Joint controllership arrangement between country entities and PNO Holding
Joint Data Controllership Arrangement
Between
Data controller 1
Each of the companies listed in appendix 1
And
Data controller 2
PNO Holding A/S
Company Registration Number 26 10 14 09
Århusgade 118
2150 Nordhavn
Denmark
Each a “party” and collectively, the “parties”
January 2026
1 Joint Controllership
This arrangement sets out the division of responsibilities between Data controller 1 and Data controller 2 in relation to the processing of personal data in the context of the PNO platform for equipment management (“the Platform”) and related processing, such as analysis of data derived from the platform.
1.1
According to Article 26 of the General Data Protection Regulation, joint Data controllership exists when two or more Data controllers jointly determine the purposes and means of the processing.
In the case of joint Data controllership, the joint Data controllers shall determine in a transparent manner their respective responsibilities for compliance with the obligations under the General Data Protection Regulation, in particular to exercise the data subject’s rights and their respective obligations to provide the information referred to in Articles 13 and 14, by means of an arrangement between them, unless and to the extent that the respective responsibilities of the Data controllers are laid down in Union or Member States’ national law to which the Data controllers are subject.
The arrangement shall, in accordance with Article 26(2) of the General Data Protection Regulation, duly reflect the respective roles of the joint data controllers and their relationship with the data subjects. The main content of the arrangement must also be made available to data subjects.
However, regardless of the terms of the arrangement, the data subject may exercise their rights under the General Data Protection Regulation with regard to and against the individual data controller.
Similarly, the “internal” division of responsibilities in the joint data controller arrangement does not prevent the supervisory authority from exercising its powers in relation to both Data controller 1 and Data controller 2.
1.2
Data controller 1 and Data controller 2 agree that they are joint data controllers in the context of administration of lease agreements and related property. In assessing this, account has been taken, inter alia, of the following factual circumstances:
- Data controller 1 is providing leasing of trailers and is the contractual counterparty of the respective lessees in the leasing contracts.
- Data controller 2 is providing a common platform for management of equipment (“the Platform”), which is used by each of the legal entities listed as Data controller 1 and offered by each of these legal entities to their respective customers.
- User-IDs for the Platform and related contact information for users at Data controller 1 and users at lessees are managed by the legal entity holding the customer relationship (a Data controller 1 legal entity) jointly with Data controller 2.
- Data controller 2 is deriving knowledge from analysis of non-personal information from customers of all of the legal entities listed as Data controller 1 and using this information to help optimize the business of all Data controller 1 legal entities.
- The activities of the parties in relation to the platform and the data processed through the platform as well as the purposes for which this data is processed are inextricably linked.
1.3
This arrangement is designed to enable Data controller 1 and Data controller 2 to comply with the joint liability requirements of Article 26 of the General Data Protection Regulation. The arrangement sets out the respective responsibilities of Data controller 1 and Data controller 2 to comply with the obligations of the General Data Protection Regulation, in particular to exercise the data subject’s rights and the obligation to provide the information referred to in Articles 13 and 14.
1.4
With respect to all processing activities not defined in clause 2.2 below, each Party is an independent controller within the meaning of Article 4 No. 7 of the General Data Protection Regulation.
2 Overall allocation of responsibilities
2.1
Each Party acknowledges and confirms that they will observe all applicable requirements of data protection laws including the GDPR, particularly with regard to the lawfulness of the joint processing operations, and the terms of this Arrangement, irrespective of the allocation of responsibilities agreed on in this arrangement.
2.2
The Parties have determined the following processing activities as further described in their respective privacy notices:
| Processing activity | Purpose of processing | Categories of processed data |
|---|---|---|
| Management of user information | Creating, maintaining and discontinuing user profiles with related user information | User-ID; Name; Company; Email address |
| Documentation of events | Check-in and check-out of equipment | User-ID; Time and location for check-in or check-out of a specified trailer |
| Management of workflow | Ensuring and documenting communication about equipment between different stakeholders, such as the respective PNO leasing entities (Data controller 1), lessees and garages | User-ID; Information about specific equipment (non-personal data) |
2.3
The Parties shall store the personal data in a structured common and machine-readable format.
2.4
The Parties safeguard that only personal data is collected that is necessary for the legitimate handling of the respective process.
3 Principles and legal basis
3.1
Data controller 2 is responsible for ensuring that all processing activities are in compliance with the fundamental principles as set out in article 5 of the General Data Protection Regulation, and that there is a valid legal basis for any and all processing activities.
3.2
Data controller 1 and Data controller 2 are both responsible for complying with the Principles for the Processing of Personal Data to the extent that the rules apply to the Data controller’s responsibilities under this arrangement.
4 Rights of data subjects
4.1
Data controller 1 fulfils the information obligations towards the data subjects pursuant to Articles 13 and 14 of the General Data Protection Regulation for the joint processing operations and takes the appropriate and necessary measures for this purpose. This also includes information on the transfer of personal data subject to this arrangement to data processors and third parties.
4.2
Data controller 1 fulfils the information and notification obligations under Articles 15 to 22 of the General Data Protection Regulation for the joint processing operations and takes the appropriate and necessary measures to ensure compliance with the following rules of the General Data Protection Regulation:
- the obligation to provide information when collecting personal data from the data subject,
- the obligation to provide further information if personal data have not been collected from the data subject,
- the data subject’s right of access,
- the data subject’s right of rectification,
- the right to erasure (right to be forgotten),
- the data subject’s right to restriction of processing,
- the obligation to provide information in relation to the rectification or erasure of personal data or the restriction of processing,
- the data subject’s right to data portability (except for public authorities);
- the data subject’s right to object to processing; and
- the data subject’s right to withdraw consent.
4.3
All practical handling of requests from data subjects shall be taken care of by Data controller 2.
4.4
If Data controller 1 receives a request or an enquiry from a data subject, it shall be transmitted to Data controller 2 for reply as soon as possible.
4.5
Both Parties shall be responsible for assisting each other to the extent appropriate and necessary for both Parties to comply with their obligations to data subjects.
5 Security of processing and documentation of compliance with the General Data Protection Regulation
5.1
Data controller 2 will be responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that the processing is in compliance with the General Data Protection Regulation, taking into account the nature, scope, context and purposes of the processing involved, as well as the risks of varying degrees of likelihood and severity for the rights and freedoms of natural persons. The measures shall be documented, reviewed and updated as necessary (Article 24(1) sentence 2 of the General Data Protection Regulation). This may involve, for example, Data controller 2 establishing procedures for dealing with security breaches, access requests or compliance with the obligation to provide information.
5.2
The measures shall include, where proportionate to the processing activities, the implementation of appropriate data protection policies.
5.3
Data controller 2 shall be responsible for compliance with the data protection by design and data protection by default rule of Article 25 of the General Data Protection Regulation.
5.4
Data controller 2 is responsible for complying with the requirement of Article 32 of the General Data Protection Regulation on security of processing. This implies that Data controller 2, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing operation concerned, as well as the risks of varying probability and severity to the rights and freedoms of natural persons, implements appropriate technical and organisational measures to ensure a level of security appropriate to those risks.
Data controller 2 shall carry out and document a risk assessment and then implement measures to mitigate the identified risks.
6 Use of data processors and sub-processors
6.1
Data controller 2 is entitled to use data processors and sub-processors in connection with the joint processing operation.
6.2
In the event of the use of processors and/or sub-processors, Data controller 2 shall be responsible for complying with the requirements of Article 28 of the General Data Protection Regulation. Accordingly, Data controller 2 shall, inter alia:
- use only processors that can provide the necessary guarantees that they implement appropriate technical and organizational measures in such a way as to ensure that processing complies with the requirements of this Regulation and safeguards the rights of the data subject,
- ensure that a valid data processing arrangement is in place between Data controller 2 and the processor; and
- ensure that there is a valid sub-processor arrangement between the processor and any sub-processor.
6.3
Data controller 1 shall be informed, upon request, whether the personal data is processed by processors and, where applicable, sub-processors of Data controller 2.
6.4
If personal data is processed by data processors and, where applicable, sub-processors, Data controller 1 shall be informed, upon request, of the content of the arrangements between Data controller 2 and the processor/sub-processor.
7 Records of processing activities
7.1
Data controller 2 shall be responsible for complying with the requirement of Article 30 of the General Data Protection Regulation on records of processing activities. This implies that Data controller 2 shall establish a record of the processing activities for which the Parties are joint controllers in respect of the associated processing of personal data.
7.2
Data controller 2 shall inform Data controller 1 of the content of the above record.
7.3
Data controller 1 shall establish – based on the contents of the Data controller 2 record – their own record of the processing activities covered by the arrangement.
8 Notification of personal data breaches to the supervisory authority
8.1
Data controller 2 shall be responsible for compliance with Article 33 of the General Data Protection Regulation on the notification of personal data breaches to the supervisory authority for all data breaches, regardless of where they appear.
9 Communication of personal data breaches to the data subject
9.1
Data controller 2 shall be responsible for compliance with Article 34 of the General Data Protection Regulation regarding the communication of personal data breaches to the data subject.
10 Data protection impact assessment and prior consultation
10.1
Data controller 2 shall be responsible for compliance with the requirement of Article 35 of the General Data Protection Regulation on data protection impact assessments. This implies that, where a type of processing, in particular using new technologies and by virtue of its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons, Data controller 2 shall, prior to the processing, carry out an analysis of the implications of the envisaged processing activities for the protection of personal data.
10.2
Data controller 2 shall also comply with the requirement of Article 36 of the General Data Protection Regulation to consult the supervisory authority in advance, where appropriate, including provision of the necessary information to the authority under Article 36(3) of the General Data Protection Regulation.
11 Transfer of personal data to third countries or international organizations
11.1
Data controller 2 may decide that personal data may be transferred to third countries or international organizations.
11.2
Data controller 2 shall be responsible for compliance with the requirements of Chapter V of the General Data Protection Regulation in the event of transfers of personal data to third countries or international organizations.
12 Complaints
12.1
The Parties shall each be responsible for handling any complaints from data subjects, if the complaints relate to a breach of the provisions of the General Data Protection Regulation, for which the Party is responsible under this arrangement.
12.2
If one of the Parties receives a complaint, which should rightly be dealt with by the other Party, the complaint shall be forwarded to that controller as soon as possible.
12.3
If one of the Parties receives a complaint, part of which should rightly be dealt with by the other Party, that part shall be forwarded to the Party for reply as soon as possible.
12.4
The data subject shall be informed of the essential content of this arrangement when one Party forwards a complaint or part thereof to the other Party.
13 Informing the other Party
13.1
The Parties shall inform each other of, and liaise with each other on, any material facts affecting the joint processing operation and this arrangement.
14 Regulation of other matters
14.1
Data controller 2 shall handle all practical matters in relation to processing of personal data subject to this Joint Data Controllership Arrangement, whether specifically described in the above clauses or not.
14.2
Data controller 2 shall be responsible for ensuring that all processing activities carried out under this Joint Data Controllership Arrangement are carried out in a manner that is compliant with the General Data Protection Regulation, including that documentation necessary to ensure compliance with the General Data Protection Regulation is produced.
15 Entry into force and termination
15.1
This Joint Data Controllership Arrangement shall enter into force upon signature by both Parties hereto.
15.2
The Joint Data Controllership Arrangement shall remain in force for as long as the personal data concerned are processed or until it is replaced by a new arrangement laying down the division of responsibilities in relation to the processing.
15.3
Signature
| On behalf of [Data controller 1] | On behalf of [Data controller 2] |
|---|---|
| See separate signature page (next page) | ___________________________ Name: ______________________ Position: ____________________ Date: ______________________ |
Data controller 1 signatures
| Company | Date | To |
|---|---|---|
| PNO Denmark A/S, Company Registration Number: 29173982, Mossvej 17, 8700 Horsens, Denmark | Name: Signature: | |
| PNO Deutschland GmbH, Company no.: 15 245 00093, Friesenweg 10, 22763 Hamburg, Germany | Name: Signature: | |
| PNO Nederland B.V., Company Registration Number: 70338132, Horsterweg 74C, 597ING Grubbenvorst, Netherlands | Name: Signature: | |
| PNO Norge AS, Company no.: 995955733, Hasleveien 28A, 0571 Oslo, Norway | Name: Signature: | |
| PNO Polska sp. z.o.o., Company no.: 0000956885, ul. Promienista 132, Poznań 60-142, Poland | Name: Signature: | |
| PNO Sverige AB, Org. no.: 556472-9027, Stenbrovägen 48, 253 68 Helsingborg, Sweden | Name: Signature: | |
| PNO Trailer Oy, Company no.: 0824553-9, Kervovägen 507, 04150 Martinkylä, Finland | Name: Signature: | |
Appendix 1 – companies each acting as data controller 1
| Company | From | To |
|---|---|---|
| PNO Denmark A/S, Company Registration Number: 29173982, Mossvej 17, 8700 Horsens, Denmark | 1. January 2026 | |
| PNO Deutschland GmbH, Company no.: 15 245 00093, Friesenweg 10, 22763 Hamburg, Germany | 1. January 2026 | |
| PNO Nederland B.V., Company Registration Number: 70338132, Horsterweg 74C, 597ING Grubbenvorst, Netherlands | 1. January 2026 | |
| PNO Norge AS, Company no.: 995955733, Hasleveien 28A, 0571 Oslo, Norway | 1. January 2026 | |
| PNO Polska sp. z.o.o., Company no.: 0000956885, ul. Promienista 132, Poznań 60-142, Poland | 1. January 2026 | |
| PNO Sverige AB, Org. no.: 556472-9027, Stenbrovägen 48, 253 68 Helsingborg, Sweden | 1. January 2026 | |
| PNO Trailer Oy, Company no.: 0824553-9, Kervovägen 507, 04150 Martinkylä, Finland | 1. January 2026 | |

