statements, advance VAT returns for Poland, Switzerland, …), reports for managers, statistics on employees (number of employees in certain areas, statistics about average salaries). These reports are sometimes interchanged or created jointly in the group.

Categories of processed data
It is not the primary purpose of this process to process personal data; some reports contain only statistics. However, some reports contain names of key employees or business partners of Company. Sometimes the identities of employees of Company and of business partners of Company can be identified indirectly from information in a report.

Categories of data subjects
Employees of Company and some external contractual partners.

Purpose of data processing
Fulfilling the accounting obligations and maintaining an internal reporting system.

Process number 3: Joint HR process, especially overhead staff cost budgeting and recruiting via the “Talent Community”.

The subject matter of this data processing
In general, the HR administration of the Company Group is very decentralized, with the following exception: personal data are interchanged as part of the staff cost planning of overheads in the SBU Europe (concessions, retail) (SBU = Service Business Unit). The staff cost planning is organized and monitored primarily by each separate entity, but the relevant data will be reported to Company Werke GmbH & Co. KG. Company Werke GmbH & Co. KG must confirm plans and authorize certain activities. The collection of application documents and information is organized via an online platform. On the online platform the applicant can choose whether he/she wishes only to apply for one specific job or wants to take part in the “Talent Community” (an application pool which is used by the whole Company group).

Categories of processed data
Employee name, department, position, SAP #, entry date, monthly contract hours ratio, yearly gross salary, bonus %, social security % (only a percentage value is processed, so that no sensitive data according to Art. 9 GDPR is affected), allocation of time worked on business units, yearly travel costs, yearly mileage costs. With respect to the Talent Community it cannot be excluded that data within the meaning of Art. 9 GDPR will be processed; however, the applicants have given their consent to this.

Categories of data subjects
Employees of Company and applicants.

Purpose of data processing
Handling of personal data in application documents to validate the fit of an applicant to a vacancy.

International data transfer

The contractually agreed processing of data shall be carried out principally within a member state of the European Union (EU) or within a member state of the European Economic Area (EEA). The joint processing involves the transfer of data to Company Manufacturing Company (U.S.) Inc. (USA) and [please add further entities which are located outside the EU] …. In order to fulfil the requirements of Art. 44 GDPR, the parties have also concluded a so-called Model Clauses Agreement between Controllers according to EU Commission Decision 2004/915/EC.

Fulfilment of the obligations of the GDPR and the national data protection law

[This section is the most important provision in an Art. 26 Agreement! It must be determined in each specific situation which entity is responsible for fulfilling which GDPR requirement. This also depends on how the Data Protection Compliance System of the Company Group is tailored.]

Company IT Service GmbH, as the hoster of the underlying IT systems and the parent company of the group, has the primary responsibility to comply with the obligations of the GDPR.

Each party is responsible for compliance with the rights of the data subject. Company Werke GmbH & Co. KG will provide transparency documents to the other parties to facilitate compliance with Art. 12–23 GDPR. Furthermore, Company Werke GmbH & Co. KG will provide guidelines on the timely erasure of personal data according to Art. 17 GDPR and will implement these guidelines in its IT department.

Company Werke GmbH & Co. KG has examined the lawfulness of the joint data processing activities and documented the result in its amended records of data processing activities. It is the responsibility of the parties to assess whether national law leads to a different result.

Company Werke GmbH & Co. KG has assessed that no data protection impact assessment pursuant to Art. 35 GDPR is necessary.

Company Werke GmbH & Co. KG is primarily responsible for maintaining a record of data processing activities according to Art. 30 GDPR.

Each party is responsible for notifications according to Art. 33 and 34 GDPR.

Each party is responsible for concluding data processing agreements with subcontractors according to Art. 28 GDPR.

Each party is responsible for its own compliance and accountability obligations deriving from Art. 5 (2), Art. 24 (1) and (2), and Art. 25 (1) GDPR. Company Werke GmbH & Co. KG will provide a group-wide Data Protection Compliance Management System, which shall also have the purpose of supporting the subsidiaries in maintaining compliance with the GDPR.

Each party is responsible for fulfilling the obligations of the applicable national data protection law.

General duties of the parties

The parties shall comply with the following requirements:

Each party shall publish – in the Company group intranet – the contact details of a person who is responsible for data protection within the frame of the data processing activities of the respective party.

Where a party's data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in the party's control, this party shall notify Company Werke GmbH & Co. KG of such action without undue delay.

The Parties shall cooperate, on request, with the data protection supervisory authority in the performance of its tasks arising from this agreement. If one party answers a request of a supervisory authority in written form or in text form (for example by e-mail), the communication to the supervisory authority must be made available to Company Werke GmbH & Co. KG in due time for detailed assessment before it is sent to the supervisory authority.

Insofar as one party is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject (for example claims based on Art. 15–21 or 82 GDPR) or by a third party, or any other claim in connection with this agreement, all parties shall make every effort to support the party which is subject to such measures.

All parties shall assist each other in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations referred to in Art. 32–36 GDPR, whereby Company IT Service GmbH – as the hoster of the IT systems – is primarily responsible. However, all parties are responsible for the IT security in their own sphere. These obligations include:

Ensuring an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities, and that enable immediate detection of relevant infringement events.

The obligation to report a personal data breach immediately to Company Werke GmbH & Co. KG.

The duty to assist each other with regard to the obligation to provide information to the data subject concerned and to immediately provide the respective party with all relevant information in this regard.

Supporting each other regarding a data protection impact assessment, if necessary.

Supporting each other regarding a prior consultation of the supervisory authority.

No Payment

The parties agree that they will perform their obligations under this agreement free of charge.

No limitation of liability

All parties shall be liable without limitation for damage arising from culpable harm to life, body or health. All parties shall only be liable for any other damage if such damage is based on wilful intent or gross negligence of their legal representatives, employees or vicarious agents. Unless the respective party is rightfully accused of intent, the liability for damages shall be limited to foreseeable damage typically occurring with such agreements. Administrative fines are foreseeable within this meaning. In the event of slight negligence, the parties shall only be liable where material contractual obligations have been violated. Material contractual obligations are those obligations whose fulfilment enables the proper performance of the contract in the first place, whose breach endangers the achievement of the purpose of the contract, and on whose compliance a contractual partner may regularly rely. Even in such an event, the liability shall be limited to the foreseeable damage typically occurring with such agreements.

Miscellaneous; Choice of Law

The parties agree that the plea of retention of title by the contractor regarding the processed data and the associated data carrier is excluded. No modification of this agreement or any of its components shall be valid and binding unless made in writing, and then only if such modification expressly states that it applies to the regulations of this Joint Controllership Agreement. The foregoing shall also apply to any waiver or modification of this mandatory written form. In case of any conflict, the regulations of this Joint Controllership Agreement shall take precedence over the regulations of this agreement. Where individual regulations of this Joint Controllership Agreement are invalid or unenforceable, the validity and enforceability of the other regulations of this Joint Controllership Agreement shall not be affected. This Joint Controllership Agreement is subject to the laws of the Federal Republic of Germany, and the place of jurisdiction is Cologne.

Signatures: [to be adjusted to the specific agreement]

_______________________ _______________________________________
Date Company Werke GmbH & Co. KG, Company straße 1, 35108 Allendorf, Germany

_______________________ _______________________________________
Date Company Logistik International GmbH, Company straße 1, 35108 Allendorf, Germany

_______________________ _______________________________________
Date Company IT Service GmbH, Company straße 1, 35108 Allendorf, Germany

_______________________ _______________________________________
Date Company Shared Service GmbH, Company straße 1, 35108 Allendorf, Germany

_______________________ _______________________________________
Date Company Holding International Verw. GmbH, Company straße 1, 35108 Allendorf, Germany

_______________________ _______________________________________
Date Company Industrietechnik GmbH, Am Herzberg, 34576 Homberg, Germany [please verify the address]

_______________________ _______________________________________
Date Company Werke Berlin GmbH, Kanalstraße 13, 12357 Berlin [please verify the address]

_______________________ _______________________________________
Date Name

ssing activity which should be subject to a Data Processing Agreement according to this framework agreement]

Process number 1 [Name of data processing activity]

Reference to an underlying service agreement
[Yes/No] [If Yes, then name the agreement and insert the date of conclusion]

The subject matter of this data processing
The subject matter of this Data Processing Agreement results from the Service Agreement. [If no Service Agreement/SLA exists, the following applies: The subject matter of this Data Processing Agreement regarding the processing of data is the execution of the following services or tasks by the Supplier (please enter a description of the services performed by the Supplier).]

Categories of processed data
[Please name the data categories or choose from the following examples: Personal Master Data (Key Personal Data), B2B Contact Data, B2C Contact Data, Key Contract Data (Contractual/Legal Relationships, Contractual or Product Interest), Customer History, Contract Billing and Payments Data, Disclosed Information (from third parties, e.g. Credit Reference Agencies or from Public Directories), Other: … (Please specify)]

Categories of data subjects
[Please name the categories of data subjects or choose from the following examples: Customers, Potential Customers, Subscribers, Employees, Suppliers, Authorised Agents, Contact Persons, Other: … (Please specify)]

Purpose of data processing
[Examples: Performance of a contract with the data subject; Group-internal centralised HR administration; Provisioning of IT services by the Supplier]

Term of the Data Processing Agreement
The duration of this Data Processing Agreement corresponds to the duration of the Service Agreement. [In the absence of a Service Agreement, the duration should be regulated in the following way: The Data Processing Agreement runs for an unlimited period and can be cancelled by either Party with a notice period of …… (time period) to ……. (deadline). This does not prejudice the right to terminate the contract without notice.]

Specific instructions
Is the data processing carried out exclusively within the EU and EEA? [Yes/No]
[If No: The adequate level of protection is reached by: [Please delete the rules which do not apply]
Decision by the European Commission (Article 45 Paragraph 3 GDPR);
Standard Data Protection Clauses (Article 46 Paragraph 2 Points c and d GDPR);
Codes of Conduct (Article 46 Paragraph 2 Point e in conjunction with Article 40 GDPR);
Approved Certification Mechanism (Article 46 Paragraph 2 Point f in conjunction with Article 42 GDPR);
Other means: ………. (Article 46 Paragraph 2 Point a, Paragraph 3 Points a and b GDPR)]

Specific technical and organisational measures deviating from Annex 1