Joint Controllership Statement to CleanMyMac Business
Effective Date: January 07, 2025
The Parties, meaning You and MacPaw Way Ltd. (as defined in the Terms of Service), agree to be bound by the below, should it be applicable to that Party(ies). The capitalized terms not specifically defined in the different Sections shall have the meaning set out in the Privacy Notice and Terms of Service. The terms “Data Subject”, “Data Controller”, “Data Processor”, “EU Standard Contractual Clauses”, “Sub-processor”, “process”, “processes”, “processing” or “processed”, as used throughout the Sections, shall have the meaning as prescribed in Applicable Laws.
This Joint Controllership Statement (“JCS”) determines the rights and obligations of the Data Controllers for the joint processing of Personal Data in accordance with Article 26 of the GDPR. The Parties have jointly determined the purposes and means of processing Personal Data in accordance with Applicable Laws. Capitalized terms not specifically defined herein shall have the meaning set out in the Privacy Notice or the Data Processing Agreement. In the event of a conflict between the terms of this JCS and the DPA, the DPA shall prevail. This JCS shall constitute an integral part of the Privacy Notice with reference to section III “JOINT CONTROLLERSHIP STATEMENT” of the Privacy Notice.
1. Scope and compliance with Applicable Laws
1.1 The Parties, as joint Data Controllers, shall make available to each other only the Personal Data described in Attachment 1 in order that the Parties may process such Personal Data for use of the Software as given in Terms of Service.
1.2 As the entity managing the joint processing of Personal Data, You will act in the capacity of main joint Data Controller of Personal Data of Members and Administrator, the other Party acting as secondary joint Data Controller of Personal Data in accordance with provisions of this JCS, unless otherwise required by the Applicable Laws.
1.3 Subject to the Applicable Laws, in particular rights granted to You, Members and Administrator as Data Subjects (together referred to as “Data Subjects”), the Parties shall have control, excluding any ownership rights, over the joint processing of Personal Data. In this respect, the Parties have jointly agreed to allocate, in good faith, their respective obligations and liabilities, as described in Attachment 1.
1.4 As joint Data Controller, each Party undertakes for the part of joint processing of Personal Data to and be responsible for:
1.3.1. Collecting or processing Personal Data for the duration of this JCS in accordance with this JCS, being specified that any further processing by each Party for its own purposes is implemented under its exclusive liability acting for it as independent Data Controller;
1.3.2. Providing the other Party with all relevant information relating to the joint processing of Personal Data (means, storage and country of origin and/or destination of Personal Data) to enable the other Party to demonstrate compliance with the obligations laid down under the Applicable Laws; and
1.3.3. Informing the other Party immediately if in its opinion, any development or change of the joint processing of Personal Data infringes the Applicable Laws or DPA.
1.5. Data Processing Agreement: If required, a Data Processing Agreement (DPA) detailing the roles and responsibilities of both Parties under this JCS will be made available and signed upon request by You. In the event of any discrepancies between this Joint Controllership Statement and the terms of the DPA, the DPA shall prevail to the extent necessary to resolve the inconsistency.
2. Security measures
2.1 In the context of the joint processing of Personal Data, the Parties shall each abide by their data security obligations, in particular as set out in Article 32 GDPR. Access to the infrastructure, including but not limited to physical and IT access, will be managed by each Party for the part of joint processing under its responsibility.
3. Data Subject requests
3.1 The main and secondary joint Data Controllers shall be responsible for responding to Data Subject requests to the extent and in the volume specified in the Attachment 1 hereto and shall provide assistance to each other within the statutory time limit, in ensuring compliance with the obligation to reply to any request from Data Subjects in exercise of their rights granted under the Applicable Laws (e.g., right to data portability, right to rectification, right to object, right to erasure, right to restrict processing).
4. Data Processors
4.1 The Parties shall not use any Data Processor for the joint processing of Personal Data in the performance of the Terms of Service, except where the other Party was notified about the use of such Data Processor(s). The Party who engages a new Data Processor shall notify the respective other Party and, upon request, provide the respective other Party with all necessary information either regarding the Processor’s activities (including but not limited to the level of qualification of staff, performances and reliability of IT devices, contact details of data protection officer (if any) or adopted code of conduct) or regarding potential Sub-processors (same safeguards as well as company name, country of residence and country where subcontracting is performed and in particular country(ies) of processing of Personal Data, etc.).
4.2 The Data Processor shall remain solely liable to the Parties for the performance of its obligations and those of its authorized sub-Data Processors. The Data Processor and its authorized Sub-processors shall be subject to confidentiality and security obligations aligned with those under the Terms of Service.
4.3 Each Party shall promptly notify any Data Processor in the event of any request or notice from Data Subjects exercising their rights under the Applicable Laws and comply with the relevant Party’s reasonable instructions with respect to such request or notice. The Party who engages a Data Processor shall ensure that the Data Processor is obliged to ensure that its authorized sub-Data Processors will promptly forward to the relevant Party requests or notices they directly receive from Data Subjects. Taking into account the nature of the joint processing of Personal Data and the information available to the Data Processor, the Data Processor and/or sub-Data Processor shall cooperate in good faith and in a reasonable manner with the relevant Party and provide the relevant Party with the necessary information, in order to allow the relevant Party to respond to Data Subjects’ request within the statutory time limit.
4.4 Each Party shall ensure that its authorized service providers shall comply with these obligations and, when acting as Data Processor or Sub-processor, return Personal Data and every copy of the relevant Personal Data to the concerned Party in any reasonable format or otherwise to be agreed.
4.5 Save as set out in this JCS, any unauthorized processing, use or disclosure of Personal Data by the Data Processor or sub-Data Processor is strictly prohibited.
5. Confidentiality
5.1 Each Party shall take all appropriate steps to ensure the reliability of its personnel, representatives and authorized recipients and any person acting under their authority who shall be involved in the joint processing of Personal Data only to the extent of the performance of the services obligations under this JCS.
5.2 The Parties understand and agree that such Personal Data constitutes Confidential Information, as defined by the Terms of Service.
5.3 Each Party shall ensure that persons authorised to take part in the joint processing of Personal Data have committed themselves to the duty of confidentiality. Access, inspection, processing and provision of Personal Data by each Party’s personnel shall take place only in accordance with the “need-to-know” principle.
5.4 Each Party warrants and undertakes that such personnel, representatives, authorized recipients and any person acting under their authority are duly trained and made aware as to each Party’s obligations.
6. International transfers
6.1 The Parties hereby agree that they are both authorized in their capacity as joint Data Controller of Personal Data to process, including transfers, certain Personal Data outside of the EEA for the sole purposes of the joint processing of Personal Data. If Personal Data processed under this JCS is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the Personal Data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU Standard Contractual Clauses, including supplementary measures as required, for the transfer of Personal Data.
7. Personal Data Incidents
7.1 If a Personal Data Breach in relation to the joint processing of Personal Data occurs, the Party becoming aware of such breach shall not later than 48 (forty-eight) hours report such incident to the other Party. The notifying Party shall provide the other Party with:
7.1.1 The description of the nature of the Personal Data Breach including the categories and approximate number of Data Subjects and Personal Data concerned;
7.1.2 The name and contact details of the data protection officer or other contact point of the notifying Party or any other parties involved from whom further information can be obtained;
7.1.3 The description of the likely consequences of the Personal Data Breach; and
7.1.4 The description of the measures taken and proposed to be taken by the notifying Party to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
7.2 The notifying Party undertakes to cooperate in a reasonable manner with the other Party to allow the other Party to notify the relevant data protection authority within 72 (seventy-two) hours (or any other time limit required under Applicable Laws) from the time the notifying Party has become aware of such breach.
7.3 Neither Party shall make any such Personal Data Breach public without the other Party’s prior consent.
8. Audits
8.1 Each Party shall, upon the other Party’s reasonable request, submit its data processing facilities, data files and documentation necessary and reasonably required for the joint processing of Personal Data for reviewing, auditing and/or certifying by the other Party (or any third party such as inspection agents or auditors of the other Party) to ascertain the first mentioned Party’s compliance with the undertakings in this JCS, subject to that Party’s security policy to the extent that it does not prevent the other Party from enforcing its rights under this JCS. The Party to be audited agrees to cooperate with the other Party in the course of such operations including providing all necessary information and access to all equipment, software, data, files, information systems, etc. used for the performance of services, including the joint processing of Personal Data. Such audits should not unjustifiably disrupt the provision of the Products and/or the other business operations of the Party being audited and should protect the confidential information of the Party to be audited and its clients or service providers. Such audits are intended to check compliance by the Party to be audited with the provisions of this JCS, including measures of confidentiality and security implemented by the audited Party in respect of the processing of Personal Data.
8.2 These operations may also review measures of confidentiality and security implemented by the Party to be audited. If such audits reveal a non-compliance with the Party’s warranties and undertakings, the Party to be audited shall undertake measures at its own expense to rectify the non-compliance as soon as possible, as agreed between the Parties.
8.3 In the event that one of the Parties is subject to any audit or investigation, in particular by public authorities, including any data protection authority, the other Party shall, without undue delay cooperate with the investigated Party and/or the public authority in question in a reasonable manner, including by providing any relevant information and, subject to the relevant territorial jurisdiction, access for that public authority to any equipment, software, data, records and systems necessary to carry out the audit or investigations performed by such public authority. The other Party shall not communicate directly with that authority.
8.4 Each Party shall disclose Personal Data if required to do so by an order of a court, public authority, or by any Applicable Laws; provided, however, that the concerned Party shall:
8.4.1 Promptly notify the other Party of the same (if and to the extent permitted by Applicable Laws);
8.4.2 Consult with and assist the other Party, at the other Party’s expense, in obtaining an order to take the necessary actions to dispute or oppose the legal process, obtain an injunction or undertake other appropriate remedies to prevent disclosure of Personal Data; and,
8.4.3 In any case seek the other Party’s consent where such notification is permitted by Applicable Laws prior to the disclosure.
9. Miscellaneous
9.1 Each Party shall store Personal Data for the duration required to achieve the purposes set out in this JCS and, upon termination or expiry of the JCS, delete the Personal Data, unless required otherwise by Applicable Laws, or in case of further processing for which the concerned Party acts as independent Data Controller.
9.2 Each Party shall keep a record of processing activities. Each Party shall maintain its record in writing, including in electronic form and shall make the record available to the relevant data protection authority on request and shall immediately report such communication to the other Party.
9.3 In the event of any change to (including changes in, or further guidance regarding, interpretation of) the Applicable Laws which requires a change to all or any part of the Products or a method of delivery of such Products, the Party that becomes aware of such change shall promptly notify the other Party and the Parties may negotiate and agree in good faith any appropriate adjustments to the terms of the Terms of Service and the services as mutually agreed in writing in order for the Parties to comply with the Applicable Laws.
9.4 Notwithstanding expiry or termination of the Terms of Service, this JCS will remain in effect until, and will automatically expire upon, each Party ceases to use Personal Data, except further processing for which it acts under its own liability as independent Data Controller (always subject to the restrictions and deletion requirements under the Terms of Service) or for storage purposes for a period of time as required under the Applicable Laws.
9.5 Each Party warrants and undertakes it has the legal authority to give the warranties and fulfill the undertakings set out in this JCS. Where applicable, if a Party breaches its contractual obligations under this JCS, it shall be considered to be an independent Data Controller in respect of that processing.
9.6 Subject to the provisions on liability under the Terms of Service, where one or both Parties becomes liable to pay a fine and/or damages in respect of the joint processing of Personal Data, and notwithstanding anything to the contrary set forth in the Terms of Service, each Party’s contribution to the amount payable shall be determined in due proportion to their respective share of responsibility. To do so, the Parties shall discuss at the earliest convenience and agree on their respective contribution.
Attachment 1
1. Each Party recognizes that they have full knowledge of the obligations that apply to them pursuant to the Applicable Laws in their role of joint Data Controllers and, as such, shall comply with such Applicable Laws to the extent applicable to each Party in its respective role in relation to the joint processing of Personal Data for which they have commonly determined:
1.1 the purposes of Personal Data processing under the Terms of Service, namely: to determine the degree of control over processing of Personal Data of Data Subjects and to facilitate the exercise of Data Subjects’ rights according to applicable data protection laws and regulations.
1.2 the essential, as well as the non-essential, means of the joint processing of Personal Data for such purpose;
1.3. the primary purposes of processing Personal Data by MacPaw are:
- to offer Software and related Services according to Terms of Service;
- optimisation of administrative work;
- for the proper function of Software;
- the optimisation and improvement of Software;
- marketing, analytics.
1.4. the primary purposes of processing Personal Data by You are:
- managing use of Devices in your organisation;
- creating and administrating an Account, granting access to Account;
- to overview how Members and Administrator use their Devices and installed third party software on Devices;
- to determine List of applications on Devices and how Members and Administrators use them on their Devices.
2. Each Party recognizes that Personal Data under this JCS includes: (i) Members; (ii) Administrator; (iii) Your Personal Data.
3. The Parties have agreed to allocate, in good faith, the obligations and liabilities of the processing of Personal Data, as follows:
RESPONSIBILITIES: JOINT PROCESSING OF PERSONAL DATA | |
Which Party is responsible for determining the legal basis for Joint Processing? | MacPaw and You according to the determined purposes of Personal Data processing |
Which Party primarily decided: The System to be used to provide the Products? the features of the System used for the Products? | MacPaw |
Which Party primarily determined the data categories to be processed? | MacPaw; You when sending an invitation to a relevant e-mail of a Member by indicating the said e-mail address at the Account |
Which Party determines means of processing of Data Subjects’ Personal Data via Software? | MacPaw decides on how Software is configured, the security measures implemented (such as data encryption), and the overall design and functionality; Member’s authentication processes; MacPaw and You together perform the completion of authentication process by Members and Administrator |
Which Party is primarily responsible for the management of any transfer of Personal Data, and for deciding which recipients are authorized to receive such data? | You |
Which Party is maintaining records of Members' and Administrator’s Personal Data? | You |
Which Party shall possess Members' and Administrator’s Personal Data processing when using Software? | You; MacPaw can delete some or all Members' and Administrator’s Personal Data upon request |
Which Party shall possess Your Personal Data processing when using Software? | MacPaw |
Which Party serves as a point of contact to exercise Members' and Administrator’s rights as Data Subjects under applicable laws? | You |
Which Party serves as a point of contact to exercise Your rights as Data Subject under applicable laws? | MacPaw |
Which Party is primarily responsible for: determining the security measures for the processing of Personal Data? the management of security measures for the processing of Personal Data? | MacPaw |
Which Party is primarily responsible for providing Privacy Notice to Member and Administrator of Organisation? | You; MacPaw is responsible for placing Privacy Notice in the Account settings and via Site |
Which Party is primarily responsible for hosting / storage of Personal Data? | MacPaw |
Which Party primarily determined the retention period for Personal Data to be processed? | MacPaw can process Personal Data for its purposes set forth herein and Privacy Notice; You can request MacPaw to delete Your Personal Data and Personal Data of Members and Administrator |
Which Party is responsible for: managing and responding to any security incident involving Personal Data processed under the Terms of Service? notifying the relevant authorities: where appropriate, notifying the data subjects of such a security incident? | MacPaw; You when processing Members' and Administrator’s Personal Data beyond the purposes set forth herein and Terms of Service |
Which Party is entitled to audit the other in respect of the processing of Personal Data under the Agreement? | You |
Which Party is required to notify the relevant data protection authority where there has been a Personal Data Breach? | The affected Party will notify the relevant data protection authority in the event of a Personal Data Breach unless the breach occurs solely within the scope of other Party’s operations. In such cases, the other Party will assume notification responsibilities. Both Parties will cooperate to ensure timely and accurate reporting |
INDEPENDENT PROCESSING OF PERSONAL DATA | |
Does either Party intend to undertake any further processing or intend to re-use the Personal Data for its own purpose (including for e.g. statistical / analytical / marketing and any such other independent purposes)? | MacPaw may process Personal Data for its purposes as set forth herein and Privacy Notice |