Data processing agreement

Given that

Having said this, and considered an integral part of this agreement, the Parties stipulate the following:

1. Authorization

The Data controller authorizes the Data processor to process the personal data that are the object of the service referred to in the introduction. The Data processor undertakes to process the data lawfully, fairly and in full compliance with all provisions issued regarding the processing of personal data, as well as with the specific instructions set out below. The Data processor also declares that it is able to offer sufficient guarantees to put in place technical and organizational measures such that the processing meets the requirements of the GDPR and ensures the protection of the rights of the data subjects.

2. Subject

The subject of this agreement is the definition of the methods and conditions of the processing of data carried out by the Data processor on behalf of the Data controller in relation to the service contract referred to in the introduction. By signing this agreement, the Parties undertake to comply with the current national and supra-national legislation on the protection of the personal data of natural persons. The Parties acknowledge and accept that any violation of this agreement by the Data processor or the Data controller constitutes a violation of the service supply contract and that, in this case and without prejudice to any other right or remedy available, the Data controller or the Data processor may decide to immediately terminate the main Contract as provided for by the termination provisions set forth therein.

3. Duration

This agreement will be effective between the Parties throughout the duration of the UTOPIA service supply contract, and will cease to be effective when the Customer terminates or wishes to conclude the main contract.

4. Data source

The Data controller ensures that the data subject to this agreement have been collected lawfully and in compliance with current legislation, and that the information transmitted to the Data processor does not in any way violate the rights of data subjects.

5. Types and nature of personal data

The Data processor will not process personal data other than those necessary for the execution of the Main Contract, unless the processing is required by the data protection laws and regulations to which the Data processor is subject. The Data controller instructs the Data processor to process only the personal data reasonably necessary for the provision of the service, and in accordance with the terms and conditions of the Main Contract and of this Agreement. The personal data required for the provision of the UTOPIA service are identification (personal details) data as well as contact information. The nature of the operations performed on personal data relates to the maintenance, support and updating of the service. For the execution of the main contract, the Data controller makes available to the Data processor any necessary information requested.

6. Staff of the Data processor

The data processing will be carried out only by authorised personnel of the Data processor, previously authorized for the processing pursuant to Art. 29 of the GDPR and duly instructed on their responsibilities. The Data processor ensures that the personnel dedicated to the performance of the main contract have been informed of the confidential nature of the information received from the Data controller. The Data processor also ensures that access to personal data is restricted to personnel who need access to the relevant personal data, to the extent strictly necessary, for the purposes of the main contract and this agreement.

7. Obligations of the Data processor

The Data processor, on behalf of the Data controller, commits to observe the following obligations for the execution of the main contract:

7.1 Data controller instructions

The Data processor must process the data for the purposes indicated above and for the performance of the contractual services undertaken. The Data processor must process the data in compliance with the provisions of the security policy document.

7.2 Place of processing

The data will be stored and processed by the Data processor within European territory. Should the processing in future be performed in non-EU countries, the Data processor will inform the Data controller so that the Data controller can approve the appropriate guarantees it requires, according to the place where the processing will be carried out. In the event that the Data processor is required, under the law of the Union or of the Member State of origin, to transfer data to a third country or an international organization, it must inform the Data controller of that obligation in order to obtain authorization before the transfer. Personal data will be stored on behalf of the data processor at the Amazon AWS (Amazon Web Services) data center.

7.3 Confidentiality

The Data processor guarantees the confidentiality of personal data processed as part of the execution of the main contract. The Data processor guarantees that its authorized personnel have entered into a legal obligation of confidentiality and that they have received the necessary training on the processing and protection of personal data.

7.4 Security

The Data processor will process the data with the measures required pursuant to Article 32 of the European Data Protection Regulation in place. The security measures adopted by the Data processor are those indicated in the security policy document. The Data processor adopts appropriate technical and organizational measures to protect the security, confidentiality and integrity of personal data. These measures include, where appropriate:

The Data processor takes into account the risks related to the processing of personal data, in particular in order to prevent any security breach or other substantially similar event, as defined by the data protection laws and regulations.

7.5 Information

The Data processor shall immediately inform the Data controller if, in its opinion, any instruction from the Data controller may be contrary to the GDPR, to other data protection provisions of the Member States or to any other applicable law.

7.6 DPIA and preventive consultation

The Data processor will provide the Data controller with reasonable assistance with any data protection impact assessment required by Article 35 of the GDPR and with any prior consultation of a supervisory authority by the Data controller that is required pursuant to Article 36 of the GDPR, in any case solely in relation to the processing of the Data controller's personal data by the Data processor.

7.7 Codes of conduct

At the request of the Data controller, the Data processor must comply with any Code of conduct approved pursuant to Article 40 of the GDPR, and obtain any certification approved pursuant to Article 42 of the EU GDPR, with regard to the processing of the Data controller's Personal data.

7.8 Audit

The Data processor shall make available to the Data controller, upon request, all the information necessary to demonstrate compliance with the obligations set forth in this agreement, and shall allow and contribute to audit activities, including inspections, carried out by the Data controller or by another person appointed by it, at any location in which the processing of the Controller's personal data takes place. Each audit activity by the Data controller must be agreed with the Data processor. If these activities involve charges and expenses not provided for by this agreement or by the main contract, all requests by the Data controller must be managed at project level with an estimate of the costs necessary for their implementation (whether these are penetration tests, vulnerability assessments or other).

7.9 Rights of the interested parties

The Data processor must promptly notify the Data controller, within the limits permitted by law, if it receives requests from a data subject regarding the right of access, the right to rectification, the restriction of processing, erasure ("right to be forgotten"), data portability, the right to object to the processing, or the right not to be subject to automated decision-making, or any other request or information concerning personal data processed by the Data processor in accordance with the main Contract. At the request of the Data controller, the Data processor must assist the Data controller in responding to requests from data subjects. Taking into account the nature of the processing, the Data processor must assist the Data controller, as far as possible, by means of appropriate technical and organizational measures, in fulfilling the Data controller's obligation to respond to requests of the data subject provided for by the applicable data protection laws and regulations.

8. Privacy contacts

To exercise your rights, and for any other type of communication concerning privacy, write to privacy@nsi.it

9. Sub-data processors

The Data processor may have recourse to another processor (sub-manager) only with the written, specific or general authorization of the client. The Data processor is in any case always obliged to inform the Data controller about the choice, addition or replacement of any sub-manager of the processing, thus giving the Data controller the opportunity to evaluate it and, if necessary, object to it. Before allowing the sub-manager access to personal data, the Data processor shall ensure that the sub-manager is obliged, through a written contract or other legal act under the law of the Union or of the Member States, to comply with the same or stricter data protection obligations indicated in this contract. In particular, the Data processor must, in the latter case, provide sufficient guarantees that the sub-manager will put in place suitable technical and organizational measures in order to comply with the applicable regulatory requirements. The Data processor is responsible for the acts and omissions of any sub-manager.

10. Data breach

The Data processor, taking into account the nature of the processing and the information available, will assist the Data controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR. The Data processor must send a communication to the Data controller without undue delay and, in any case, within twenty-four (24) hours of becoming aware of, or reasonably suspecting, a personal data breach. The Data processor will provide the Data controller with sufficient information to allow the Data controller to comply with any obligation to report a personal data breach in accordance with current legislation. This communication must:

11. Data communication

The Data processor processes the Data controller's personal data only for the purpose of executing the main contract. The Data processor must not process, transfer, modify, correct or alter the Data controller's personal data, nor disclose them, or allow them to be disclosed, to third parties, except in accordance with the documented instructions of the Data controller, unless the processing is required by the law of the Union and/or of the Member State to which the Data processor is subject, and/or by any supranational legislation to which the Data processor is subject. The Data processor must, to the extent permitted by those laws, inform the Data controller of these legal requirements before processing the personal data, and follow the instructions of the Data controller to minimize, as far as possible, the scope of the disclosure.

12. System administrators

In relation to the activities carried out by the Data processor with reference to data retention and to the system activities aimed at maintaining and updating the systems and databases, staff of the Data processor will hold the function of System Administrator. Before assigning the function, the Data processor assessed the personal characteristics of the System Administrators, in order to verify the activities carried out by them and to log their accesses to the information systems, as envisaged and required by the Provision of the Italian Supervisory Authority for the protection of personal data of 27.11.2008. If requested by the Data controller, the Data processor will communicate the updated list of System Administrators.

13. Cancellation or return of personal data

In the event of termination of the provision of the services referred to in the main contract, or of withdrawal from it, the Data processor must return or delete all the personal data it has acquired, and delete any existing digital or paper copies. The data held by the Data processor must be returned to the Data controller through the delivery of the database backup or of the files on which the personal data reside. The data will be returned (in JSON format) or deleted from the Amazon data center (AWS) within 90 days from the date of termination of the contract. The Data controller is aware that, at any time, it may proceed on its own to delete the data through the dedicated "Destroy domain" function available in the software application. For reasons of security of its information systems, the Data processor specifies that the Data controller's data will remain on backup media for 12 months from the termination of the main contract, after which the media will be overwritten. The Data processor may further retain the data only to the extent and for the period required by the law of the Union or of the Member State, and always on condition that the Data processor guarantees the confidentiality of all personal data and guarantees that they are processed only as necessary for the purposes specified in the laws of the Union or of the Member States and for no other purpose.

14. Controls

The Data controller reserves the right to monitor the timely observance of the provisions of the law on the processing of data by the Data processor, and the observance of its instructions indicated in this agreement.