PixelAdmin Logo
Legal

Joint Controllership Agreement for AI Model Training

This agreement outlines the distribution of responsibilities between the parties regarding data processing for training and improving AI models, in accordance with GDPR Article 26.

Last updated:June 17, 2025

1. Parties

Data Controller 1 is the customer using the PixelAdmin service (“Customer” or “Data Controller 1”).

Data Controller 2 is PixelAdmin ApS, CVR no. 45447588, Falkoner Alle 90, 2000 Frederiksberg, Denmark (“PixelAdmin” or “Data Controller 2”).

This joint controllership agreement (the “Agreement”) is entered into between Data Controller 1 and Data Controller 2 (collectively the “Parties”) and is an addendum to PixelAdmin’s Terms of Service and Data Processing Agreement.

2. Purpose, Scope, and Applicability

This Agreement establishes the allocation of responsibilities between the Parties for the specific processing activity of using Customer Content to train and improve PixelAdmin's artificial intelligence (AI) models. For all other processing activities where PixelAdmin processes data on behalf of the Customer, PixelAdmin acts as a Data Processor as described in the Data Processing Agreement.

In accordance with Article 26 of the GDPR, joint controllership exists when two or more controllers jointly determine the purposes and means of processing. The purpose of this Agreement is to transparently establish the Parties' respective responsibilities for complying with GDPR obligations for the specified processing activity.

The essence of the arrangement shall be made available to the data subjects. Irrespective of the terms of the arrangement, data subjects may exercise their rights under the GDPR in respect of and against each of the controllers.

This Agreement is an integral part of PixelAdmin’s Terms of Service and applies exclusively to customers subject to the EU General Data Protection Regulation (GDPR). The rights and obligations herein apply solely to processing activities involving personal data of data subjects within the European Union (EU) and the European Economic Area (EEA).

3. Overall distribution of responsibilities

Data Controller 1 (Customer) is responsible for the initial collection of personal data and for maintaining a valid legal basis for uploading Content to the Service. This includes informing data subjects about the processing. The Customer is the direct point of contact for data subjects.

Data Controller 2 (PixelAdmin) is responsible for providing the Service and for the subsequent technical processing of data within the Service, including data security, system integrity, and technical infrastructure.

4. Principles and Legal Basis for Processing

The Customer (Data Controller 1) is responsible for securing and documenting a valid legal basis for the collection and transfer of personal data to the Service.

Both Parties are individually responsible for complying with the principles relating to processing of personal data (Article 5 of the GDPR) within their respective areas of responsibility.

5. Data subject rights

To ensure a clear and practical process for data subjects, responsibility for facilitating data subject rights is allocated as follows:

The Customer (Data Controller 1) as the party with direct contact with data subjects, is primarily responsible for handling:

  • Information obligations upon collection of personal data (Articles 13 and 14).
  • The data subject's right of access (Article 15).
  • Right to rectification (Article 16).
  • Right to erasure (Article 17).
  • Right to object to processing (Article 21).

PixelAdmin (Data Controller 2) is responsible for handling requests related to the technical platform:

  • Right to restriction of processing (Article 18).
  • Right to data portability (Article 20).

The Parties are obligated to assist one another. If a Party receives a request that falls under the other Party's responsibility, the request must be forwarded without undue delay. The Customer is designated as the central point of contact for data subjects, and will route requests to PixelAdmin as needed.

6. Processing Security

Both Parties are responsible for implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Articles 24, 25, and 32 of the GDPR.

PixelAdmin (Data Controller 2) is specifically responsible for the security of the technical platform and infrastructure. These measures are detailed in Appendix C of the Data Processing Agreement.

The Customer (Data Controller 1) is responsible for the security of its own systems and for secure behavior when using the Service (e.g., password management).

7. Use of Data Processors

Each Party is responsible for the data processors they engage. PixelAdmin's use of sub-processors to deliver the Service is governed by the Data Processing Agreement.

8. Records of Processing Activities

Each Party is responsible for maintaining a record of processing activities carried out under its responsibility, in accordance with Article 30 of the GDPR.

9. Personal Data Breach

In the event of a personal data breach, the Party that discovers the breach is responsible for notifying the other Party without undue delay.

PixelAdmin (Data Controller 2) is responsible for notifying the competent supervisory authority (the Danish Data Protection Agency) of the breach in accordance with Article 33 of the GDPR.

The Customer (Data Controller 1) is responsible for notifying the affected data subjects of the breach in accordance with Article 34 of the GDPR, with assistance from PixelAdmin.

10. Data Protection Impact Assessment (DPIA)

PixelAdmin (Data Controller 2) is responsible for conducting a Data Protection Impact Assessment (DPIA) for the Service in accordance with Article 35 of the GDPR, and for consulting the supervisory authority if required.

11. International Transfers

Any transfer of personal data to third countries must comply with Chapter V of the GDPR. PixelAdmin is responsible for securing a valid transfer mechanism for such transfers, as outlined in the Data Processing Agreement.

12. Complaints

The Parties are individually responsible for handling any complaints from data subjects regarding violations of the GDPR provisions for which the Party is responsible under this Agreement. Complaints shall be forwarded to the relevant Party as necessary.

13. Effective Date and Termination

This Agreement enters into force upon the Customer's acceptance of the Terms of Service.

This agreement remains valid as long as the processing occurs or until it is replaced by a new agreement.