This Joint Data-Controllership Addendum (“Addendum”) is entered into by and between Revealense Ltd. (“Revealense”, “Company”) and the Joint-Controller using the Company’s software-as-a-service cloud-based deep tech solution for assessment of individuals’ neurofeedback based on video footage, bio-feedback reactions and emotion-feedback reactions (the “Platform” and the “Joint-Controller”, respectively).

WHEREAS, in order to account for the implications of the provision of the Platform on the parties’ interrelated activities on processing personal data pursuant to applicable data protection and privacy law, the Joint-Controller and the Company desire to introduce the following understandings and arrangements which determine the rights and obligations of the parties for the joint processing of personal data, in accordance with Art. 26 of the GDPR;

THEREFORE, the parties have agreed as follows:

  1. Definitions. Capitalized terms not defined in this Addendum shall have the meaning ascribed to them in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
  2. Scope. This Addendum applies to the parties’ jointly-coordinated collection and Processing of Personal Data in the context of the Platform. With respect to other areas of Processing the same or other Personal Data (such as those performed outside the scope of the Platform or those subsequently performed by a party for its own independent purposes), where the parties do not jointly determine the purposes and means of data processing, each party is an independent controller pursuant to Article 4(7) of the GDPR.
  3. Nature of Joint-Controllership
    1. In the context of joint controllership, the Joint-Controller influences the Processing of Personal Data due to: (a) its determination of the overall purpose of Processing in its election to use the Platform; (b) the determination of the Data Subjects from which Personal Data is collected and Processed; and (c) the content Data Subjects interact and engage with, that triggers the production of Personal Data to be collected and Processed.
    2. In the context of joint controllership, Revealense influences the Processing in determining: (a) which Personal Data the Platform needs to Process in order to operate properly; (b) the purposes for which the Platform is designed; and (c) how to analyze and Process the Personal Data as per the Platform’s unique algorithm.
    3. The Processing concerns the following categories of Personal Data:
      1. Identity of the data subject; written or oral statements and physical reactions as captured by the Platform; neurofeedback data; the assessment reports and other related data regarding Data Subjects that the Platform generates based on the above (“Assessment Data”).
      2. The frequency of the Platform, interaction with the Platform’s user interface, the performance of the Platform when used by the Joint-Controller, the Platform’s compatibility and interoperability (“Service Data”).
    4. The Processing concerns the following purposes and legal bases, and shall not be processed and used except as follows, unless legally required:
      1. Processing Assessment Data for use by the Joint-Controller shall be based on the Data Subject’s explicit consent.
      2. Processing Service Data for the Company shall be based on the Data Subject’s explicit consent.
  4. Compliance. Each party shall ensure compliance with the legal provisions of the GDPR, particularly in regard to the lawfulness of Processing under joint-controllership. Both parties shall ensure that only Personal Data which are necessary for the legitimate conduct of the Processing are collected and agree to observe the principle of data minimization within the meaning of Article 5(1)(c) of the GDPR.
  5. Notice to Data Subjects.
    1. Joint-Controller bears the sole and exclusive liability for obtaining Data Subject’s informed and express consent to Processing of their Personal Data for each of the purposes indicated above, prior to collecting their Personal Data through the Service. In doing so, Joint-Controller shall:
      1. Inform Data Subjects that their Personal Data will be transferred to the Company for the purposes of providing Joint-Controller with the Assessment Data;
      2. Seek End Users’ separate consent (and record such consent), prior to them engaging with the Assessment Tools, to transfer their Personal Data to Revealense and process it for the purpose of improving and enhancing the Service. To obtain such consent, Joint-Controller shall present to End Users an unticked checkbox with the following text: “I acknowledge that in the process of assessing my answers to the questionnaire/exam/test, [Joint-Controller name] utilizes the services of Revealense Ltd., a third-party neurofeedback assessment service. I hereby consent to the processing of my personal data by Revealense Ltd. for the purpose of improving and enhancing their service, in a manner that will not directly identify me.”

        An End User will be considered to have assented to the above when they check this checkbox prior to commencing their assessment process.

      3. Joint-Controller shall be solely responsible for determining the terms and conditions for obtaining consent from End Users and the circumstances under which such consent is lawful, according to applicable laws. Joint-Controller shall only use End Users’ Personal Data under those circumstances.
    2. Data Subject Requests. The parties shall take all necessary technical and organizational measures to ensure that the rights of Data Subjects, in particular those pursuant to Articles 12 to 22 GDPR, are guaranteed at all times within the statutory time limits. To this end:
      1. The Company shall store personal data in a structured, commonly used, and machine-readable format.
      2. Because the GDPR provides that the data subject may exercise their rights under Articles 15 to 22 GDPR against each of the parties, if one party receives a Data Subject request concerning the joint-controllership Processing described in this Addendum, it shall communicate that request to the other party as soon as possible.
      3. Unless otherwise agreed by the parties in a particular case, the Joint-Controller shall be responsible for handling the Data Subject’s request and for responding to and communicating with the Data Subject regarding their request, insofar as it concerns the joint-controllership Processing described in this Addendum. The Joint-Controller shall also verify the Data Subject’s identity before substantively addressing their request.
      4. If Personal Data are to be deleted at the request of a Data Subject, the parties shall inform each other in advance. A party may object to the deletion for a legitimate interest, for example, if there is a legal obligation to retain the data set for deletion.
      5. The parties shall cooperate and provide each other with the necessary information regarding their respective Processing activities to allow for the proper handling of Data Subject requests.
    3. Errors and Omissions. The parties shall inform each other immediately if they become aware of any material errors or suspected issues regarding their data protection obligations concerning the joint-controllership Processing described in this Addendum.
    4. Personal Data Breach. Both parties are obliged to inform their applicable Supervisory Authority and the Data Subjects affected by a Personal Data Breach in accordance with Articles 33 and 34 of the GDPR concerning the joint-controllership Processing described in this Addendum. The parties shall inform each other about any such notification to the Supervisory Authority without undue delay, and to the extent practicable, in advance thereof. The parties also agree to forward the information required for the notification to one another without undue delay.
    5. Data Protection Impact Assessment. If a data protection impact assessment pursuant to Article 35 of the GDPR is required, the parties shall provide reasonable support to each other.
    6. Documents
      1. Documentation within the meaning of Article 5(2) of the GDPR, which serves as proof of proper Personal Data Processing, shall be archived by each party beyond the end of the contract in accordance with legal provisions and obligations.
      2. Each party shall include the joint-controllership Processing described in this Addendum in the records of processing activities pursuant to Article 30(1) of the GDPR, in particular, with a comment on the nature of the Processing operation as one of joint responsibility.
    7. Confidentiality. The parties shall ensure that all employees authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with Articles 28(3), 29, and 32 of the GDPR for the duration of their employment, as well as after termination of their employment. The parties shall also ensure that they observe the confidentiality provisions prior to taking up their duties and are familiarized with the data protection legislation and rules relevant to them.
    8. Data Security. The parties shall independently ensure that they are able to comply with all existing storage obligations with regard to the Personal Data for each of their storage activities. For this purpose, they must each implement appropriate technical and organizational measures (Article 32 et seq. of the GDPR).
    9. Data Protection By Design and By Default. The implementation, default-setting, and operation of the systems shall be carried out in compliance with the requirements of the GDPR and other regulations. In particular, compliance with the principles of data protection by design and data protection by default will be achieved through the implementation of appropriate technological and organizational measures corresponding to the state of the art.
    10. Cross-Border Data Transfer.

      The Company and the Joint Controller will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors recognized by an adequacy decision of the European Commission, as providing an adequate level of protection for Personal Data pursuant to Articles 45 or 46 of the GDPR, or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Model Clauses).

    11. Processors
      1. Each party undertakes to conclude a contract pursuant to Article 28 of the GDPR with regard to its use of Processors in the Processing of the Personal Data that the party administers.
    12. Precedence. In the event of any conflicting stipulations between this Addendum and the Agreement or any other agreement in place between the parties, this Addendum shall prevail but only to the extent the conflicting stipulations directly relate to the joint-controllership Processing described in this Addendum.
    13. Disputes. The dispute resolution and governing law provisions of the Agreement shall apply to this Addendum as well.
    14. Liability. The parties’ respective liabilities to each other shall be as specified in the Agreement.
    15. Survival. All provisions of this Addendum which by their nature and purposes should persist following termination of the Agreement shall survive and shall continue to apply after the expiry or termination of the Agreement between the parties, insofar as a party continues to hold Personal Data applicable to the joint-controllership Processing described in this Addendum.