Pursuant to Article 28 of Regulation EU 2016/679 dated 27 April 2016 (hereinafter, the “Regulation”), you, as the end user of services (hereinafter referred to as “User”)
Given the above, the User hereby
The Company as the External Data Processor for the processing of Personal Data to be carried out according to the Contract and in the manner and within the limits specified below.
In this letter of appointment (hereinafter, the “Appointment” or “DPA”) the terms whose first letter is written in capital letters have the same meaning as defined by the Applicable Law. The following words have the following meanings:
“Sub-supplier” (or “Sub-Processor”), natural or legal persons who carry out their business for the Company by dealing with Personal Data belonging to the User;
“Applicable Law” the Regulation, as well as any other personal data protection legislation applicable in Italy, already in force or that will enter into force after this Appointment comes into force, including the provisions of the Data Protection Authorities issued in implementation of the Regulation;
“Safety Measures” are measures intended to protect personal data from accidental or illegal destruction or loss, alteration, disclosure or unauthorized access, as provided for in art. 32 of the Regulation.
2. Obligations of the Parties
2.1 Obligations of the Company
2.1.1 Processing purposes
The Company, as Data Processor, is committed to:
The Company undertakes to correctly implement the Security Measures and any other security measure prescribed by the Applicable Law, taking into account the state of the art and the costs of implementation.
Also based on new solutions provided by technical and technological progress, and taking into account the nature of the data and the characteristics of the processing, the Company undertakes to implement Security Measures to minimize the potential risks of destruction or voluntary or accidental loss of Personal Data, unauthorized access or processing in violation of the law.
The Company agrees to:
The Company must ensure the effective exercise of the rights recognized by the Applicable Law to the Data Subjects, by undertaking to promptly notify the User of any request to exercise such rights presented by one of the Data Subjects and to enclose a copy of the request.
The Company undertakes to cooperate with the User to ensure that the requests for exercising the rights abovementioned, including requests for objection to processing, are met within the times and according to the law and, more generally, to ensure full compliance with the Applicable Law.
The Company cannot exercise independent control of the Personal Data, and refrains from disclosing or communicating this data to third parties, unless expressly authorized by the Contract, or by the User in writing, and in any case in compliance with the provisions of the information statement provided to the Data Subject and with the consents, if expressed, in relation to the different purposes of processing.
If the Company intends to entrust to a Sub-Supplier in whole or in part the execution of the Contract, and this is permitted by the Contract or authorized by the User, he must previously inform the latter if his Sub-Supplier will process Personal Data of which the User is the Data Controller.
In this case, the User may directly appoint the authorized Subcontractor as its own Data Processor, or the User may authorize the Company to appoint the Sub-Supplier with an appointment deed substantially equivalent to this DPA.
In Annex 2, the User and the Company report the Sub-Suppliers approved at the date of signing this DPA.
2.2.2 The Controller declares and guarantees that any form of collection of personal data processed under this DPA:
a) contains a clear privacy notice, simple to understand but at the same time complete and compliant with Applicable Law, and that:
it is easily usable by the interested parties;
identifies the methods for collecting and using the personal data obtained;
b) offers to the data subjects the opportunity to remain excluded from such collection and use of such personal data;
c) provides for the obtaining of all the consents of the data subjects, to which the personal data refer, as required by the Applicable Law.
a) the data subjects have given the Data Controller consent to the processing of their data through a free, specific, informed and unequivocal manifestation of will, for each purpose of the processing covered by the DPA.
b) the data were collected by the Data Controller according to the principles of correctness and lawfulness and for purposes corresponding to those for which they are processed under the DPA.
The Company acknowledges that, in compliance with art. 28 of the Regulations, the User may periodically assess the activities carried out, in order to verify compliance with the organizational, technical and safety measures prescribed by the Applicable Law or issued by the User as Controller.
The User will also have the right to access offices, computers and other IT systems / documents of the Company and its Sub-Suppliers, where this is deemed necessary to verify that the Company or its Sub-Supplier acts in compliance with the obligations agreed in virtue of this DPA.
In the event of access to the Company’s or Sub-Supplier’s premises by the User, it will be required to give the Company written notice of at least 7 working days. The User expressly recognizes and accepts that any costs of any verification referred to in this article will be at its sole expense.
Nothing contained in this DPA presupposes Company’s consent to disclosure to the User, as well as User’s access to:
The Company states and ensures that it is aware of the obligations assumed under the Applicable Law as a result of the appointment as Data Processor, and to have the required experience, skills and professionalism to perform this function.
The Company declares that it has not identified the Data protection Officer (DPO), as it is not subject to the obligation of designation provided for by Article 37 of the Regulation, and confirms the aforementioned declaration with a letter signed by its legal representative attached to this DPA.
Without prejudice to what was established in the Contract, the Company will carry out its function as Data Processor without payment, unless otherwise agreed with the User.
This Appointment takes effect starting from the validity date of the Contract and will remain in force until the date on which the Contract is terminated, regardless of the cause for termination.
If the Contract is terminated for whatever reason, the Company will return the Personal Data in its possession to the User and will delete any copies thereof. Upon the User’s request and at its full discretion, the Company must alternatively delete the Personal Data in its possession, giving written confirmation to the User without delay, unless the retention of data is required by law.
The personal data processed concern the following categories of data subjects:
The personal data processed concern the following data categories:
The personal data processed fall under the following basic processing activities: