Pursuant to Article 28 of Regulation EU 2016/679 dated 27 April 2016 (hereinafter, the “Regulation”), the User who subscribes to the General Conditions (hereinafter, the “User” or “Data Controller”),
Given the above, the User hereby appoints the Supplier as the External Data Processor for the processing of Personal Data to be carried out under the Contract, in the manner and within the limits specified below.
In this letter of appointment (hereinafter, the “Appointment” or “DPA”), capitalized terms have the meaning given to them by the Applicable Law. The following terms have the following meanings:
“Applicable Law” means the Regulation, as well as any other personal data protection legislation applicable in Italy, whether already in force or entering into force after this Appointment takes effect, including the provisions of the Italian Data Protection Authority (Garante per la protezione dei dati personali) issued in implementation of the Code;
“Security Measures” means the measures intended to protect Personal Data from accidental or unlawful destruction or loss, alteration, disclosure or unauthorized access, as provided for in Article 32 of the Regulation;
“Sub-Supplier” (or “Sub-Processor”) means any natural or legal person that carries out activities on behalf of the Supplier involving the processing of Personal Data belonging to the User.
2. Obligations of the Parties
2.1 Obligations of the Supplier
2.1.1 Processing purposes
The Supplier, as Data Processor, undertakes to:
2.1.2 Security measures
The Supplier undertakes to correctly implement the Security Measures and any other security measure prescribed by the Applicable Law, taking into account the state of the art and the costs of implementation.
Taking into account technical and technological progress, the nature of the data and the characteristics of the processing, the Supplier undertakes to implement Security Measures that minimize the risks of deliberate or accidental destruction or loss of Personal Data, of unauthorized access, and of processing in violation of the law.
2.1.3 Authorized persons
The Supplier agrees to:
2.1.4 Rights of the data subjects
The Supplier must ensure the effective exercise of the rights recognized by the Applicable Law to the Data Subjects, by undertaking to promptly notify the User of any request to exercise such rights presented by one of the Data Subjects and to enclose a copy of the request.
The Supplier undertakes to cooperate with the User to ensure that the requests to exercise the rights mentioned above, including objections to processing, are met within the time limits and in the manner required by law and, more generally, to ensure full compliance with the Applicable Law.
2.1.5 Data communication and transfer abroad
The Supplier shall not exercise autonomous control over the Personal Data and undertakes to refrain from disseminating or communicating such data to third parties, unless expressly provided for in the Contract or authorized by the User in writing, and in any case in compliance with the information provided to the data subjects and any consents they may have given for the different processing purposes.
In the event of transfer of Personal Data outside the territory of the European Economic Area (EEA), the Supplier undertakes to ensure that such transfer takes place in compliance with the guarantees set forth in Chapter V of the Regulation.
If the Supplier intends to entrust a Sub-Supplier with all or part of the performance of the Contract, and this is permitted by the Contract or authorized by the User, the Supplier shall first notify the User whether the Sub-Supplier will process Personal Data of which the User is the Data Controller.
If so, the User may directly appoint the authorized Sub-Supplier as its Data Processor, or the User may authorize the Supplier to appoint the Sub-Supplier by a deed of appointment substantially equivalent to this DPA.
Verification activities involving any Sub-Supplier shall be conducted in accordance with the Sub-Suppliers’ access rules and security policies.
In Sub-Annex 2 of this DPA, the User and the Supplier list the approved Sub-Suppliers as of the date of the signing of this DPA.
2.2 Obligations of the Controller
2.2.1 The User represents and warrants that any mode of collection of personal data processed under this DPA:
2.2.2 Having particular regard to Article 2.2.1 above, the User guarantees and expressly declares that it will ensure that:
The Supplier acknowledges that, in compliance with Article 28 of the Regulation, the User may periodically assess the activities carried out, in order to verify compliance with the organizational, technical and security measures prescribed by the Applicable Law or issued by the User as Controller.
The User will also have the right to access the offices, computers, other IT systems and documents of the Supplier and its Sub-Suppliers, where this is deemed necessary to verify that the Supplier or its Sub-Supplier acts in compliance with the obligations agreed under this DPA.
Before accessing the Supplier’s or a Sub-Supplier’s premises, the User shall give the Supplier written notice of at least 7 working days. The User expressly acknowledges and accepts that the costs of any verification referred to in this article will be at its sole expense.
Nothing contained in this DPA presupposes Supplier’s consent to disclosure to the User, as well as User’s access to:
4. Statements and guarantees of the Supplier
The Supplier states and warrants that it is aware of the obligations assumed under the Applicable Law as a result of its appointment as Data Processor, and that it has the experience, skills and professionalism required to perform this function.
Without prejudice to what was established in the Contract, the Supplier will carry out its function as Data Processor without payment, unless otherwise agreed with the User.
This Appointment takes effect starting from the validity date of the Contract and will remain in force until the date on which the Contract is terminated, regardless of the cause for termination.
If the Contract is terminated for whatever reason, the Supplier will return the Personal Data in its possession to the User and will delete any copies thereof. Upon the User’s request and at its full discretion, the Supplier must alternatively delete the Personal Data in its possession, giving written confirmation to the User without delay, unless the retention of data is required by law.
The personal data processed concern the following categories of data subjects:
The personal data processed concern the following data categories:
Special categories of personal data (if applicable)
The personal data processed concern the following special categories of data:
There is no processing of special categories of data.
The personal data processed fall under the following basic processing activities:
Below are the name, address and services provided of each Sub-Processor authorized at the date of signature of this DPA. The updated list of authorized Sub-Processors shall be maintained by the Supplier for internal record-keeping purposes, and any changes shall be notified: