JOINT CONTROL AGREEMENT
pursuant to Art. 26 of European Regulation 679/2016 – GDPR
BETWEEN
Fondazione Centro Euro-Mediterraneo sui Cambiamenti Climatici, VAT no.IT03873750750 with
registered office in Lecce, 73100, via Marco Biagi, 5, represented by its President Antonio Navarra,
domiciled for this purpose at the aforesaid office;
Verein Der EuropaeischenBurgerwissenschaften – ECSA E.V. (ECSA), VAT n.a. with registered
office in Museum für Naturkunde Berlin; Leibniz-Institut für Evolutions- und
BiodiversitätsforschungBereichsleitungWissenschaftskommunikation und Wissensforschung, Berlin
D-10115, Invalidenstraße 43, represented by its Managing Director Dorte Riemenschneider,
domiciled for this purpose at the aforesaid office;
Barcelona Supercomputing Center-Centro Nacional De Supercomputacion (BSC CNS), VAT no.
ESS0800099D, with registered office in Barcelona, 08034, represented by its BSC Director Mateo
Valero Cortés, domiciled for this purpose at the aforesaid office;
Centro Internazionale in Monitoraggio Ambientale – Fondazione CIMA (Fondazione CIMA), VAT
- IT01503290098, with registered office in Savona, 17100, Via Via Magliotto 2, represented by its
President Luca Ferraris, domiciled for this purpose at the aforesaid office;
IcleiEuropeanSecretariat GmbH (ICLEI EUROPASEKRETARIAT GMBH) (ICLEI EURO),VAT
- DE153445986, with registered office in Freiburg, 79098 ,Leopoldring 3, represented by its
Managing Director Wolfgang Teubner, domiciled for this purpose at the aforesaid office;
Agenzia Per La Promozione Della Ricerca Europea (APRE), VAT no. IT03929151003, with
registered office in Rome, 00184, via Cavour 71, represented by its Director Marco Falzetti, domiciled
for this purpose at the aforesaid office;
Internationales Institut Fuer Angewandte Systemanalyse (IIASA), VAT no. ZVR 524808900with
registered office in Laxenburg, 2361, Schlossplatz 1, represented by its Director General Albert van
Jaarsveld, domiciled for this purpose at the aforesaid office;
Stiftelsen The Stockholm Environment Institute (SEI HQ), VAT no. SE802014076301 and
organization number no. 802014-0763, with registered office in Stockholm, 104 51,Linnégatan 87D,
BOX 24218, represented by Financial Director Simon Persson, domiciled for this purpose at the
aforesaid office;
FundacionIbercivis, VAT no. ESG99330094, with registered office in Zaragoza, 50018, C/Mariano
Esquillor Gómez S/N, Edificio I+D, 802014-0763, represented by its Executive Director Francisco
Sanz García, domiciled for this purpose at the aforesaid office;
Athens Technology Center AnonymiViomichanikiEmporiki Kai
TechnikiEtaireiaEfarmogonYpsilisTechnologias, VAT no.GR094360380, with registered office in
Chalandri, 15233, Rizariou street, represented by General Manager Yiannis Kliafas, domiciled for this
purpose at the aforesaid office;
Universite De Geneve (UNIGE), VAT no. CHE1149273676TVA, with registered office in Geneve,
1211, 24 rue du Général-Dufour, represented by its Vice-Rector Brigitte Galliot, domiciled for this
purpose at the aforesaid office;
Sei Oxford Office Limited, VAT no. GB 799904649, with registered office in Oxford, OX2 0ES, Eco
Centre, Roger House, Osney Mead, represented by its Director Ruth Butterfield, domiciled for this
purpose at the aforesaid office.
Henceforth, the parties shall be jointly referred to as the ‘Joint Controllers‘ or ‘Parties’.
WHEREAS
1) the Parties signed a Consortium Agreement and a Grant Agreement(herein referred to as the
“Contracts”), both relating to the implementation of a joint project, called ‘AGORA’ consisting in
support the overall objectives of the Mission on Adaptation to Climate Change by leveraging and
step forwarding best practices, innovative approaches, policy instruments and governance
mechanisms to meaningfully and effectively engage communities and regions in climate actions,
accelerating and upscaling adaptation process for building a climate resilient Europe.
2) It will promote democracy, climate justice, gender equality, equity, and foster adaptive capacity and
citizens’ empowerment to proactively support decision-making processes;
3) the Parties, by mutual agreement and for the pursuit of the purposes underlying the joint project
‘AGORA’, intend to set up an online platform to collect and subsequently use the personal data of
the stakeholders that may be interested in being involved in the aforementioned project;
4) the Parties, by consensus, have determined that the creation and maintenance of this online
platform will be taken care of by APRE;
5) that on 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of personal
data and on the free movement of such data and repealing Directive 95/46/EC (General Data
Protection Regulation) (hereinafter, more simply, “GDPR”) became fully operational;
6) Article 4(1)(7) of the GDPR defines data controller “as the natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”;
7) Pursuant to Article 26(1) of the GDPR “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects”;
8) pursuant to Article 26(2) of the GDPR “The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject”;
9) the Parties not incorporated within the European Union, specifically UNIGE and Sei Oxford
Office Ltd., strictly adhere to relevant national laws regarding data protaction matters, wich have
been subject to an adequacy decision of the European Commission;
10) it is the intention of the Parties to regulate in a transparent manner their mutual rights and
obligations as a result of the strict observance of the rules and principles contained in the GDPR
and the relevant national laws of each Party on data protection, with particular regard to the
exercise of the rights of the data subject, as well as their respective roles in the communication of
information to the data subjects, by signing this Agreement;
THE FOLLOWING IS AGREED AND STIPULATED
Article 1 – Preliminary Agreements
- Within the scope of their respective responsibilities, the Joint Controllers shall at all times perform
their obligations in accordance with this Agreement and in such a way that they process the data
without violating applicable legal provisions.
- It is understood between the Parties that, pursuant to Article 26(3) of Regulation (EU) 2016/679,
irrespective of the provisions of this Agreement, the data subject may exercise his or her rights towards and against each Data Controller.
- Consistently with their mission and values, the Joint Controllers mutually undertake to protect the
personal data of every natural person who comes into contact with them (‘Data Subject’), respecting
the identity, dignity of every human being and the fundamental freedoms guaranteed in accordance
with the GDPR and the relevant national laws on the protection of individuals with regard to the
processing of personal data and the free movement of such data.
- No rights to revision of prices or other forms of commitment, also economic, already defined
between the Parties, arise from this Agreement, since these are obligations and fulfilments deriving
from legal regulations already known.
- This Agreement cancels and/or supersedes any and all existing contractual arrangements between
the Parties on the same matter and their relations shall be governed exclusively by this Agreement.
- Any amendment or addition to this agreement may only be made in writing under penalty of
nullity.
- The essential content of this Agreement shall be made available to the Data Subject through the
online platform.
Article 2 – Object of data processing
- The Joint Controllers, with regard to the processing of Personal Data, agree on the decisions
regarding the purposes and means of data processing, as defined in the Grant Agreement, insofar as
such processing relates to the AGORA project.
- The joint control relates to the processing of all data that will be acquired by the stakeholders
through the platform, as well as through specific online forms, interviews and project events (such as
focused groups, workshops and other relevant events to the project) in person and/or virtual in paper
and/or electronic format, better specified in the Contracts.
- The activities underlying this agreement entail the processing of the following categories of
personal data regarding the interested stakeholders: Name; Surname; Age; Sex; Organisation;
Category: area of expertise/type of stakeholder (NGO, public sector, etc.); Country; Position
(Director, Professor, Researcher, etc.); E-mail; Website.
The above mentioned data may be supplemented, due to the duration of the project, by the Joint
Controllers on the basis of eventual emerging needs that cannot be foreseen at the date of signing this
agreement. The Joint Controllers, however, undertake to give precise notice to the Data Subjects,
through the information sheet on the data processing provided according to Article 13 of the GDPR,
of the data categories processed in connection with the project’s activities.
- Hereby the Joint Controllers agree that the personal data of the Data Subject shall be processed for
scientific research, networking and uptake purposes, as better explained in the documents of the
AGORA joint project. To this end, the data may be archived, stored, used for sending invitations to
events, workshops and relevant initiatives and activities, included but not limited to questionnaires,
newsletters and project updates.5. The data may under no circumstances be shared with or transferred to parties other than the Joint Controllers.
Article 3 – Duration and Effects upon Termination of the Contract
- This Agreement shall become effective when all the Parties will have signed it and shall be valid and
effective until the expiry, original or extended, of the contractual relationship binding the Joint
Controllers, or its termination for any reason whatsoever.
- Therefore, the processing of personal data under the joint control regime shall last no longer than
it is necessary for the purposes for which the personal data were collected, and such data shall be
safely stored in the systems and databases of the Joint Controllers in a form that allows the
identification of the Data Subjects for a period of time not exceeding the aforesaid period, unless the
processing and storage of such data by each of the Joint Controllers is required by the applicable law.
- Following the termination of the data processing or the termination of the underlying contractual
relationship, whatever the cause, the Joint Controllers shall be obliged to provide for the complete
destruction of the personal data processed, except in cases where the preservation of the data is
required by law or where autonomous circumstances arise that justify the continuation of the
processing of the data by the individual Joint Data Controllers, in a limited manner and for the
period of time strictly necessary for this purposes.
- Except as indicated in the preceding paragraphs, the personal data of the Data Subjects may be
retained by the Joint Controllers, where the former have given their express consent for the use of
their data for further purposes. For these purposes, each party shall act as an autonomous Data
Controller.
Article 4 – Obligations between the Parties
- The protection of personal data is based on compliance with the principles set out in this
document, which the Joint Controllers undertake to disseminate, respect and ensure, with their
directors, employees, collaborators and eventual third parties, with whom the Joint Controller may
collaborate in the performance of their activities. In particular, the Joint Controllers are committed to
ensure that the personal data protection policy is understood, implemented and supported by all
subjects, internal and external, involved in the activities of the Joint Controllers.
- The Joint Controllers undertake to maintain and guarantee the confidentiality and protection of
personal data collected, processed and used under this agreement. In particular, each of them
undertake to:
- a) process personal data in a lawful, correct and transparent manner in compliance with
relevant legislation, in particular the GDPR, and only for the time strictly necessary for
the intended purposes, including those necessary to comply with legal obligations;
- b) collect personal data limited that are indispensable for carrying out the activities
constituting the joint project (relevant and limited personal data);
- c) process personal data according to the principles of transparency only for the specific
purposes expressed in the information policy pursuant to article 13 of the GDPR;
- d) adopt processes for updating and rectifying personal data processed to ensure that
personal data are, as far as possible, correct and up-to-date;
- e) preserve and protect the personal data in its possession with the best available
preservation techniques;
- f) ensure the continuous updating of personal data protection measures. This
commitment will be constantly followed within the framework of the principle of
accountability by consistently implementing appropriate technical and organizational
measures and policies to ensure and be able to demonstrate that processing is carried
out in accordance with the GDPR and all relevant national laws, taking into account
the state of the art, the nature of the personal data stored and the risks to which they
are exposed;
- g) ensure the timely recovery of the availability of personal data in the event of a physical
or technical incident
- h) make clear, transparent and relevant the means through which personal data are
processed and stored in order to ensure adequate security;
- i) foster the development of a sense of responsibility and awareness throughout each
organization towards personal data, seen as the property of the Data Subject;
- j) ensure compliance with the laws and regulations applicable to the protection of
personal data by updating data protection management where necessary;
- k) prevent and minimize, within the limits of available resources, the impact of potential
breaches or unlawful and/or harmful processing of personal data;
- The Joint Controllers undertake in particular to guarantee the exercise of the rights of the Data
Subject and to provide the information referred to in Articles 13 and 14. This information will be
provided directly by APRE at the time of registration on the platform to be set up.
- The communication of the personal data necessary to ensure the pursuit of the joint project
objectives shall take place taking care that the personal data are accurate, true, up-to-date, relevant and not excessive in relation to the purposes for which they were collected and will be subsequently
processed.
Article 5 – Persons authorised to process and internal contact persons
- Each of the Joint Controllers shall identify and designate the persons authorised to carry out
processing operations related to the purposes of the joint project.
- The Joint Controllers guarantee that their employees and collaborators are trustworthy and have
full knowledge of the data protection regulations.
- Within each organization, an internal contact person shall be identified by each Party, with the task
of liaising with those designated by the other Parties, to oversee the proper fulfilment of the
provisions of this agreement.
Article 6 – Data Processors
- Each of the Joint Controllers which deems necessary to employ a data processor for the
performance of specific tasks required in the framework of the joint project shall give the other Parties
due notice thereof.
- Specific data protection obligations shall be imposed on the data controller by means of a contract
or other legal act pursuant to Union or Member State law, providing in particular sufficient
guarantees to implement appropriate technical and organizational measures so that the processing
meets the requirements of the applicable law.
- The relationship between the processor and any of the Parties of this agreement shall be governed
by Article 28 of the GDPR.
Article 7 – Breach of personal data
- In the event of any breach of the security of personal data leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored
or otherwise processed and likely to jeopardize the rights and freedoms of individuals whose personal
data are processed in the context of the joint project, the coordination activity for the purposes of
complying with the obligations set out in Articles 33 and 34 of the GDPR is entrusted to APRE, in
light of its management position with respect to the platform, which will take care of the preparation
of a specific document (Data Breach Policy), where not already existing and adopted.
- Upon the occurrence of a personal data breach, the non-coordinator Joint Controller shall:
- a) promptly inform the other Parties, however within 24 hours from the discovery of the
event, that it has become aware of a breach, providing all the details of the breach
suffered, in particular a description of the nature of the personal data breach, the
categories and approximate number of data subjects involved, as well as the categories
and approximate number of data records involved, the impact of the personal data
breach on the data subjects concerned and the measures taken to mitigate the risks;
- b) provide assistance in dealing with the breach and its consequences, especially for the
Data Subject involved. It will also act to mitigate the effects of breaches, proposing
timely corrective actions and implementing all corrective actions approved and/or
requested by the coordinator. These measures are required to ensure a level of security
appropriate to the risk related to the Processing performed.
- Each Joint Controller undertakes to establish and keep up-to-date an internal register of personal
data breaches and to collect and store all documents relating to each breach, including those relating
to the circumstances of the breach, its consequences and the measures taken to remedy it.
Article 8 – Decisions on international transfers of personal data
- This agreement provides that personal data will be processed within the territory of the European
Union, Switzerland(Commission Decision of 26th July 2000, C(2000) 2304) and of the United
Kingdom, which guarantees adequate protection of personal data (Commission Implementing
Decision of 28th June 2021, C(2021) 4800 Final).
- In the event that, for technical and/or operational reasons it becomes necessary to use entities
located outside the European Union, the Switzerland and the United Kingdom, the transfer of
personal data, limited to the performance of specific Processing activities, will be regulated in
accordance with Chapter V of the GDPR. All necessary precautions will therefore be taken to ensure
the fullest protection of personal data based on such transfer:
- on adequacy decisions of third country recipients by the European Commission;
- on adequate guarantees given by the third-party recipient pursuant to Article 46 of the
GDPR;
iii. on the adoption of binding corporate rules.
Article 9 – Exercise of Rights of the Data Subject and Project Contact Person
- The Joint Controllers agree that APRE, in light of its management position on the platform, shall
identify a Project Contact Person as the point of contact for the Data Subjects. Requests for the
exercise of rights and any complaints submitted by the Data Subjects shall be handled by the Project
Contact Person. However, the Data Subjects may exercise their rights towards each Joint Controllers.
- In particular, if the Project Contact Person receives requests from the Data Subjects for the purpose
of exercising his or her rights, he or she shall:
– promptly notify each Party in writing, enclosing a copy of the requests received;
– coordinate, where necessary and within its competence, with the internal functions
designated by each Party to manage relations with the Data Subject;
– verify the existence of the prerequisites and allow, defer or refuse its exercise, giving
timely written notice thereof to each Co-owner by certified e-mail.
- The Project Contact Person shall also provide assistance to each of the Joint Controllers in the
context of administrative and judicial proceedings instituted by the Data Subject or the Supervisory
Authority as a result of the activity referred to in this Article.
- The contact person will be made known to the Data Subjects by means of the information notice
pursuant to Art. 13, which will be made available on the platform.
Article 10 – Liability for Breach of Provisions
- The Joint Controllers shall be jointly and severally liable for the full amount of the damage in order
to ensure the effective compensation of the Data Subject. Therefore, each Party may have to
compensate in full any Data Subject who proves to have been damaged by the processing activities.
Only at a later stage, the Joint Controller who has compensated the Data Subject in full may have
recourse against the Joint Controllers actually liable for the damage, by exercising recourse action.
- Damage caused to the Data Subject in cases of force majeure shall also be borne jointly and
severally by the Joint Controller. The Joint Controller who has paid shall have recourse against the
others.
Article 11 – Null, void or ineffective clauses
- Should one or more of the clauses of this agreement be or become contrary to mandatory rules or
public policy, they shall be considered non existing and shall not affect the validity of this agreement,
without prejudice to the right of each party to request an amendment to the agreement if the mere
elimination of the invalid clause would seriously impair its rights.
Article 12 – Communications
- Any notice relating to this Agreement shall be given in writing, thorough mail, addressed at the
registered office of each Party. This address may be changed by either Party by notifying the other
pursuant to this Article.
Article 13 – Counterpart Clause
This Agreement may be executed in counterparts, each of which shall be deemed to be an original,
and all of which shall constitute one and the same agreement.
You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.