Hubenture S.r.l. with registered office in Via C. Bonazzi No. 2 in Castel Maggiore (BO), VAT No. 04217371204, e-mail privacy@dilaxia.com (hereafter, Manager of operation or Supplier)
The forewords form an integral part of this DPA.
All of the foregoing, Customer hereby designates Supplier, pursuant to and in accordance with Article 28 EU Reg. 2016/679 (hereinafter, GDPR), as the Responsible Party for operation for the entire duration set forth in the Contract, as reasonably necessary for the provision of the Services and in accordance with the obligations imposed by this DPA.
By signing this DPA, the person in charge of operation undertakes to carry out the activities of operation of the data in a lawful, transparent and fair manner as well as in full compliance with all regulatory provisions on operation of personal data, as well as the following and specific instructions:
1.1 The operation Manager agrees to comply with any applicable data protection laws or regulations and with respect to the information subject to operation shall not carry out any operations of operation further and/or other than those necessary for the performance of the Contract, unless such further operation activity is required by a law from time to time in force to which the operation Manager is subject .
1.2 The Customer authorizes the Processor to process personal data as reasonably necessary for the performance of the Contract as well as in accordance with the terms and conditions of this DPA.
1.3 The object of the activities of operation personal data is the provision of services under the Contract. The description of operations, including information regarding the duration, nature and purpose of operation, the types of personal data and the categories of persons covered by operation are governed in the recitals to this DPA, as integral and substantial parts thereof.
1.4 The Responsible Person undertakes to maintain a record of the activities of operation, as provided for in Article 30(2) of the GDPR, in which the characteristics of the operations it performs on behalf of the Client are indicated.
2.1 The Head of operation ensures that personnel involved in operation of personal data have been informed in advance of the confidential nature of the information being processed, have received appropriate instruction regarding their responsibilities, and have signed a specific binding legal obligation designed to protect the confidentiality of personal data processed.
2.2 The Manager of operation shall ensure that access to personal data is limited to personnel authorized in advance to pursue the purposes set forth in the Contract and this DPA.
3.1 The Responsible operation shall take appropriate technical and organizational measures for the security (including prevention from unauthorized operation , accidental or unlawful destruction, loss of availability or alteration or damage of data, unauthorized disclosure or unlawful access to personal data), confidentiality and integrity of personal data processed. These measures must include, in accordance with Article 32 GDPR, where appropriate and applicable:
3.2 In assessing the appropriate level of security, the operation Manager must take into account the risks regarding operation of personal data, particularly to prevent any breach of security, in accordance with the rules and regulations on data protection.
3.3 The Responsible of operation agrees that the Client or its designated representatives, with a notice of at least 15 (fifteen) working days, may inspect and verify the installations and information systems for the operation of the data carried out by the Responsible in order to ascertain their compliance with the terms of this DPA and the legislation on the protection of personal data. In the hypotheses provided for in this point, the Data Controller and/or the members of its organization, or the representatives designated by the latter, undertake to maintain loyal, cooperative and transparent behavior throughout the duration of the activities performed with respect to the Responsible.
4.1 The Manager of operation may use another Manager only with the specific or general written authorization of the Client. The Responsible Party shall provide, upon Customer's request, a list of its Sub-Responsible Parties operation in relation to operation referred to in the execution of the Contract. The signing of this DPA shall count as general written authorization.
4.2 The Manager of operation is required to inform the Client of the selection, addition or substitution of any additional Manager of operation.
4.3 Prior to allowing access by the additional Responsible Party to personal data, the Responsible Party of operation shall ensure that such other Responsible Party is obligated, through a written contract or other legal act under Union or Member State law, to comply with the same data protection obligations set forth in this DPA.
5.1 The Head of operation will notify the Client without undue delay of any instances received from a data subject relating to the exercise of a right of the data subject as provided for in Articles 15-22 of EU Regulation 2016/679.
5.2 Upon the Customer's request, the Manager of operation will provide reasonable assistance to the Customer in processing the requests referred to in 5.1 above.
6.1 The Responsible of operation must notify the Customer, without undue delay and, in any case, within forty-eight (48) hours after the Responsible of operation has knowledge of it with certainty, of the security incident or breach of security measures that led to unauthorized use, destruction, loss, disclosure, accidental or unlawful, alteration, unlawful access of personal data subject to operation or any other breach of security that results in a loss of confidentiality, integrity or availability of the processed personal data.
6.2 In its communication, the operation Manager must indicate any useful information to enable the Client to fulfill its obligations to notify the competent Supervisory Authority or to inform the data subjects involved in the Data Breach.
6.3 In the cases referred to in 6.2 above, the Manager shall assist the Client by initiating an analysis aimed at collecting the following information:
7.1 The Manager of operation undertakes to provide reasonable assistance to the Client in ensuring compliance with obligations relating to the data protection impact assessment as well as any prior consultation with the Supervisory Authority.
8.1 Upon request and at the Customer's option, from the expiration date of the Contract, the Responsible undertakes to delete and/or return all personal data processed on behalf of the Customer. The latter may obtain the deletion of the data subject to operation in the event that there is no legal obligation on the part of the Responsible to retain it, arising from the Community and/or national legislation in force.
9.1 This DPA shall be effective as of the date hereof and shall be in effect, including any renewals, until the termination of all effect of the Contract for any cause whatsoever.
10.1 WHEREAS, the General Measure of the Italian Guarantor for the Protection of Personal Data "Measures and expedients prescribed for the owners of operations carried out by electronic means with regard to the attributions of the functions of system administrator - of November 27, 2008" has introduced some specific fulfillments for system administrators as a result of the functions by means of which some operations of operation involve special and broader privileges for access to personal data, i.e., when the activities are carried out in a context that makes it technically possible to access, even incidentally, personal data, hence the need to provide greater protection for access to personal data.
10.2 WHEREAS, the System Administrator has been chosen because he or she provides sufficient and suitable guarantees of experience, ability, and reliability regarding the application of data protection regulations, including with specific reference to the security of the personal data processed.
10.3 The Customer entrusts the Manager with the function of System Administrator, specifying the following instructions:
10.4 The function of System Administrator assigned to the Manager of operation shall commence from the date of acceptance of this DPA and shall be effective until the termination of the Contract.
11.1 The Person in charge of operation undertakes to indemnify and hold harmless the Client from any loss, cost, penalty, damage and any liability ascribed to the latter arising from the violation by the Person in charge, its own authorized persons or its additional Persons in charge, of the provisions contained in this DPA and/or the applicable data protection provisions.
11.2 If the Responsible person violates any of the provisions of this agreement by determining the purposes and means of operation personal data, the same will be considered for all purposes as the Owner of the activities of operation for which he/she determined, independently and in violation of this DPA, the purposes and means of operation.
11.3 If one or more instructions, clauses, or obligations governed by the Contract or this DPA and addressed to the Manager result in a violation of data protection regulations, the Manager shall promptly notify the Owner in writing.
12.1 The Client warrants to the Manager that the data covered by operation:
13.1 The signing of this DPA does not provide for any additional compensation in favor of the Manager over and above that already agreed upon in the Contract.
13.2 For matters not expressly provided for, please refer to the applicable data protection regulations.
13.3 The Parties mutually acknowledge that this contract has been agreed to in its entirety, therefore, Articles 1341 and 1342 of the Civil Code do not apply.
14.1 The contact address of the Data Protection Officer of the Manager is: dpo@dilaxia.com
What does it mean to be part of the Community?
