Agreement Between  Joint Controllers

In connection with the joint administration of data among entities within the EXTREGO capital group, we inform you that:

1. Each of the Joint Controllers is independently obliged to:
2. fulfill the informational obligations specified in Articles 13 and 14 of the GDPR, in the scope in which they collect or acquire individual categories of personal data, regardless of the purpose and method of further processing;
3. obtain consents for the processing of personal data from the persons concerned;
4. grant authorizations to process personal data to their employees;
5. continuously monitor and update data in the registers indicated in paragraph 1;
6. enter into agreements with Processors processing data on behalf of and on the order of a given Joint Controller and issue current instructions to the Processors.
7. The data subject may exercise their rights under the GDPR against each of the Joint Controllers, as well as direct requests in this regard to the joint contact point mentioned below. In cases where the data subject directs a request to exercise a right at the address of a Joint Controller who, according to the agreement, is not obligated to handle the request of that person, such Joint Controller shall immediately forward the directed request to the appropriate Joint Controller.
8. The Joint Controllers have decided that each Data Protection Officer appointed by EXTREGO Sp. z o.o. will be the contact point for:
9. The President of the Personal Data Protection Office as mentioned in Art. 39(1)(e) of the GDPR;
10. Individuals whose personal data are processed by any of the Joint Controllers. Contact with the Data Protection Officer is possible electronically via the contact form available at the email: rodo@extrego.com or at the address: Świlcza 146E, 36-072 Świlcza.
11. The Joint Controllers bear joint responsibility for:
12. Implementing the fundamental principles of personal data processing in accordance with Article 5 of the GDPR;
13. Preparing templates of technical and organizational measures included in the Data Protection Policy;
14. Conducting periodic reviews of the measures referred to in point b) above and updating them;
15. Incorporating data protection at the design phase and implementing technical and organizational measures allowing for default protection of personal data in accordance with Article 25 of the GDPR;
16. Reporting personal data breaches to the supervisory authority in accordance with Article 33 of the GDPR; notifying the data subject about a personal data breach in accordance with Article 34 of the GDPR;
17. Conducting an assessment of the impacts of planned processing operations on the protection of personal data before starting processing in accordance with Article 35 of the GDPR;
18. Consulting with the supervisory authority before starting processing if the impact assessment for data protection mentioned in point e) indicates that processing would involve a high risk according to Article 36 of the GDPR.
19. In cases where a personal data breach may result in a high risk to the rights and freedoms of natural persons, each of the Joint Controllers is required to notify the data subject of such a breach without undue delay.