Joint Controller Agreement

1      Background

1.1 This joint controller agreement (the “JCA”) forms an integral part of the Keystone Data Processing Addendum (“Addendum”) and applies when Keystone acts as a joint controller together with the Customer. This arrangement is detailed in Section 2 of the Addendum that corresponds to the Keystone Service purchased by the Customer, as specified in the Order Confirmation, and provided pursuant to the Main Agreement.

Within the scope of the Main Agreement, and in order to provide the relevant Keystone Service, the parties process personal data in the context of joint controllers, as defined in the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”).

1.2 The purpose of this JCA is to set out the contractual arrangements required under Article 26 of the GDPR. This includes each party’s respective rights, obligations and responsibilities to comply with the obligations of the GDPR, in particular with regard to the exercise of the rights of the data subject and the obligation of the parties to comply with the information requirements set out in Articles 13 and 14 of the GDPR. The parties wish to ensure that all obligations arising from the processing of personal data are identified and complied with.

1.3 In addition to the processing of personal data in connection with the Main Agreement, the parties are aware and accept that Keystone may also process personal data in the capacity of a separate controller for its own purposes, such as (i) complying with applicable laws and regulations, (ii) handling requests from and communications with authorities, (iii) administration, accounting and risk evaluation, and (iv) service improvement and product development, analytics, and marketing.

1.4 Notwithstanding the content of this JCA, the parties shall comply with their respective responsibilities and obligations pursuant to EU or Member State law.

1.5 Words, abbreviations and expressions not defined herein shall have the meaning ascribed to them in the Main Agreement, the Keystone Data Processing Addendum, the DPA or Applicable Data Protection Law, unless the context indicates otherwise or it is expressly stated otherwise.

2      Scope and Extent of the Agreement 

2.1 Pursuant to the Main Agreement, the parties have jointly determined the purposes and means for the processing of personal data in the context of the relevant Keystone Service purchased by the Customer, and as specified in Section 2 of the Addendum.

2.2 The Parties acknowledge that they jointly, and in the capacity of joint controllers, process personal data concerning data subjects in connection with the relevant Keystone Service under the Main Agreement. This joint processing activity is further detailed in Section 2 of the Addendum, which outlines the subject matter, duration, nature, and purpose of the processing, as well as the types of personal data and categories of data subjects involved (the “Joint Processing Activity”).

2.3 Each party acknowledges its independent obligation to comply with the GDPR in relation to the Joint Processing Activity. Nevertheless, each party agrees to provide reasonable assistance to the other in demonstrating compliance with this clause.

2.4 Each party further acknowledges its sole and independent responsibility for any processing activities related to its own purposes, involving personal data collected and/or generated through the provision and operation of the relevant Keystone Service, which are distinct from the Joint Processing Activity.

2.5 Under the terms of this JCA, the parties shall process personal data exclusively as joint controllers and only within the scope of what is defined as the Joint Processing Activity.

3      Division of Responsibilities

 

No. / Obligation under GDPR / Keystone / Customer

1. Article 6: Requirement of a legal basis for the Joint Processing Activity
Keystone: Keystone shall be responsible for ensuring a legal basis for the processing of personal data in relation to the Joint Processing Activity when the processing involves individuals whose data originates from the Keystone customer database.
Customer: Customer shall be responsible for ensuring a legal basis for the processing of personal data in relation to the Joint Processing Activity if the processing involves individuals whose data originates from the Customer database.

2. Articles 13 and 14: Providing information on the joint processing of personal data
Keystone: Each party shall be responsible for complying with the obligations of transparency towards the data subject.
Customer: Each party shall be responsible for complying with the obligations of transparency towards the data subject.

3. Article 26(2): Making available the essence of this JCA
Keystone: Keystone shall be responsible for making available the essence of the JCA to the data subjects in connection with the Joint Processing Activity within the scope of the Keystone Service. This information will be included in Keystone’s privacy policy and made available upon request.
Customer: Customer shall make available to the data subject the essence of the JCA if the Joint Processing Activity also involves data subjects whose data originates from the Customer database.

4. Articles 15-21: Handling the rights of the data subjects
Keystone: The parties agree on common routines for responding to enquiries from the data subject. Keystone shall be the data subject’s point of contact for the part of the processing concerning personal data originating from the Keystone customer database.
Customer: The parties agree on common routines for responding to enquiries from the data subject. Customer shall be the data subject’s point of contact for the part of the processing concerning personal data originating from the Customer database.

5. Article 35: Conducting a DPIA
Keystone: The parties agree to assist each other in conducting a DPIA if the parties deem this necessary for facilitating the Joint Processing Activity.
Customer: The parties agree to assist each other in conducting a DPIA if the parties deem this necessary for facilitating the Joint Processing Activity.

6. Article 28(3)
Keystone: Keystone shall have the responsibility and the right to enter into, amend, or terminate agreements with data processors and/or other recipients of personal data on behalf of both parties, if necessary for the administration and operation of the Joint Processing Activity under the scope of the Keystone Service. This authority extends to the ongoing fulfilment and administration of such agreements, as well as the responsibility to establish data processing agreements with data processors concerning the Joint Processing Activity. The list of sub-processors engaged by Keystone at any given time is incorporated by reference into this JCA and is available at the following link: Sub-processor Overview.

7. Keystone shall act as the point of contact for the processing of personal data in connection with the Joint Processing Activity towards any data processors and other recipients of personal data.

4      Confidentiality

4.1 Each party shall respect the data subject’s right to confidentiality and integrity when processing personal data in connection with the Joint Processing Activity. The parties have a duty of confidentiality regarding documentation and personal data that is processed about the data subject and to which the party in question has gained access through the Joint Processing Activity.

4.2 Each party shall ensure that only authorized personnel have access to the personal data, and that authorization is only assigned to personnel who have a justified need to access the personal data. Further, each party shall ensure that persons authorized to process personal data in connection with the Joint Processing Activity have undertaken to treat the data confidentially by a declaration of confidentiality in an employment contract or other agreement if they are not subject to an appropriate statutory duty of confidentiality.

4.3 The confidentiality obligations under this section 4 shall also apply after termination of this JCA.

5      Security of Processing and Security Breaches

5.1 Each party shall, taking into account the nature, scope, purpose and risk associated with the Joint Processing Activity, independently fulfil the requirements for security measures imposed by applicable legislation (including in particular Article 32 GDPR). The technical and organizational security measures may be improved and further developed in accordance with technological developments. An overview of Keystone’s minimum requirements for technical and organizational security measures is available at the following link: Technical and Organizational Measures (TOM).

5.2 In the event of a personal data breach relating to the Joint Processing Activity, Keystone shall primarily be responsible for coordinating and managing the response on behalf of the parties. Should the Customer become aware of any such breach, the Customer shall without undue delay:

a)     notify Keystone of the breach;

b)     conduct an investigation and provide Keystone with detailed information regarding the breach;

c)     take appropriate and reasonable measures to mitigate the impact and limit damage resulting from the breach;

d)     document the breach, its facts, effects, and remedial actions, and other pertinent details as required under Article 33(5) of the GDPR to ensure compliance with legal obligations; and

e)     allocate necessary resources to assist in notifying supervisory authorities and affected data subjects about the breach, as required under Articles 33 and 34 of the GDPR.

5.3 Keystone shall have the main responsibility, on behalf of the parties, to assess whether the parties are obliged to notify a personal data breach relating to the Joint Processing Activity to the relevant supervisory authority (and possibly the data subject) in accordance with Articles 33 and 34 of the GDPR. The Customer shall assist Keystone in case management in connection with any personal data breaches reported to the relevant supervisory authorities.

6      Transfer of Data to Countries Outside of the EU/EEA

6.1 Any transfer of personal data to third countries or international organizations is subject to consensus between the parties and shall always take place in compliance with Chapter V GDPR.

6.2 The parties agree that Keystone shall be authorized to transfer personal data to third countries outside the EU/EEA as part of this JCA and the Joint Processing Activity, should it be necessary to engage a data processor to manage and operate the relevant Keystone Service, as described in section 3 number 6. In such instances, the Customer shall support Keystone by assisting in conducting the required legal and technical risk assessments associated with the transfer of personal data to a data processor in the specified third country, including but not limited to a transfer impact assessment.

6.3 The list of sub-processors engaged by Keystone on behalf of the parties, along with the sub-processors' location and the legal basis for the data transfer, is incorporated by reference into this JCA and available at the following link: Sub-processor Overview.

6.4 To the extent the Main Agreement has been entered into with a Keystone entity located in the UK (as specified in the Order Confirmation), the transfer of personal data internally between the Customer and the relevant Keystone entity located in the UK, in connection with the Joint Processing Activity, is governed by Article 45 of the GDPR and the European Parliament resolution of 21 May 2021 on the adequate protection of personal data by the United Kingdom (2021/2594) (the UK Adequacy Decision).

7      Duration and Termination

7.1 The JCA enters into force on the date of signature of the Main Agreement and remains in effect as long as the parties continue to act as joint controllers and process personal data under the Joint Processing Activity.

7.2 Upon termination of the Main Agreement, the parties shall terminate the processing under this JCA, unless the parties decide otherwise.

7.3 The parties shall ensure that any sub-processor shall terminate the processing of personal data relating to the Joint Processing Activity and delete all personal data from its files upon termination of the Main Agreement.

8      Liability

8.1 The Parties acknowledge that, notwithstanding this JCA, each party shall be liable to the data subject for any damage suffered by the data subject or any other natural person resulting from a breach of the GDPR, in accordance with the provisions of Article 82 of the GDPR. This also applies to administrative fines imposed by supervisory authorities pursuant to Article 83 of the GDPR. As between the parties (inter partes), Keystone's liability under the JCA shall not exceed the limitations on liability as outlined in the Main Agreement.


8.2 For the sake of clarity, a party is never responsible for the other party's processing of personal data as an independent/separate controller outside the scope of the Joint Processing Activity.

9      Notice

Notices or communication pursuant to this JCA shall be sent in writing to the parties' given contact persons as set out in the Main Agreement and/or the Order Confirmation.

10      Legal Venue and Governing Law 

Unless otherwise agreed upon in the Main Agreement, this JCA shall be governed by the laws of Norway, with Oslo District Court as the legal venue.