This agreement is an integral part of the general conditions of service and the specific conditions relating to web services and cloud services by Next Data (hereinafter, service or main contract).
This agreement describes the duties, tasks and specific requirements for the processing of personal data by the Data Processor.
With reference to data processing, in the event of a discrepancy between this document and the main contract, this agreement shall prevail.
Any breach of this agreement will constitute a material breach of the Master Agreement.
The Client company assumes, pursuant to art. 4 GDPR, the qualification of Data Controller of personal data and that Next Data srl assumes the qualification of Data Processor (hereinafter, the Parties).
Having said this and considered an integral part of this agreement, the Parties stipulate the following:
The Data Controller authorizes the Data Processor to process personal data subject to the service referred to in the introduction. The person in charge of the processing of personal data undertakes to process the data lawfully, fairly and in full compliance with all the provisions issued regarding the processing of personal data, as well as the following specific instructions. The controller also specifies that he is able to offer sufficient guarantees to implement technical and organizational measures in such a way that the processing meets the requirements of the GDPR and guarantees the protection of the rights of the data subjects.
The object of this agreement is the definition of the methods and conditions related to the data processing carried out by the Data Processor on behalf of the Data Controller with reference to the service contract referred to in the introduction. By signing this agreement, the Parties undertake to comply with current national or supra-national legislation on the protection of personal data of individuals. The parties acknowledge and accept that any breach of this agreement by the Data Processor or the Data Controller constitutes a breach of the service supply contract and that, in this case and without prejudice to any other right or remedy available, the Data Controller o the Manager may choose to immediately terminate the main Contract in accordance with the provisions of the termination provisions set forth therein.
This agreement will produce effects between the Parties for the entire duration of the service supply contract by Next Data and will no longer be effective when the Customer terminates or wishes to conclude the main contract.
4. Origin of the data
The Data Controller ensures that the data covered by this agreement have been collected lawfully and in compliance with current legislation and that the information transmitted to the data controller does not in any way violate the rights of the data subjects.
5. Types and nature of personal data
The Data Processor will not process personal data other than those necessary for the execution of the main Contract, unless the processing is required by the laws and regulations on Data Protection to which the Data Processor is subject. The Data Controller instructs the Data Processor to process only personal data as reasonably necessary for the provision of the service and in accordance with the terms and conditions of the main contract and this agreement. The type of personal data required for the implementation of the service by Next Data is of the personal data type, in addition to contact information. The nature of the operations carried out on personal data refers to the maintenance, assistance and updating of the service. For the execution of the main contract, the Data Controller makes any necessary information requested available to the Manager.
6. Personnel of the Data Processor
Data processing will be carried out only by personnel of the Data Processor previously authorized for processing, pursuant to art. 29 GDPR and art. 2-quaterdecies of Legislative Decree 196/2003 and duly instructed on their responsibilities. The data controller guarantees that the staff dedicated to the execution of the main contract have been made aware of the confidential nature of the information received from the Data Controller. The Data Processor also guarantees that access to personal data is limited to personnel who need to access the relevant personal data, to the extent strictly necessary, for the purposes set out in the main contract and in this agreement.
7. Obligations of the Manager
The Data Processor entrusted with the data processing on behalf of the Data Controller undertakes to observe the following obligations for the execution of the main contract:
7.1 Owner's instructions
The Manager must process the data for the purposes indicated above and for the execution of the contractual services undertaken. The Data Processor must process the data in accordance with the provisions of art. 32 GDPR.
7.2 Place of processing
The data will be stored and processed by the Data Processor within the European territory and if in the future the processing should be carried out in non-EU countries, the Data Processor will notify the Data Controller to agree on the appropriate guarantees that the same requires depending on the place where the treatment will be carried out. In the event that the Data Processor is required to transfer data to a third country or an international organization by virtue of the laws of the Union or of the Member State of origin, he must inform the Data Controller of this obligation in order to to obtain authorization prior to the transfer. Personal data will be stored on behalf of the data controller at the following datacenters:
DC OV1 – 59100 Roubaix, Nord-Pas-de-Calais-Picardie (Francia)
DC AR1 – Via S. Clemente, 53, 24036 Ponte San Pietro – Bergamo (Italia)
DC FX1 – Via Bologna 714 44124 Ferrara (Italia)
The Data Processor guarantees the confidentiality of the personal data processed as part of the execution of the main contract. The Data Processor guarantees that its authorized personnel have signed a legal obligation of confidentiality and that they have received the necessary training in the field of processing and protection of personal data.
The data controller will proceed with the data processing in the presence of the measures required pursuant to art. 32 GDPR. The Data Processor adopts adequate technical and organizational measures to protect the security, confidentiality and integrity of personal data. These measures include, where appropriate:
the assessment of the adequate level of security, in particular of all risks associated with the processing, for example due to accidental or illegal destruction, loss, or alteration, storage, access, communication or unauthorized or illegal access of personal data;
the pseudonymisation and encryption of personal data;
the ability to guarantee the confidentiality, integrity, availability and resilience of the processing systems and services on a permanent basis;
the ability to restore availability and access to personal data, in a timely manner, in the event of a physical or technical incident;
a procedure for testing, determining and periodically evaluating the effectiveness of the technical and organizational measures aimed at guaranteeing the security of the processing of personal data;
measures to identify vulnerabilities relating to the processing of personal data in the systems used to provide the service to the Data Controller.
The Data Processor takes into account the risks concerning the processing of personal data, in particular to prevent any breach of security or other substantially similar events, as defined by the laws and regulations on data protection.
The Data Processor immediately informs the Data Controller if, in his opinion, any instruction by the Data Controller may differ from the GDPR or other data protection provisions of the Member States or any other applicable legislation.
7.6 Impact assessment and prior consultation
The Data Processor will provide the Data Controller with reasonable assistance with any data protection impact assessment required by Article 35 of the GDPR and after consultation with any supervisory authority by the Data Controller that is required pursuant to Article 36 of the GDPR, in any case only in relation to the processing of the personal data of the Data Controller by the Data Processor.
7.7 Codes of conduct
At the request of the Data Controller, the Data Processor must comply with any Code of Conduct approved pursuant to Article 40 of the GDPR and obtain any certification approved by Article 42 of the EU GDPR, regarding the processing of the Personal Data of the Data Controller.
The Data Processor must make available to the Data Controller, upon request, all the information necessary to demonstrate compliance with the obligations set out in this agreement and allow and contribute to the audit activities, including inspections, carried out by the Data Controller or by another person appointed by them of any location in which the processing of personal data of the Data Controller takes place. Any audit activity by the Data Controller must be agreed with the Data Processor. If these activities involve charges and expenses not foreseen by this agreement or by the main contract, all the requests of the Data Controller must be managed at the project level with an estimate of the costs necessary for their implementation (whether these are penetration test, vulnerability assessment or other activities. ).
7.9 Rights of interested parties
The Data Processor must promptly notify the Data Controller, within the limits permitted by law, if he receives requests from an interested party regarding his right of access, the right of rectification, limitation of treatment, cancellation ("right to be forgotten" ), data portability, the right to oppose the processing, or your right not to be subject to an automated decision-making process, or any other question or information regarding the personal data processed by the Data Processor in accordance with the provisions of the main Contract. At the request of the Data Controller, the Data Processor must assist the Data Controller in responding to the requests of the interested parties. Taking into account the nature of the processing, the Data Processor must assist the Data Controller by means of adequate technical and organizational measures, as far as possible, for the fulfillment of the Data Controller's obligations in response to the requests of the interested party provided for by the applicable laws and regulations on the subject. of data protection.
9. Sub responsible
The Data Processor may have recourse to another manager only with the customer's specific or general written authorization. The Data Processor is in any case always obliged to inform the Data Controller about the choice, addition or replacement of any sub-manager of the processing, thus giving the Data Controller the opportunity to evaluate it, and if necessary to oppose it. Before allowing access by the sub-processor to personal data, the Data Processor must ensure that this sub-processor is obliged, through a written contract or other legal act pursuant to Union law or the Member States, in compliance with the same or higher obligations regarding the protection of the data contained in this contract. In particular, the Data Processor must provide in the latter case sufficient guarantees so that the sub-processor implements adequate technical and organizational measures in order to meet the regulatory requirements. The Data Processor is responsible for the acts and omissions of any sub-processor.
10. Data breach
The Data Processor, taking into account the nature of the processing and the information available, will assist the Data Controller in ensuring compliance with the obligations set out in Articles. 32 - 36 GDPR. The Data Processor must send a communication to the Data Controller without undue delay and, in any case, within twenty-four (24) hours of becoming aware of or having reasonably suspected a violation of personal data. The Data Processor will provide the Data Controller with sufficient information to allow the Data Controller to fulfill any obligation to report a personal data breach pursuant to current legislation. This communication must:
Describe the nature of the personal data breach, the categories and number of data subjects, as well as the categories and number of personal data records affected by the breach;
Describe the estimated risk and likely consequences of the Personal Data Breach;
Describe the measures taken or proposed to manage the Personal Data Breach.
11. Data communication
The Data Processor processes the personal data of the Data Controller only for the purpose of executing the main contract. The Data Processor must not process, transfer, modify, correct or alter the personal data of the Data Controller or disclose or allow it to be disclosed to third parties except in accordance with the documented instructions of the Data Controller, unless the processing is required. the EU and / or the laws of the Member State to which the Manager is subject and / or any legislation, even supranational, to which the Manager is subject. The Data Processor shall, to the extent permitted by such laws, inform the Data Controller of such legal requirements before processing personal data and follow the Data Controller's instructions to minimize, as far as possible, the scope of disclosure. .
12. System administrators
In relation to the activities carried out by the data controller, with reference to data retention and systemic activities aimed at the maintenance and updating of systems and databases, the personnel assigned to the data controller will be in charge of the System Administrator function. The Data Processor, before assigning the function, assessed the subjective characteristics of the System Administrators, to verify the activities carried out by them and to register the relative accesses to the information systems, as foreseen and required by the Provision of the Italian Guarantor for the protection of personal data of 27.11.2008. If requested by the Data Controller, the Manager will communicate the updated list of System Administrators.
13. Cancellation or return of personal data
The Data Processor, in the event of termination of the provision of the services referred to in the main contract or withdrawal from the same, must return or delete all personal data he has come into possession and delete any existing digital or paper copies. The data held by the Data Processor must be returned to the Data Controller by delivering the backup of the database or the files on which the personal data reside. The data will be returned within 90 days from the date of termination of the contract. The Data Controller is aware that at any time he can proceed to delete the data on his own. For reasons of security of its information systems, the Data Processor specifies that the Data Controller's data will reside for 12 months from the termination of the main contract on backup media, which will be overwritten at the end of the aforementioned period. The Data Processor may further keep the data only to the extent and for the period required by the law of the Union or of the Member State, and always on condition that the Data Processor guarantees the confidentiality of all personal data and guarantees that the same are processed exclusively as needed for the purposes specified in the laws of the Union or of the Member States and for no other purpose.
The Data Controller reserves the right to monitor the timely compliance with the provisions of the law on the processing of data by the Data Processor and compliance with its instructions indicated in this agreement.