JOINT CONTROLLERSHIP ARRANGEMENT
This arrangement, made pursuant to Article 26 of the General Data Protection Regulation, forms an integral part of the Expert AI Coach Service Terms (hereinafter the "Agreement") between Move To Happiness Hub bv ("MTH") and the Expert.
1. Definitions
"General Data Protection Regulation" or "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
"Data Subject" means the identifiable natural person whose Personal Data are processed via the AI Coach, being the End User.
"Data Breach" means a breach of security of Personal Data leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed via the AI Coach.
"Privacy Legislation" means the full body of Belgian and European legislation applicable to data protection, including the GDPR.
"Sub-processor" means any third party engaged by MTH or the Expert to process personal data on their behalf in connection with the AI Coach.
"Supervisory Authority" means, in Belgium, the Data Protection Authority (Gegevensbeschermingsautoriteit – GBA).
2. Subject Matter and Context
2.1 MTH and the Expert act as joint controllers within the meaning of Article 26 GDPR for the personal data processed in the context of the AI Coach.
2.2 The joint controllership arises from the fact that both MTH and the Expert jointly determine the purposes and means of the processing of personal data via the AI Coach:
- MTH determines the technical means (Platform, AI Models, infrastructure) and processes personal data for the purpose of the operation of the Platform, account management, payment processing and platform analytics;
- The Expert determines the substantive purposes of the AI Coach (type of coaching, target audience, interaction model) and configures the Content that co-determines the nature of the personal data processing.
2.3 This arrangement sets out the respective responsibilities of MTH and the Expert with regard to compliance with the GDPR, in particular with regard to the exercise of the rights of Data Subjects and the obligation to inform Data Subjects.
3. Allocation of Responsibilities
MTH is responsible for:
- The technical security of the Platform and the AI Models, including encryption, access control and monitoring;
- The hosting and storage of personal data within the EEA (Azure infrastructure);
- Maintaining the record of processing activities for the platform-related processing operations (Article 30 GDPR);
- Notifying Data Breaches to the Supervisory Authority within 72 hours of becoming aware thereof, insofar as the Data Breach relates to the platform infrastructure;
- The technical implementation of Data Subject requests (access, rectification, erasure, data portability) via the Platform;
- The processing of payment data via Stripe Connect;
- The management of sub-processors engaged for platform services (hosting, AI infrastructure, payment processing);
- Informing Data Subjects about the processing of their personal data via the AI Coach, in particular through a privacy statement made available to End Users;
- Obtaining the required legal basis (in particular consent or legitimate interest) for the substantive processing operations via the AI Coach.
The Expert is responsible for:
- The substantive configuration of the AI Coach and its impact on the processing of personal data;
- Answering substantive questions from Data Subjects regarding the purpose and nature of the data processing via the AI Coach;
- Notifying MTH of any Data Breach that comes to the Expert's attention, without undue delay and no later than 24 hours after becoming aware thereof;
- Maintaining the record of processing activities for the processing operations for which the Expert determines the purposes (Article 30 GDPR);
- Compliance with the professional rules and codes of conduct applicable to the substantive service provision via the AI Coach.
4. Contact Point for Data Subjects
4.1 In accordance with Article 26(1) GDPR, the Parties designate MTH as the primary contact point for Data Subjects wishing to exercise their rights. Data Subjects may contact support@movetohappiness.com.
4.2 Notwithstanding the foregoing, the Data Subject retains the right to exercise his or her rights with respect to and against each controller separately, in accordance with Article 26(3) GDPR.
4.3 Where MTH receives a request from a Data Subject that relates in whole or in part to the substantive processing operations of the Expert, MTH shall notify the Expert thereof without undue delay. The Expert shall provide all cooperation necessary to respond to the request within the statutory time limits.
4.4 Where the Expert receives a request from a Data Subject directly, the Expert shall notify MTH thereof without undue delay. MTH shall provide the technical cooperation necessary to fulfil the request.
5. Categories of Personal Data
5.1 In the context of the AI Coach, the following categories of personal data may be processed:
Platform data (responsibility of MTH):
- Account data: name, email address, password (hashed);
- Payment data: via Stripe Connect (MTH does not store full payment card details);
- Technical data: IP address, device information, session data, log files.
AI Coach interaction data (joint responsibility):
- Conversation data: the content of conversations between the End User and the AI Coach;
- Usage data: frequency, duration and nature of interactions with the AI Coach;
- Health or wellbeing data: insofar as the End User voluntarily shares such data in the context of the coaching (special category, Article 9 GDPR).
5.2 Where the AI Coach involves the processing of special categories of personal data (in particular health data), the Parties are obliged to implement additional safeguards, including the explicit consent of the Data Subject and a data protection impact assessment (DPIA).
5.3 The Expert determines, through its configuration of the AI Coach, which categories of personal data are actually processed. The Expert is obliged to inform MTH in advance if the AI Coach is designed to process special categories of personal data.
6. Security
6.1 The Parties shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
6.2 MTH implements in particular the following security measures:
- Hosting within the EEA (Microsoft Azure);
- Encryption of data in transit (TLS 1.3) and at rest (AES-256, RSA HSM 2048-bit);
- Access control via Entra ID with single sign-on and multi-factor authentication;
- Continuous monitoring and logging of platform activities;
- Regular penetration tests and vulnerability assessments.
6.3 The Expert shall implement appropriate security measures for the systems and processes under its control, in particular with regard to access to the Expert account and the protection of Content containing personal data.
7. Sub-processors
7.1 MTH engages sub-processors for the delivery of the platform services. A current list of sub-processors is available via the Platform or upon request by the Expert.
7.2 MTH shall inform the Expert in advance of any intended changes to the list of sub-processors. The Expert has the right to raise a reasoned objection to a new sub-processor within thirty (30) calendar days of notification.
7.3 MTH shall conclude a data processing agreement with each sub-processor containing at least the same data protection obligations as this arrangement.
8. Data Breaches
8.1 In the event of a Data Breach, the Party that first becomes aware of the Data Breach shall inform the other Party without undue delay and no later than 24 hours after becoming aware thereof.
8.2 MTH bears responsibility for notifying the Data Breach to the Supervisory Authority in accordance with Article 33 GDPR, unless the Data Breach exclusively relates to processing operations for which the Expert is independently responsible.
8.3 The Parties shall provide each other with all necessary cooperation in investigating and remedying the Data Breach and in communicating with Data Subjects in accordance with Article 34 GDPR.
9. Data Protection Impact Assessment
9.1 Where a data protection impact assessment (DPIA) is required pursuant to Article 35 GDPR, the Parties shall carry it out jointly. MTH shall provide the technical input relating to the Platform and the AI Models; the Expert shall provide the input relating to the substantive purposes and the nature of the coaching.
9.2 The Parties shall consult each other in advance of any significant change in the processing that may require a new or supplementary DPIA.
10. International Transfers
10.1 Personal data are processed and stored by MTH within the European Economic Area (EEA).
10.2 Where the transfer of personal data outside the EEA is necessary (e.g. for specific sub-processors), such transfer shall take place exclusively on the basis of an adequacy decision of the European Commission or with the application of appropriate safeguards in accordance with Chapter V of the GDPR.
11. Retention Periods
11.1 Personal data shall not be retained longer than is necessary for the purposes for which they are processed.
11.2 Upon termination of the Agreement, the personal data of End Users shall be erased within ninety (90) calendar days, unless a statutory retention obligation applies. The Expert may request an export of the data prior to erasure.
12. Audit and Accountability
12.1 Each Party shall make available to the other Party all information necessary to demonstrate compliance with this arrangement.
12.2 The Expert has the right, upon prior written notice of at least thirty (30) calendar days, to have an audit carried out on the processing activities of MTH. Such audit shall be conducted by an independent third party bound by confidentiality obligations.
12.3 The costs of the audit shall be borne by the Expert, unless the audit reveals deficiencies attributable to MTH.
13. Duration
13.1 This arrangement shall enter into force on the Start Date of the Agreement and shall remain in force for as long as the Parties process personal data in the context of the AI Coach.
13.2 The obligations that by their nature are intended to survive termination shall continue to apply in full, in particular the obligations regarding confidentiality, security and cooperation in the