The forewords form an integral part of this DPA.
All this being said and considered, the Owner of operation designates Dilaxia S.p.A., pursuant to and in accordance with Article 28Reg. UE 2016/679 (hereinafter, GDPR), as the Responsible Party for operation for the entire duration of use of the Utopia SaaS, as reasonably necessary for the provision of services and in accordance with the obligations imposed by this DPA.
By signing this DPA, the person in charge of operation undertakes to carry out the activities of operation of the data in a lawful, transparent and fair manner as well as in full compliance with all regulatory provisions on operation of personal data, as well as the following and specific instructions:
1.1 The operation Manager agrees to comply with any applicable data protection laws or regulations and with respect to the information subject to operation shall not perform any operation operations further and/or other than those necessary for the operation, maintenance and development of Utopia, unless the further activity of operation is required by a law from time to time in force to which the operation Manager is subject.
1.2 The Owner authorizes the Manager to process personal data as reasonably necessary to perform the service as well as in accordance with the terms and conditions of this DPA.
1.3 The object of the activities of operation personal data is the provision of SaaS service in favor of the Owner. The description of operations, including information regarding the duration, nature and purpose of operation, the types of personal data and the categories of persons covered by operation are governed in the recitals to this DPA, as integral and substantive parts thereof.
1.4 TheResponsible person undertakes to maintain a record of the activities of operation, as provided for in Article 30(2) of the GDPR, in which the characteristics of the operations he/she performs on behalf of the Owner are indicated.
2.1 The Head of operation ensures that personnel involved in operation of personal data have been informed in advance of the confidential nature of the information being processed, have received appropriate instruction regarding their responsibilities, and have signed a specific binding legal obligation designed to protect the confidentiality of personal data processed.
2.2 The Manager of operation shall ensure that access to personal data is limited to personnel authorized in advance to pursue the purposes of the service and this DPA.
3.1 The Responsible operation shall take appropriate technical and organizational measures for the security (including prevention from unauthorized operation , accidental or unlawful destruction, loss of availability or alteration or damage of data, unauthorized disclosure or unlawful access to personal data), confidentiality and integrity of personal data processed. These measures must include, in accordance with Article 32 GDPR, where appropriate and applicable:
3.2 In assessing the appropriate level of security, the operation Manager must take into account the risks regarding operation of personal data, particularly to prevent any breach of security, in accordance with the rules and regulations on data protection.
3.3 The Responsible of operation agrees that the Owner or its designated representatives, with at least 15 (fifteen) working days' notice, may inspect and verify the installations and information systems for the operation of the data carried out by the Responsible in order to ascertain their compliance with the terms of this DPA and the legislation on the protection of personal data. In the hypotheses provided for in this point, the Data Controller and/or the members of its organization, or the representatives designated by the latter, undertake to maintain loyal, cooperative and transparent behavior throughout the duration of the activities performed with respect to the Responsible.
4.1 The Manager of operation may use another Manager only with the specific or general written authorization of the Owner. The Responsible Party shall provide, upon request of the Owner, the list of its Sub-Responsible Parties operation in relation to the operation referred to in the execution of the service.The signing of this DPA shall count as general written authorization.
4.2 The Manager of operation is required to inform the Owner about the selection, addition, or replacement of any additional Manager of operation.
4.3 Prior to allowing access by the additional Responsible Party to personal data, the Responsible Party of operation shall ensure that such other Responsible Party is obligated, through a written contract or other legal act under Union or Member State law, to comply with the same data protection obligations set forth in this DPA.
5.1 The Head of operation will notify the Data Controller without undue delay of instances received from a data subject relating to the exercise of a right of the data subject as provided for in Articles 15-22 of EU Regulation 2016/679.
5.2 Upon the Holder's request, the Manager of operation will provide reasonable assistance to the Holder in processing the requests referred to in section5.1 above.
6.1 The Person in charge of operation must notify the Owner, without undue delay and, in any case, within forty-eight (48) hours from the time the Person in charge of operation becomes aware of it, of the security incident or breach of security measures that led to unauthorized use, destruction, loss, disclosure, accidental or unlawful, alteration, unlawful access of the personal data subject to operation or any other breach of security that results in a loss of confidentiality, integrity or availability of the processed personal data.
6.2 In its communication, the operation Manager must indicate any useful information to enable the Holder to fulfill its obligations to notify the competent Supervisory Authority or to inform the data subjects involved in the Data Breach.
6.3 In the cases referred to in 6.2 above, the Manager shall assist the Owner by initiating an analysis aimed at collecting the following information:
7.1 The Data Protection Officer at operation undertakes to provide reasonable assistance to the Data Controller in ensuring compliance with obligations relating to the data protection impact assessment as well as any prior consultation with the Supervisory Authority.
8.1 Upon request and at the choice of the Owner, from the date of expiration of theService, the Manager undertakes to delete and/or return all personal data processed on behalf of the Owner within 90 (ninety) days. The latter may obtain the deletion of the data subject to operation in the event that there is no legal obligation on the part of theResponsible to retain them, arising from the Community and/or national legislation in force.
9.1 This DPA shall be effective as of the date of the Holder's subscription, exercisable by specific check mark at the time of first access to Utopia SaaS, and shall be valid, including any renewals, until the termination of all effect of the Service, for whatever cause occurred.
10.1 WHEREAS, the General Provision of the Italian Guarantor for the Protection of Personal Data "Measures and expedients prescribed for the owners of operations carried out by electronic means with regard to the attributions of the functions of system administrator - of November 272008" has introduced some specific requirements for system administrators as a result of the functions by means of which some operations of operation involve special and broader privileges for access to personal data, i.e., when the activities are carried out in a context that makes it technically possible to access, even incidentally, personal data, hence the need to provide greater protection for access to personal data.
10.2 WHEREAS, the System Administrator has been chosen because he or she provides sufficient and suitable guarantees of experience, ability, and reliability regarding the application of data protection regulations, including with specific reference to the security of the personal data processed.
10.3 The Owner assigns the function of System Administrator to the Manager, specifying the following instructions:
10.4 The function of System Administrator assigned to the Manager of operation shall commence from the date of acceptance of this DPA and shall be effective until the termination of the Service.
11.1 The Person in charge of operation undertakes to indemnify and hold harmless the Owner from any loss, cost, penalty, damage and any liability ascribed to the latter arising from the violation by the Person in charge, its own authorized persons or its additional Persons in charge, of the provisions contained in this DPA and/or of the applicable data protection provisions.
11.2 If the Responsible person violates any of the provisions of this agreement, determining the purposes and means of operation personal data, the same will be considered for all purposes as an autonomous owner of the activities of operation for which he/she determined, independently and in violation of this DPA, the purposes and means of operation.
12.1 The Owner warrants to the Manager that the data covered by operation:
13.1 The signing of this DPA does not provide for any additional compensation to the Manager over and above that already agreed upon in the Service.
13.2 For matters not expressly provided for, please refer to the applicable data protection regulations.
12.1 The contact address of the Data Protection Officer of the Manager is: dpo@dilaxia.com