ESSENCE OF THE JOINT CONTROLLERSHIP AGREEMENT PURSUANT TO ART. 26 (2) GDPR
This information is provided in accordance with Art. 26 (2) of the General Data Protection Regulation (“GDPR”). It describes the essence of the Joint Controllership Agreement pursuant to Art. 26 GDPR signed by the companies that are part of the Design Holding Group.
- The Parties
The companies that are part of the Agreement are the following:
- Design Holding S.p.A. (VAT NUMBER IT10446470964), with registered office at Via Alessandro Manzoni, 38, 20121, Milano (Italy)
- Flos S.p.A. (VAT NUMBER IT00290820174), with registered office at Via Angelo Faini, 2, 25073, Bovezzo (Italy)
- B&B Italia S.p.A. (VAT NUMBER IT07122350965), with registered office at Via Durini, 14, 20122, Milano (Italy)
- Louis Poulsen A/S (VAT NUMBER DK59742817), with registered office at Kuglegårdsvej 19 DK-1434 København K, Copenhagen (Denmark)
- International Design Group S.p.A. (VAT NUMBER IT 10462810960), with registered office at Via Alessandro Manzoni 38 – 20121 Milano (Italy)
- D Studio – Copenhagen ApS, with registered office at Kuglegårdsvej 13, DK-1434, Copenhagen (Denmark)
The Agreement is open to accession by other companies that are or will in the future become part of the same group of Companies (currently Design Holding group).
- Subject matter of the Agreement
The Parties intend to implement a group-wide marketing strategy aimed at the promotion of all DH Group Brands, which includes the processing of Personal Data relating to their Customers for marketing and profiling purposes. Accordingly, subject to the specific consent of the Data Subjects, each Party shall transfer the Personal Data of its Customers into a common database held and managed by Design Holding, which is accessible by all Parties. Personal Data included in the database can be processed for common marketing and profiling activities relating to the Brands of DH Group, either wholly or singularly.
Notwithstanding the fact that Design Holding hosts and directly manages the database, the Parties jointly determine the means and purposes of the Federated Activities and shall therefore qualify as joint data controllers pursuant to Article 26 of the GDPR. The Parties define every aspect relating to the performance and implementation (either by themselves or through third parties appointed as Processors) of the Federated Activities, if necessary also through the conclusion of specific and additional written agreements detailing the personal data shared, the means, the purposes of the Federated Activities, the security measures to be adopted and the relevant technical standards.
The Parties acknowledge that, with regard to the processing activities of personal data different from the Federated Activities carried out under the Agreement, each Party shall autonomously determine the purposes and means of processing. Therefore, in this respect, each Party shall qualify as autonomous Controller and assumes separate responsibilities under applicable legislation.
- General obligations of the Parties
The Parties will carry out the Federated Activities through computer, automated and/or paper instruments in compliance with the principles of fairness, lawfulness, transparency, accuracy, integrity, data minimization and purpose and storage limitation, as well as in accordance with the provisions of the GDPR and the applicable data protection legislation.
The Parties guarantee the security and confidentiality of the personal data subject to the Federated Activities in light of the GDPR and applicable data protection legislation.
The Parties undertake to process the Personal Data falling under the Federated Activities only for the purposes for which they agreed and, also after the termination for any reason of the Agreement, not to use the Personal Data for different purposes, unless this is necessary for the fulfilment of legal obligations or for the protection of the Parties’ rights before any competent authorities.
The Parties undertake to adopt all technical, logical and organizational security measures pursuant to Article 32 GDPR, in order to guarantee the protection of Personal Data processed under the Agreement and to ensure a level of security appropriate to the risks to the rights and freedoms of the Data Subjects.
Should this be necessary to ensure the proper carrying out of the Federated Activities, each Party shall undertake to adopt and sign with third parties - the Processors - specific contracts or other legal acts pursuant to Article 28 of the GDPR, according to Article 3.6 above.
In case of a Personal Data Breach (as defined in Article 4(12) of the GDPR), or in the event that a Party has reason to suspect that such a breach may reasonably occur, it will notify the other Parties immediately and in any case within a maximum of 12 (twelve) hours from the moment in which it became aware of the breach or from the moment in which it became aware of information that would suggest the occurrence of such a breach. In this case, each Party undertakes to provide maximum cooperation and assistance in order to identify and implement all corrective measures to eliminate or in any case limit the effects of the breach as much as possible.
- Transfer of Data outside EEA
The Parties acknowledge and agree that if the Personal Data processed under the Agreement should be transferred or processed – also through Processors or Sub-Processors – in a country located outside the European Economic Area (“EEA”) for which no adequacy decision has been issued by the European Commission, they shall resort to one of the mechanisms provided for by Articles 46 ff GDPR. In particular, the Parties shall resort to the standard clauses for the transfer of personal data to third countries approved by the European Commission, as well as assess the actual level of protection of personal data ensured to the Data Subjects in the aforementioned country. The Parties shall take into account both the mechanisms pursuant to Articles 46 ff GDPR concretely adopted and the legislation of that third country of destination, and adopt, if necessary, additional security measures aimed at the protection of personal data, such as cryptography.
- Rights of the Data Subjects/Single Point of Contact
The Parties have designated a single point of contact for the exercise of the Data Subjects’ rights pursuant to Articles 15-22 GDPR, this being, that can be contacted at the following e-mail address: email@example.com (the “Leading Party”).
Notwithstanding the foregoing, Data Subjects may validly contact each of the Parties in order to enforce their rights with respect to the Federated Activities and each Party shall comply with the same procedure established by the Parties for the management of Data Subjects’ requests. If necessary, the Party who first receives the request (the “Receiving Party”) shall communicate it to the other Parties within 3 working days, sending them a copy, in order to collaborate actively to give timely feedback to these requests and agree on the actions to be taken in accordance with the provisions of paragraph 3 below.
All requests made by the Data Subjects to enforce their rights must be delivered in a manner that allows the verification of the identity of the relevant Data Subjects (e.g. by means of a named email address) and the identity of persons that they may appoint as their representative.
The Receiving Party shall provide the Data Subjects with information on action taken on their requests without undue delay and in any event within 1 (one) month of receipt of the request. That period may be extended by 2 (two) further months where necessary, taking into account the complexity and number of the requests. The Receiving Party shall inform the Data Subjects of any such extension within 1 (one) month of receipt of the request, together with the reasons for the delay. Each response should be agreed upon in advance by the Parties before being provided. Where possible, the Receiving Party shall provide all feedback to the Data Subjects on privacy matters from a dedicated e-mail account.
Where the Parties are involved in the same processing and where they are, pursuant to Article 82, paragraphs 2 and 3 of the GDPR, responsible for any damage caused by processing, each Party shall be held liable for the entire damage in order to ensure effective compensation of the Data Subject.
Each Party shall remain solely and exclusively liable for the damage caused by its own processing infringing the GDPR, as well as if it has acted in a manner that is different from or contrary to the requirements contained in this Agreement.