GDPR DPA Schedule A: Joint Controller Addendum (JCA)
Last updated: July 22, 2025
The Parties agree they will be Joint Controllers for certain processing activities within the meaning of Art. 26 GDPR, as further defined in the GDPR General Terms and this JCA. The Parties enter into this JCA in order to satisfy the legal requirements as Joint Controllers and to set forth both Party’s rights and obligations.
1. Roles of the Parties
1.1 Joint responsibility. The Parties are jointly responsible for the Joint Data Processing (Art. 26 GDPR) for the Processing Purposes as further described and set forth the GDPR General Terms. The Parties shall jointly determine the purposes and means regarding the Joint Data Processing as joint controllers as set out in this JCA.
1.2 Scope. Any processing for purposes outside the Joint Processing Purposes shall be conducted by the Parties as independent Controllers or an alternative arrangement and shall not be subject to this JCA.
2. Allocation of Responsibility
2.1 Notwithstanding the fact that the Parties act as joint Controllers with respect to the processing of the Personal Data for the Processing Purposes, as between the Parties, the following allocation of primary responsibilities shall apply (hereinafter the “Sphere of Responsibility”).
2.2 Publisher’s Sphere: The Publisher will implement its data collection subject to the obligations contained in the Agreement, including the DPA. The Publisher shall ensure that no tracking technologies are set on its digital properties, and no Personal Data collected during a data subject’s use of its digital properties, before the data subject has given its consent for data collection for the Processing Purposes in accordance with applicable European Data Protection Law. Further, the Publisher is responsible for any storage of Personal Data on its IT systems.
2.3 Adagio’s Sphere: Adagio will ensure that the transfer to and the storage of Personal Data on its IT systems is protected by sufficient technical and organizational measures. Further, any Personal Data generated by Adagio are generated on a valid legal basis (including consent, where required) that permits the processing of such Personal Data for the Processing Purposes by the Parties in accordance with applicable European Data Protection Law.
3. Publisher’s Obligations
3.1 Information and transparency. In its digital properties, the Publisher shall provide information in an easily accessible and meaningful manner and in accordance with applicable European Data Protection Law about the Joint Data Processing. This information shall include a link to Adagio’s privacy policy. Adagio shall provide the information required to fulfil these obligations. Information about the Joint Data Processing will reflect the choices made by the Parties in Section 2 of the GDPR General Terms concerning the applicability of Processing Purposes.
3.2 Legal basis. The Publisher enables data subjects to consent and as applicable, to object to, the Joint Data Processing in accordance with the available legal basis indicated by Adagio in TCF for each relevant Processing Purpose. If, according to TCF settings, Adagio gives the Publisher the option to carry out certain processing operations on the basis of consent as well as on the basis of legitimate interests, the choice of the legal basis is made by the Publisher.
3.3 Disclosure. The Publisher shall make available to the data subjects the essence of this Agreement as it relates to the Joint Data Processing, provided that Adagio may provide the Publisher with standard text to support the Publisher in fulfilling its obligation within the TCF settings. To the extent further disclosures are required under Article 26(2) GDPR, the Parties undertake to make the essence of the arrangement under this JCA available to the data subjects and shall cooperate in good faith to agree on the exact content and form.
3.4 Consent Requirements. Publisher must obtain consent for the Joint Data Processing, which must be:
(a) voluntary, specific, informed and unambiguous;
(b) not be a pre-condition for access to a service or the performance of a contract;
(c) identify Adagio as the recipient of the data;
(d) contain an easily recognisable reference to the option to refuse consent; and
(e) be obtained again in accordance with the applicable legal requirements of Applicable Data Protection Law, or the TCF; whichever time is shorter.
3.5 Documentation and proof. The Publisher shall document each consent and, on reasonable request of Adagio, provide Adagio with evidence of the consent without undue delay either in the form of a signal in a bid request or upon separate request (email shall suffice).
3.6 TCF. If the Publisher supports IAB TCF, the Publisher undertakes to comply with all applicable TCF terms, policies, and specifications. If Publisher does not use TCF, the Publisher has to ensure compliance with all provisions of this JCA, the DPA, and the Agreement through other measures.
4. Obligations of Adagio
Adagio shall:
(a) process the data collected in the course of Joint Data Processing only for the Processing Purposes;
(b) not subject data subjects to a decision based on automated processing including profiling (scoring) which produces legal effects in relation to the data subject or significantly affects him/her in a similar way (Art. 22 GDPR).
5. Data Subject Rights
5.1 Requests. Data subjects can exercise their rights against either Party. Each Party, where relevant with the reasonable assistance of the other Party, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under this JCA without undue delay and at the latest within one month of the receipt of the enquiry or request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. Each Party shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.
5.2 Withdrawal and objection. The Publisher will inform Adagio immediately about any withdrawal of a consent concerning the Joint Data Processing as well as any objection against the Joint Data Processing.
5.3 Support. Adagio is free to use standardised or automated methods to enable data subjects to exercise data subject rights. The Publisher shall use reasonable commercial endeavours to support such methods (e.g. by integrating a corresponding tool or opt-out link into the digital properties).
5.4 Notices. The Parties shall inform data subjects in a transparent and easily accessible format, through individual notice or on their website, of a contact point authorised to handle complaints. Each Party shall deal promptly with any complaints it receives from a data subject. In order to enable data subjects to effectively exercise their rights pursuant to the GDPR, the Parties shall inform them:
of its identity and contact details;
of the categories of personal data processed;
of the right to obtain a copy of the essence of the arrangements under this JCA;
where a Party intends to onward transfer the Personal Data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore.
Notwithstanding the foregoing, the above shall not apply where the data subject already has the information, including when such information has already been provided by one of the Parties, or providing the information proves impossible or would involve a disproportionate effort for the Parties. In the latter case, the Parties shall, to the extent possible, make the information publicly available.
6. Lawfulness of Data Processing
6.1 Each Party undertakes to ensure compliance of its processing of the Personal Data with GDPR and any other applicable European Data Protection Law. Personal Data shall be:
processed lawfully, fairly and in a transparent manner in relation to the data subject;
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
adequate, relevant and limited to what is necessary in relation to the Processing Purposes;
6.2 Either Party shall promptly inform the other Party if it is unable to comply with this JCA, for whatever reason. In the event that a Party is in breach of this JCA or unable to comply with this JCA, the other Party shall suspend the transfer of Personal Data to the noncompliant Party until compliance is again ensured or the Agreement is terminated.
7. Notification to Authorities and Data Subjects in Case of Data Breaches
7.1 In the event of a Data Breach concerning Personal Data processed by the Parties under this JCA, the Parties shall take appropriate measures to address the Data Breach, including measures to mitigate its possible adverse effects. Should a Data Breach occur with one Party, this Party will inform the other Party without undue delay and, where feasible, not later than 72 hours after having become aware of it. The Parties will cooperate with each other to minimize the impact of the Data Breach, and/or to remedy the Data Breach.
7.2 In case of a Data Breach that is likely to result in a risk to the rights and freedoms of natural persons, the Parties shall without undue delay notify both the other Party and the competent supervisory authority pursuant to this JCA. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the Parties to provide all the information at the same time, it may do so in phases without undue further delay.
7.3 As between the Parties, the Party in whose area of responsibility the data breach has occurred shall take the lead in handling any data breaches including the communication with the supervisory authorities and shall coordinate with the other Party accordingly as required to ensure compliance with the GDPR and any other applicable law.
8. Engagement of Processors
Whenever a Party wishes to commission a processor for the processing of the Personal Data for the Processing Purposes under this JCA, the Party retaining the processor undertakes to conclude a data processing agreement in accordance with Article 28 GDPR.
9. Storage Limitation and Retention
9.1 Each Party undertakes to comply with the principle of storage limitation as per Art. 5 (1)(e) GDPR.
9.2 The Parties shall retain the personal data for no longer than necessary for the Processing Purposes for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymization of the data and all back-ups at the end of the retention period.
9.3 The Parties shall independently ensure that they comply with all statutory retention obligations in relation to the Personal Data. This applies in particular in the event of termination of this JCA.
10. Data security and Information
10.1 Data security. Both Parties maintain appropriate technical and organisational security measures in their respective areas of responsibility to ensure a level of protection appropriate to the risk (Art. 32 GDPR).
10.2 Records of Processing Activities. The Parties shall each keep separate records of processing activities with respect to the Joint Data Processing. The Parties shall make such documentation available to the competent supervisory authority on request.
10.3 Information. If a claim is made against one of the Parties, alleging that the Joint Data Processing is unlawful in whole or in part, this Party shall inform the other Party without undue delay.
11. Liability
The Parties are jointly and severally liable in relation to affected data subjects for any damage caused in the course of Joint Data Processing by processing that does not comply with applicable European Data Protection Law. A Party shall be exempted from liability if it proves that it is in no way responsible in any way for the circumstance by which the damage occurred (Art. 82 GDPR).