DICE & Event Partner Joint Controllership Agreement for the Use of MIO Connect
DICE & EVENT PARTNER JOINT CONTROLLERSHIP AGREEMENT (‘Agreement’) FOR THE USE OF MIO CONNECT
This Agreement explains the responsibilities of DICE FM (‘DICE’) and the Event Partner (‘You’) in connection with the parties being joint controllers for end users’ (‘Fans’) personal data, which is processed and shared between us specifically for the use of MIO Connect. You accept the terms of this Agreement by submitting an email via MIO Connect.
1. Definitions
1.1. “Controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing” and “appropriate technical and organisational measures” have the meaning as set out in the UK or EU GDPR, as applicable, and as amended/updated from time to time (the ‘GDPR’).
1.2. “Permitted Recipients” means the parties to this Agreement, the employees of each party, any third parties engaged to perform obligations in connection with this Agreement, and any professional advisors of either party.
1.3. “Personal Data” means the personal data to be processed and shared between the parties under this Agreement. Personal Data shall be confined to the contact information relevant to the Fans being contacted via MIO Connect.
2. Transparency duties
Each party is responsible for giving full information to Fans whose Personal Data may be processed under this Agreement (pursuant to the GDPR). Each party:
A. is responsible for creating and publishing their own privacy policies;
B. must ensure their privacy policies are written in clear and plain language and that they provide sufficient information to Fans for them to understand what of their Personal Data is being shared between the parties, the circumstances in which it will be shared, the purposes for the data sharing and either the identity with whom the data is shared or a description of the type of organisation that will receive the Personal Data, as well as how data subjects can exercise their requests pursuant to the rights granted by the GDPR; and
C. must ensure it has all necessary notices in place to enable lawful disclosure or transfer of the Personal Data to the Permitted Recipients in connection with this Agreement.
3. Data subject requests
Whereas data subjects may exercise the rights granted under the GDPR against any of the parties, each party is responsible for fulfilling any such requests it receives in connection with this Agreement.
4. General data protection principles.
Each party will comply with the data protection principles as set out in the GDPR. In particular, each party agrees to:
A. process Personal Data lawfully, fairly and in a transparent manner in relation to Fans;
B. collect Personal Data for specified, explicit and legitimate purposes and not further process it in a manner that is incompatible with those purposes;
C. process Personal Data in an adequate and relevant manner which shall be limited to what is necessary in relation to the purposes for which it is processed;
D. take any reasonable steps to ensure that Personal Data processed is accurate and kept up to date;
E. keep Personal Data in a form which permits identification of data subjects for no longer than is necessary for the performance of the Agreement; and
F. process Personal Data in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5. Lawfulness of processing
5.1. Each party will have a lawful basis pursuant to the GDPR for processing the Personal Data disclosed to the other party under this Agreement.
5.2. This Agreement is made pursuant to the GDPR. Nothing contained in this Agreement will be construed to represent a substitution for the obligation of the parties to rely on a lawful processing basis in compliance with the GDPR.
6. Security measures
Each party will ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data including as appropriate:
A. the pseudonymisation and encryption of personal data;
B. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
C. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
D. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
7. Notification of a personal data breach to the supervisory authority and to the data subjects.
7.1. In the event of a personal data breach affecting Personal Data under this Agreement, the party who first identifies the data breach or the party from whom the reason for the breach originates must inform the other party without undue delay, and no later than 24 hours after becoming aware of it.
7.2. The parties will jointly determine on a case by case basis whether the breach shall be notified to the competent supervisory authority and/or the affected data subjects.
7.3. Should the breach be reportable, the parties will jointly determine on a case by case basis which party notifies the breach to the competent supervisory authority and/or the affected data subjects.
8. Use of data processors and sub-processors.
8.1. The parties are entitled to use data processors and/or sub-processors in connection with the Agreement.
8.2. If any data processors and/or sub-processors are used, each party is responsible for compliance with the requirements of the GDPR. The party using processors and/or sub-processors will:
A. only use data processors who provide sufficient guarantees that they will implement appropriate technical and organisational measures in a manner that will meet the requirements of the GDPR and ensure the protection of the Personal Data, rights and freedoms of the data subject; and
B. ensure that a valid data processing agreement has been made between the party as data controller and the data processor.
9. Transfers of data to third countries.
9.1. The parties may transfer Personal Data to third countries or international organisations where it is necessary for the performance of the Agreement.
9.2. At least one of the following safeguards must be applied:
A. Standard Contractual Clauses adopted by the Commission; or
B. Binding Corporate Rules set out and approved in accordance with the GDPR.
9.3. A transfer of personal data to a third country or an international organisation may take place without any of the safeguards above where the Commission has decided that the third country ensures an adequate level of protection.
10. Organisation of contact with data subjects and supervisory authorities.
10.1. Either party may be contacted by the data subjects and supervisory authorities with regard to the provisions of this Arrangement. The parties will decide on a case by case basis how the matters for which they have been contacted shall be handled.