Information on joint responsibility pursuant to Art. 26 (2) sentence 2 of the General Data Protection Regulation (GDPR)

What is the reason for shared responsibility?

Within the framework of the joint use of a CRM system (Customer Relationship Management), EFAFLEX (hereinafter referred to as Party 1) and its sales representatives (hereinafter referred to as Party 2) work closely together. This also concerns the processing of your personal data. The parties have jointly determined the order in which this data is processed in the individual process stages. They are therefore jointly responsible for the protection of your personal data within the process stages described below (Art. 26 DS-GVO).

For which process stages is there joint responsibility?

In a CRM system, the joint processing of personal data takes place primarily for the purpose of making offers and maintaining customer or business relationships. Both parties are allowed to create, modify or view this personal data in the context of lead, opportunity and contact management.

What have the parties agreed?

Within the scope of their joint responsibility under data protection law, Party 1 and Party 2 have agreed which of them fulfils which obligations under the GDPR. This concerns in particular the exercise of the rights of the data subjects and the fulfilment of the information obligations pursuant to Articles 13 and 14 of the GDPR.

This agreement is necessary because personal data is processed in the central CRM system in different process sections and systems operated by either Party 1 or Party 2.

SectionProcess section / EDP system  Fulfilment of duties through
1Operation of the central CRM system incl. the communication facilities invented for this purpose (network, active network components, firewall, VPN gateway) in the premises of party 1.Party 1
2Processing of personal data in the central CRM systemParty 1 and Party 2
3Operation of the IT systems (workstation computer. laptop, network components) of party 2 required for communication with the central CRM system.Party 2

What does this mean for those affected?

Even if there is joint responsibility, the parties shall fulfil the obligations under data protection law in accordance with their respective responsibilities for the individual process stages as follows:

  • Within the framework of joint responsibility, the
  • Party 1 is responsible for processing the personal data in Sections 1 and 2; and
  • Party 2 is responsible for processing the personal data in Sections 2 and 3.
  • Party 1 and Party 2 shall make the information required under Articles 13 and 14 of the GDPR available to data subjects free of charge in a precise, transparent, comprehensible and easily accessible form in clear and simple language. In doing so, each party shall provide the other party with all necessary information from its sphere of influence.
  • The parties shall inform each other without delay of legal positions asserted by data subjects. They shall provide each other with all information necessary to respond to requests for information.
  • Data protection rights can be asserted both at party 1 and party 2. As a rule, data subjects receive the information from the body where the rights were asserted.