Joint Data Controller Agreement made in accordance with Section 79 of the Data Protection Act 2018
Context:
This agreement is made to support any personal data processed by the joint operation of www.discoverkerry.com, a web platform for marketing County Kerry, based on Simpleview Europe Software as a Service Platform.
The project is funded by Kerry County Council and DRCD as a strand of the Digital Innovation Programme “Atlantic Discovery Platform”
The three parties to the agreement are:
• Kerry County Council
• Kerry Tourism Industry Federation
• Kerry SciTech (Tech Industry Alliance)
Necessity
As Personal Data is being controlled jointly by the Controllers, under Section 79 of the Data Protection Act 2018, a written agreement (a Joint Data Controller Agreement) must be in place between the parties detailing their roles and responsibilities individually and collectively, and how data subjects can be assisted with their rights.
1. Parties
1.1 This Joint Data Controller Agreement (“this Agreement”) is made between:
- Kerry County Council, a statutory body having its principal place of business at Aras an Chontae, Rathass, Tralee,
- Kerry Tourism Industry Federation, a not for profit company established to represent the interests of all parties associated with Tourism in County Kerry, having its principal place of business at C/O FDC Group Inc., St. Anthony's Place, College Street, Killarney, Co. Kerry, and
- Kerry SciTech Company CLG , a not-for-profit member organisation showcasing the Kerry region as a science, technology and engineering hotspot for talent, jobs and investment (now part of the Tech Industry Alliance), having its principal place of business at Tom Crean Business Centre, Tralee, Kerry, Ireland
2. Purpose and Scope of Agreement
2.1 This Agreement sets out the data Controllers’ (the parties named above) respective responsibilities for compliance with their obligations under the Data Protection Act 2018, which transposed the EU General Data Protection Regulations into national law, when processing personal data through the operation of the DiscoverKerry.com website and related websites hosted on the Simpleview Content Management System and Destination marketing System web platform by the destination marketing consortium.
2.2 The parties to this Agreement shall adhere to the responsibilities set out herein and ensure that all relevant personnel are aware of and act in compliance with this Agreement.
3. Definitions
- “the Act of 2018” means the Data Protection Act 2018;
- Data Protection legislation: The Data Protection Act 2018 (DPA), the General Data Protection Regulation (2016/679) (GDPR) and all applicable laws and regulations relating to the processing of the personal data and privacy, including where applicable the guidance and codes of practice issued by the Data Protection Commission.
- Data Protection Authority: The Data Protection Commission (DPC) of Ireland.
- Subject Access Request: Has the same meaning as "Right of access to personal data" in Article 15 of the GDPR and Section 91 of the Act of 2018.
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the shared personal data.
- Data Controller, Data Subject, Personal Data, ‘Special category’ (Sensitive) Personal Data, Processing and Processor, and Appropriate Technical and Organisational Measures shall have the meanings given to them in the Act of 2018.
- Any word or expression which is used in this agreement shall, unless the context otherwise requires, have the same meaning as it has in the Act of 2018.
4. Section 79 of Data Protection Act 2018 - Joint Controller Agreement
Section 79 of the Act of 2018 requires joint data controllers to have an agreement in writing that determines their respective responsibilities:
(1) Where 2 or more controllers jointly determine the purposes and means of the processing of personal data (in this Part referred to as "joint controllers), they shall determine their respective responsibilities for compliance with this Part in a transparent manner by means of an agreement in writing between them, save in so far as the said responsibilities are determined by the law of the European Union or the law of the State.
(2) An agreement in writing referred to in subsection (1)—
(a) shall include a determination of—
(i) the respective responsibilities of the joint controllers concerned as regards the exercise by data subjects of their rights under this Part, and
(ii) the respective duties of the joint controllers concerned as regards the provision to a data subject of the information specified in section 90 (2),
And
(b) may designate a single point of contact in respect of the processing concerned for the data subject to whom it relates, where such designation is not otherwise determined by the law of the State.'
5. Compliance with the Data Protection Act 2018
The Controllers agree that the data processed under this Agreement will be necessary and proportionate, and will be processed only in accordance with the data protection fair processing principles as set out in Section 71 of the Act of 2018 and will only be further processed in accordance with Section 71(5) of the Act of 2018.
6. Responsibilities of Controllers
6.1 Each Controller shall be responsible for fulfilling the obligations placed on Controllers by the Act of 2018 in respect of the data processed by them.
6.2 The Controllers shall ensure that the processing of personal data complies with the data protection principles as set out in Section 71 of the Act of 2018.
6.3 The Local Authority named in Section 1.1 will be responsible for ensuring compliance with Section 84 of the Data Protection Act 2018 in respect of this project on behalf of all parties, including the conducting of any Data Protection Impact Assessment (DPIA) necessary and for consultation with the Data Protection Commission as required under Section 84(3) of the Data Protection Act 2018.
6.4 The Controllers have agreed that the arrangements set out in this agreement that relate to the exercise of the data subject’s rights and suspected personal data breaches shall apply to the personal data that is jointly processed by the Controllers, being where the purposes and means of the processing is jointly determined by them.
7. Categories of Data Subjects and Personal Data
7.1 The individuals whose data will be processed by the controllers are data subjects, who,
a) visit DiscoverKerry.com website and other microsites on the Platform and consent to Cookies policy and,
b) sign up for the Newsletter (and further contact) by providing their name and emall address.
7.2 The personal data that will be processed relates to contact details (name and email). Cookies may be used for further data processing – but the user retains control over how such cookies are used.
8. Exercise of Rights by Data Subjects
8.1 All Controllers shall be responsible for providing data subjects with the information required to be given to the data subject under Section 90 of the Act of 2018 and with a summary of the essence of this Agreement.
8.2 To simplify the process for any Data Subject, the contact point in the first instance for data subjects shall be the Data Protection Officer in Kerry County Council (email dpo@kerrycoco.ie – other details as per the Kerry County Council website www.kerrycoco.ie).
8.3 Kerry County Council shall be responsible for fulfilling the obligations placed on Data Controllers by the Act of 2018 in respect of safeguarding the rights of data subjects concerning access to, and the correction, deletion or erasure of, personal data, to enable the fulfilment by the Data Controller of its obligation to respond to requests by data subjects to exercise their rights under Data Protection legislation.
8.4 Kerry County Council may refer the Data Subject request or enquiry in a timely manner to the appropriate Data Controller for action & fulfillment.
9. Notification of Data Breach
9.1 Each Party shall in its capacity of Data Controller be responsible for fulfilling the obligations placed on Data Controllers by Act of 2018 in respect of safeguarding the rights of data subjects and meeting any obligations of the Data Controller to inform the data subjects and the data protection supervisory authority, the Data Protection Commission (DPC).
9.2 Where a breach (or suspected data breach) on the part of any party to this Agreement includes personal data that was jointly processed under this Agreement they will, immediately when the breach (or suspected breach) becomes known, and in any event no later than 24 hours after becoming aware of the breach (or suspected breach), inform the other Parties, describing at minimum:
• the nature of the personal data breach;
• the categories and numbers of data subjects affected;
• the categories and numbers of personal data records concerned;
• the cause or suspected cause of the breach;
• the likely consequences of the personal data breach;
• the measures taken or proposed to be taken to address the personal data breach; and,
• the name and contact details of the relevant contact persons regarding the breach in order that the other Party can take immediate mitigating actions, if considered necessary.
9.3 Depending on the origin/source of the suspected data breach, the Controller with direct responsibility for the relevant processing shall be designated to notify the Data Protection Commission and, where appropriate, the data subject of the breach.
9.4 The Parties agree that they shall cooperate with the Data Protection Authority and take such reasonable steps as are necessary to assist in the investigation, mitigation and remediation of any personal data breach.
10. Security
10.1 The Parties, working with the Processor (Simpleview Europe Ltd), shall implement appropriate and adequate technical and organisational measures to safeguard the confidentiality, integrity and availability of the personal data and to guard against any unlawful access to or processing of (including unauthorised disclosure, deterioration, alteration, destruction or loss of personal data) personal data, taking account of the nature of the personal data concerned, the accessibility of the data, the nature, scope, context and purpose of the processing, any risks to the rights and freedoms of individuals arising from the processing concerned, the likelihood of any risks arising and the severity of such risks, the state of the art and cost of implementation and any guidelines, recommendations and descriptions of best practice issued by the Data Protection Commission.
10.2 The Parties, working with the Processor (Simpleview Europe Ltd), shall maintain administrative, physical and technical safeguards designed for the protection and security, confidentiality and integrity of the personal data being processed under this agreement and shall review the administrative, physical and technical safeguards regularly and shall implement appropriate safeguards where more effective measures may be identified.
10.3 The Parties, working with the Data Processor (Simpleview Europe Ltd), shall document the implementation of the technical and organisational measures in accordance with the requirements of the Act of 2018.
11. Data Retention
Personal data will be processed under this Agreement only in a form that permits identification of a data subject for no longer than is necessary for the purposes for which it was collected. Personal data will only be retained for a period of 12 months from the date of initial collection, unless such consent is renewed by the Data Subject, or they have requested the deletion of such data in the preceding period.
12. Confidentiality
12.1 The Controllers shall take steps to ensure the data protection obligations of any Data Controller member or employee who may have access to the personal data are met. The Controllers shall ensure that access to the personal data is limited to those individuals who are required to have access to the data in order to carry out their lawful functions. The Controllers shall ensure that all authorised individuals (including members or employees) who have access to the personal data are subject to an undertaking of confidentiality or professional, contractual or statutory obligation of confidentiality.
12.2 This duty of confidentiality shall not apply where both Controllers has expressly authorised the furnishing of such personal data to third Controllers or if there is an obligation under the law to make the information available to a third party.
13. Communications with Data Protection Commission
The Data Protection Officer of Kerry County Council shall carry out whatever communications may be necessary with the Data Protection Commission.
14. Implementation and Review
Unless otherwise agreed, this Agreement will remain valid for the period of the operation of the websites built on the shared platform. The Controllers shall review and, if necessary, amend this Agreement if circumstances emerge that warrant a review/amendment, such as changes in legislation, policy or where risks to the rights of data subjects are identified as a result of the processing.
15. Points of Contact and Dispute Resolution
15.1 The Controllers shall appoint a single point of contact to actively seek improvements to ongoing data sharing between each organisation, including the ongoing oversight and review of the effectiveness of this Agreement. The points of contact for each of the Controllers are:
• Helen O’Connor Barry, KCC
• Pat O’Leary, KTIF
• Aoife O’Brien, Kerry SciTech
15.2 The Controllers agree that they will endeavour in the first instance to resolve any disputes regarding the operational implementation of this Agreement by the above points of contact. Only if necessary will the dispute be escalated to the following contacts:
• Niamh O’Sullivan, KCC
• Pat O’Leary, KTIF
• Manjit Gill, Kerry SciTech
16. Date of Effect
This Agreement will have effect from the date of its signing unless and until it is revoked by any of the parties or any party withdraws from it and any such revocation, withdrawal, expiry or termination of this Agreement (howsoever arising) shall be without prejudice to accrued and surviving rights and obligations.
