Common use of Joint Controller Agreement Clause in Contracts

Joint Controller Agreement. Controller Status and Allocation of Responsibilities With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Controller in respect of that Personal Data in accordance with the terms of this Annex 1 (Joint Controller Agreement). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their processing of such Personal Data as Controllers. The Parties agree that the Contractor: is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the GDPR regarding the exercise by Data Subjects of their rights under the GDPR; shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the GDPR; is responsible for obtaining the informed consent of Data Subjects, in accordance with the GDPR, for processing in connection with the Services where consent is the relevant legal basis for that processing; and shall make available to Data Subjects the essence of this Joint Controller Agreement (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the Contractor’s privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). Notwithstanding the terms of paragraph 1.2, the Parties acknowledge that a Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller. Undertakings of both Parties The Contractor and DfE each undertake that they shall: report to the other Party every six months on: the volume of Data Subject Access Requests (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf); the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data; any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation; any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; that it has received in relation to the subject matter of the Framework Agreement during that period;