DATA PROCESSING AGREEMENT
1.1 The Parties expressly acknowledge and accept that, with reference to the processing of Personal Data, the Company performs the role of Data Controller. As such, it is solely responsible for the correctness and legitimacy of the Personal Data, for its use under the Contract and the legitimacy of the methods with which such data was acquired.
1.2 The Company appoints the Supplier, pursuant to Article 28 of the GDPR, as Data Processor for the Personal Data processing connected to the provision of the Services.
- Scope of the data processing
The purpose of the Personal Data processing by the Supplier is the provision of the Services under the Contract. The nature of the data processing, the type of Personal Data processed and the categories of Data Subjects are better described in Annex 1: Scope of the data processing.
- General obligations of the Data Processor
3.1 The Personal Data shall be processed by the Data Processor in accordance with applicable rules on the processing of personal data, with this Data Processing Agreement, with any reasonable instructions received in writing by the Company, provided that these instructions are consistent with the terms of this Data Processing Agreement, and only and exclusively insofar as this is strictly necessary for the provision of the Services covered by the Contract, expressly excluding any other and different use.
3.2 The only possible exception from the prohibition referred to in the preceding paragraph 3.1 is the existence of a legal obligation, or the reasoned request by an Administrative or judicial authority, including the Supervisory Authorities (hereinafter: “Authority”), in which case the Data Processor, within the limits permitted by law or by the Authority’s provisions, shall inform the Company of its need to process the Personal Data differently or outside the limits of the provisions set out in this Data Processing Agreement.
3.3 It is expressly understood that the Personal Data under the ownership of the Company:
- shall not be disclosed, even in part, to third parties, without the Company’s written consent;
- may not be transferred, for any reason whatsoever, outside the European Economic Area, without the Company’s prior written consent. For all such transfers, the Data Processor will apply Company’s instructions.
3.4 The Data Processor undertakes to create, update and transmit to the Company, upon written request from the latter, the register of data processing activities carried out by the Data Processor on behalf of the Company, including all the information required by law.
- Security-related obligations
4.1 The Data Processor shall adopt and maintain suitable technical and organisational measures to protect the security, confidentiality and integrity of the Personal Data, taking into account, inter alia, of the type of data processing, the purposes, the context and the specific circumstances in which the data processing takes place, as well as the applicable technology and implementation costs.
4.2 The Data Processor undertakes to adopt the necessary physical, organisational and logical measures referred to in Annex 2: Security measures. These measures may be changed only on condition that a security level which is at least equivalent to that existing at the time this Data Processing Agreement is signed, is maintained.
4.3 Any developments and/or changes of security measures, to be applied during the Contract to address the changing needs of the Company and/or due to changes and updates to applicable legislation on the protection of personal data, including changes and updates needed for the purpose of adapting to the provisions of the Regulation, shall be adopted and implemented by the Supplier and/or its subcontractors, at the Company’s responsibility and expense and upon express request and indication by the latter, as well as on the basis of an impact assessment which shall be its responsibility to carry out as Data Controller, if necessary with the collaboration of the Supplier.
- Sersons authorised to process the data
5.1 Without prejudice to the provisions of Article 12 below, the Data Processor guarantees that access to the Personal Data shall be limited to its own employees and collaborators, whose access to the Personal Data is necessary for the execution of the relevant Services and on condition that the individuals involved are appropriately instructed with regard to the processing of Personal Data and to the technical and organisational security measures required to protect the Personal Data.
5.2 The Data Processor shall also be required to attend to their training, monitor their actions and, on specific request, provide the Company with an updated list of said employees and collaborators.
- Personal Data Breaches (so-called “Data Breach”)
The Data Processor undertakes to inform the Data Controller, without undue delay, of any security breach, which may involve the accidental or illicit destruction, loss, modification, unauthorised disclosure or access to Personal Data transmitted, stored or otherwise processed, as well as to provide all necessary support to the Data Controller concerning the fulfilment of its obligation to notify the aforementioned breaches to the Authority, pursuant to Article 33 of the GDPR or to communicate them to the data subjects, pursuant to Article 34 of the GDPR.
- Impact assessment (so-called “Data Protection Impact Assessment”)
The Data Processor undertakes to provide the Data Controller with each and every element useful to the latter for the purpose of carrying out the impact assessment on data protection, where it is required to carry out such an assessment pursuant to Article 35 of the Regulation, as well as all necessary collaboration in carrying out any prior consultation with the Italian Data Protection Authority, pursuant to Article 36 of the same Regulation.
- Obligations concerning the Provision of the Italian Data Protection Authority of 27 November 2008 concerning System Administrators (for the processing of personal data covered by Italian legislation)
This section is applicable when at least one of the following conditions is met: i) to Italian Companies engaging Italian/non-Italian Suppliers for System Administrators activities; ii) to non-Italian Companies engaging Italian Suppliers for System Administrators activities.
The Supplier undertakes to comply with the General Provision of the Italian Data Protection Authority of 27 November 2008 “Measures and mechanisms required from data controllers of data processed using electronic means with regard to system administrator duties”, as amended by the subsequent Provision of 25 June 2009 on “Amendments to the Provision of 27 November 2008 containing requirements for data controllers of data processed using electronic means with regard to system administrator duties and the extension of deadlines for their fulfilment”, as potentially amended or replaced by the same Italian Data Protection Authority, and any other relevant provision of the Authority.
In particular, the supplier undertakes to:
- designate as system administrators the professional figures dedicated to the management and maintenance of processing systems or their components with which Personal Data processing is carried out;
- draft and maintain a list containing the identification details of the individuals qualified as system administrators and the functions assigned to them;
- transmit the updated list of system administrators to the Data Controller upon express request by this latter;
- audit the work of system administrators on an annual basis, informing the Data Controller on the findings of such audits;
- keep log files in accordance with the provisions of the aforesaid measure.
- Relations with the Authorities
The Data Processor, at the Data Controller’s request, undertakes to assist the latter in the event of defence proceedings before the Supervisory Authority or the Judicial Authority, including by allowing the prompt presentation of privacy forms and supporting documents which fall within the competence of the Data Processor.
- Requests from data subjects/interested parties
10.1 To the extent permitted by law, the Data Processor shall inform the Company of any request received from a data subject to exercise his/her rights of access, modification, limitation of data processing, deletion, portability of data, opposition to the processing of data or the right not to be subject to decision-making processes based solely on automated processing, attaching a copy of the request to the communication.
10.2 In view of the nature of the data processing, the Data Processor shall assist the Company by way of appropriate technical and organisational measures, to the extent possible, in the fulfilment of the Company’s obligation to respond to requests from data subjects, in compliance with applicable standards.
10.3 It is expressly understood that the Data Processor shall not follow up on requests received pursuant to the preceding paragraph 10.1, without the prior written consent of the Company.
- additional obligations
11.1 The Data Processor shall provide the Data Controller with all the information needed to demonstrate compliance with the obligations laid down in the applicable legislation and/or the Data Controller’s instructions referred to in this Data Processing Agreement; moreover, it shall allow the Data Controller to exercise the appropriate control and inspection powers, providing all reasonable collaboration in the audit activities carried out by the Data Controller or by another body appointed or authorised by it, which shall not be a competing company of the Data Processor, with the aim of verifying the fulfilment of the obligations and instructions referred to in this Data Processing Agreement. It is understood that any audit conducted pursuant to this paragraph 11.1 shall be carried out in such a way as not to interfere with the Data Processor’s normal course of business and by providing at least 20 working days prior notice.
11.2 The Data Processor undertakes to:
- collaborate, if requested by the Company, with other Data Processors, in order to harmonise and coordinate the end-to-end data processing process;
- promptly inform the Data Controller of any issues that are relevant for legal purposes and in particular, by way of example and without limitation, in cases where it becomes aware, in any way, that applicable legislation on personal data protection has been breached, or that the data processing presents specific risks to the rights, the fundamental freedoms and/or the dignity of the data subject, and if, in its opinion, an instruction violates national or European Community legislation on data protection.
- Sub-Data Processors
12.1 The Supplier may use additional Data Processors to process the Personal Data owned by the Company (hereinafter: “Sub-Data Processors”), only if the Company has given its prior written consent. It is hereby noted that the subcontracting of the service or part thereof is authorised in relation to the companies of the Data Processor’s Group.
12.2 The Data Processor undertakes to impose in writing to its Sub-Data Processors, by way of appropriate binding agreements, the same obligations regarding the protection of Personal Data with which the Data Processor is required to comply by virtue of this Data Processing Agreement, in particular with regard to security requirements.
12.3 The Data Processor expressly undertakes to inform the Company of any changes concerning the addition or replacement of the Sub-Data Processors; moreover, the Company shall have the right to oppose these changes, communicating its objection in writing within 15 (fifteen) calendar days from the Data Processor’s notification. The Data Processor shall not resort to the Sub-Data Processors to which the Company has objected. In the absence of any objections by the Company, the changes shall be deemed to have been accepted.
12.4 It is expressly understood that the Data Processor shall remain directly accountable to the Company with regard to the actions and omissions of its Sub-Data Processors.
The Data Processor shall be liable for all damages resulting from breaches of or non-compliance with the instructions referred to in this Data Processing Agreement, any subsequent ones transmitted in writing by the Company, as well as with the provisions of the GDPR specifically directed to the Data Processor, within the limits of 100% of the value of the Services Contract. It is understood that under no circumstances shall the Data Processor, and more generally any company belonging to the Data Processor’s Group, as well as its agents, employees and/or authorised representatives, be liable to the Company for: (i) any indirect, incidental, special, punitive and/or consequential damage of any kind; (ii) any lost profits (whether direct or indirect); (iii) any loss of income (direct or indirect); or (iv) any damage to the latter’s reputation, in connection with or arising out of this Contract.
- return and deletion of personal data
Upon the expiry of the Contract and/or termination of the Services or, in any case, in the event of termination, for any reason, of the effectiveness of this Data Processing Agreement, except where a legal obligation or national and/or Community regulation exists that foresees the retention of the Personal Data, the Data Processor shall interrupt all data processing operations relating to the Personal Data in question and provide, at the Data Controller’s discretion, for the immediate return of Personal Data to the same or for its full deletion, in both cases, providing a written statement that no copy thereof is held by the Data Processor. In the event of a written request by the Data Controller, the Data Processor shall specify the technical mechanisms and procedures used for the deletion/destruction of the data.
This Data Processing Agreement shall be effective from the date on which it is signed by the Parties and shall be valid until the termination of the Contract for any reason and/or, in any case, of the Services, or until the premature termination for any reason by the Data Controller, it being understood that, even after termination of the Contract or Services or revocation thereof, the Data Processor shall maintain the maximum confidentiality of the data and information relating to the Data Controller of which it has became aware while fulfilling its obligations.
- data protection officer (so-called “DPO”)
The Data Processor shall appoint a Data Protection Officer, pursuant to Article 37 of the GDPR and undertakes to inform the Company of such appointment.
Based on the activities supplied, as applicable to the purpose of the Contract, the Data Processor and any authorised Sub-Data Processors, shall respect the following security measures.
- Asset management: where the service offered by the Supplier provides for the management of IT assets, an inventory of the assets used for the data processing and a list of the types of data processed shall be defined and maintained.
- At the end of the working relationship and in the case of the reuse, disposal or sale of electronic devices or storage media to third parties, procedures for the secure deletion and destruction of data processed on behalf of the Company shall be provided for, in agreement with the Data Controller (e.g. demagnetisation or physical destruction). Secure disposal modes shall also be adopted for paper documentation.
- Physical security: adequate security measures shall be adopted where activities conducted on behalf of the Company are carried out at the Supplier’s premises.
- Logical access control: the processing of unauthorised information shall be prevented through the definition of correct user access methods. If the Supplier requires access to the Company’s resources, within the context of the activities it performs, it shall comply with the authorisation procedures defined by the Company in question. If the Supplier has the power to autonomously manage users, within the scope of the service offered:
- Access to the information shall be restricted through the adoption of appropriate technical and organisational controls.
- Access to the information and resources shall be restricted according to the principles of: “need to know1”; “least privilege2”; “separation of duties3”, where possible.
- A user identification and authentication process must be implemented to access data stored in the various systems and the relevant authorisations must be configured in compliance with the principles of the previous point.
- System administrator users with special privileges must be managed with particular care and in compliance with applicable legal provisions.
- A user management process that includes all stages of the credential life cycle, from creation to deactivation, must be defined and documented.
- Policies for managing passwords, which provide mechanisms for changing passwords and ensuring the complexity thereof must be adopted. Passwords must be stored and transmitted securely.
- Infrastructure systems must be appropriately protected and segregated, whenever possible, so as to minimise the possibility of unauthorised logical access. Particular attention shall be given to systems that have connections with the outside world.
- Operational management of systems, networks and telecommunications: within the context of information systems management carried out on behalf of the Company, where provided for contractually, an adequate level of information system security shall be ensured during the operating phase, in order to adequately protect the data processed.
- Appropriate measures shall be taken to ensure the prevention and detection of potentially harmful software (e.g. viruses, malware, etc.).
- Plans and procedures must be defined for managing operating system, software and data backups, where such activities are planned.
- The constant monitoring of patches released for the systems used must be guaranteed; moreover, a process must be defined for evaluating and, if deemed necessary, applying the new security patches.
- The network must be appropriately designed to ensure that data is protected. IT systems used and maintained within the scope of the activities carried out for the Company must be protected at perimeter level, from any unauthorised access.
- Development, maintenance and acquisition of IT systems: IT systems (applications, operating systems, middleware, etc.), must be developed or acquired and maintained over time, in such a way as to preserve the confidentiality, integrity and availability of data.
- Where the services provided by the Supplier concern design and development activities, security requirements shall be appropriately considered, implemented and verified, including in accordance with the principles of Privacy by design/by default.
- Security measures adopted in the case of subcontracting If authorised by the Company, the subcontracting of activities must be conducted ensuring that the security requirements that govern the relationships are correctly defined and respected.
- Security incident management In the event of an incident, the prompt detection, communication to the Company and, if applicable, the management of any damage or impact, shall be guaranteed in the shortest time possible, including in agreement with what has been defined in the Data Breach Notification process.