DATA PROCESSING AGREEMENT
(Regulation (EU) 2016/679)
Digitalsoft Srl represented by its legal representative whose VAT number is 02144030695, whose registered office is in Chieti (CH), Via De Virgiliis, 2/4 – 66100, Tel. +39 0871 090000 e-mail firstname.lastname@example.org (hereinafter referred to as the “Data Processor”).
The subject designated in the contract of d-onenext as Company/Customer (hereinafter referred to as the “Data Controller”), (hereinafter jointly referred to as the “Parties”).
1- Should the Data Controller entrust personal data processing to an external entity, the latter shall be appointed as Data Processor, pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27 2016, related to the protection of natural persons with regard to the personal data processing and the free movement of such data (General Data Protection Regulation – hereinafter also “GDPR”);
2- The Data Controller signed a contract with the Data Processor for the supply of d-onenext service and/or SCOOP portal (hereinafter the “Contract”);
3- The Data Processor provides sufficient guarantees in terms of expert knowledge, reliability and resources, to implement technical and organisational measures in compliance with the provisions of this Regulation, with regard to the personal data processing.
4- With this contract (hereinafter “Appointment”) the Data Controller wants to regulate the methods of personal data processing entrusted to the Data Processor in the performance of the Contract.
This being said, the parties agree as follows:
1. Scope of the Appointment
1.1. The Data Controller hereby entrusts to the Data Processor the processing of personal data which are necessary for the execution of the activities provided for in the Contract.
1.2. The data processing entrusted to the Data Processor shall concern the personal data relating to customers and suppliers of the Data Controller, by way of non-exhaustive example: Tax Code and other identification numbers; Name, address, or other identification details; E-mail address; Province of residence.
1.3. Any activity executed to fulfill the Contract and not concerning the personal data processing is excluded from this Appointment.
2. Data Processor Obligations
2.1. The Data Processor undertakes to execute, on behalf of the Data Controller, the sole processing operations necessary for the execution of the activities set forth in the Contract to the extent permissible, in compliance with the Privacy Code, the European Regulation (hereinafter also “Legislation on the processing of personal data”) and the instructions set out below.
2.2. The Data Processor shall set up its internal organisation in order to meet the specific needs of protection of personal data and shall process the personal data of the Data Controller in compliance with the following instructions:
a) The Data Processor carries out only the processing of personal data which are necessary to fulfill the Contract;
b) The Data Processor may not disclose personal data to a third party in any way and may not use personal data for other purposes and, in any case, it maintains complete confidentiality of the data processed and of the methods of processing carried out;
c) The Data Processor may not transfer data to a non-EU country, and, if necessary, it informs the Data Controller of the solutions adopted in compliance with regulatory requirements;
d) The Data Processor adopts the proper technical and organisational measures to ensure adequate protection of the data provided by the Data Controller, pursuant to the requirements of Article 32 GDPR and subsequent amendments and additions. In particular, the Data Processor undertakes to implement technical and organisational measures to ensure an appropriate level of security in consideration of the risks that may arise from destruction, loss, alteration, unauthorised disclosure or accidental or unlawful access to personal data processed.
The main security measures adopted by the Processor are listed in the GDPR section of the website www.digitalsoft.com;
e) The Data Processor periodically checks the adequacy of security measures, assessing whether changes in processing activity require different and more appropriate security measures;
f) The Data Processor adequately trains the persons operating under its authority who have access to the personal data. Such persons shall commit themselves to confidentiality;
g) The Data Processor communicates to the Data Controller, as soon as it has knowledge of it, any personal data breach, including suspected personal data breaches or security incidents from which such violations may result;
h) The Data Processor assists the Data Controller in order to fulfill the latter’s obligation to respond to requests for the exercise of the data subject’s rights;
i) If required, the Data Processor shall cooperate with the Data Controller to carry out the impact assessment of the processing operations by considering the need for any prior consultation of the Supervisory Authority;
l) The Data Processor makes available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down herein and allows for and contributes to audits, including inspections, conducted by the Data Controller or another entity mandated by the latter or by the Supervisory Authority;
m) In the event of termination of the Contract, the Data Processor proceeds to the cancellation or return to the Data Controller of all personal data processed in the context of the performance of the Contract.
3. Recourse to other Processors
3.1. The Data Controller authorizes the Data Processor, in the performance of this Appointment, to have recourse to other data processors. The Data Processor guarantees that the contract signed with any subprocessor provides for obligations similar to those arising from this contract. Therefore, the Data Processor shall be responsible for the actions, omissions or non-compliance of its subprocessors related to the obligations provided for herein.
3.2 The Data Processor, upon request, shall make available the list of subprocessors and shall inform the Data Controller as well as impose on the subprocessors, by way of a contract, the same data protection obligations as set forth herein.
4. Verification by the Data Controller
4.1 The Data Processor shall make available to the Data Controller, upon the latter’s request, all the information necessary to demonstrate compliance with the obligations set forth herein.
4.2 The Data Processor shall fully cooperate with the Data Controller regarding the verification activities.
4.3 The Data Controller, during the verification activities, undertakes not to prejudice and/or block the normal working activity of the Data Processor.
The term of this Appointment coincides with the one provided for in the Contract, unless the provisions hereof entail additional obligations (including legal obligations) which require the extension of the data processing activity.
6. Data Controller Obligations
6.1 The Data Controller declares that it has fulfilled the requirements of the GDPR before communicating the personal data subject to processing to the Data Processor.
6.2 The Data Controller shall immediately and fully inform the Data Processor as soon as there are errors and/or irregularities in the processing of the data carried out by the latter.
7. Applicable law and disputes
This Appointment shall be governed by the laws of Italy. Any dispute arising from or in connection with it shall be the exclusive competence of the Court of Chieti.
Version 1.3 02.09.2020.