between
shopware AG Ebbinghof 10 48624 Schöppingen
(hereinafter referred to as “Controller”)
and
the store operator who agrees to this agreement by accepting it in the backend of their storefront
(hereinafter referred to as “Further Controller”)
(hereinafter collectively referred to as “Joint Controllers”)
The Controller and Further Controller are committed to the high standards that apply to each of the Joint Controllers in terms of data protection.
The Joint Controllers have jointly determined the purposes and means of processing personal data (short: “Data”) in accordance with Article 26 (1) Sentence 1 of the GDPR (short: “Joint Processing Activity”). This Joint Controller Agreement (short: “JCA”) specifies the rights and obligations of the Joint Controllers in relation to these Joint Processing Activities, arising from the contractual or quasi-contractual relationship already existing or to be established between the Joint Controllers (short: “Main Contract”).
Unlike data processing under Article 28 of the GDPR, joint responsibility under Article 26 of the GDPR does not prescribe a fixed allocation of the rights and obligations of the Joint Controllers. Therefore, the parties allocate these responsibilities through the JCA. In some cases, one of the Joint Controllers may assume a more prominent role in the Joint Responsibility. In this case, the relevant party should be listed as the Controller in the header of the JCA.
The JCA applies exclusively to the Joint Processing Activities described in the following clauses. The data protection provisions applicable to the Joint Processing Activities are regulated in the JCA. This includes, in particular, the determination of which of the Joint Controllers fulfills which obligation under the GDPR, especially with regard to the exercise of the rights of the data subject, and which of the Joint Controllers complies with the information obligations under Articles 13, 14 of the GDPR, insofar as the respective tasks of the parties are not mandatorily prescribed by legal provisions.
In case of conflicts, the provisions of this JCA and all its parts shall take precedence over the provisions of the associated Main Contract.
Any annexes are part of the JCA. In case of conflicts, the provisions in the annexes shall take precedence over the general provisions of the JCA. If reference is made to the JCA in the following or in an annex, the JCA with all its parts is meant.
The subject matter of the Joint Processing Activity arises from the Main Contract.
The Joint Processing Activity, including deletion, is carried out by the Controller.
The duration of the Joint Processing Activity arises from the Main Contract.
The nature and purpose of the Joint Processing Activity arise from the Main Contract.
The categories of data affected by the Joint Processing Activity arise from the Main Contract.
The categories of persons affected by the Joint Processing Activity arise from the Main Contract.
The categories of recipients of the data affected by the Joint Processing Activity arise from the Main Contract.
The legal basis for data processing within the scope of the Joint Processing Activity arises for the Controller from Article 6 (1) Sentence 1 (f) of the GDPR and for the Further Controller from Article 6 (1) Sentence 1 (f) of the GDPR.
Each of the Joint Controllers is responsible for ensuring compliance with applicable legal data protection requirements, particularly for the lawfulness of disclosure to the other(s), as well as for the lawfulness of the Joint Processing Activity.
Should one of the Joint Controllers process data from a Joint Processing Activity for other purposes, that Joint Controller shall be independently responsible as a Controller within the meaning of Article 4 No. 7 of the GDPR. This Controller is obliged to inform the other Joint Controllers of such processing for other purposes in writing.
The allocation of which Joint Controller fulfills which obligation under the GDPR for the Joint Processing Activities is as follows:
| Obligation | Controller | Further Controller |
| --- | --- | --- |
| Decisions regarding Joint Processing Activities | Jointly decided | Jointly decided |
| Accountability under Article 5 (2) GDPR | Own responsibility of each Joint Controller | Own responsibility of each Joint Controller |
| Implementation, obtaining, and management of consents from data subjects for the collection of data on end devices in accordance with Section 25 of the TTDSG | ☒ | |
| Fulfillment of information obligations under Articles 13, 14, 21 GDPR | ☒ | |
| Fulfillment of rights of data subjects under Article 15 GDPR (access) | ☒ | |
| Fulfillment of rights of data subjects under Article 16 GDPR (rectification) | ☒ | |
| Fulfillment of rights of data subjects under Article 17 GDPR (erasure) | ☒ | |
| Fulfillment of rights of data subjects under Article 18 GDPR (restriction of processing) | ☒ | |
| Fulfillment of rights of data subjects under Article 19 GDPR (notification obligations) | ☒ | |
| Fulfillment of rights of data subjects under Article 20 GDPR (data portability) | ☒ | |
| Fulfillment of rights of data subjects under Article 21 GDPR (objection) | ☒ | |
| Ensuring GDPR-compliant processing measures under Article 24 GDPR | ☒ | |
| Implementation of data protection by design under Article 25 (1) GDPR | ☒ | |
| Implementation of privacy-friendly default settings under Article 25 (2) GDPR | ☒ | |
| Provision of the essential contents of the JCA to data subjects under Article 26 (2) Sentence 2 GDPR | ☒ | |
| Maintenance of records of processing activities for the Joint Processing Activities under Article 30 GDPR | ☒ | |
| Ensuring security of processing under Article 32 GDPR | ☒ | |
| Handling data breaches under Articles 33, 34 GDPR | ☒ | |
| Conducting data protection impact assessments and consulting the supervisory authority under Articles 35, 36 GDPR | ☒ | |
| Appointment of a data protection officer under Article 37 GDPR (if necessary) | Independently by each Joint Controller | Independently by each Joint Controller |
| Commitment of employees to confidentiality of personal data | Independently by each Joint Controller | Independently by each Joint Controller |
Each Joint Controller will assist the other in fulfilling the GDPR obligations as necessary and feasible.
Should one Joint Controller be assigned an obligation under this clause, they shall document the fulfillment of this obligation in accordance with their accountability obligation under Article 5 (2) of the GDPR and provide documentation to the other Joint Controller(s) as necessary to fulfill their obligations.
In the case of a data breach notification under Article 33 (1) of the GDPR or consultation with a supervisory authority under Article 36 (1) of the GDPR, the responsible Joint Controller shall coordinate with the other Joint Controller without delay, unless such coordination would jeopardize compliance with mandatory GDPR provisions (e.g., notification deadlines under Article 33 (1) GDPR).
The information that is to be made available to data subjects under Articles 13, 14, 21 GDPR and Article 26 (2) Sentence 2 GDPR will be determined separately and by mutual agreement between the Joint Controllers.
The Joint Controller responsible for fulfilling the information obligations under Articles 13, 14, 21 GDPR and Article 26 (2) Sentence 2 GDPR will make the information easily accessible to the data subjects as follows: As data protection information on its website (storefront).
The Joint Controller responsible for ensuring the security of processing will implement appropriate technical and organizational measures in accordance with Article 32 GDPR (short: “TOM”) and maintain them for the duration of the JCA.
The TOM are subject to technological progress and development, as well as to legal changes. Therefore, the Joint Controller responsible for ensuring the security of processing is permitted to implement alternative and appropriate TOM, provided that the overall level of security is not reduced compared to the previously defined TOM. The other Joint Controllers will be informed of such changes in writing by providing the new TOM.
The point of contact for data subjects under Article 26 (1) Sentence 3 GDPR is the Controller. The party designated as the point of contact (hereinafter: “Contact Point”) will handle the processing of requests from data subjects under Articles 15 ff. GDPR fully on behalf of the other Joint Controllers.
If a data subject exercises their rights under Article 26 (3) GDPR by contacting a Joint Controller other than the Contact Point, this Joint Controller shall immediately forward the request to the Contact Point, who will then process the request. When communicating with the data subject, the Contact Point will indicate that they are also acting on behalf of the other Joint Controllers.
The Joint Controllers will each designate one or more contact persons in writing for data protection matters, including any appointed data protection officers. This designation may be omitted if it is already specified in the Main Contract or other arrangements made by the Joint Controllers.
Each Joint Controller shall immediately notify the Joint Controller responsible for handling data breaches, within the meaning of Article 4 No. 12 GDPR (short: “Data Breach”), if (a) a Joint Processing Activity is affected and (b) a Data Breach within their organizational area is known, or if there is a concrete suspicion of such a Data Breach.
If one of the Joint Controllers identifies errors in the Joint Processing Activity, they shall immediately inform the other Joint Controllers.
The Joint Controller affected by the Data Breach shall immediately take the necessary measures to remedy the Data Breach or error and mitigate possible adverse consequences, particularly for the data subjects. This will be coordinated with the other Joint Controllers. Oral notifications must be confirmed in writing without delay.
The transfer of data to a recipient in a third country outside the EU and EEA by one of the Joint Controllers is permissible under the conditions set out in Articles 44 ff. GDPR.
The transferring Joint Controller shall notify the other Joint Controllers in writing about such transfers. Details may be regulated in the annex “Third Country Transfer” if needed.
Only the Controller is authorized to engage processors for all Joint Controllers. The Controller alone is responsible for compliance with the requirements under Article 28 GDPR. The Controller shall notify the other Joint Controllers in writing about such data processing agreements.
If necessary for the implementation of the JCA, the Controller shall issue instructions to the processors regarding the Joint Processing Activities and provide evidence of this to the other Joint Controllers upon request.
If data of the other Joint Controllers are involved, the Controller shall ensure that audits under Article 28 (3) Sentence 2 (h) GDPR can also be conducted by the other Joint Controllers and that the processor will assist with such audits.
If a supervisory authority exercises its powers under Article 58 GDPR, the Joint Controllers shall immediately inform each other. They will assist each other within their respective areas of responsibility in fulfilling their obligations toward the respective supervisory authority.
If a data subject asserts claims (such as for injunctive relief or damages) against one of the Joint Controllers due to violations of data protection regulations, the affected Joint Controller shall immediately inform the other Joint Controllers in writing.
The Joint Controllers are liable to data subjects in accordance with the provisions of Article 82 GDPR.
The Joint Controllers will mutually support each other in defending against claims from data subjects, unless this would jeopardize the legal position of one Joint Controller in relation to the others or the supervisory authority.
Each Joint Controller shall bear their own costs arising from fulfilling the obligations under the JCA.
The JCA is concluded for an indefinite period.
The JCA may be terminated with three months’ notice to the end of a quarter. The right to extraordinary termination for good cause remains unaffected.
Termination of the JCA by the Controller must be declared to all other Joint Controllers. Termination by a Further Controller must be declared to the Controller, who is authorized to receive the termination on behalf of all other Joint Controllers. Upon receipt of a termination, the Controller shall immediately inform the other Joint Controllers in writing.
If the Controller terminates the JCA or otherwise leaves the arrangement, the JCA will end upon the Controller’s departure, regardless of the number of remaining Joint Controllers. The remaining Joint Controllers may enter into a new agreement, designating a new Controller.
Upon termination of the Main Contract or the JCA, the Joint Controllers shall immediately hand over or delete the data in compliance with data protection requirements. The obligation to hand over or delete data does not apply if the respective Joint Controller is independently entitled to continue processing the data after the termination of the Main Contract or the JCA.
The decision as to whether data should be handed over and/or deleted shall be made by the Joint Controller who first disclosed the data to the Further Controller(s). Handover and deletion shall be confirmed in writing (e.g., by a deletion log).
Each Joint Controller is responsible for ensuring that they comply with retention obligations regarding the data. To this end, they shall establish appropriate TOM, which complement the TOM applicable to the Joint Processing Activities.
Amendment proposals for the JCA shall be prepared by the Controller or submitted to the Controller by another Joint Controller.
The Controller will promptly provide all other Joint Controllers with the proposal for amendments or a consolidated proposal from several Joint Controllers, allowing a reasonable period for written comments.
If the proposal is accepted unchanged by all Joint Controllers within the set period and returned to the Controller, the agreement shall be amended as proposed. Otherwise, the proposal is considered rejected.
The Joint Controllers agree that the JCA does not create a civil-law partnership, a pre-company, a pre-foundation company, or any other company or association, nor is such a formation intended.
If data from a Joint Processing Activity of one of the Joint Controllers is threatened by seizure or confiscation, insolvency or settlement proceedings, or other events or actions by third parties, the affected Joint Controller shall immediately inform the other Joint Controllers in writing. Additionally, the affected Joint Controller must inform the third parties in writing that responsibility for the data lies with all Joint Controllers under Article 26 GDPR.
No verbal side agreements have been made. Amendments and supplements to the JCA must be in written form to be effective and must explicitly refer to the JCA. Any differing verbal agreements between the Joint Controllers are ineffective. This also applies to changes to this clause.
If any provision of this agreement is or becomes invalid or void, the remainder of the JCA shall remain unaffected and valid. In place of the invalid or void provision, the law shall apply unless the gap can be filled by supplementary contractual interpretation under Sections 133, 157 of the German Civil Code (BGB). However, the Joint Controllers are obliged to immediately agree on and prepare a valid and data protection-compliant contractual amendment.
German law applies.