Joint Controllership Agreement

(“Agreement”)

between

commercetools GmbH
Adams-Lehmann-Str. 44
DE-80797 Munich
Germany

("commercetools GmbH")

and

Partner as described in the relevant technology, solution, or other partnership agreement between the parties (“Partner Agreement”)

("Partner")

(commercetools GmbH and the Partner hereinafter jointly the “Parties” and each a “Party”)

Preamble

The Parties intend to cooperate with respect to the performance of marketing operations specified in further detail in Annex 1 and the particular agreements between the Parties (the "Program").

In this context the Parties will share and otherwise process certain personal data, namely certain data as specified in further detail in Annex 2 to this Agreement (the "Contract Data").

The Parties have agreed that they will jointly determine the purposes and means of processing of the Contract Data for the Program.

Now, therefore, the Parties agree as follows:

1. Scope of Application

1.1 This Agreement governs the rights and obligations of the Parties with respect to the processing of the Contract Data for the Program. 

1.2 The Parties will jointly determine the purposes and means of processing of the Contract Data for the Program in accordance with Art. 26 GDPR, subject to the provisions of this Agreement.

1.3 Any other processing of the Contract Data (and any other personal data) for purposes outside the Program shall be conducted by the Parties as independent controllers and/or any alternative arrangements, if applicable, and shall not be subject to this Agreement.

1.4 The Parties acknowledge and agree that the joint responsibility established under this Agreement shall be limited to the processing of the Contract Data in accordance with Art. 26 GDPR. 

2. Interpretation

2.1 Where this Agreement uses terms that are defined in the GDPR, those terms shall have the same meaning as in the GDPR.

2.2 This Agreement shall be read and interpreted in the light of the provisions of the GDPR.

2.3 This Agreement shall not be interpreted in a way that conflicts with rights and obligations provided for in the GDPR.

3. Allocation of Responsibility

3.1 Notwithstanding the fact that the Parties act as joint controllers with respect to the processing of the Contract Data for the Program, as between the Parties, the following allocation of primary responsibilities shall apply (hereinafter the “Sphere of Responsibility”).

3.2 commercetools GmbH shall be responsible for ensuring that 

  • a) the servers, workstations, devices and other IT systems used by commercetools GmbH, including those of its sub-contractors and external service providers, if any, are operated in accordance with the GDPR and any other applicable laws, 

  • b) it has the necessary technical and organisational measures in place in accordance with the GDPR and any other applicable laws,

  • c) any Contract Data generated by commercetools GmbH (e.g. from its employees, customers, etc.) are generated on a valid legal basis (including consent, where required) that permits the processing of such Contract Data for the Program by the Parties in accordance with the GDPR and any other applicable laws.

3.3 The Partner shall be responsible for ensuring that 

  • a) the servers, workstations, devices and other IT systems used by the Partner, including those of its sub-contractors and external service providers, if any, are operated in accordance with the GDPR and any other applicable laws, 

  • b) it has the necessary technical and organisational measures in place in accordance with the GDPR and any other applicable laws,

  • c) any Contract Data generated by the Partner (e.g. from its employees, customers, etc.) are generated on a valid legal basis (including consent, where required) that permits the processing of such Contract Data for the Program by the Parties in accordance with the GDPR and any other applicable laws.

4. Purpose Limitation

4.1 The Parties shall process the Contract Data only for the specific Program. 

4.2 The Parties may only process the Contract Data for another purpose:

  • a) where the relevant Party has obtained the data subject’s prior consent;

  • b) where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;

  • c) where necessary in order to protect the vital interests of the data subject or of another natural person, or

  • d) where otherwise permitted under applicable law.

4.3 Any processing of the Contract Data for a purpose other than the Program shall be performed by the respective Party as an independent controller.

5. Lawfulness of Data Processing

5.1 Each Party undertakes to ensure compliance of its processing of the Contract Data with GDPR and any other applicable laws. 

5.2 Contract Data shall be:

  • a) processed lawfully, fairly and in a transparent manner in relation to the data subject („lawfulness, fairness and transparency“);

  • b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

  • c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed („data minimisation“);

  • d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Contract Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay („accuracy“);

  • e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Contract Data are processed; Contract Data may be stored for longer periods insofar as the Contract Data will be processed solely as permitted under the GDPR subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject („storage limitation“);

  • f) processed in a manner that ensures appropriate security of the Contract Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures („integrity and confidentiality“).

5.3 The Parties shall be responsible for, and be able to demonstrate compliance with, Sec. 5.2 above („accountability“).

5.4 Either Party shall promptly inform the other Party if it is unable to comply with this Agreement, for whatever reason.

5.5 In the event that a Party is in breach of this Agreement or unable to comply with this Agreement, the other Party shall suspend the transfer of personal data to the non-compliant Party until compliance is again ensured or the Agreement is terminated.

6. Information of Data Subjects

6.1 In order to enable data subjects to effectively exercise their rights pursuant to the GDPR, the Parties shall inform them:

  • a) of their respective identities and contact details;

  • b) of the categories of personal data processed;

  • c) of the right to obtain a copy of the essence of the arrangements under this Agreement;

  • d) where a Party intends to onward transfer the Contract Data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the legal ground therefor.

6.2 Sec. 6.1 above shall not apply where the data subject already has the information, including when such information has already been provided by one of the Parties, or providing the information proves impossible or would involve a disproportionate effort for the Parties. In the latter case, the Parties shall, to the extent possible, make the information publicly available.

6.3 The provisions of this Section are without prejudice to the obligations of the Parties under Articles 13 and 14 GDPR.

7. Disclosure of the Essence of this Agreement

7.1 To the extent required under Article 26 (2) GDPR, the Parties undertake to make the essence of the arrangements under this Agreement available to the data subjects.

7.2 To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of this Agreement prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

8. Data Subject Rights

8.1 Each Party, where relevant with the assistance of the other Party, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under this Agreement without undue delay and at the latest within one month of the receipt of the enquiry or request. 

8.2 Each Party shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.

8.3 In particular, upon request by the data subject the relevant Party shall, free of charge:

  • a) provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to the GDPR; and provide information on the right to lodge a complaint with a supervisory authority in accordance with the GDPR;

  • b) rectify inaccurate or incomplete data concerning the data subject;

  • c) erase personal data concerning the data subject if such data is being or has been processed in violation of this Agreement, or if the data subject withdraws the consent on which the processing is based.

8.4 The Parties shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter ‘automated decision’), which would produce legal effects concerning the data subject or similarly significantly affect him/her, unless with the explicit consent of the data subject or if authorised to do so under applicable law.

9. Redress

9.1 The Parties shall inform data subjects in a transparent and easily accessible format, through individual notice or on their website, of a contact point authorised to handle complaints. Each Party shall deal promptly (unverzüglich) with any complaints it receives from a data subject.

9.2 In case of a dispute between a data subject and one of the Parties as regards compliance with this Agreement, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

10. Notification to Authorities and Data Subjects in Case of Data Breaches

10.1 In the event of a personal data breach concerning Contract Data processed by the Parties under this Agreement, the Parties shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.

10.2 In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the Parties shall without undue delay notify both the other Party and the competent supervisory authority pursuant to this Agreement. 

10.3 Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. 

10.4 To the extent it is not possible for the Parties to provide all the information at the same time, they may do so in phases without undue further delay.

10.5 In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the Parties shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the other Party, together with the information referred to in the previous paragraph, unless the Parties have implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the Parties shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.

10.6 The Parties shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.

11. Other Breaches and Irregularities

11.1 If a Party discovers breaches or irregularities with regard to the processing of the Contract Data, the Party discovering the breaches or irregularities undertakes to promptly notify the other Party accordingly. 

11.2 The Parties shall promptly take all measures as required to remedy the breaches or irregularities.

11.3 The Parties shall promptly provide each other with the necessary information as required to remedy the breaches or irregularities.

12. Technical and organisational measures

12.1 The Parties shall implement appropriate technical and organisational measures to ensure the security of the Contract Data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. 

12.2 In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

12.3 The Parties have agreed on the technical and organisational measures set out in Annex 3. The Parties shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

12.4 The Parties shall ensure that persons authorised to process the Contract Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

12.5 Where the Contract Data involve personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter ‘sensitive data’), the Parties shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.

13. Engagement of Processors

13.1 Whenever a Party wishes to commission a processor for the processing of the Contract Data for the Program under this Agreement, the Party retaining the processor undertakes to conclude a data processing agreement in accordance with Article 28 GDPR and to obtain the consent of the other Party before concluding the data processing agreement. 

13.2 Each Party shall have the right to withhold the consent for the commissioning of a particular processor for good cause only.

13.3 The Parties shall inform each other in a timely manner of any intended commissioning, change in the use or replacement of any processors and shall only use processors that comply with the requirements of the GDPR, and any other applicable laws and the provisions of this Agreement. 

13.4 The above consent requirement does not include services that the respective Party receives from third parties as an ancillary service to support the performance of the Agreement, such as telecommunications services and maintenance. However, the Parties are obliged to make appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the Contract Data, even in the case of externally contracted ancillary services.

14. Documentation and Record of Processing Activities

14.1 Each Party shall be able to demonstrate compliance with its obligations under this Agreement. In particular, each Party shall keep appropriate documentation of the processing activities carried out under its responsibility.

14.2 The Parties shall make such documentation available to the competent supervisory authority on request.

15. Data Protection Impact Assessment

If a data protection impact assessment is required pursuant to Article 35 GDPR, each Party shall perform and document such data protection impact assessment.

16. Data Storage

16.1 Each Party shall store the Contract Data in its systems in a structured, commonly used and machine-readable format.

16.2 Each Party shall ensure that only those Contract Data are collected that are necessary for the fulfilment of the Program.

17. Storage Limitation and Retention of Contract Data

17.1 Each Party undertakes to comply with the principle of storage limitation as per Art. 5 (1)(e) GDPR. 

17.2 The Parties shall retain the personal data for no longer than necessary for the Program for which it is processed. They shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation of the data and all back-ups at the end of the retention period.

17.3 The Parties shall independently ensure that they comply with all statutory retention obligations in relation to the Contract Data. To this end, they shall take appropriate data security precautions (Art. 32 et seq. GDPR). This applies in particular in the event of termination of this Agreement.

18. Liability

18.1 Without prejudice to the provisions of this Agreement, the Parties shall be jointly and severally liable vis-à-vis the data subjects for any damage caused by processing that does not comply with the GDPR. 

18.2 In accordance with the principles set forth in Art. 82 (5) GDPR, as amended by this Agreement, where a Party paid full compensation for the damage suffered or is obliged to pay such compensation for any damage, that Party shall be entitled to claim from the other Party involved in the processing that caused the damage that part of the compensation corresponding to its part of responsibility for the damage. 

18.3 The principles under Sec. 18.2 above shall also apply to any administrative fines issued by any supervisory authorities.

18.4 In case of any actual or potential claims, the Parties shall promptly notify each other in writing (email sufficient) of the applicable claim, furnish each other with all relevant information available to the respective Party and closely cooperate in the defense.

18.5 Each Party's liability to the other Party for one or more breaches of this Agreement shall be subject to the limitations and exclusions of liability set out in the Partner Agreement. Neither Party limits or excludes any liability that cannot be limited or excluded under applicable law.

19. Confidentiality

19.1 "Confidential Information" means any information, documents, items, materials, substances or electronic files disclosed by one Party to the other Party in written, electronic, oral or any other form, which is marked confidential by the disclosing Party or is by its nature to be treated as confidential.

19.2 The Parties undertake to treat the Confidential Information of the other Party as confidential and to use it exclusively for the purposes of the performance of this Agreement.

19.3 The disclosure of the Confidential Information of the disclosing Party by the respective recipient to third parties is only permitted to the extent that this is necessary for the performance of this Agreement, provided that the third party has committed itself to confidentiality vis-à-vis the Party making the Confidential Information available to the third party or is bound to confidentiality for professional reasons. Legal disclosure obligations remain unaffected. The respective Party making the Confidential Information available to the third party shall be responsible for ensuring that the obligations of this Agreement are also observed by such third parties. The Party making the Confidential Information available to the third party shall be liable for breaches of the confidentiality obligations under this Agreement by such third parties as if they were its own breach.

19.4 Each Party undertakes to protect the Confidential Information of the respective other Party by taking appropriate security measures.

19.5 The foregoing obligations shall not apply to information of which the receiving Party can prove that it (i) was or is available to the public in a lawful manner and in a manner not in breach of the provisions of this Agreement, (ii) was previously known to the receiving Party and was available to it without restriction, (iii) was disclosed to the receiving Party by a third party authorized to do so, or (iv) was developed by the receiving Party independently and without use of the Confidential Information disclosed by the disclosing Party.

19.6 The respective receiving Party undertakes to completely and permanently destroy all documents and records containing Confidential Information of the respective other Party or, in the case of electronic data, to permanently delete such data immediately after termination of this Agreement. This shall not affect any statutory storage and archiving obligations.

19.7 After termination of this Agreement, all rights and obligations of each Party with respect to the Confidential Information of the respective other Party shall continue to apply for a period of ten (10) years.

20. Term and Termination

20.1 This Agreement becomes effective upon the start of the Program.

20.2 This Agreement shall remain in force and effect for as long as Contract Data are processed by the Parties for the Program.

20.3 The right to terminate this Agreement for good cause remains unaffected. 

20.4 A right to terminate for good cause applies, in particular, if one Party commits a breach of a material contractual obligation under this Agreement, provided that the other Party cannot reasonably be expected to continue the Agreement for this reason. The prerequisite for termination under this provision is that the terminating Party must, by way of a warning letter, provide the other Party with a detailed written explanation of the reasons for termination, set a reasonable period of at least thirty (30) days for the other Party to eliminate the cause for termination, and expressly threaten termination in its warning letter if the good cause for termination is not eliminated in due time. The threat is not required if the breach of the Agreement cannot, by its nature, be remedied.

20.5 Furthermore, a right to terminate for good cause shall be deemed to exist in particular if the other Party suffers or threatens to suffer substantial losses in its economic circumstances, in particular if the other Party itself files for the opening of insolvency proceedings over its assets, if insolvency proceedings are opened over its assets and/or if the other Party suspends payments.

20.6 Notices of termination must be in writing to the contact information listed for the Parties in the Partner Agreement.

20.7 The Parties acknowledge and agree that following a termination of this Agreement, they shall no longer jointly determine the purposes and means of processing of the Contract Data for the Program, but will act as independent controllers. However, where a processing of the Contract Data is no longer permitted for either or both Parties as independent controllers, the relevant Party or Parties, as applicable, shall discontinue any further processing of the Contract Data. Statutory storage and archiving obligations shall remain unaffected.

20.8 Claims of the Parties arising before the termination date shall remain unaffected by the termination of this Agreement.

20.9 The provisions of this Agreement, which shall continue to apply beyond the termination of this Agreement, shall not be affected by the termination of this Agreement. This applies in particular to the confidentiality obligations agreed under this Agreement.

21. Final Provisions

21.1 Each Party shall bear its own costs incurred in connection with the execution and performance of this Agreement, unless expressly agreed otherwise in this Agreement.

21.2 The Parties may transfer personal data outside the European Union (EU) and the European Economic Area (EEA). In particular, transfers of personal data to third countries such as the United States of America (US) may be effected. Personal data that is processed outside the EU and EEA may not be covered by the same level of data protection as applicable in the EU and EEA. For this reason, the Parties have entered into the standard contractual clauses provided by the EU Commission as follows:

As personal data may be transferred from the European Union to the US under this Agreement, the conclusion of the Standard Contractual Clauses in the form issued as part of the EU Commission Decision (EU) 2021/914 ("SCCs"), as may be updated from time to time, will be necessary. For the purposes of the SCCs: as between the Parties, commercetools GmbH is considered a controller and the Partner is also considered a controller. commercetools GmbH is considered the data exporter ("Data Exporter") and the Partner is considered the data importer ("Data Importer") and, as applicable, Module One (transfer controller to controller) of the SCCs shall apply; the optional clause 7 of the SCCs is not adopted; for the purposes of clause 11 (a) of the SCCs the optional part is deleted; for the purposes of clause 13 (a) and Annex I. C, the competent supervisory authority shall be the "Bayerisches Landesamt für Datenschutzaufsicht"; for the purposes of clause 17 of the SCCs option 1 shall apply and the Parties agree that the laws of the Federal Republic of Germany shall apply; for the purposes of clause 18 of the SCCs disputes shall be resolved by the courts of Munich, Federal Republic of Germany; for the purposes of Annex I. A of the SCCs, Controller A is the Data Exporter in the role of controller with the following details: "name" is commercetools GmbH, "address" is Adams-Lehmann-Str. 44, 80797 Munich, Federal Republic of Germany, "contact person's name, position, and contact details" are provided in the relevant agreement, and the "activities relevant to the data transferred" are set forth in the relevant agreement; Controller B is the Data Importer in the role of controller with the following details: "name" is provided in the relevant agreement, "address" is provided in the relevant agreement, "contact person's name, position, and contact details" are provided in the relevant agreement, and the "activities relevant to the data transferred" are set forth in the relevant agreement; the "data subjects" are set forth in this Agreement, the "categories of personal data" are set forth in the relevant agreement, the "frequency of the transfer" is considered to be on an ongoing basis, the "nature of processing" is considered to be the processing of personal data for the processing activities necessary to perform the relevant agreement, the "purpose" is considered to be the fulfilment of the relevant agreement, and the "period" is considered to be the duration of the relevant agreement; for the purposes of Annex II of the SCCs, the security measures of the Data Importer are those set forth in Annex 3 (TOMs) to this Agreement.

21.3 This Agreement fully reflects the agreement between the Parties regarding the subject matter; no oral or other side agreements exist. Unless expressly agreed otherwise in this Agreement, all previous agreements between the Parties regarding the subject matter shall be fully replaced by this Agreement with effect from the effective date of this Agreement.

21.4 Amendments or additions to this Agreement shall require written form to be effective, unless a stricter form is required under mandatory law. The same applies to the waiver of this written form requirement. Unless expressly agreed otherwise in this Agreement, e-mails do not comply with this written form requirement. The written form requirement under this Agreement shall be deemed to have been met when the copy of a declaration is being transmitted by telecommunications (e.g. as an attachment to an e-mail) and that copy contains the signature of the person making that declaration, unless a stricter form is required under mandatory law.

21.5 This Agreement may not be assigned without the other Party's prior written consent; provided that, in connection with a merger, reorganisation, or sale of all or substantially all of a Party's assets, this Agreement shall automatically transfer to the successor in interest. In such case, the transferring Party shall notify the other Party that such transfer has occurred within thirty (30) days of such event.

21.6 This Agreement shall be governed by the laws of the Federal Republic of Germany, excluding the conflict of laws rules of private international law. The applicability of the UN Convention on Contracts for the International Sale of Goods (CISG) is excluded.

21.7 Exclusive place of jurisdiction for all disputes arising out of or in connection with this Agreement shall be the statutory seat of commercetools GmbH, unless otherwise required by mandatory law.

21.8 Should any provision of this Agreement be or become invalid or unenforceable in whole or in part, the validity of the remaining provisions of this Agreement shall not be affected. The same shall apply if and insofar as a gap in this Agreement becomes apparent. In place of the invalid or unenforceable provision or to fill the gap, an appropriate provision shall apply which, as far as legally possible, comes closest to or corresponds to what the Parties economically intended or would have intended according to the spirit and purpose of this Agreement, had they considered this point.

Annex 1
Description of the Program

The Parties may engage jointly in the following marketing, sales and/or partner management operations:

  • Management of events; and/or

  • Management of advertisements; and/or

  • Management of prospects; and/or

  • Management of branded events; and/or

  • Management of joint campaigns; and/or

  • Management of deal registrations; and/or

  • other promotional activities that may be further described in the Partner Agreement.

Annex 2
Contract Data

  • Name

  • Address (Street, Number, City, Postal Code, Country, etc.)

  • E-Mail Address (business and private, if applicable)

  • Phone number (business and private, if applicable)

  • Job title

  • IP-address

  • Department/Function

Annex 3
TOMs

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia and as appropriate, the measures referenced below:

TOMs of commercetools GmbH

See here: https://commercetools.com/toms 

TOMs of Partner

Will be available on request.