The INTERLACE Partners (hereinafter also referred to jointly as "the Parties" or individually as “Party”) have concluded a Joint Controllership Agreement according to Art. 26 of the General Data Protection Regulation. The Agreement applies to all activities of the parties when processing personal data within the project. It is provided in the following.
(1) This agreement determines the rights and obligations of the controllers (hereinafter also referred to jointly as "the Parties" or individually as “Party”) for the joint processing of personal data. It applies to all activities of the Parties, or processors appointed by a Party, when processing personal data. The Parties have jointly determined the purposes and means of processing personal data in accordance with Art. 26 GDPR.
(2) Further specifications of the handling of personal are determined in the INTERLACE project Data Management Plan which complements the Joint Controllership agreement.
(3) The INTERLACE project processes personal data during different research activities which can include for example conducting surveys, qualitative methods, interviews and deploying the co-creation process to develop tools and guidelines, the development of a stakeholder database as part of the co-creation and agile working process as well as dissemination and outreach activities. The Parties determine the sections in which personal data are processed under joint controllership (Article 26 GDPR). For the other sections of processing, where the Parties do not jointly determine the purposes and means of data processing, each contracting Party is a controller pursuant to Article 4 No. 7 GDPR. As far as the contracting Parties are joint controllers pursuant to Article 26 GDPR, it is agreed as follows:
Each Party shall ensure compliance with the legal provisions of the GDPR, particularly in regards to the lawfulness of data processing under joint controllership. The Parties shall take all necessary technical and organisational measures to ensure that the rights of data subjects, in particular those pursuant to Articles 12 to 22 GDPR, are guaranteed at all times within the statutory time limits.
(1) The Parties shall store personal data in a structured, commonly used, and machine-readable format.
(2) The Parties shall ensure that only personal data which are strictly necessary for the legitimate conduct of the process are collected and for which the purposes and means of processing are specified by Union or national law. Moreover, contracting Parties agree to observe the principle of data minimisation within the meaning of Article 5 (1) lit. c) GDPR.
(1) The Parties commit themselves to provide the data subject with any information referred to in Articles 13 and 14 of the GDPR in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The information shall be provided free of charge. If not stated otherwise for a specific section, the Party who is collecting personal data is responsible for informing the data subjects about the collection process, the transfer of personal data to other Parties for processing (if applicable), the personal data categories concerned and the purposes prior to data collection in line with Article 14 of the GDPR. According to § 1 of this agreement, this information will be added and made available in the data management plan prior to the relevant data collection and processing.
(2) Contact details of the controller and of the respective Data Protection Officer can be found in § 19 of this agreement.
(3) The data processing party shall support the data collecting party in providing information to the data subjects.
The data subject may exercise his or her rights under Articles 15 to 22 GDPR against each of the joint controllers. In principle, the data subject may receive the requested information from the contracting Party to whom the request was made.
(1) Ecologic Institute or, alternatively, any other Party shall provide the data subject access according to Article 15 of the GDPR.
(2) Where the data subject requests access according to Article 15 GDPR, the Parties shall provide this information. The following process applies if a data subject requests access:
- The request is received by the INTERLACE project data protection officer or the data protection officer of any INTERLACE Party. If only the latter is informed by the data subject, he/she has to inform the INTERLACE project data protection officer about the request.
- Data will be compiled and send back according to the GDPR.
If necessary, the Parties shall provide each other with the necessary information from their respective operating range. Competent contact persons of the Parties are listed under §19. Each Party must immediately inform the others of any change of the contact person.
(1) If a data subject exercises his or her rights against one of the Parties, in particular of the rights of access, correction, or deletion of his or her personal data, the Parties are obliged to forward this request to the other Parties and INTERLACE project data protection officer without undue delay. This applies irrespective of the general obligation to guarantee the right of data subjects. The Parties receiving the request must provide the information within its operating range to the requesting Party.
(2) If personal data are to be deleted, the Parties shall inform each other in advance. A Party may object to the deletion for a legitimate interest, for example, if there is a legal obligation to retain the data set for deletion.
The Parties shall inform each other immediately if they notice errors or infringements regarding data protection provisions during the examination of the processing activities.
The Parties undertake to communicate the essential content of the joint controllership agreement to the data subjects (Article 26 (2) GDPR). For this purpose, the agreement will be made public on the INTERLACE project website and updated if amendments are made.
The Parties are obliged to inform INTERLACE Data Protection officer who will inform the supervisory authority and the data subjects affected by a violation of the protection of personal data in accordance with Articles 33 and 34 GDPR concerning all operating ranges. The Parties shall inform each other about any such notification to the supervisory authority without undue delay. The Parties also agree to forward the information required for the notification to one another without undue delay.
If a data protection impact assessment pursuant to Article 35 GDPR is required, the Parties shall support each other.
Documentations within the meaning of Article 5 (2) GDPR, which serve as proof of proper data processing, shall be archived by each Party beyond the end of the contract in accordance with legal provisions and obligations.
(1) Within their operating range, the Parties shall ensure that all employees authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with Articles 28 (3), 29, and 32 GDPR for the duration of their employment, as well as after termination of their employment. The Parties shall also ensure that they observe the data secrecy provisions prior to taking up their duties and are familiarised with the data protection legislation and rules relevant to them.
(2) The Parties shall independently ensure that they are able to comply with all existing storage obligations with regard to the data. For this purpose, they must implement appropriate technical and organisational measures (Article 32 et seq. GDPR). This applies particularly in the case of termination of the cooperation/agreement.
(3) The implementation, default-setting, and operation of the systems shall be carried out in compliance with the requirements of the GDPR and other regulations. In particular, compliance with the principles of data protection by design and data protection by default will be achieved through the implementation of appropriate technological and organisational measures corresponding to the state of the art.
(4) The Parties agree to store personal data which are processed individually. Each Party is responsible for the security of the data collected and processed.
(1) The Parties commit themselves to conclude a contract in accordance with Article 28 GDPR when engaging processors within the scope of this agreement (see § 1) and to obtain the written consent of the other Party before concluding the contract.
(2) The Parties shall inform each other in a timely manner of any intended change with regard to the involvement or replacement of subcontracted processors. The Parties shall only commission subcontractors who meet the requirements of data protection legislation and the provisions of this agreement. Services which the contracting Parties use from third Parties to support the execution of the contract, such as telecommunications services and maintenance, shall not be seen as services provided by subcontractors within the meaning of this contract. However, the Parties are obligated to make appropriate contractual agreements in accordance with the law and to take controlling measures to guarantee the protection and security of personal data, even in the case of additional third Party services.
The Parties shall include the processing operations in the records of processing activities pursuant to Article 30 (1) GDPR, in particular, with a comment on the nature of the processing operation as one of joint or sole responsibility.
Notwithstanding the provisions of this contract, the Parties shall be liable for damages resulting from processing that fails to comply with the GDPR. In external relations they are jointly liable to the persons concerned. In this case, if an external entity should claim one Party due to another Party’s breach and the non-breaching Party should have to compensate for the damages caused by the breaching Party, the non-breaching Party shall have the action for recovery towards the breaching Party, and the latter shall have the obligation to compensate the non-breaching Party entirely without delay.
In the internal relationship the Parties are liable, notwithstanding the provisions of this contract, only for damages which have arisen within their operating range.
(1) The controllers may decide that personal data can be transferred to third countries or international organisations.
(2) The controllers are responsible for compliance with the requirements in Chapter V of the GDPR if personal data are transferred to third countries or international organisations.
(3) Each controller is responsible for its own personal data transfers to third countries or international organisations, including for ensuring that a legal basis for transfer exists and that Chapter V of the GDPR has been observed.
The following information is required under Article 14 of the GDPR for all Parties.
- Ecologic Institute
Contact details of the controller: Pfalzburger Strasse 43/44, 10717 Berlin, Germany
Main Phone Number: +49 (30) 86880-0
Contact details of the data protection officer: David Reichwein, firstname.lastname@example.org
YEPEZSALMON YEPEZ SALMON ASOCIADOSSA (YES)
Contact details of the controller: Armero OE7-261 y El Oro, 170521 Quito, Ecuador
Main Phone Number: +593 22215909
Contact details of the data protection officer: Nicolas SALMON, email@example.com
UNIVERSIDAD AUTONOMA DE BARCELONA (UAB)
Contact details of the controller: Calle Campus Universitario Sn Cerdanyola V, Cerdanyola Del Valles 08290, Spain
Main Phone Number: +34 93 581 2774Website: www.uab.cat
Contact details of the data protection officer: Agustí Verde Parera, Agusti.Verde@uab.cat
INSTITUTO DE INVESTIGACIÓN DE RECURSOS BIOLÓGICOS ALEXANDER VON HUMBOLDT (IAVH)
Contact details of the controller: Calle 28a # 15-09 Bogotá, Colombia
Main Phone Number: +57(1) 3202767
Contact details of the data protection officer: Johanna Galvis Galindo, firstname.lastname@example.org
UNIVERSIDAD NACIONAL (UNA)
Contact details of the controller: Campus Omar Dengo, Edificio Rectoria Avenida 1, Calle 9. Apartado Postal: 86-3000
Main Phone Number: 506-22773000
Contact details of the data protection officer: Axel Hernández, email@example.com
FUNDACJA SENDZIMIRA (TSF)
Contact details of the controller: WIARUSA 11/3, ZIELONKI 32 087, Poland
Main Phone Number: +48 22 828 91 28
Contact details of the data protection officer: Ilona Gosk, firstname.lastname@example.org, +48 696 015 723
EIGEN VERMOGEN VAN HET INSTITUUT VOOR NATUUR- EN BOSONDERZOEK (EV INBO)
Contact details of the controller: Havenlaan 88 Bus 73, Brussel 1000, Belgium,
Main Phone Number:
Contact details of the data protection officer: Koen Van Muylem, email@example.com
FUNDACION TECNALIA RESEARCH & INNOVATION (TEC)
Contact details of the controller: Parque Tecnológico de Álava C/ Leonardo Da Vinci, 11, Edificio Miñano 1, E01510
Main Phone Number: 670498199
Contact details of the data protection officer: firstname.lastname@example.org
STIFTELSEN NORSK INSTITUTT FOR NATURFORSKNING NINA (NINA)
Contact details of the controller: Høgskoleringen 9, 7034 Trondheim, Norway
Main Phone Number: +47 73 80 14 00
Contact details of the data protection officer: email@example.com and firstname.lastname@example.org
COMMUNE DE NANTERRE (NAN/UCLG)
Contact details of the controller: Direction de la Vie Citoyenne, Ville de Nanterre
Main Phone Number: 0033 6 274 888 39
Contact details of the data protection officer: Fulvia Cugini, Fulvia.CUGINI@mairie-nanterre.fr
CLIMATE ALLIANCE - KLIMA-BUENDNIS - ALIANZA DEL CLIMA e.V. (CA)
Contact details of the controller: Galvanistr. 28, 60486 Frankfurt am Main, Germany
Main Phone Number: +49 69 717139 13
Contact details of the data protection officer: Dr. Wolfgang Hofstetter. W. Hofstetter@climatealliance.org
UNION NACIONAL DE GOBIERNOS LOCALES (UNGL)
Contact details of the controller: San José, Costa Rica
Main Phone Number: (506) 2290 40 97
Contact details of the data protection officer: Braulio Guevara: email@example.com
STOWARZYSZENIE METROPOLIA KRAKOWSKA (KRA)
Contact details of the controller: Daniel Wrzoszczyk
Main Phone Number: +48 12 34 18 512
Contact details of the data protection officer: Daniel Wrzoszczyk, firstname.lastname@example.org
ASOCIACION DE DESARROLLO INTEGRAL DE SALITRILLOS DE CONCEPCION DE LA UNION (CBIMA)
Contact details of the controller: Concepción de la Unión contiguo a la Escuela de Ricardo André Salón Comunal de Salitrillos, Cartago 3000, Costa Rica
Main Phone Number: 506 87072030
Contact details of the data protection officer: Maricruz Alvarez, email@example.com
STADT CHEMNITZ (CHE)
Contact details of the controller: Stadt Chemnitz, Stadtplanungsamt, Postfach 1121, 09070 Chemnitz
Main Phone Number: +49 371 488 6101
Contact details of the data protection officer: Bianca Dietz-Thalmann, firstname.lastname@example.org
GOBIERNO AUTONOMO DESCENTRALIZADO MUNICIPAL DEL CANTON DE PORTOVIEJO (POR)
Contact details of the controller: AV. METROPOLITANA KM. 2 1/2 VÍA A MANTA, 130105, Portoviejo, Ecuador
Main Phone Number: +59353700250
Contact details of the data protection officer: Félix Francisco Jaime Vaca, email@example.com, +593980157247
ALCADIA DE ENVIGADO (ENV)
Contact details of the controller: calle 40 B sur 37-24, sede Secretaria de Medio Ambiente y Desarrollo Agropecuario, Barrio El Dorado, municipio de Envigado, Antioquia, Colombia
Main Phone Number: (57) 313 672 43 02
Contact details of the data protection officer: Luz Mercedes Montoya Luna
AJUNTAMENT DE GRANOLLERS (GRA)
Contact details of the controller: Placa De La Porxada 6, Granollers 08401, Spain
Main Phone Number:
Contact details of the data protection officer: Alfred Lacasa
OPPLA EEIG (OPPLA)
Contact details of the controller: PO Box 51, 5070 AB Udenhout, The Netherlands
Main Phone Number: +44 (0)161 236 3432
Contact details of the data protection officer: Jonathan Porter, firstname.lastname@example.org
FONDO MUNDIAL PARA LA NATURALEZA COLOMBIA - WWF COLOMBIA (WWF)
Contact details of the controller: Oswaldo Venegas
Main Phone Number: 57 3143824518
Contact details of the data protection officer: Carmen Ana Dereix, email@example.com
FLACMA MÉXICO (FLACMA)
Contact details of the controller: firstname.lastname@example.org
Main Phone Number: +52 55 5729.9637
Contact details of the data protection officer: Sergio Arredondo Olvera email@example.com