Joint Controller Agreement
This AGREEMENT is made on OCTOBER 15, 2021 BETWEEN:
(1) Citizens of Humanity Europe S.r.l. with its registered office in Via Savona, 97, 20144 Milano (MI) (“COH EU”)
(2) Citizens of Humanity, LLC, a Delaware limited liability company with its principal office in 5715 Bickett Street, Huntington Park, California 90255 (“COH LLC”)
IT IS AGREED:
1. DEFINITIONS AND INTERPRETATION
For the purpose of this Agreement the following terms shall have the following meanings:
"Agreement" means this Joint Controller Agreement, including all clauses of, and Appendices to this Agreement.
"Applicable Data Protection Laws" means the national legislation protecting the fundamental rights and freedoms of individuals and, where required by law, legal entities, and in particular, their right to privacy with respect to the processing of Personal Data and which contains restrictions or requirements on the cross border transfer of Personal Data, including but not limited to the Regulation (EU) 2016/279 General Data Protection Regulation (“GDPR”), any Local Law, or any legislation which substantially replaces or amends the GDPR, in respect of personal data processed by a controller established in a Member State of the EEA.
"Controller" means the natural or legal person, public authority, agency or any other entity or person who alone or jointly with others determines the purposes and means of the processing of Personal Data.
"Data Subject" means a natural person who can be identified, whether directly or indirectly, including by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, and to the extent that corporate entities or deceased persons receive the same or similar protection as natural persons under the Applicable Data Protection Laws, shall also include corporate entities or deceased persons.
"Data Transfer" means any transfer of Personal Data to any Party to this Agreement or any third party, including without limitation providing access to Personal Data without physical transfer of Personal Data.
"Effective Date" means the date on which this Agreement is executed by both Parties.
"Joint Controllers" means the Parties exercising joint data processing as Controllers, as set out in Clause 2.
"Local Law" means any and all laws in any jurisdiction where a Party is based implementing the Directive or the GDPR or, for Parties based in non-EU states, any laws corresponding substantially in their scope to the Directive or the GDPR.
"Party" or "Parties" means a party or the parties to this Agreement.
"Personal Data" means any information relating to an identified or identifiable Data Subject or as otherwise defined as such in the Applicable Data Protection Laws.
“Site” or “website” means a website owned or controlled by a Party as to which a Party receives, stores, transmits or processes Personal Data of Data Subjects entitled to the benefits of Applicable Data Protection Laws.
“Standard Contractual Clauses” means the clauses drafted by COH EU and COH LLC, pursuant art. 46 GDPR and based on the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. SCOPE OF THE JOINT CONTROLLER AGREEMENT
2.1 This joint controller agreement, pursuant to art. 26 GDPR, governs the data processing activities arising in connection with the Site and social media channels of the Parties, and their activities arising in connection with the offer and/or retail sale of products performed through the e-commerce platforms that are available through the Site as further described in Schedule 1 (the "Joint Processing").
3. PROCESSING OF PERSONAL DATA
3.1 The Parties shall process Personal Data as Joint Controllers only for the purposes and to the extent as set out in Clause 2. Processing for any other purpose determined by either of the Parties shall be conducted under sole responsibility of the Party that determines such purpose.
3.2 As concerns the processing of Personal Data, the Parties agree and warrant:
3.2.1 to process the Personal Data in accordance with the Applicable Data Protection Laws applicable to the respective Party;
3.2.2 to have in place appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected;
3.2.3 that the Personal Data have been collected and processed by the Parties in accordance with the Applicable Data Protection Laws applicable to the respective Party;
3.2.4 that each Party will provide the other Party, when so requested, with copies of the Applicable Data Protection Laws;
3.2.5 that each Party will provide the other Party, upon reasonable request, evidence of compliance with the Clause 3.2.3.
4. DATA SUBJECTS AND ENFORCEMENT
4.1 The Parties agree that Data Subjects may enforce and rely on this Agreement only to the extent required under the Applicable Data Protection Laws. Accordingly, except as set forth in Applicable Data Protection Laws, nothing contained in this Agreement will entitle anyone (including Data Subjects), other than the Parties to any claim, cause of action, remedy or right of any kind whatsoever.
4.2 A person who is not a Party to this Agreement has no right, whether as a third party beneficiary, or under any equivalent local legal principle or law, to enforce any term of this Agreement except to the extent set out in Clause 4.1.
4.3 This Agreement may be terminated and any term may be amended or waived without the consent of any Data Subject.
5. CONTROLLERS' OBLIGATIONS
5.1 The Parties acknowledge that they are as Controllers jointly responsible for the fulfilment of the obligations of Controllers but are obliged to distribute their respective responsibilities pursuant to Art 26 GDPR.
5.3 Any fulfilment of Data Subjects' rights pursuant to Art 15 - 22 GDPR shall be handled by COH EU. For this purpose, COH LLC shall inform COH EU of any enquiry made by the Data Subjects or any authorities concerning the data processing by the Parties as Joint Controllers without undue delay after receiving such enquiry and shall, as the case may be, provide reasonable and necessary support in fulfilment of such Data Subjects' rights.
6. LIMITATION OF LIABILITY
6.1 Subject to Clause 4, the Parties shall be liable for all direct losses and damages, provided, however, that to the maximum extent permissible by law, the Parties shall not be liable for any losses or damages arising by reason of lost profits, turnover, data or opportunity nor for any indirect or consequential losses, arising out of, or in connection with, any breaches by them of this Agreement.
7. STANDARD CONTRACTUAL CLAUSES
7.1 Any processing operation involving the transfer of personal data between COH EU and COH LLC shall be covered by the intercompany agreement entered into by the Parties and the SCC. COH EU and COH LLC agree that the SCC shall be directly binding between COH LLC as data importer (as defined therein) and COH EU acting as data exporter (as defined therein) with respect to Personal Data processed jointly. References in the SCC to various articles and terms will be treated as references to the relevant and appropriate articles in the GDPR.
8.1 The Parties acknowledge that nothing in this Agreement constitutes a transfer or assignment of any ownership rights (including any intellectual property rights) in respect of the Personal Data.
8.2 The Parties will use their best endeavors to procure that any necessary third party executes and performs all such further deeds, documents, assurances, acts and things as any of the Parties to this Agreement may reasonably require by notice in writing to any other party to carry the provisions of this Agreement into full force and effect.
8.3 None of the Parties may assign or transfer any of the rights or obligations under this Agreement without the prior written consent of each other Party's authorized representative.
8.4 This Agreement shall be governed by the substantive laws of Italy.
8.5 All disputes arising out of or in connection with this Agreement shall exclusively be settled by the competent courts of Milan.
SCHEDULE 1 – JOINT PROCESSING ACTIVITIES
Joint controllership’s purposes
The transfer is made for the following joint controllership’s purposes:
· Answering questions and processing user requests
· To allow registration requests to the Site
· Executing the e-commerce services
· Ensuring the technical operation of the Site and the Platforms
· Using the “gift card” service
· Compliance with legal obligations
· Marketing communications
· Profiling activities
· Data analysis to obtain trends and improve the Site and the Platform
· Fraud protection
· Protection of our legitimate and legal interests
Categories of Personal Data
The transfer is related to the following categories of Personal Data:
· Personal Data;
· Contact and address details;
· Information related to the order (shipping details);
· Information related to the payment method;
· Invoicing data;
· Information related to consumer preferences;
· Requests for notification regarding product availability
· Gift card balances and uses
· Operation of a “loyalty” program, if offered
· Marketing details;
· Tracking information;
· Information relating to disputes with customers.
According to guidance from the European Data Protection Board, Standard Contractual Clauses remain a valid mechanism to transfer data, if there are supplementary measures that prevent government surveillance of personal data.
Data controllers are required to review data transfers that rely on Standard Contractual Clauses to ensure that there are adequate supplementary measures in place.
In relation to the Personal Data measures hereunder must include, but not be limited to:
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to the Personal Data in the event of a physical or technical incident;
- the prevention of unauthorized persons’ gaining access to data processing systems (physical access control);
- the prevention of data processing systems being used without authorization (logical access control);
- ensuring that individuals entitled to use a data processing system gain access only to such Personal Data as they are entitled to access in accordance with their legitimate access rights, and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control);
- ensuring the establishment of an audit trail to document whether and by whom the Personal Data have been entered into, modified in, or removed from data processing systems (entry control):
- ensuring that the Personal Data is Processed solely in accordance with the relevant Data Exporter’s instructions (control of instructions);
- Data Importer must maintain and enforce at least equal to best industry standards and practices for such types of service locations.
Citizens of Humanity Europe S.r.l. and Citizens of Humanity LLP take the following supplemental controls to protect data from mass surveillance.
- Encryption Standards