Joint Controllers

Information about the joint responsibility
in the meaning of Art. 26 sec. 2 sentence 2 General Data Processing Regulation (GDPR)

What is the reason for joint responsibility?

In the project e-learning platform Responsible A and Responsible B work closely together. This includes the processing of your personal data. The parties have jointly determined the order in which this data will be processed at each stage of the process. They are therefore jointly responsible for the protection of your personal data within the process stages described below (Art. 26 GDPR).

For which stages of the process is there joint responsibility?

Personal data are processed in the “Moodle“-based e-learning system which is customized by Party B.
All personal data processed through collection and entering user data in the database, storing and correcting user data will be stored on a server located in Tokyo, Japan provided by AWS.

Within the scope of joint responsibility, Responsible Party A is responsible for the processing of personal data in its collection, input and storage (effect area A). The subject of the processing, the legal basis of which is the legitimate interest to carry out business activities more effectively, are the following types/categories of personal data: Name and surname, e-mail address, department, contact information and attendance history of educational contents.

Responsible Party B is responsible for the processing of personal data in its collection, input and storage in the context of joint responsibility (Effect area B). The subject of the processing, the legal basis of which is the legitimate interest to carry out business activities more effectively, are the following types/categories of personal data: Name and surname, e-mail address, department, contact information and attendance history of educational contents.

What have the parties agreed?

As part of their joint responsibility under data protection law, Responsible A and B have agreed which of them will fulfil which obligations under the GDPR. This relates in particular to the exercise of the rights of the data subjects and the fulfilment of the information obligations under Articles 13 and 14 of the GDPR.
This agreement is necessary because in the “Moodle“-based e-learning system, personal data is processed in different process sections and systems operated by either Responsible A or Responsible B.

What does this mean for data subjects?

Even if there is a joint responsibility, the parties fulfil the data protection obligations in accordance with their respective responsibilities for the individual process stages as follows:
• Within the framework of joint responsibility
  • Responsible A is responsible for the processing of personal data in section 1 and
  • Responsible B for the processing of personal data in the 2 section.
• Responsible A and Responsible B make the information required under Articles 13 and 14 of the GDPR available to the data subjects free of charge in a precise, transparent, comprehensible and easily accessible form in clear and simple language. Each party shall provide the other party with all necessary information from its sphere of activity.
• The parties shall inform each other immediately of any legal positions asserted by data subjects. They shall provide each other with all the information necessary to respond to requests for information.
• Data protection rights may be asserted both with regard to Responsible A and Responsible B. In principle, data subjects receive the information from the authority from which rights have been asserted.