TERMS OF JOINT CONTROLLERSHIP
1. BACKGROUND AND COMMITMENT TO THE TERMS
These terms concerning joint controllership ("Terms") apply as supplementary to the Terms of Use applicable between Avant Tecno Oy ("Avant Tecno"), its importers ("Importer") and dealers ("Dealer"). Avant Tecno, the Importers and the Dealers are hereinafter jointly referred to as the "Parties" and each individually as a "Party".
The Parties act as joint controllers within the meaning of Article 26 of the EU General Data Protection Regulation[1] ("GDPR") with respect to the processing of personal data carried out in the Applications as defined in the Terms of Use.
For the sake of clarity, it is noted that the Parties act as independent controllers in respect of any personal data processing that is not related to the processing carried out in the Applications.
These Terms regarding joint controllership ("Terms") define the division of responsibilities between the Parties in complying with the controller obligations set out in the GDPR. A contract in accordance with the Terms is established between the Parties using the Applications.
Unless otherwise stated, the terminology used in these Terms shall have the same meaning as in the GDPR. Unless otherwise stated, the capitalised terminology shall have the same meaning as in the Terms of Use.
If the Terms of Use and these Terms conflict, these Terms shall prevail.
2. OBJECT, PURPOSE AND LEGAL BASIS OF THE PROCESSING
2.1. Object of the Processing
Data subjects are consumer customers who have purchased Products and contact persons of business customers (together "Data Subjects").
The categories of personal data processed are the Data Subject’s name, contact details, information regarding any represented organisation, customer segment, purchase, service and warranty history of the Products, and any information included in safety-related incident notifications concerning the Products (together "Personal Data").
2.2. Purpose and Legal Basis
Personal Data is processed for the following purposes:
- maintenance of the customer relationship
- lifecycle management of the Product
- warranty administration
- direct marketing based on the customer relationship
The GDPR-compliant legal basis for the processing of Personal Data is the performance of a contract for consumer customers and the legitimate interest of the Parties (conducting and promoting business activities) for contact persons of business customers.
Composite and statistical datasets may be created from data stored in the Applications. However, individual Data Subjects cannot be identified from such datasets.
Personal Data is not used for automated decision making or profiling.
3. OBLIGATIONS OF THE PARTIES
3.1. General Obligations
The Parties undertake to comply with applicable data protection legislation in force from time to time, including, but not limited to, the GDPR.
Each Party shall independently ensure the lawfulness and appropriate documentation of the Personal Data processing it performs. Each Party shall ensure that a lawful and documented basis for the processing of Personal Data it carries out is present, and shall ensure the confidentiality, integrity, availability and resilience of the processing systems it uses.
3.2. Collection and Storage of Personal Data
Each Party shall ensure that no Personal Data other than those specified in section 2.1 above are processed in connection with the Applications.
Each Party shall ensure that Personal Data is retained only for the duration of the customer relationship of the Data Subject or the organisation represented by the Data Subject. Each Party shall update in the Applications any changes to Personal Data that it becomes aware of.
3.3. Informing Data Subjects
Avant Tecno has prepared a privacy notice regarding the processing of Personal Data, through which the information obligations towards Data Subjects pursuant to Articles 13 and 14 of the GDPR are fulfilled. In this context, Data Subjects are also informed of the Parties’ joint controllership.
3.4. Exercising Data Subjects’ Rights
Avant Tecno maintains an email account (gdpr@avanttecno.com) that Data Subjects are instructed to contact to submit requests regarding their rights under the GDPR. Avant Tecno shall forward received requests to the Importer or Dealer with whom the Data Subject has a direct customer relationship or whose operations the request concerns. The implementation of the Data Subject’s request is primarily the responsibility of the aforementioned Importer or Dealer, unless otherwise agreed between that Party and Avant Tecno on a case‑by‑case basis.
The Parties undertake to assist one another, using reasonable measures, in fulfilling any Data Subject rights requests.
For the sake of clarity, and notwithstanding the above, the Data Subject has, under Article 26(3) of the GDPR, the right to address a request concerning the exercise of their GDPR rights to any of the Parties.
3.5. Requests from Authorities
An Importer or Dealer receiving a request for information or other contact from an authority shall promptly inform Avant Tecno by email at gdpr@avanttecno.com.
The Party receiving the request shall primarily respond to it, unless the Parties agree otherwise on a case‑by‑case basis.
3.6. Information Security
Each Party shall implement appropriate technical, physical and organisational safeguards, taking into account the risks related to the processing of Personal Data, to ensure a high level of security and to protect Personal Data from unauthorised or unlawful processing and from accidental loss, destruction, damage, alteration or disclosure.
Each Party shall ensure that only persons who need access to Personal Data for the purpose of fulfilling the processing purpose have such access, and that these persons are aware of their obligations regarding the processing of Personal Data and process such data only in accordance with the instructions of the Party. Each Party shall ensure that all persons with access to Personal Data are bound by confidentiality obligations by contract or statutory duty.
3.7. Personal Data Breaches
3.7.1. Notification of Personal Data Breaches Between Controllers
An Importer or Dealer shall promptly notify Avant Tecno by email at gdpr@avanttecno.com of any suspected or detected personal data breach concerning Personal Data.
The notification submitted to Avant Tecno shall include at least the following:
- description of the actual or suspected personal data breach, including the categories and estimated number of affected Data Subjects, and the categories and estimated number of Personal Data types, to the extent known;
- name and contact details of the responsible person from whom further information can be obtained;
- description of the likely consequences of the personal data breach;
- description of the measures proposed or already taken by the Party to address the breach, and, where applicable, measures to mitigate any adverse effects.
Similarly, the Importer or Dealer shall promptly notify Avant Tecno of any other disruptions or problem situations related to Personal Data that may affect the status or rights of the Data Subject.
Avant Tecno shall inform all Importers and Dealers of any detected personal data breach and of any measures already taken or to be taken as a result of the breach, through the Applications.
3.7.2. Notification to Authorities and/or Data Subjects
The Party detecting the personal data breach shall primarily be responsible for notifying the authorities and/or the Data Subjects, unless the Parties agree otherwise on a case‑by‑case basis.
3.7.3. Measures Resulting from Personal Data Breaches
Upon detecting a personal data breach, the Parties shall promptly take measures to eliminate the breach and to limit and remedy its effects.
Importers and Dealers shall comply with any instructions from Avant Tecno regarding the elimination of the data breach and the limitation and remediation of its effects.
4. PROCESSORS OF PERSONAL DATA
The Parties may use data processors for the processing of Personal Data, provided that the requirements laid down in data protection legislation for the use of processors are met. The Party commencing co-operation with a processor shall conclude a written agreement with the processor in accordance with Article 28 of the GDPR.
If the activities of a processor or its subcontractor require the transfer of Personal Data outside the EU/EEA to so‑called third countries, the Party which commenced co-operation with the processor shall ensure the existence of a transfer mechanism in accordance with Chapter V of the GDPR.
The Parties are liable for the acts or omissions of the processors they co-operate with as for their own.
5. LIABILITY FOR DAMAGES
Each Party shall be liable for the damages it causes to the Data Subjects or other Parties in connection with the processing of Personal Data, in accordance with the GDPR and other applicable data protection legislation.
The Parties’ respective liability, and that of their processors, towards the Data Subject for any damage caused shall be determined in accordance with Article 82 of the GDPR. For the sake of clarity, the “compensation” referred to in Article 82(5) shall be deemed to include reasonable legal costs incurred by the other Party.
6. MISCELLANEOUS
6.1. Term of the Agreement
The agreement formed by accepting these Terms shall bind the Party as long as the Party processes Personal Data in the Applications in the manner referred to in these Terms. For the sake of clarity, upon ceasing to use the Applications, the Party shall remain responsible, as an independent controller, for any Personal Data in its possession in accordance with applicable data protection legislation. If the agreement formed by accepting these Terms terminates for any reason, the liability for damages clause (Section 5) shall continue in force.
6.2. Termination of the Agreement
Avant Tecno shall have the right to discontinue the provision of the Applications in whole or in part and terminate the agreements formed under these Terms and the Terms of Use if an Importer or Dealer commits a substantial breach of these Terms.
6.3. Applicable Law and Dispute Resolution
These Terms shall be governed by the choice‑of‑law and dispute‑resolution clause of the Terms of Use.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).