Now, therefore, the foregoing being deemed an integral part of this Agreement, the Parties hereby stipulate the following:
The Data Controller appoints the Service Provider as Data Processor for the duration of the Main Contract, as reasonably necessary for the provision of the Services and in accordance with the obligations imposed by this DPA. By the Data Controller's acceptance of this document, NSI undertakes to carry out the processing of personal data in a lawful, transparent and fair manner, in full compliance with all regulatory provisions relating to the processing of personal data and with the following specific instructions:
The subject of this Agreement is the definition of the terms and conditions governing the processing of data carried out by the Data Processor on behalf of the Data Controller in relation to the services contract referred to above. By accepting this Agreement, the Parties undertake to comply with the national and supranational legislation in force on the protection of the personal data of individuals. The Parties acknowledge and agree that any breach of this Agreement by the Data Processor or the Data Controller constitutes a breach of the Service Agreement and that, in such event and without prejudice to any other rights or remedies available to them, the Data Controller or the Data Processor may elect to terminate the Master Agreement immediately in accordance with the termination provisions set out therein.
This Agreement shall be effective between the Parties for the entire duration of the UTOPIA Service Agreement and shall cease to be effective when the Customer terminates the Main Agreement.
The Data Controller ensures that the data subject to this Agreement have been collected lawfully and in compliance with the regulations in force, and that the information transmitted to the Data Processor does not in any way infringe the rights of the data subjects.
Accordingly, the Data Controller releases the Data Processor from any liability arising from possible unlawful processing operations carried out by the Data Controller in relation to the use of UTOPIA and the data contained therein.
NSI will not process any personal data other than that which is necessary for the performance of the Main Agreement, unless further processing is required by the data protection laws and regulations to which the Data Controller is subject. The Data Controller instructs the Data Processor to process only such personal data as is reasonably necessary for the provision of the Service and in accordance with the terms and conditions of the Main Contract and this Agreement. The types of personal data required for the operation of the UTOPIA service are master data and contact details. The nature of the processing carried out on personal data concerns the maintenance, support and updating of the service and data security (backup). For the performance of the main contract, the Data Controller makes available to the Data Processor any information required.
With regard to the activities carried out by the Data Processor concerning data storage and system activities aimed at maintaining and updating systems and databases, the Data Processor's personnel will be assigned the role of System Administrator. Before assigning this role, the Data Processor has assessed the suitability of the System Administrators and will keep a log of their access to the information systems, as provided for and required by the Measure of the Italian Data Protection Authority (Garante per la protezione dei dati personali) of 27.11.2008. If requested by the Data Controller, the Data Processor will communicate the updated list of System Administrators.
The data will be processed only by NSI personnel previously authorised to process it pursuant to art. 29 GDPR and duly instructed on their responsibilities. The Data Processor guarantees that the personnel dedicated to the performance of the main contract have been made aware of the confidential nature of the information received from the Data Controller. The Data Processor shall also ensure that access to personal data is limited to those staff who need to access the relevant personal data, to the extent strictly necessary, for the purposes set out in the Main Contract and this Agreement.
NSI agrees to comply with the following requirements for the performance of the main contract:
The Data Processor shall process the data for the purposes indicated above and for the performance of the contractual services undertaken. NSI will process the data in accordance with the provisions of its security policy document.
The data will be stored and processed by the Data Processor within European territory. Should processing in future be carried out in non-EU countries, the Data Processor will inform the Data Controller in order to agree on the appropriate safeguards that the Data Controller requires, depending on the place where the processing is to be carried out. Where the Data Processor is required to transfer data to a third country or an international organisation under Union law or the law of the Member State to which it is subject, it shall inform the Data Controller of that obligation in order to obtain its authorisation before the transfer. Personal data will be stored on behalf of the Data Controller at the Amazon AWS (Amazon Web Services) data centre.
The Data Processor guarantees the confidentiality of the personal data processed in the performance of the main contract. The Data Processor ensures that its authorised personnel have undertaken a legal duty of confidentiality and have received the necessary training on the processing and protection of personal data.
The security measures adopted by NSI are those indicated in the security policy document. NSI has taken appropriate technical and organisational measures to protect the security, confidentiality and integrity of personal data. These measures include, where appropriate
NSI has taken into account the risks relating to the processing of personal data, in particular in order to prevent any breach of security or other substantially similar events, as defined by data protection laws and regulations.
The Data Processor shall immediately inform the Data Controller if, in its opinion, any further instruction provided by the Data Controller may be inconsistent with the GDPR, with other data protection provisions of the Member States or with any other applicable legislation.
At the request of the Data Controller, NSI shall provide the information necessary to carry out data protection impact assessments (DPIA), verifications, data protection and data security certifications, or prior consultations with the Garante or other competent data protection authorities, which the Data Controller considers appropriate or necessary to comply with data protection laws and regulations, insofar as they relate to the processing of personal data by the Data Processor under the main contract.
The Data Processor agrees that the Data Controller (or its designated representatives), upon reasonable notice, may inspect and audit the facilities and information systems used for the processing of data carried out by the Data Processor (and/or those of its Sub-Processors) on behalf of the Data Controller, in order to ascertain their compliance with the terms of this DPA and the Data Protection Legislation. The Data Processor and its Sub-Processors will assist the Data Controller in mitigating and promptly remedying any non-compliance found during such audits.
If such activities entail costs and expenses not provided for in this Agreement or in the main contract, all requests from the Data Controller shall be handled at project level, with an estimate of the costs necessary for their implementation (whether penetration testing, vulnerability assessment or other activities).
The Data Processor shall promptly, and in any case without undue delay, notify the Data Controller of any request received from a data subject concerning his or her right of access, rectification, restriction of processing, erasure ("right to be forgotten"), data portability, right to object to processing, or any other request concerning his or her personal data processed by the Data Controller.
At the request of the Data Controller, the Data Processor shall provide the Data Controller with full assistance in fulfilling such requests from the data subject. In this respect, taking into account the nature of the processing, the Data Processor must assist the Data Controller, by means of appropriate technical and organisational measures, in fulfilling the Data Controller's obligation to respond to data subjects' requests relating to the exercise of the rights provided for by the legislation in force on the protection of personal data.
NSI may engage another processor only with the specific or general written authorisation of the Data Controller. Acceptance of this DPA shall constitute general written authorisation. The Data Processor is nevertheless always required to inform the Data Controller of the selection, addition or replacement of any sub-processor, thereby giving the Data Controller the opportunity to consider, and where appropriate object to, such selection. Before allowing a sub-processor access to personal data, the Data Processor shall ensure that the sub-processor is bound, by a written contract or other legal act under Union or Member State law, to comply with the same or stricter data protection obligations as those set out in this contract. In particular, the Data Processor must in that case obtain sufficient guarantees that the sub-processor will implement appropriate technical and organisational measures to meet the regulatory requirements set out. The Data Processor shall remain responsible for the acts and omissions of any sub-processor.
The Data Processor, taking into account the nature of the processing and the information available to it, will assist the Data Controller in ensuring compliance with the obligations set out in Articles 32 to 36 GDPR. The Data Processor shall notify the Data Controller without undue delay and, in any case, within twenty-four (24) hours of becoming aware of or reasonably suspecting a personal data breach.
The Data Processor shall notify the Data Controller, without undue delay and in any case within forty-eight (48) hours from the time the Data Processor became aware of it, of any security incident or breach of security measures that has led to the use, destruction, loss, unauthorised, accidental or unlawful disclosure or alteration of, or unlawful access to, personal data, or any other breach of security resulting in a loss of confidentiality, integrity or availability of the personal data processed. In its communication to the Data Controller, the Data Processor must provide detailed information enabling the Data Controller to fulfil its consequent obligations to notify the competent supervisory authority (Garante) or to inform the data subjects affected by the Data Breach.
The Data Processor will provide the Data Controller with sufficient information to enable the Data Controller to fulfil any obligation to report a personal data breach under the legislation in force.
As soon as practicable following an actual Data Breach, the Data Processor shall carry out a detailed analysis of its causes and, at the request of the Data Controller, shall share with the Data Controller the results of that analysis and the related recovery plan.
The Data Processor shall process the Data Controller's personal data solely for the purpose of performing the main contract. The Data Processor shall not process, transfer, modify, correct or alter the Data Controller's personal data, nor disclose or permit the disclosure of such data to third parties, except in accordance with the documented instructions of the Data Controller, unless the processing is required by EU law and/or the law of the Member State to which the Data Processor is subject and/or any other legislation, including supranational legislation, to which the Data Processor is subject. The Data Processor shall, to the extent permitted by such laws, inform the Data Controller of such legal requirements before further processing the personal data and shall comply with the Data Controller's instructions to minimise, as far as possible, the scope of the disclosure.
Upon termination of the provision of services under the main contract or withdrawal from it, the Data Processor must return or delete all personal data in its possession and delete any existing copies, whether digital or hard copy. At the Data Controller's request, the data held by the Data Processor must be returned by delivery of a backup of the database or of the files on which the personal data reside, in a structured, commonly used and machine-readable format. The data will be returned (in JSON format) or deleted from the Amazon (AWS) data centre no later than 90 days from the date of termination. The Data Controller is aware that it may at any time delete the data itself through the dedicated ''Destroy domain'' function available within the software application. For the security of its information systems, the Data Processor specifies that the Data Controller's data will remain on backup media for 12 months from the termination of the main contract, after which the media will be overwritten. The Data Processor may further store the data only to the extent and for the period required by Union or Member State law, and always on condition that the Data Processor guarantees the confidentiality of all personal data and ensures that they are processed only as necessary for the purposes specified in Union or Member State law and for no other purpose.
In order to exercise your rights, and for any other communication regarding privacy regulations, you may contact the Data Protection Manager by writing to firstname.lastname@example.org
The signing of this DPA does not provide for any additional remuneration in favour of the Data Processor beyond that already agreed in the main contract. For anything not expressly provided for herein, reference is made to the general provisions in force on the protection of personal data.