Data Processing Agreement

Last updated on January 16, 2026

Hubenture S.r.l., with registered office in Via C. Bonazzi n. 2, Castel Maggiore (BO), VAT number 04217371204, email privacy@hubenture.com (hereinafter referred to as the Processing Manager or Supplier)

WHEREAS

  1. The contract for the license to use the SaaS Utopia application (hereinafter "Service Contract"), including the Free Trial version, involves the processing by Hubenture S.r.l. (hereinafter, Hubenture or Data Processor) of certain personal data of data subjects on behalf of the user, who is the Data Controller, as defined in Article 4(7) of EU Regulation 2016/679;
  2. This Data Processing Agreement (hereinafter, DPA) is entered into between Hubenture and the Customer and supplements the Service Agreement. The DPA shall be effective and shall supersede any other agreement between the Parties previously applicable in relation to the same subject matter (including any amendments or addenda on data processing relating to the Services of the Data Processor), starting from the Effective Date and for the entire Term.
  3. This DPA describes the specific duties, tasks, and requirements to ensure that the processing of personal data carried out on behalf of the Client by the Data Processor complies with the requirements imposed by the personal data protection legislation currently in force, both national and/or EU.
  4. The person signing this Data Processing Agreement on behalf of the Customer warrants that: (a) they have the authority to bind the Customer to this Data Processing Agreement; and (b) they are signing this Data Processing Agreement on behalf of the Customer. If you do not have the power of representation to bind the Customer, please do not sign this Data Processing Agreement and forward it to the person duly authorized to perform such activities and who has the power of signature and representation of the Customer.
  5. The operations performed, the nature and purpose of processing, the type of personal data and the categories of data subjects covered by this DPA are:

Categories of data subjects

  • Employees and Collaborators of the Client
  • Customer Suppliers
  • The Client's clients

Type of Personal Data Subject to Processing

  • Common personal data (master and contact information)

Nature and purpose of the processing

  • Access, consultation, organization of personal data for purposes of management, development and maintenance of the Utopia software in execution of the Contract.

The recitals form an integral part of this DPA.

In view of all of the foregoing, the Customer hereby designates the Supplier, pursuant to and in accordance with Article 28 EU Reg. 2016/679 (hereinafter, GDPR), as the Responsible Party for processing for the entire duration set forth in the Contract, as reasonably necessary for the provision of the Services and in accordance with the obligations imposed by this DPA.

By signing this DPA, the person in charge of processing undertakes to carry out the data processing activities in a lawful, transparent and fair manner and in full compliance with all regulatory provisions on the processing of personal data, as well as with the following specific instructions:

Art. 1 Purpose

1.1 The Processing Manager agrees to comply with any applicable data protection laws or regulations and, with respect to the information subject to processing, shall not carry out any processing operations further and/or other than those necessary for the performance of the Contract, unless such further processing activity is required by a law from time to time in force to which the Processing Manager is subject.

1.2 The Customer authorizes the Processor to process personal data as reasonably necessary for the performance of the Contract as well as in accordance with the terms and conditions of this DPA.

1.3 The object of the personal data processing activities is the provision of services under the Contract. The description of operations, including information regarding the duration, nature and purpose of processing, the types of personal data and the categories of persons covered by processing, is governed in the recitals to this DPA, as integral and substantial parts thereof.

1.4 The Responsible Person undertakes to maintain a record of processing activities, as provided for in Article 30(2) of the GDPR, in which the characteristics of the operations it performs on behalf of the Client are indicated.

Art. 2 Personnel of the Manager

2.1 The Head of Processing ensures that personnel involved in the processing of personal data have been informed in advance of the confidential nature of the information being processed, have received appropriate instruction regarding their responsibilities, and have signed a specific binding legal obligation designed to protect the confidentiality of personal data processed.

2.2 The Processing Manager shall ensure that access to personal data is limited to personnel authorized in advance to pursue the purposes set forth in the Contract and this DPA.

Art. 3 Security and Audit

3.1 The Processing Controller implements appropriate technical and organizational measures to ensure the security (including protection against processing, accidental or unlawful destruction, loss of availability, alteration, or damage to data, unauthorized disclosure, or unlawful access to personal data), confidentiality, and integrity of the personal data processed. These measures include, pursuant to Article 32 of the GDPR, where appropriate and applicable:

  • pseudonymisation and encryption of personal data;
  • the ability to ensure, on an ongoing basis, the confidentiality, integrity, availability and resilience of the processing systems and services;
  • the ability to restore availability and access to personal data, in a timely manner, in the event of a physical or technical incident;
  • a procedure for testing, determining and periodically evaluating the effectiveness of technical and organizational measures to ensure the security of the processing of personal data.

For further information, please visit https://www.utopiathesoftware.com/privacy/security-policy.

3.2 In assessing the appropriate level of security, the Processing Manager must take into account the risks regarding the processing of personal data, particularly to prevent any breach of security, in accordance with the rules and regulations on data protection.

3.3 The Responsible for processing agrees that the Client or its designated representatives, with a notice of at least 15 (fifteen) working days, may inspect and verify the installations and information systems for the processing of the data carried out by the Responsible in order to ascertain their compliance with the terms of this DPA and the legislation on the protection of personal data. In the cases provided for in this clause, the Data Controller and/or the members of its organization, or the representatives designated by the latter, undertake to maintain loyal, cooperative and transparent behavior throughout the duration of the activities performed with respect to the Responsible.

3.4 The Customer acknowledges and accepts that the costs incurred by the Customer for audit activities are solely borne by the Customer.

3.5 The Customer is informed and accepts that audit activities must take into account the rules relating to security and/or confidentiality criteria, which may impose limits on the scope of the audit. In particular, no provision of this DPA may require the Supplier to disclose or allow access to the Customer or its third-party auditor to:

(i) data relating to any other customer of the Supplier;
(ii) internal accounting or financial information of the Supplier;
(iii) trade secrets and know-how of the Supplier;
(iv) any information which, in Hubenture's reasonable opinion, could compromise the security of Hubenture's systems or premises; or cause Hubenture to breach its obligations under European data protection legislation or its security obligations to the Customer or third parties;
(v) any information that the Customer or its third-party auditor seeks to access for reasons other than the good faith fulfillment of the Customer's obligations under European and national legislation;

3.6 The performance of verification and control activities is subject to the conclusion of a specific confidentiality agreement between all parties involved.

Article 4 Sub-Processors and Transfers

4.1 The Customer grants general authorization for the use of Sub-Processors for the provision of the Processor's Services. The Processor shall provide, at the Customer's request, a list of its Sub-Processors in relation to the processing in execution of the Contract. The signing of this DPA shall constitute general written authorization.

4.2 The Processing Manager is required to inform the Customer of the selection, addition, or replacement of any additional Processing Manager. Failure by the Customer to object within 10 days of notification of a new Sub-Manager constitutes (even tacit) consent to the use of each Sub-Manager.

4.3 Prior to allowing access by the additional Responsible Party to personal data, the Responsible Party for processing shall ensure that such other Responsible Party is obligated, through a written contract or other legal act under Union or Member State law, to comply with the same data protection obligations set forth in this DPA.

4.4 The Customer accepts and authorizes the Supplier to process (including through Sub-processors) the Customer's Personal Data within and outside the EEA, provided that such operations are supported by appropriate Transfer Mechanisms.

Article 5 Rights of Data Subjects

5.1 The Head of Processing will notify the Client without undue delay of any requests received from a data subject relating to the exercise of a right of the data subject as provided for in Articles 15-22 of EU Regulation 2016/679.

5.2 At the Customer's request, the Processing Manager shall provide reasonable assistance to the Customer in fulfilling the requests referred to in point 5.1 above. The Customer acknowledges and accepts that, in the event that such cooperation and assistance require a significant use of resources on the part of the Manager and the Customer is able to acquire such information independently, such effort shall be chargeable to the Customer, subject to prior notice and agreement.

Art. 6 Data Breach

6.1 The Processing Manager shall notify the Customer, without undue delay and, in any case, within forty-eight (48) hours from the moment the Processing Manager becomes aware of it with certainty, of the security incident or breach of security measures that has led to unauthorized use, destruction, loss, accidental or unlawful disclosure, alteration, or unlawful access to personal data subject to processing, or any other security breach that results in a loss of confidentiality, integrity, or availability of the personal data processed.

6.2 In its communication, the Processing Manager must indicate any useful information to enable the Client to fulfill its obligations to notify the competent Supervisory Authority or to inform the data subjects involved in the Data Breach.

6.3 In the cases referred to in 6.2 above, the Manager shall assist the Client by initiating an analysis aimed at collecting the following information:

  • Date of event, including the presumed date of the violation (in which case this must be specified);
  • Date and time when the violation became known;  
  • Source report;
  • Type of violation and information involved;
  • Abnormal event description;
  • Number of data subjects involved;
  • Quantity of personal data of which a breach is alleged;
  • Indication of where the data breach occurred, including whether it occurred as a result of loss of devices or portable media;
  • Description of the data processing or storage systems involved, including their location;
  • Description of the technical and organizational security measures taken to ensure the security of the data, systems and IT infrastructure involved in the event.

Article 7 Impact assessment

7.1 Upon request by the Customer made sufficiently in advance, the Head of Processing shall provide reasonable assistance to the Customer in ensuring compliance with the obligations relating to the data protection impact assessment and any prior consultation with the Supervisory Authority.

Article 8 Return or deletion of personal data

8.1 If the Controller's Services include the possibility for the Customer to independently export the Customer's Personal Data in an interoperable format, the Supplier shall ensure that this operation is guaranteed for the entire Term, unless otherwise agreed in writing with the Customer.

8.2 If the Controller's Services include the possibility for the Customer to independently delete the Customer's Personal Data, the Supplier shall ensure that such deletion from its systems is carried out as soon as reasonably possible, unless European and national legislation and/or agreements with the Data Controller require retention.

8.3 If, during the Term, the Data Processor's Services do not include the possibility for the Customer to independently extract and/or delete the Customer's Personal Data, the Supplier will follow up on any request from the Customer to facilitate this operation in the same manner and within the same timeframes indicated in the previous Sections.

8.4 The Processor may retain the Customer's Personal Data that has been stored through regular backup operations in accordance with the disaster recovery and business continuity protocols of the Processor and/or Subprocessors, provided that the Processor does not process, and does not allow its Subprocessors to process, such Customer Personal Data actively or intentionally for any purpose other than the provision of the Processor's Services.

8.5 Subject to the provisions of the preceding Sections, upon expiry of the Term, the Customer shall request the Supplier to delete all Customer Personal Data (including existing copies) from the Supplier's systems in accordance with applicable European and national legislation. The Supplier shall comply with this instruction as soon as reasonably possible, except to the extent that European and national legislation requires retention and except as provided in Section 8.4.

Art. 9 Effectiveness and termination

9.1 This DPA shall be effective as of the date hereof and shall be in effect, including any renewals, until the termination of all effect of the Contract for any cause whatsoever.

Art. 10 System Administration

10.1 WHEREAS, the General Measure of the Italian Guarantor for the Protection of Personal Data "Measures and expedients prescribed for the owners of processing operations carried out by electronic means with regard to the attributions of the functions of system administrator - of November 27, 2008" has introduced some specific fulfillments for system administrators as a result of the functions by means of which some processing operations involve special and broader privileges for access to personal data, i.e., when the activities are carried out in a context that makes it technically possible to access, even incidentally, personal data, hence the need to provide greater protection for access to personal data.

10.2 WHEREAS, the System Administrator has been chosen because he or she provides sufficient and suitable guarantees of experience, ability, and reliability regarding the application of data protection regulations, including with specific reference to the security of the personal data processed.

10.3 The Customer entrusts the Manager with the function of System Administrator, specifying the following instructions:

  • The Manager undertakes to designate each administrator (individual) of the Client's systems also ensuring the experience, capacity and reliability of the designated person.  
  • Upon written request from the Customer with at least 15 (fifteen) working days' notice, the Manager undertakes to communicate the identification details of the natural persons who are system administrators, with the functions assigned to them.
  • The Manager undertakes to audit, at least annually, the accesses of the system administrators so as to verify their compliance with the organizational, technical and security measures concerning the processing of personal data carried out on behalf of the Client.
  • System Administrators designated by the Manager shall access information systems using unique credentials or, as a second resort and only if strictly necessary, using technical or generic credentials for systems administration.

10.4 The function of System Administrator assigned to the Processing Manager shall commence from the date of acceptance of this DPA and shall be effective until the termination of the Contract.

Article 11 Liability, Indemnities, and Jurisdiction

11.1 The Parties acknowledge and agree that if the Data Subject ("Injured Party") complains against the Parties for having suffered damage—whether material or immaterial—caused by a violation of European and national legislation:

(a) the Party directly responsible for the breach, pursuant to Art. 82(2) GDPR, shall be fully liable for any material or immaterial damage caused to the Data Subject, hereby declaring that it shall indemnify and hold harmless the other Party if it has failed to comply with the obligations of European and national legislation specifically applicable to it;

(b) if the Supplier and the Customer are involved in the same processing and are both responsible for the damage caused to the Injured Party, pursuant to paragraphs 2 and 3 of Article 82 of the GDPR, each of them shall be jointly and severally liable for the entire amount of the damage, without prejudice to the right of each of them to seek compensation from the other for the share of compensation due to them on the basis of the damage caused, as defined in Article 11.2;

(c) if the damage caused to the Injured Party is due to a breach of the provisions of this DPA or of European and national legislation and is entirely attributable to the Supplier, the Supplier shall be required to fully compensate the Customer if the latter has compensated the Injured Party for all or part of the damage;

(d) Each Party shall indemnify or compensate the other Party if and to the extent that it has contributed to causing the damage claimed by the Injured Party or has failed to take appropriate mitigation measures, or has violated provisions of this DPA or European and national legislation.

11.2 In the case referred to in Section 11.1(c), the amount of compensation or indemnity, based on the portion of liability for the extent of the damage caused, shall be determined jointly by the Parties through an agreement negotiated in good faith.

11.3 In the event of disputes relating to the execution or interpretation of this DPA, the Parties assign exclusive jurisdiction to the Court of Bologna, with express derogation from any provisions to the contrary established by international laws or conventions.

Article 12 Customer Guarantees

12.1 The Client warrants to the Manager that the data covered by the processing:

  • are relevant and not excessive in relation to the purposes for which they were collected and subsequently processed;
  • personal data and/or special categories of personal data, the subject of the processing operations entrusted to the Manager, are collected and transmitted in compliance with applicable legislation. It is understood that it remains the responsibility of the Client to identify the legal basis for processing the personal data of the persons concerned.

Article 13 Final provisions and referral

13.1 The signing of this DPA does not provide for any additional compensation in favor of the Manager over and above that already agreed upon in the Contract.  

13.2 For matters not expressly provided for, please refer to the applicable data protection regulations. 

Art. 14 DPO / DPO Contacts

14.1 The contact address of the Data Protection Officer of the Data Controller is: dpo@hubenture.com

Article 15 Amendments

15.1 The Supplier may amend this Data Processing Agreement if the amendment:

(a) is expressly permitted by the Data Processing Agreement;

(b) is mandatory to comply with applicable law, a court order or other court order, or guidelines issued by a Supervisory Authority or government authority;

(c) does not result in a deterioration of the overall security of the Controller's Services;

(d) does not extend the scope of (or remove any restrictions on) Hubenture's right to process data within the scope of the Customer's Instructions or its processing of the Customer's Personal Data;

(e) does not otherwise adversely affect the Customer's rights under this Agreement for the Processing of Data, as reasonably determined by Hubenture.

15.2 Except as provided in Section 15.1(b), where the amendment is immediately effective between the parties, if Hubenture intends to amend this DPA, Hubenture shall notify the Customer before the amendment takes effect. If the Customer objects to such amendments within 15 working days of notification, the Parties undertake to cooperate in good faith to identify suitable solutions to allow the Contract to continue and, if this is not possible, each Party may withdraw from the Contract by giving written notice to the other Party within 30 days of Hubenture's notification of the amendment; if the right of withdrawal is not exercised within the aforementioned period, the change shall be binding between the Parties for all legal and contractual purposes.
