DATA PROTECTION when both parties are data controllers

“Data Protection Laws” means the General Data Protection Regulation 2016/679 (hereinafter the “GDPR”) and all applicable data protection laws.

The Parties acknowledge that, in the framework of the Cooperation Agreement, each Party act as a Data Controller (where “Data Controller” means the legal person which determines the purposes and means of the Processing of Personal Information) on the Personal Data it Processes (where “Process” or “Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction) for their respective purposes. The Parties shall therefore not be construed as joint controllers and/or data processors (as set forth in the GDPR) pursuant to the Cooperation Agreement.

The Parties wish to set out the terms on which each Party will Process Personal Data for their own purposes and will transmit or disclose Personal Data to the other Party for the performance of their obligations under the Cooperation Agreement, as Data Controller.

In this context, each Party ensures that such Personal Data is Processed and transmitted in compliance with applicable Data Protection Laws.

Each Party acknowledges to transmit to the other Party Personal Data (i) that is relevant and adequate for the purpose of the Cooperation Agreement and comprehensible and up-to-date. Each Party shall inform the other Party if the Personal Data is incomplete, inaccurate or not updated and take all appropriate measures to update it, and (ii) in accordance with the rules applicable to transfers of Personal Data.

In accordance with Art. 13 and 14 of the GDPR, each Party warrants that it provides the Data subjects with all requested information regarding the Processing of Personal Data.

In accordance with Art. 15, 16, 17, 18 and 21 of the GDPR, each Party recognizes that the Data subjects have a right to access, rectify, erase, restrict or object to his/her use of Personal Data. Where it deems necessary, each Party undertakes to communicate to the other any request it may directly receive from a Data subject exercising his/her above mentioned right relating to him/her and which makes express reference to the other Party.

In accordance with Art. 30 of the GDPR, each Party undertakes to maintain a record of Processing activities under its responsibility.

In accordance with Art. 5 (1e) of the GDPR, each Party undertakes not to keep Personal Data in a form which permits identification of Data subjects for any longer than is necessary for the purposes for which the data were collected or for which they are further processed.

In accordance with Art. 32 of the GDPR, each Party shall implement and maintain appropriate environmental, safety and facility procedures, data security and back-up procedures and other administrative, technical, and physical safeguards, to protect the security, confidentiality and integrity of Personal Data and to prevent the misuse and wrongful disclosure thereof. These measures shall be designed to:

• protect against the destruction, loss, unauthorized access or alteration of Personal Information and other sensitive data provided hereunder;
• inform each Party’s employees authorized to access Personal Information of their obligation to maintain the security thereof.

Each Party will provide necessary information, co-operation and assistance reasonably requested by the other Party in relation to Personal Data, and which is in their 

possession or control for the sole purpose of complying with Applicable Data Protection Law (unless such information is classed as confidential by the disclosing Party, or such Party is otherwise legally prohibited from doing so).

Each Party will provide reasonable and necessary assistance to the other Party in connection with any investigation by any competent data protection authority in relation to the Personal Data processed in relation with the Cooperation Agreement.

Upon expiration of the Cooperation Agreement, each party shall keep the Personal Data in its data base and shall remain liable for any operation in relation with the Personal Data processed in its systems. 

Notwithstanding any other provision of this Cooperation Agreement, neither Party excludes or limits its liability under this Cooperation Agreement for breach of applicable Data Protection Laws. If a Data subject brings a claim directly against a Party for damages suffered in relation to the other’s Party breach of Data Protection Laws with regard to the Processing Personal Data, this Party will fully indemnify the other for any cost, charge, damages, expenses or loss arising from such a claim.”

Each Party agrees to apply reasonable organizational, physical, technical and administrative safeguards for Personal Data that is in its possession or under its control in order to protect the same from unauthorized Processing that would violate this Cooperation Agreement or any applicable Data Protection Laws, and in general to comply with best practices in terms of application security.