Pursuant to Art. 26 General Data Protection Regulation (hereinafter GDPR), the companies that make up the Nogar Group have jointly agreed on the purposes and methods for the processing of personal data, and hence they should be considered joint controllers of the data processing indicated below:
- SUBJECT OF THIS AGREEMENT
The joint controllers are related with the data subjects through the following DATA PROCESSING:
- Processing for security in the Nogar Group
- Processing for business activity coordination in the Nogar Group
- FUNCTIONS OF AND RELATIONSHIP BETWEEN THE JOINT CONTROLLERS
The joint controller relationships between the different group companies are subject to these items:
- The company Servinoga acts as a point of contact for data subjects to exercise their rights of access, rectification, limitation, deletion, opposition, portability and any other right recognized in the GDPR. Consequently, this company must comply with its duty to inform the data subjects (Arts. 13 and 14 GDPR). In spite of the establishment of a single point of contact for the exercise rights, data subjects may exercise their rights before any of the data controllers.
- The processing activities will have the same purposes, legal basis and recipients for all joint controllers, and the same rights will be granted to all data subjects, regardless of which joint controller carries out processing. Changes in any processing activity of the joint controllers will require the mutual agreement of all of them, in accordance with the rules governing the decisions of the corporate group.
- OBLIGATIONS OF THE JOINT CONTROLLERS:
Each joint controller must comply with the obligations established by the RGPD for a data controller and must carry out the following actions (among others):
- Keep a record of processing activities.
- Ensure that the persons authorized to process personal data assume an express, written commitment to respect confidentiality and to comply with appropriate security measures, of which they must be properly informed.
- Maintain documentation accrediting compliance with the obligations stipulated in the RGPD.
- Ensure the availability of the necessary training in personal data protection for persons authorized to process personal data.
- Respond to the exercise of rights by the data subjects.
- Notify the other joint controllers of any data security breaches without undue delay, at the latest before the maximum period of 36 hours, by e-mail or any other means that accredits receipt of the notification, in order to proceed to notify the Spanish Data Protection Agency (AEPD) of the receipt jointly and in a coordinated manner.
- Jointly coordinate the carrying out of data protection impact assessments, when relevant.
- Jointly coordinate the carrying out of prior consultations with the oversight authority, when relevant.
- Pursuant to Art. 32 GDPR, each controller must implement mechanisms to:
- Ensure the uninterrupted confidentiality, integrity, availability and resilience of processing systems and services.
- Restore availability and access to personal data quickly in the event of a physical or technical incident.
- Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to ensure the security of processing.
- Pseudonymize and encrypt personal data, when necessary.
- In relation to the possible liabilities that may arise with respect to the damages caused to the data subjects, the joint controller who proves his or her lack of culpability for the damage caused, Pursuant to Art. 82.3 GDRP, shall not be held liable.
- The joint controller who has paid a financial penalty or compensation for damages may claim a proportional share from the other joint controllers, in accordance with the liability assumed by each party. In this respect, it is established that the assumption of liability in this agreement for each joint controller is proportional to the total number of joint controllers.
- In any case, the data subject may file a claim against any of the joint controllers, who shall be liable for the totality, regardless of the fact that they may subsequently file a claim against the other joint controllers for the proportional part, in accordance with the liability assumed by each party.
The present agreement has an indefinite duration, and data subjects will find all supplementary information on the Group‘s website.