JOINT CONTROL AGREEMENT

pursuant to Art. 26 of European Regulation 679/2016 – GDPR

BETWEEN

 

Fondazione Centro Euro-Mediterraneo sui Cambiamenti Climatici, VAT no.IT03873750750 with

registered office in Lecce, 73100, via Marco Biagi, 5, represented by its President Antonio Navarra,

domiciled for this purpose at the aforesaid office;

 

Verein Der EuropaeischenBurgerwissenschaften – ECSA E.V. (ECSA), VAT n.a. with registered

office in Museum für Naturkunde Berlin; Leibniz-Institut für Evolutions- und

BiodiversitätsforschungBereichsleitungWissenschaftskommunikation und Wissensforschung, Berlin

D-10115, Invalidenstraße 43, represented by its Managing Director Dorte Riemenschneider,

domiciled for this purpose at the aforesaid office;

 

Barcelona Supercomputing Center-Centro Nacional De Supercomputacion (BSC CNS), VAT no.

ESS0800099D, with registered office in Barcelona, 08034, represented by its BSC Director Mateo

Valero Cortés, domiciled for this purpose at the aforesaid office;

 

Centro Internazionale in Monitoraggio Ambientale – Fondazione CIMA (Fondazione CIMA), VAT

1. IT01503290098, with registered office in Savona, 17100, Via Via Magliotto 2, represented by its

President Luca Ferraris, domiciled for this purpose at the aforesaid office;

 

IcleiEuropeanSecretariat GmbH (ICLEI EUROPASEKRETARIAT GMBH) (ICLEI EURO),VAT

1. DE153445986, with registered office in Freiburg, 79098 ,Leopoldring 3, represented by its

Managing Director Wolfgang Teubner, domiciled for this purpose at the aforesaid office;

 

Agenzia Per La Promozione Della Ricerca Europea (APRE), VAT no. IT03929151003, with

registered office in Rome, 00184, via Cavour 71, represented by its Director Marco Falzetti, domiciled

for this purpose at the aforesaid office;

 

Internationales Institut Fuer Angewandte Systemanalyse (IIASA), VAT no. ZVR 524808900with

registered office in Laxenburg, 2361, Schlossplatz 1, represented by its Director General Albert van

Jaarsveld, domiciled for this purpose at the aforesaid office;

 

Stiftelsen The Stockholm Environment Institute (SEI HQ), VAT no. SE802014076301 and

organization number no. 802014-0763, with registered office in Stockholm, 104 51,Linnégatan 87D,

BOX 24218, represented by Financial Director Simon Persson, domiciled for this purpose at the

aforesaid office;

 

FundacionIbercivis, VAT no. ESG99330094, with registered office in Zaragoza, 50018, C/Mariano

Esquillor Gómez S/N, Edificio I+D, 802014-0763, represented by its Executive Director Francisco

Sanz García, domiciled for this purpose at the aforesaid office;

 

Athens Technology Center AnonymiViomichanikiEmporiki Kai

TechnikiEtaireiaEfarmogonYpsilisTechnologias, VAT no.GR094360380, with registered office in

Chalandri, 15233, Rizariou street, represented by General Manager Yiannis Kliafas, domiciled for this

purpose at the aforesaid office;

 

 

 

Universite De Geneve (UNIGE), VAT no. CHE1149273676TVA, with registered office in Geneve,

1211, 24 rue du Général-Dufour, represented by its Vice-Rector Brigitte Galliot, domiciled for this

purpose at the aforesaid office;

 

Sei Oxford Office Limited, VAT no. GB 799904649, with registered office in Oxford, OX2 0ES, Eco

Centre, Roger House, Osney Mead, represented by its Director Ruth Butterfield, domiciled for this

purpose at the aforesaid office.

Henceforth, the parties shall be jointly referred to as the ‘Joint Controllers‘ or ‘Parties’.

 

WHEREAS

 

1) the Parties signed a Consortium Agreement and a Grant Agreement(herein referred to as the

“Contracts”), both relating to the implementation of a joint project, called ‘AGORA’ consisting in

support the overall objectives of the Mission on Adaptation to Climate Change by leveraging and

step forwarding best practices, innovative approaches, policy instruments and governance

mechanisms to meaningfully and effectively engage communities and regions in climate actions,

accelerating and upscaling adaptation process for building a climate resilient Europe.

 

2) It will promote democracy, climate justice, gender equality, equity, and foster adaptive capacity and

citizens’ empowerment to proactively support decision-making processes;

 

3) the Parties, by mutual agreement and for the pursuit of the purposes underlying the joint project

‘AGORA’, intend to set up an online platform to collect and subsequently use the personal data of

the stakeholders that may be interested in being involved in the aforementioned project;

 

4) the Parties, by consensus, have determined that the creation and maintenance of this online

platform will be taken care of by APRE;

 

5) that on 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council

of 27 April 2016 on the protection of natural persons with regard to the processing of personal

data and on the free movement of such data and repealing Directive 95/46/EC (General Data

Protection Regulation) (hereinafter, more simply, “GDPR”) became fully operational;

 

6) Article 4(1)(7) of the GDPR defines data controller “as the natural or legal person, public authority,

agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”;

 

7) Pursuant to Article 26(1) of the GDPR “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects”;

 

8) pursuant to Article 26(2) of the GDPR “The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject”;

 

9) the Parties not incorporated within the European Union, specifically UNIGE and Sei Oxford

Office Ltd., strictly adhere to relevant national laws regarding data protaction matters, wich have

been subject to an adequacy decision of the European Commission;

 

10) it is the intention of the Parties to regulate in a transparent manner their mutual rights and

obligations as a result of the strict observance of the rules and principles contained in the GDPR

and the relevant national laws of each Party on data protection, with particular regard to the

exercise of the rights of the data subject, as well as their respective roles in the communication of

information to the data subjects, by signing this Agreement;

 

THE FOLLOWING IS AGREED AND STIPULATED

 

Article 1 – Preliminary Agreements

1. Within the scope of their respective responsibilities, the Joint Controllers shall at all times perform

their obligations in accordance with this Agreement and in such a way that they process the data

without violating applicable legal provisions.

2. It is understood between the Parties that, pursuant to Article 26(3) of Regulation (EU) 2016/679,

irrespective of the provisions of this Agreement, the data subject may exercise his or her rights towards and against each Data Controller.

3. Consistently with their mission and values, the Joint Controllers mutually undertake to protect the

personal data of every natural person who comes into contact with them (‘Data Subject’), respecting

the identity, dignity of every human being and the fundamental freedoms guaranteed in accordance

with the GDPR and the relevant national laws on the protection of individuals with regard to the

processing of personal data and the free movement of such data.

4. No rights to revision of prices or other forms of commitment, also economic, already defined

between the Parties, arise from this Agreement, since these are obligations and fulfilments deriving

from legal regulations already known.

5. This Agreement cancels and/or supersedes any and all existing contractual arrangements between

the Parties on the same matter and their relations shall be governed exclusively by this Agreement.

6. Any amendment or addition to this agreement may only be made in writing under penalty of

nullity.

7. The essential content of this Agreement shall be made available to the Data Subject through the

online platform.

 

Article 2 – Object of data processing

1. The Joint Controllers, with regard to the processing of Personal Data, agree on the decisions

regarding the purposes and means of data processing, as defined in the Grant Agreement, insofar as

such processing relates to the AGORA project.

2. The joint control relates to the processing of all data that will be acquired by the stakeholders

through the platform, as well as through specific online forms, interviews and project events (such as

focused groups, workshops and other relevant events to the project) in person and/or virtual in paper

and/or electronic format, better specified in the Contracts.

3. The activities underlying this agreement entail the processing of the following categories of

personal data regarding the interested stakeholders: Name; Surname; Age; Sex; Organisation;

Category: area of expertise/type of stakeholder (NGO, public sector, etc.); Country; Position

(Director, Professor, Researcher, etc.); E-mail; Website.

The above mentioned data may be supplemented, due to the duration of the project, by the Joint

Controllers on the basis of eventual emerging needs that cannot be foreseen at the date of signing this

agreement. The Joint Controllers, however, undertake to give precise notice to the Data Subjects,

through the information sheet on the data processing provided according to Article 13 of the GDPR,

of the data categories processed in connection with the project’s activities.

4. Hereby the Joint Controllers agree that the personal data of the Data Subject shall be processed for

scientific research, networking and uptake purposes, as better explained in the documents of the

AGORA joint project. To this end, the data may be archived, stored, used for sending invitations to

events, workshops and relevant initiatives and activities, included but not limited to questionnaires,

newsletters and project updates.5. The data may under no circumstances be shared with or transferred to parties other than the Joint Controllers.

 

Article 3 – Duration and Effects upon Termination of the Contract

1. This Agreement shall become effective when all the Parties will have signed it and shall be valid and

effective until the expiry, original or extended, of the contractual relationship binding the Joint

Controllers, or its termination for any reason whatsoever.

2. Therefore, the processing of personal data under the joint control regime shall last no longer than

it is necessary for the purposes for which the personal data were collected, and such data shall be

safely stored in the systems and databases of the Joint Controllers in a form that allows the

identification of the Data Subjects for a period of time not exceeding the aforesaid period, unless the

processing and storage of such data by each of the Joint Controllers is required by the applicable law.

3. Following the termination of the data processing or the termination of the underlying contractual

relationship, whatever the cause, the Joint Controllers shall be obliged to provide for the complete

destruction of the personal data processed, except in cases where the preservation of the data is

required by law or where autonomous circumstances arise that justify the continuation of the

processing of the data by the individual Joint Data Controllers, in a limited manner and for the

period of time strictly necessary for this purposes.

4. Except as indicated in the preceding paragraphs, the personal data of the Data Subjects may be

retained by the Joint Controllers, where the former have given their express consent for the use of

their data for further purposes. For these purposes, each party shall act as an autonomous Data

Controller.

 

Article 4 – Obligations between the Parties

1. The protection of personal data is based on compliance with the principles set out in this

document, which the Joint Controllers undertake to disseminate, respect and ensure, with their

directors, employees, collaborators and eventual third parties, with whom the Joint Controller may

collaborate in the performance of their activities. In particular, the Joint Controllers are committed to

ensure that the personal data protection policy is understood, implemented and supported by all

subjects, internal and external, involved in the activities of the Joint Controllers.

2. The Joint Controllers undertake to maintain and guarantee the confidentiality and protection of

personal data collected, processed and used under this agreement. In particular, each of them

undertake to:

1. a) process personal data in a lawful, correct and transparent manner in compliance with

relevant legislation, in particular the GDPR, and only for the time strictly necessary for

the intended purposes, including those necessary to comply with legal obligations;

1. b) collect personal data limited that are indispensable for carrying out the activities

constituting the joint project (relevant and limited personal data);

1. c) process personal data according to the principles of transparency only for the specific

purposes expressed in the information policy pursuant to article 13 of the GDPR;

1. d) adopt processes for updating and rectifying personal data processed to ensure that

personal data are, as far as possible, correct and up-to-date;

1. e) preserve and protect the personal data in its possession with the best available

preservation techniques;

1. f) ensure the continuous updating of personal data protection measures. This

commitment will be constantly followed within the framework of the principle of

accountability by consistently implementing appropriate technical and organizational

measures and policies to ensure and be able to demonstrate that processing is carried

out in accordance with the GDPR and all relevant national laws, taking into account

the state of the art, the nature of the personal data stored and the risks to which they

are exposed;

1. g) ensure the timely recovery of the availability of personal data in the event of a physical

or technical incident

1. h) make clear, transparent and relevant the means through which personal data are

processed and stored in order to ensure adequate security;

1. i) foster the development of a sense of responsibility and awareness throughout each

organization towards personal data, seen as the property of the Data Subject;

1. j) ensure compliance with the laws and regulations applicable to the protection of

personal data by updating data protection management where necessary;

1. k) prevent and minimize, within the limits of available resources, the impact of potential

breaches or unlawful and/or harmful processing of personal data;

3. The Joint Controllers undertake in particular to guarantee the exercise of the rights of the Data

Subject and to provide the information referred to in Articles 13 and 14. This information will be

provided directly by APRE at the time of registration on the platform to be set up.

4. The communication of the personal data necessary to ensure the pursuit of the joint project

objectives shall take place taking care that the personal data are accurate, true, up-to-date, relevant and not excessive in relation to the purposes for which they were collected and will be subsequently

processed.

 

Article 5 – Persons authorised to process and internal contact persons

1. Each of the Joint Controllers shall identify and designate the persons authorised to carry out

processing operations related to the purposes of the joint project.

2. The Joint Controllers guarantee that their employees and collaborators are trustworthy and have

full knowledge of the data protection regulations.

3. Within each organization, an internal contact person shall be identified by each Party, with the task

of liaising with those designated by the other Parties, to oversee the proper fulfilment of the

provisions of this agreement.

 

Article 6 – Data Processors

1. Each of the Joint Controllers which deems necessary to employ a data processor for the

performance of specific tasks required in the framework of the joint project shall give the other Parties

due notice thereof.

2. Specific data protection obligations shall be imposed on the data controller by means of a contract

or other legal act pursuant to Union or Member State law, providing in particular sufficient

guarantees to implement appropriate technical and organizational measures so that the processing

meets the requirements of the applicable law.

3. The relationship between the processor and any of the Parties of this agreement shall be governed

by Article 28 of the GDPR.

 

Article 7 – Breach of personal data

1. In the event of any breach of the security of personal data leading to the accidental or unlawful

destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored

or otherwise processed and likely to jeopardize the rights and freedoms of individuals whose personal

data are processed in the context of the joint project, the coordination activity for the purposes of

complying with the obligations set out in Articles 33 and 34 of the GDPR is entrusted to APRE, in

light of its management position with respect to the platform, which will take care of the preparation

of a specific document (Data Breach Policy), where not already existing and adopted.

2. Upon the occurrence of a personal data breach, the non-coordinator Joint Controller shall:
3. a) promptly inform the other Parties, however within 24 hours from the discovery of the

event, that it has become aware of a breach, providing all the details of the breach

suffered, in particular a description of the nature of the personal data breach, the

categories and approximate number of data subjects involved, as well as the categories

and approximate number of data records involved, the impact of the personal data

breach on the data subjects concerned and the measures taken to mitigate the risks;

1. b) provide assistance in dealing with the breach and its consequences, especially for the

Data Subject involved. It will also act to mitigate the effects of breaches, proposing

timely corrective actions and implementing all corrective actions approved and/or

requested by the coordinator. These measures are required to ensure a level of security

appropriate to the risk related to the Processing performed.

4. Each Joint Controller undertakes to establish and keep up-to-date an internal register of personal

data breaches and to collect and store all documents relating to each breach, including those relating

to the circumstances of the breach, its consequences and the measures taken to remedy it.

 

Article 8 – Decisions on international transfers of personal data

1. This agreement provides that personal data will be processed within the territory of the European

Union, Switzerland(Commission Decision of 26th July 2000, C(2000) 2304) and of the United

Kingdom, which guarantees adequate protection of personal data (Commission Implementing

Decision of 28th June 2021, C(2021) 4800 Final).

2. In the event that, for technical and/or operational reasons it becomes necessary to use entities

located outside the European Union, the Switzerland and the United Kingdom, the transfer of

personal data, limited to the performance of specific Processing activities, will be regulated in

accordance with Chapter V of the GDPR. All necessary precautions will therefore be taken to ensure

the fullest protection of personal data based on such transfer:

1. on adequacy decisions of third country recipients by the European Commission;
2. on adequate guarantees given by the third-party recipient pursuant to Article 46 of the

GDPR;

iii. on the adoption of binding corporate rules.

 

Article 9 – Exercise of Rights of the Data Subject and Project Contact Person

1. The Joint Controllers agree that APRE, in light of its management position on the platform, shall

identify a Project Contact Person as the point of contact for the Data Subjects. Requests for the

exercise of rights and any complaints submitted by the Data Subjects shall be handled by the Project

Contact Person. However, the Data Subjects may exercise their rights towards each Joint Controllers.

2. In particular, if the Project Contact Person receives requests from the Data Subjects for the purpose

of exercising his or her rights, he or she shall:

– promptly notify each Party in writing, enclosing a copy of the requests received;

– coordinate, where necessary and within its competence, with the internal functions

designated by each Party to manage relations with the Data Subject;

– verify the existence of the prerequisites and allow, defer or refuse its exercise, giving

timely written notice thereof to each Co-owner by certified e-mail.

3. The Project Contact Person shall also provide assistance to each of the Joint Controllers in the

context of administrative and judicial proceedings instituted by the Data Subject or the Supervisory

Authority as a result of the activity referred to in this Article.

4. The contact person will be made known to the Data Subjects by means of the information notice

pursuant to Art. 13, which will be made available on the platform.

 

Article 10 – Liability for Breach of Provisions

1. The Joint Controllers shall be jointly and severally liable for the full amount of the damage in order

to ensure the effective compensation of the Data Subject. Therefore, each Party may have to

compensate in full any Data Subject who proves to have been damaged by the processing activities.

Only at a later stage, the Joint Controller who has compensated the Data Subject in full may have

recourse against the Joint Controllers actually liable for the damage, by exercising recourse action.

2. Damage caused to the Data Subject in cases of force majeure shall also be borne jointly and

severally by the Joint Controller. The Joint Controller who has paid shall have recourse against the

others.

 

Article 11 – Null, void or ineffective clauses

1. Should one or more of the clauses of this agreement be or become contrary to mandatory rules or

public policy, they shall be considered non existing and shall not affect the validity of this agreement,

without prejudice to the right of each party to request an amendment to the agreement if the mere

elimination of the invalid clause would seriously impair its rights.

 

Article 12 – Communications

1. Any notice relating to this Agreement shall be given in writing, thorough mail, addressed at the

registered office of each Party. This address may be changed by either Party by notifying the other

pursuant to this Article.

 

Article 13 – Counterpart Clause

This Agreement may be executed in counterparts, each of which shall be deemed to be an original,

and all of which shall constitute one and the same agreement.

 

 

Opt-out complete; your visits to this website will not be recorded by the Web Analytics tool. Note that if you clear your cookies, delete the opt-out cookie, or if you change computers or Web browsers, you will need to perform the opt-out procedure again.

You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.

You are not opted out. Uncheck this box to opt-out. You are currently opted out. Check this box to opt-in.

The tracking opt-out feature requires cookies to be enabled.