This Joint Controllership Agreement (the “JCA”) defines the regulation of the relationship between Prestatech GmbH (the “Company”, “we”, “us” or “our”) and you (the “User”, “You” or "Yours") regarding the processing of Applicants’ personal data by both the Company and You. The JCA supplements but isn´t a part of the Terms and Conditions (hereinafter “T&C”), which governs your use of the Finioo (“Service”).

Definitions

The definitions used in the T&C and in the Privacy Policy also apply to this JCA.

“Joint controller” means the natural or legal person which jointly with other controllers determines the purposes and means of the processing of personal data. In the context of this JCA and in the T&C, this means either the Company or You, together identified also as “Joint controllers”.

“Personal data” means any information relating to a data subject, namely an identified or identifiable natural personal, included in the Finioo Report and in the Site.

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

General provisions

When processing personal data of Applicants, parties shall respect the obligations set forth in this JCA and in the applicable laws and regulations. The Company and You may act as the Joint controllers of the following personal data of Applicants (“Applicant Information” as further elaborated in the Privacy Policy):

• Identifying and registration data collected during the use of the webapp.
• Information about the Applicant’s current and potential housing situation.
• Information about the Applicant’s financial and professional situation.
• Other information as provided in the Finioo Report.

• for the User, to process (e.g. store, use, delete, etc.) the Application Information in the form of the Finioo Report within the Site and outside the Site (e.g. hard copies print outs, back-ups of the files in the User storages). 
• for the Company, the purpose is reported in the T&C, the Privacy Policy and the Terms and Conditions for the Tenants.

Representations and Warranties

Each party undertakes to implement appropriate technical and organizational measures that complies with applicable laws and regulations designed to:

• ensure and protect the security, integrity and confidentiality of the Application Information, and
• protect the Application Information against any unauthorized processing, loss, use, disclosure or acquisition of or access.

Also, each Joint Controller ensures that the Application Information is accurate and undertakes to notify the other Joint Controller with undue delay if it becomes aware of inaccuracies in the Application Information.

You hereby represent and warrant that:

• you will inform us of any Applicants’ complaints, claims or requests related to the respective Application Information,
• you will fulfil all data subjects’ requests related to the processing of personal data as specified herein without undue delay and according to your capacity; whether your capacity does not allow to fulfil the particular data subject’s request, you will undertake best possible efforts to facilitate the fulfilment of such request,
• you will inform us of any complaints, claims or requests from supervisory authority related to the respective Application Information and will not undertake any actions in this regard without the approval of the Company,
• you will promptly and properly deal with all inquiries from the Company regarding the processing of the Application Information,
• you will promptly notify the Company of the commencement of any litigation or proceedings against the Company or any of its officers/employees/contractors etc. in connection with the processing of the Application Information,
• you apply the appropriate security measures to protect the Application Information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation.

The Company fully relies on the representations and warranties provided above during the processing of the Application Information as specified hereunder.

You agree to indemnify and hold harmless the Company and each of its directors, officers, employees, contractors and any other relevant person, against any loss, liability, claim, damages or expense (including the reasonable cost of investigating or defending any alleged loss, liability, claim, damages, or expense and reasonable counsel fees incurred in connection therewith) arising, including without limitation by reason of:

• any actions or omissions committed by you, your directors, officers, employees, contractors or any related person,
• violation of any representations or warranties specified afore,
• filing complaints regarding the processing of the Application Information as specified hereunder regardless whether such complaints were filed by the Applicant(s) or not, and
• decisions of a supervisory authority that cannot be directly imputable to Us.

Data subjects rights

Each Joint Controller acknowledges the data subjects’ rights as specified in the relevant section (“Your Rights”) of the Privacy Policy, and also summarizes below:

• Withdrawal of Consent: Individuals have the right to withdraw their consent for data processing at any time.
• Objection to Processing: They have the right to object to the processing of their data, especially when the processing is based on legal grounds other than consent.
• Access to Data: Individuals can check if their data is being processed by the Controller, obtain information about the processing, and receive a copy of their data in a structured, machine-readable format.
• Verification and Rectification: They have the right to verify the accuracy of their data and request corrections or updates if necessary.
• Restriction of Data Processing: Individuals can request a restriction on the processing of their data, meaning it won't be used for any purpose other than storage.
• Data Deletion: They can request the erasure or removal of their data.
• Data Portability: Individuals have the right to receive their data in a structured, machine-readable format and, if possible, have it transferred to another data controller without hindrance.
• Filing a Complaint: They can file a complaint with the relevant data protection authority, depending on their location.

Requests of applicants

Each Joint Controller undertakes to inform the other Joint Controller without undue delay if receives any complaint, claim or request from an Applicant regarding the use of the respective Application Information.

You warrant to fulfil all data subjects’ requests related to the processing of personal data as specified herein without undue delay and according to your capacity. Provided that your capacity does not allow you to fulfil the particular data subject’s request, you will undertake best possible efforts to facilitate the fulfilment of such request.

Data Retention

The Company will make unavailable to You the Finioo Reports within 3 months from the Application Information submission. In the case you have stored the Application Information elsewhere, You commit to permanently delete and/or destroy the information after the lapse of such period.

Data breaches

In the event of a data breach, the affected party will immediately notify the other party and take necessary measures to mitigate the breach's impact. Both parties will cooperate to notify the relevant authorities and affected data subjects within 72 hours of becoming aware of the breach. The notification to the other party must include: (a) breach date, (b) the description and the magnitude of the breach, (c) The type of personal data affected, (d) the description of the actions taken to mitigate breach, (e) the status of breach investigation, and (f) the planned actions moving forward.

Right to audit

Each Joint Controller has the right to audit the other's data processing activities for compliance with data protection laws and this JCA. Audits may be conducted at reasonable intervals with prior notice and during business hours to minimize disruption. Audit findings will be treated confidentially and used solely for compliance purposes. Costs are borne by the auditing party unless non-compliance is found, shifting costs to the audited party.

Resolutions of disputes and claims related to personal data

If an Applicant, the data protection authority or any other person brings a dispute or claim concerning the processing of the Application Information against the Company or both parties, the Joint Controllers will inform each other about such disputes or claims and will cooperate with each other as far as permitted by the applicable laws and regulations.

Contacts

For any communication related this JCA, the Company can be contacted via the contact information reported in the T&C. For the Joint Controller, the main contact provided at sign-up of the service is the main contact with reference to this agreement, unless differently provided by You.

Term, Termination, duration and survival

This JCA will take effect when you tick the box “By registering, I accept the Terms and Conditions of the Service and the Joint Controller Agreement. Furthermore, I have read and understood the Privacy Policy.”. The termination of the JCA, on the other hand, takes place when there is no T&C in effect, and there is no processing activity involving the Application Information for You. For sake of clarity, the obligations set forth in this JCA shall survive the expiration or termination (for whatever reason) of the T&C for as long as the processing of the Application Information will take place and/or is still in place for You.

Final provisions

The JCA was originally drafted in German language. In case of contradictions or ambiguities between the German version and translations into other languages, the German version shall prevail.

If any provision of this JCA is or becomes invalid or unenforceable, the validity of the remaining provisions shall not be affected. The invalid or unenforceable provision shall be replaced by such valid and enforceable provision that comes closest to the economic purpose of the invalid or unenforceable provision. The same applies in case this JCA proves to be incomplete.

The headings in this JCA are for convenience only and have no legal significance.