JOINT CONTROLLERS AGREEMENT FOR THE “UNLEASHED” PET TECH NEWSLETTER
THIS AGREEMENT is made on 15 October 2020 (the Effective Date), BETWEEN:
Nestlé Enterprises S.A., acting through its business division Nestlé Purina PetCare EMENA, a company established under the laws of Switzerland, with Registration Number CHE-108.731.444 and registered address at 12 Entre-Deux-Villes, 1800 Vevey, Switzerland, (Controller A); and
Sifted (UK) Ltd, a company established under the laws of England and Wales, with Registration Number 11080313 and registered address at 20-22 Wenlock Road London N1 7GU, UK (Controller B),
each a “Party” and together the “Parties”.
1. Definitions and Interpretation
1.1. In this Agreement, unless the context otherwise requires:
“Controller” has the meaning given in the GDPR.
“Data Breach” means a personal data breach, as described in Article 33 of the GDPR.
“Data Protection Authority” means a Supervisory Authority, as that term is defined in the GDPR.
“Data Protection Impact Assessment” means a data protection impact assessment, as described in Article 35 of the GDPR.
“Data Subject” has the meaning given in the GDPR.
“GDPR” means Regulation (EU) 2016/679, as amended, consolidated or replaced from time to time.
“Joint Controller” has the meaning given in the GDPR.
“Joint Processing Activity” has the meaning given in Clause 2.2.
“Personal Data” has the meaning given in the GDPR.
“Process” or “Processing” has the meaning given in the GDPR.
“Processor” has the meaning given in the GDPR.
“Relevant Personal Data” has the meaning given in Clause 2.1.
2. The Joint Processing Activities
2.1. For the purposes of this Agreement, the Parties intend to engage in the Processing of the following categories of Personal Data:
(a) Name, surname;
(b) E-mail address;
(c) Job title;
(d) Company name;
(e) Business vertical.
together, the “Relevant Personal Data”.
2.2. The Parties intend to Process the Relevant Personal Data for the following joint purposes:
(a) To send a newsletter related to petcare and pet tech topics.
In addition, the Parties intend to Process the Relevant Personal Data for the following purposes:
(b) Controller A will use the Relevant Personal Data only to invite selected Data Subjects to join a petcare start-up community;
each a “Joint Processing Activity” and together the “Joint Processing Activities”.
2.3. The Parties acknowledge that, for the purposes of the Joint Processing Activities, they shall be Joint Controllers.
3. Allocation of GDPR compliance obligations between the Parties
3.1. Except as specifically set out in this Agreement, each Party shall bear responsibility for its own compliance obligations as a Controller under the GDPR. The Parties shall provide one another with all reasonable assistance necessary to demonstrate compliance with the GDPR, in accordance with Article 24 of the GDPR.
3.2. Controller B shall be responsible for providing Data Subjects with notice of the Joint Processing Activities, in accordance with Articles 13 and 14 of the GDPR.
3.3. Both Parties shall separately record the Processing Activities in a suitable register of data processing activities.
3.4. In the event that a Data Subject makes a request to either Party to exercise one or more of the rights afforded to Data Subjects under the GDPR:
(a) that Party shall promptly notify the other Party of such request; and
(b) Controller B shall be responsible for giving effect to those rights. To the extent that either Party reasonably requires input or assistance from the other Party in order to give effect to any of the rights afforded to Data Subjects under the GDPR, that other Party shall provide all such input or assistance.
3.5. Controller B shall be responsible for ensuring that the principles of data protection by design and by default, as set out in Article 25 of the GDPR, are addressed prior to the commencement of any Joint Processing Activity.
3.6. To the extent that any of the Joint Processing Activities is likely to result in a high risk to the rights and freedoms of Data Subjects, Controller B shall be responsible for conducting a Data Protection Impact Assessment in accordance with Article 35 of the GDPR, and any necessary prior consultation with the relevant Data Protection Authority under Article 36 of the GDPR.
3.7. The Parties acknowledge that, irrespective of the terms of this Agreement, a Data Subject may choose to exercise any of the rights afforded to Data Subjects under the GDPR against either Party in its capacity as a Joint Controller.
4. Appointment of Processors
4.1. Either Party may appoint one or more Processors to assist it in connection with any of the Joint Processing Activities. In the event that either Party appoints a Processor for these purposes, it shall do so in accordance with the provisions of Article 28 of the GDPR.
4.2. In the event one Party considers appointing a Data Processor outside the EEA, the appointing Party shall ensure that (a) the Data Processor is established in a jurisdiction considered as offering an adequate level of data protection as set out in the GDPR or (b) the Data Processor has completed and signed the EU model clauses (Standard Contractual Clauses).
5. Data security
5.1. Each Party shall implement appropriate technical and organisational measures to ensure the security of the Joint Processing Activities, appropriate to the level of risk associated with those activities. In particular, Controller B will provide access to the Relevant Personal Data only to selected individuals of Controller A to perform the Processing Activity according to clause 2.2 (a) above.
6. Data Breach reporting
6.1. In the event that either Party discovers a Data Breach that affects any Joint Processing Activity or any Relevant Personal Data, that Party shall promptly, and in any event within 24 hours of discovering the Data Breach, notify the other Party. The Parties shall then work together, providing one another with all reasonable assistance necessary to identify the cause of the Data Breach, remedy the Data Breach, and determine whether the Data Breach is likely to result in a risk to the rights and freedoms of Data Subjects.
6.2. Unless the Parties have first conclusively determined that the Data Breach is unlikely to result in a risk to the rights and freedoms of Data Subjects, the Party that first discovered the Data Breach shall, within 72 hours after that discovery, report the Data Breach to the relevant Data Protection Authority in accordance with Article 33 of the GDPR.
6.3. If appropriate, the Parties shall work together, providing one another with all reasonable assistance, to provide affected Data Subjects with appropriate notification of the Data Breach.
7. Disclosure of this Agreement to Data Subjects and Data Protection Authorities
7.1. In the event that either Party receives a request from a Data Subject or a Data Protection Authority for information relating to this Agreement or the relationship between the Parties as Joint Controllers, that Party shall provide to the Data Subject or Data Protection Authority, as appropriate, a copy of this Agreement.
8. Primary Points of Contact
8.1. The Parties designate the following persons as their primary points of contact for the purposes of this Agreement:
Name: Kim Bill
12 Entre Deux Villes
Telephone number: +41 21 924 2786
Name: Caspar Woolley
c/o Huckeltree, 18 Finsbury Square
London EC2A 1AH
Telephone number: +44 780 320 8080
together, the “Primary Points of Contact”.
8.2. All notices sent under or in connection with this Agreement should be sent to the relevant Primary Point of Contact.
8.3. Either Party may change the details of its designated Primary Point of Contact, immediately upon written notice to the other Party.
9.1. This Agreement shall remain in force for the duration of the Joint Processing Activities.
10. Governing Law
10.1. This Agreement shall be governed by, and construed in accordance with, the laws of Switzerland and each Party irrevocably submits to the exclusive jurisdiction of the courts of Canton Vaud, Switzerland.
SIGNED by or on behalf of the Parties on the Effective Date.
for and on behalf of Nestlé Enterprises S.A.
NAME: Kim Bill
and for and on behalf of Sifted (EU) Ltd
NAME: Caspar Woolley