- Privacy & Cookie policy
- Terms of use
- Shipping policy
- Returns policy
- Candidates Privacy policy
- Information Newsletter
- AGREEMENT FOR THE JOINT CONTROL OF DATA PROCESSING
- Information Notice for retails
- Information Notice for Website surfers
AGREEMENT FOR THE JOINT CONTROL OF DATA PROCESSING
AGREEMENT FOR THE JOINT CONTROL OF DATA PROCESSING
pursuant to and in accordance with Article 26 of Regulation (EU) 2016/679
PARTIES
1) OWENSCORP ITALIA SPA (VAT N°: 07725270016) with headquarters at 4 VIA PONZA, 10121 TURIN, ITALY (hereinafter also referred to as "Data Controller", "Joint Controller", and "Controller1")
2) OWENSCORP FRANCE SAS (SIRET company registration number 811 163 351 00018 – VAT N° FR 43 811163351) with headquarters at 7 BIS PLACE DU PALAIS BOURBON, 75007 PARIS, FRANCE (hereinafter also referred to as "Data Controller", "Joint Controller", and "Controller2")
3) LES DEUX PALAIS SARL (VAT N° FR05488349440) with headquarters at 29 RUE DE VALOIS, 75001, PARIS, FRANCE (hereinafter also referred to as "Data Controller", "Joint Controller", and "Controller3")
4) OWENSCORP Germany GmbH, Schlüterstraße 45, 10707 Berlin (hereinafter referred to as "Controller 4").
Controller 1, 2, 3 and 4 hereinafter collectively referred to as the "Joint Controllers" and individually as a "Joint Controller".
WHEREAS
A. On 04.06.2018 Joint Controller 1, Joint Controller 2 and Joint Controller 3 entered into an agreement intended to jointly determine the purposes and means of processing certain personal data, thereby acting as joint controllers within the meaning of Article 26 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter "GDPR") (hereinafter "Agreement 1").
B. On 30.09.2025, Joint Controller 1 and Joint Controller 4 entered into an agreement intended to jointly determine the purposes and means of processing certain personal data, thereby acting as joint controllers within the meaning of Article 26 of the GDPR (hereinafter "Agreement 2").
C. The Joint Controllers intend to renew and modify the aforementioned Agreement 1 and Agreement 2.
D. The Joint Controllers acknowledge their obligation under Article 26 GDPR to determine their respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14 GDPR.
E. This Agreement sets out the respective responsibilities of the Joint Controllers concerning the joint processing activities described herein.
F. All data Controllers are established in Europe.
IT IS HEREBY AGREED as follows:
1. Definitions
Unless otherwise defined herein, terms used in this Agreement shall have the same meaning as in the GDPR.
"GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
"Joint Processing Activity/Activities": The specific processing operations identified in Schedule A, for which the Joint Controllers jointly determine the purposes and means.
2. Processing Activities
2.1. Purpose of the Processing
The Joint Controllers shall process personal data for the following purposes:
1) HR management
2) Electronic direct marketing
2.2. Categories of Personal Data Processed
RELATING TO POINT 1)
Name, surname, address, working hours, information related to family and personal situations, data on job and remuneration, economical, commercial, financial and insurance activities, education and culture, face, name, address or other personal identification data, tax code and other personal identification numbers, video surveillance recording, occupation.
In addition, Joint Controllers may obtain knowledge of special categories of data, as follows: Internet access log files, unions enrollment, racial or ethnic origins, religious beliefs, health conditions. Personal data in these special categories shall be processed in compliance with Art. 9 of the GDPR.
Furthermore, for the purposes of the aforesaid processing, the Data Controller may obtain knowledge of personal data relating to criminal convictions or offences pursuant to Art. 10 of the GDPR and in particular: information concerning judicial measures; information concerning the quality of the accused or investigated.
RELATING TO POINT 2)
The Joint Controllers shall process the following categories of data: name, surname, address, type and quantity of purchase, contact details (email; phone number).
2.3. Legal Basis for Joint Processing
RELATING TO POINT 1)
Art. 6(1)(b) GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
RELATING TO POINT 2)
Art. 6(1)(a) GDPR: the data subject consents to the processing.
2.4. Data Retention Period
In accordance with the principles of lawfulness, limitation of purpose and minimisation of data, pursuant to Art. 5 of the GDPR, the data storage period, relating to both 1) and 2), is jointly set by both Controllers for a timing not larger than the one which implies its purpose achievement, given the aim to collect data, and collected and processed for the execution and fulfillment of contract purposes; established as a period of time not exceeding the purposes for which the data were collected and processed and complying with the compulsory times required by law.
3. Respective Responsibilities of Joint Controllers (Art. 26(1) GDPR)
3.1. The Joint Controllers hereby determine and agree upon their respective responsibilities for compliance with the obligations under the GDPR with regard to the Joint Processing Activities, as set out in Schedule A (Allocation of Responsibilities) attached hereto.
3.2. Schedule B shall specify the allocation of responsibilities for:
a. Exercising of Data Subject Rights (Articles 15-22 GDPR): Which Joint Controller is primarily responsible for handling requests from data subjects regarding their rights (e.g., access, rectification, erasure, restriction of processing, data portability, objection).
b. Provision of Information to Data Subjects (Articles 13 & 14 GDPR): Which Joint Controller is primarily responsible for providing privacy notices and all required information to data subjects in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
c. Lawfulness of Processing (Article 6 GDPR): Both Joint Controllers shall ensure a valid legal basis for the joint processing.
d. Security of Processing (Article 32 GDPR): Responsibilities for implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, but not limited to, pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
e. Personal Data Breach Notification (Articles 33 & 34 GDPR): Responsibilities for detecting, managing, reporting, and communicating personal data breaches to the supervisory authority and/or data subjects, as applicable.
f. Data Protection Impact Assessments (DPIAs) and Prior Consultation (Articles 35 & 36 GDPR): Responsibilities for conducting DPIAs where required and engaging in prior consultation with the supervisory authority.
g. Data Protection Officer (DPO) (Articles 37-39 GDPR): If applicable, how the DPO (if any for each Controller, or a joint DPO) will be involved and coordinate.
h. Records of Processing Activities (Article 30 GDPR): Responsibilities for maintaining accurate and up-to-date records of processing activities.
i. Transfers of Personal Data to Third Countries or International Organisations (Chapter V GDPR): Responsibilities for ensuring compliance with conditions for transfers outside the EEA, if applicable.
j. Cooperation with Supervisory Authorities (Article 31 GDPR): Responsibilities for cooperating with supervisory authorities.
k. Responding to Inquiries from Supervisory Authorities: Which Controller is responsible for primary liaison.
3.3. Notwithstanding the allocation of responsibilities, each Joint Controller shall remain individually responsible for its general compliance with the GDPR and other applicable data protection laws.
4. Point of Contact for Data Subjects (Art. 26(3) GDPR)
4.1. For the purpose of facilitating the exercise of data subject rights and inquiries, the Joint Controllers agree that Owenscorp Italia S.p.A. shall act as the primary point of contact for data subjects. The Joint Controllers agree that the single point of contact for data subjects is: privacy@owenscorp.com.
4.2. Irrespective of the terms of this Agreement, the data subject may exercise his or her rights under the GDPR in respect of and against each of the Joint Controllers.
5. Mutual Assistance and Cooperation
5.1. The Joint Controllers shall cooperate with each other in good faith to ensure compliance with their obligations under the GDPR.
5.2. Each Joint Controller shall promptly inform the other Joint Controller of any requests from data subjects or inquiries from supervisory authorities related to the Joint Processing Activities and shall assist the other Joint Controller in responding to such requests or inquiries in a timely and appropriate manner.
5.3. The Joint Controllers shall promptly notify each other of any actual or suspected personal data breaches related to the Joint Processing Activities and shall cooperate in investigating, mitigating, and reporting such breaches as required by the GDPR.
5.4. Each Joint Controller shall provide the other with all necessary information and assistance to enable compliance with the GDPR, including assistance with DPIAs and prior consultations, if applicable.
6. Use of Data Processors
6.1. Each Joint Controller is authorized to engage Data Processors for carrying out specific processing activities on behalf of the Joint Controllers within the scope of the Joint Processing Activities, provided that such engagement is necessary and in compliance with Article 28 GDPR.
6.2. Before engaging a new Data Processor, the engaging Joint Controller shall:
a. Ensure the Data Processor provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
b. Enter into a written contract (or other legal act) with the Data Processor that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the Joint Controllers, as required by Article 28(3) GDPR.
6.3. The Joint Controller engaging the Data Processor shall remain primarily responsible for monitoring the Data Processor's compliance with its obligations under the Data Processing Agreement and the GDPR, and shall notify the other Joint Controller of any significant issues or breaches involving the Data Processor.
6.4. For the avoidance of doubt, the use of sub-processors by a Data Processor shall also be subject to the conditions set out in Article 28(2) and 28(4) GDPR.
6.5. Data processors already engaged at the starting date of the agreement shall be listed in Annex B.
7. Liability
7.1. The Joint Controllers acknowledge that, pursuant to Article 82(4) GDPR, where more than one controller or processor is involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
7.2. In the event one Joint Controller has paid full compensation for the damage suffered, that Joint Controller shall be entitled to claim back from the other Joint Controller that part of the compensation corresponding to their respective responsibility for the damage in accordance with the principles set out in this Agreement and the GDPR.
8. Review and Amendment
8.1. This Agreement shall be reviewed by the Joint Controllers if there are significant changes to the Joint Processing Activities, the applicable law, or the organizational structures of the Joint Controllers.
8.2. Any amendments to this Agreement must be made in writing and signed by authorized representatives of both Joint Controllers.
9. Entire Agreement
9.1. This Agreement, including its Schedules, constitutes the entire agreement between the Joint Controllers with respect to the subject matter hereof and supersedes all prior discussions, negotiations, and agreements, whether oral or written, relating thereto.
SCHEDULE A: ALLOCATION OF RESPONSIBILITIES
This Schedule outlines the primary responsibilities of each Joint Controller for the Joint Processing Activities. Notwithstanding this allocation, both Joint Controllers remain generally responsible for GDPR compliance.
|
Area |
Responsibilities |
|
1. Lawfulness of Processing |
Both shall ensure a valid legal basis exists for the entire processing activity. |
|
2. Transparency & Information (Art. 13 & 14) |
Joint Controllers shall provide autonomously to data subjects, information pursuant to Art. 13–14 GDPR. |
|
3. Data Subject Rights (Art. 15-22) |
The designated point of contact (as per clause 4.2) will coordinate responses. Data subjects can approach either controller. |
|
4. Security of Processing (Art. 32) |
Joint Controllers shall autonomously implement appropriate technical and organizational measures. Regular security audits and reviews will be conducted jointly. |
|
5. Data Breach Notification (Art. 33 & 34) |
Prompt mutual notification is required. Joint investigation and agreement on communication strategy. |
|
6. DPIA & Prior Consultation (Art. 35 & 36) |
Joint Controllers shall determine if a DPIA is required and collaborate on its execution and any subsequent prior consultation. |
|
7. Records of Processing (Art. 30) |
Each controller is responsible for their own Article 30 records. Each Controller must ensure these records accurately reflect the joint processing activities and can be shared upon request. |
|
8. Data Protection Officer (DPO) |
DPOs shall liaise regularly to ensure consistent advice and compliance regarding the joint processing. |
|
9. International Transfers (Chapter V) |
Joint Controllers shall ensure that any international transfers of jointly processed data comply with Chapter V of the GDPR. |
|
10. Cooperation with SA |
Joint Controllers shall cooperate fully with supervisory authorities concerning the joint processing activities. |