TIESSE S.p.A. (hereinafter “Contractor” or “Processor”), pursuant to Art. 28 GDPR, in possession of adequate technical and organizational expertise and know-how regarding the purposes and methods of processing Personal Data, the security measures to be adopted in order to ensure the confidentiality, completeness and integrity of the Personal Data processed, as well as regarding the rules governing the protection of Personal Data, by reason of the processing of personal data on behalf of the client – Data Controller – within the scope of the provision of the services detailed in the signed contract, referable to the following service:
- Design, production and support of physical and virtual network devices, including management and automation software
- Supply of goods on approval
is hereby appointed as a Data Processor pursuant to Article 28 GDPR, and the Data Controller intends to grant it a general authorization for the appointment of additional Data Processors.
The data subjects to whom the data refer are those managed by the Controller through the services provided.
Subject matter of the data processing for the purposes of this appointment, based on the activated services, may be:
☐ a) common personal data (e.g. name, surname, residence, date and place of birth, tax code, contact information such as telephone number, e-mail address);
☐ b) special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a person's sex life or sexual orientation).
With reference to the aforementioned appointment, by signing this document the Parties intend to regulate their reciprocal relations in relation to the processing of Personal Data carried out by the Processor on behalf of the Controller.
All this being stated, in light of the above, the Parties stipulate as follows:
1. APPOINTMENT OF THE DATA PROCESSOR
By signing this deed, which forms an integral part of the Contract, the Data Controller appoints TIESSE S.p.A. as Data Processor pursuant to Art. 28 of Regulation (EU) 2016/679, with the task of carrying out the processing operations on Personal Data necessary for the fulfillment of the obligations arising from this Contract.
The Processor, by signing this agreement, accepts all the terms indicated below, confirms direct and thorough knowledge of the obligations undertaken in relation to the applicable regulatory provisions and undertakes to carry out the processing of Personal Data in compliance with the instructions received from the Controller through this appointment or those further provided during the activities performed in its favor.
2. NATURE AND DURATION OF THE PROCESSING
The processing shall be carried out by the Processor in execution of the existing contractual relationship with the Data Controller and for the purposes related thereto; this appointment shall take effect from the date of its signing and shall remain in force until the termination date of the Contract.
3. RIGHTS OF THE CONTROLLER
The Data Controller has the right to obtain from the Processor all information relating to the organizational and security measures adopted necessary to demonstrate compliance with the instructions and obligations entrusted.
The Controller also has the right to carry out – at its own care and expense – sample checks or specific audit activities in the field of personal data protection and security, making use of personnel expressly appointed for this purpose, at the Processor’s premises.
4. OBLIGATIONS OF THE PROCESSOR
In the fulfillment of its obligations, the Processor undertakes to comply with Regulation (EU) 2016/679, the Privacy Code as amended by Legislative Decree 10 August 2018 no. 101, and any other instruction imparted by the Controller, taking into account the measures issued from time to time by the Italian Supervisory Authority, or by the Article 29 Working Party and the European Data Protection Board, relating to the processing carried out.
The Processor undertakes:
- to carry out the processing only of Personal Data that are necessary and/or instrumental to the execution of this Contract;
- from the date of signing this deed, to make available and communicate to its Subcontractors only those Personal Data strictly necessary for fulfilling contractual or legal obligations;
- to cooperate with the Controller at any time in order to ensure proper processing of Personal Data;
- to provide the Controller with all information or documents reasonably requested;
- to retain personal data for a strictly necessary period and specifically indicated to the Controller, after which the data will be deleted.
In particular, the Processor undertakes to comply with the obligations and instructions listed below.
4.1. Adequate technical and organizational measures and personal data breaches
The Processor shall adopt the appropriate technical and organizational measures provided for by Italian and European legislation on the protection of Personal Data, as well as any other provision deriving from the Supervisory Authority, or from the Article 29 Working Party and the European Data Protection Board.
The Processor, taking into account the knowledge acquired as a result of technical and technological progress, the nature of the Personal Data and the characteristics of the Processing operations, as well as the risks to the rights and freedoms of natural persons, implements appropriate technical and organizational measures and shall ensure that the security measures designed and implemented are capable of reducing the risk of intentional or accidental damage, data loss, unauthorized access to data, unauthorized processing or processing not compliant with the purposes of this Contract.
In particular, the Processor undertakes to:
4.1.1 adopt all the measures referred to in Art. 32 of Regulation (EU) 2016/679 in order to ensure the confidentiality, integrity and availability of the Personal Data processed, taking into account the measures issued from time to time by the Supervisory Authority relating to the processing carried out by the Processor, or by the Article 29 Working Party and by the European Data Protection Board;
4.1.2 not transfer the Controller’s Personal Data outside the usual place of work, unless such transfer is authorized by the competent public authorities, including regulatory and supervisory authorities;
4.1.3 establish and maintain the record of processing activities pursuant to Art. 30 GDPR for the activities carried out on behalf of the Controller;
4.1.4 communicate to the Data Controller the name and contact details of its possible Data Protection Officer appointed pursuant to Arts. 37 et seq. of the GDPR;
4.1.5 assist the Controller with regard to the Personal Data subject to processing, in ensuring – where applicable – compliance with the obligations relating to:
- the security of processing;
- the notification of a Personal Data breach to the Supervisory Authority pursuant to Art. 33 GDPR;
- the communication of a Personal Data breach to the data subject pursuant to Art. 34 GDPR;
- the data protection impact assessment pursuant to Art. 35 GDPR;
- prior consultation pursuant to Art. 36 GDPR.
4.2. Personal data breaches
In the event of personal data breaches consisting in a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed and such as to put at risk the rights and freedoms of individuals whose personal data are processed by the Processor on behalf of the Data Controller (so-called data breach), the Processor must:
- inform the Controller promptly and in any case no later than 24 hours from becoming aware of the event, by any appropriate means, that it has become aware of a breach, and provide all complete details of the breach suffered; in particular, providing a description of the nature of the personal data breach, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of personal data records concerned, the impact of the personal data breach on the Controller, on the data subjects involved and the measures adopted to mitigate the risks;
- provide assistance to the Controller in addressing the breach and its consequences, especially with regard to the data subjects involved.
The Processor shall take action to mitigate the effects of the breaches, promptly proposing corrective actions to the Controller, and promptly implementing all corrective actions approved and/or required by the Controller.
Such measures are required in order to ensure a level of security appropriate to the risk related to the processing carried out.
4.3 Privacy Documentation
The Processor shall adopt without delay the documentation relating to the protection of Personal Data provided for by Italian and European legislation and the related procedures concerning the appropriate technical and organizational measures.
4.4. Data Subject Requests
Taking into account the nature of the processing, the Processor undertakes to assist and support the Data Controller with appropriate technical and organizational measures, to the extent possible, in order to enable the Controller to fulfil its obligation to respond to requests for the exercise of data subject rights (within the scope and context of the role performed by the Processor) in compliance with the time limits provided for by Art. 12 of Regulation (EU) 2016/679.
In particular, should the Processor receive requests from data subjects aimed at exercising their rights, it shall:
- update the data of the data subject (such as, for example: rectification, erasure, etc.);
- in the case of reports from the data subject, or requests that fall outside the normal activity of the Processor, the latter shall:
- coordinate, where necessary and within its competence, with the functions designated by the Controller to manage relations with data subjects;
- assist and support the Data Controller with appropriate technical and organizational measures, in order to enable the Controller to fulfil its obligation to follow up on requests for the exercise of data subject rights (within the scope and context of the role performed by the Processor).
4.5. Authorized personnel for data processing
The Processor, within its corporate organization, shall:
- instruct persons authorized to process data on the methods of data processing, providing them with precise operational instructions, also with regard to appropriate security measures in order to prevent risks of destruction, loss, or unauthorized disclosure of data to third parties;
- monitor the processing activities carried out by authorized personnel and perform periodic checks in order to ensure compliance with the security instructions given and with legal obligations;
- allow access by authorized personnel/persons to process only the data whose knowledge is strictly necessary to perform their assigned tasks;
- periodically verify the continued existence of the conditions for maintaining authorizations to access data by authorized personnel;
- ensure that persons authorized to process personal data are bound to confidentiality obligations;
- ensure that its employees and collaborators are reliable and have full knowledge of primary and secondary legislation on the protection of personal data.
5. SUB-PROCESSORS AND THIRD PARTIES
The Processor may need to communicate or make available the Controller’s Personal Data to one or more Subcontractors, in order to entrust the Subcontractors with specific Processing activities in accordance with the provisions of this Contract.
In order to implement the provisions of Regulation (EU) 2016/679, the Privacy Code and this Contract, the Processor undertakes to designate the Subcontractors as Sub-Processors and to have them sign the same conditions applied in this act of designation as Processor, through the execution of specific legal acts or contracts with the Subcontractors.
The Sub-Processors may process Personal Data to the extent that such processing is strictly necessary for the execution of the contract entered into by the Processor with the Controller, and in any case in compliance with this Contract, it being understood between the Parties that the Sub-Processors shall also be obliged to comply with the limitations to which the Processor itself is subject.
Specifically, the Processor undertakes:
- to illustrate to the Data Controller, upon express request, the requirements of the Sub-Processor deemed adequate in terms of technical and organizational expertise and know-how regarding the purposes and methods of processing Personal Data, as well as the security measures already in place at the Sub-Processor;
- to communicate to the Data Controller, upon express request, the specific activities that it intends to delegate to the Sub-Processor;
- to enter into a written agreement (or specific act of appointment) with the Sub-Processors requiring them to comply with the same obligations regarding the protection of Personal Data to which the Processor is bound towards the Controller (on the basis of this appointment), including the adoption of security measures pursuant to Art. 32 GDPR, providing, in particular, sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of Italian and European legislation on personal data protection.
Should External Collaborators and Sub-Processors fail, in whole or in part, to fulfil their obligations regarding data protection, the Processor expressly declares and guarantees to hold harmless the Data Controller from any liability deriving from such omissions and/or negligent conduct.
The Processor undertakes not to communicate, transfer or share the Controller’s Personal Data with Third Parties, except where required by law and informing the Controller in advance.
6. CONTROLS AND AUDIT ACTIVITIES
The Processor undertakes to allow the Controller to verify compliance with this act of designation.
Should it be found that an instruction given by the Controller violates provisions relating to applicable data protection legislation, the Processor undertakes to immediately inform the Controller of such circumstance.
The Processor also acknowledges the Controller’s right to carry out audits relating to the processing operations concerning the Controller’s Personal Data with at least three working days’ notice.
For this purpose, the Controller may periodically submit to the Processor a questionnaire regarding the level of security and compliance with personal data protection legislation (which must be duly completed and returned) and has the right to carry out – at its own care and expense – sample checks or specific audit or reporting activities in the field of personal data protection and security, using personnel expressly appointed for this purpose, at the Processor’s premises.
For the reasons set out above, the appointed Processor is obliged to make available at any time and upon request of the Data Controller all information necessary to demonstrate compliance with the obligations of this appointment and to contribute to audit activities, including inspections, carried out by the Data Controller or by another party appointed by it.
Such checks may be carried out periodically by the Controller and according to methodologies agreed between the Parties.
7. TERMINATION OF THE PROCESSING
Following the termination of the Processing entrusted to the Processor, as well as following the termination of the underlying contractual relationship, for whatever reason, the Processor shall, at the discretion of the Controller:
- return to the Controller the Personal Data processed and provide a written declaration that no copy of the data exists with it, without prejudice to any legal obligations;
- delete all data from its physical and electronic archives, except for retention obligations provided by law.
8. AGREEMENT RELATING TO TRANSFER OF DATA ABROAD
The Processor undertakes to limit the scope of circulation and processing of Personal Data (e.g. storage, archiving and retention of data on its own servers or in the cloud) to countries belonging to the European Union, with an express prohibition on transferring them to non-EU countries that do not guarantee an adequate level of protection, or in the absence of the safeguards provided for by Regulation (EU) 2016/679 (country deemed adequate by the European Commission, group BCRs, standard contractual clauses, consent of the data subjects, etc.).
The Processor, therefore, shall not transfer or carry out the processing of the Controller’s Personal Data outside the European Union for any reason, without the written authorization of the Controller. Should the Controller grant such authorization and a transfer of Personal Data outside the European Union be carried out, such transfer shall comply with the provisions of Regulation (EU) 2016/679 indicated above.
It is understood between the Parties that the Supplier shall guarantee that the transfer methods used, including compliance with the standard contractual clauses approved by the European Commission and based on the assumptions indicated in the same decision, allow the maintenance of constant and demonstrable standards of validity for the entire duration of this Contract.
9. LIABILITY FOR BREACH OF PROVISIONS
Where, as provided for under Art. 82(4) GDPR, the Controller and the Processor are involved in the same processing and are, pursuant to paragraphs 2 and 3 of Art. 82 GDPR, responsible for any damage caused by the processing, both shall be jointly liable for the entire amount of the damage, in order to ensure effective compensation of the data subject.
The Processor undertakes to promptly notify the Controller of any subsequent circumstances which, due to changes in knowledge acquired as a result of technical progress or for any other reason, may affect its suitability for performing the assignment.
The Controller has the right to claim from the Processor the portion of any compensation for which it may be held liable towards third parties for violations committed by the Processor pursuant to Art. 82(5) GDPR.
In the event of failure or delayed notification of a data breach to the Controller by the Processor or by the Sub-Processor appointed by it, the Controller may request compensation for damages equivalent to the penalty imposed by the Authority, those deriving from compensation to data subjects and from reputational damage, following verification by the competent Authority of the actual damage suffered by the Controller.
Without prejudice to Articles 82, 83 and 84 of Regulation (EU) 2016/679, in the event of violation of the provisions contained in this appointment relating to the purposes and methods of data processing, action contrary to the instructions contained therein or failure to comply with obligations specifically addressed to the Processor by Regulation (EU) 2016/679, the Processor shall be considered as Data Controller and shall be directly liable from a sanctioning perspective.
10. FEES
No remuneration is due in relation to the activities covered by this Contract.
11. TERMINATION
Any violation of this Contract shall be considered a serious breach allowing the Controller to terminate the contract with immediate effect. Even in the absence of such violation, the Controller may withdraw with immediate effect at its own discretion if it considers that the Processor does not provide adequate guarantees under this Contract or the GDPR.
12. SURVIVAL OF CLAUSES
Upon termination, for any reason, of the Contract, those clauses which by their nature survive the termination of the legal relationship shall remain in force.
13. COMMUNICATIONS
Any communication between the Controller and the Processor under this Contract shall be made via email or certified email to the following address: privacy@tiesse.com
14. ACCEPTANCE OF THE APPOINTMENT
This appointment pursuant to Art. 28 of Regulation (EU) 2016/679 forms an integral part of the contract signed between the parties; by the same, the parties mutually acknowledge acceptance of all the conditions set out above and, in particular, the Processor accepts its appointment in relation to the personal data whose knowledge is essential for the fulfilment of the obligations under the Contract.
The Processor is aware of the obligations provided by Regulation (EU) 2016/679 and the Privacy Code and shall comply, in the performance of the tasks assigned to it, with the provisions and duties contained in this deed of appointment.
This appointment shall remain in force until the termination, for whatever reason, of the Contract.