Data processing agreement

Given that

In the light of the foregoing and considered to be an integral part of this Agreement, the Parties agree as follows:

The Data Controller shall appoint the Service Provider as the Data Processor for the entire duration of the main contract, as reasonably necessary for the provision of the services and in accordance with the obligations imposed by this DPA.
By accepting this document from the Data Controller, NSI undertakes to carry out the processing of personal data in a lawful, transparent and correct manner and in full compliance with all legal provisions on the processing of personal data, as well as with the following and specific instructions:

1. Subject

The subject of this agreement is the definition of the methods and conditions for the processing of data carried out by the Data processor on behalf of the Data controller in connection with the service contract referred to in the introduction. By accepting this agreement, the Parties undertake to comply with the current national and supra-national legislation on the protection of the personal data of natural persons. The Parties acknowledge and accept that any violation of this agreement by the Data processor or the Data controller constitutes a violation of the service supply contract and that, in that case and without prejudice to any other right or remedy available, the Data controller or the Data processor may decide to terminate the main Contract immediately, as provided for by the termination provisions set forth therein.

2. Duration

This agreement will be effective between the Parties for the entire duration of the UTOPIA service supply contract and will no longer be effective when the Customer withdraws from the main contract.

3. Data source

The Data controller ensures that the data subject to this agreement have been collected in a lawful manner and in compliance with current legislation, and that the information transmitted to the Data processor does not, in any way, violate the rights of data subjects.

In this sense, the Data Controller indemnifies the Data Processor from any liability resulting from any unlawful processing by the Data Controller relating to the use and data contained in UTOPIA.

4. Types and nature of personal data

NSI will not process personal data other than those necessary for the execution of the Main Contract unless the further processing is required by the normative and regulations on Data Protection, to which the Data processor is subject. The Data controller instructs the Data processor to process only personal data as reasonably necessary for the provision of the service, and in accordance with the terms and conditions of the Main Contract and of this Agreement. The type of personal data required for the implementation of the UTOPIA service is of anagraphic type, as well as contact information. The nature of the operations performed on personal data refers to the maintenance, assistance and updating of the service and securing of the data. For the execution of the main contract, the Data controller makes available to the Data processor any necessary information requested.

5. Staff of the Data processor

The data processing will be carried out only by authorised personnel of NSI, previously authorised for processing pursuant to art. 29 of the GDPR and duly instructed on their responsibilities. The Data processor ensures that the personnel dedicated to the performance of the main contract have been informed of the confidential nature of the information received from the Data controller. The Data processor also ensures that access to personal data is restricted to personnel who need access to the relevant personal data, to the extent strictly necessary, for the purposes of the main contract and this agreement.

5.1 System administrators

In relation to the activities carried out by the Data processor, with reference to the storage of data and to system activities aimed at the maintenance and updating of systems and databases, the staff of the Data processor will be appointed to the function of System Administrator. Prior to the assignment of this function, the Data Processor has evaluated the personal characteristics of the System Administrators and will keep records of their accesses to the information systems, as provided for and required by the Provision of the Italian Data Protection Authority (Garante) of 27/11/2008. If requested by the Data Controller, the Data Processor will communicate the updated list of System Administrators.

6. Obligations of the Data processor

NSI undertakes to observe the following provisions for the execution of the main contract:

6.1 Data controller instructions

The Data processor must process the data for the purposes indicated above and for the performance of the contractual services undertaken. NSI will process the data in compliance with the provisions of the security policy document.

6.2 Place of processing

The data will be stored and processed by the Data processor within the territory of the European Union. Should the processing in the future be performed in non-EU countries, the Data processor will inform the Data controller so that the latter can approve the appropriate safeguards it requires, according to the place where the processing will be carried out. If the Data processor is required, under the law of the Union or of the Member State of origin, to transfer data to a third country or an international organisation, it must inform the Data controller of that obligation and obtain authorisation before the transfer. Personal data will be stored on behalf of the Data processor at the Amazon AWS (Amazon Web Services) data center.

6.3 Confidentiality

The Data processor guarantees the confidentiality of personal data processed as part of the execution of the main contract. The Data processor guarantees that its authorized personnel have entered into a legal obligation of confidentiality and that they have received the necessary training on the processing and protection of personal data.

6.4 Security

The security measures adopted by the Data Controller are those indicated in the security policy document.

NSI has adopted appropriate technical and organizational measures to protect the security, confidentiality and integrity of personal data. These measures include, where appropriate:

NSI has taken into account the risks related to the processing of personal data, in particular in order to prevent any security breach or other substantially similar event, as defined by the rules and regulations on data protection.

6.5 Information

The Data processor shall immediately inform the Data controller if, in its opinion, any further instruction given by the Data controller may be contrary to the GDPR, to other data protection provisions of the Member States or to any other applicable law.

6.6 DPIA and preventive consultation

At the request of the Data Controller, NSI will provide the information necessary for carrying out the Data Protection Impact Assessment (DPIA), for verification, certification of data protection and security, or for prior consultation with the Data Protection Authorities or other competent authorities, which the Data Controller considers appropriate or necessary to comply with the data protection laws and regulations, as far as the processing of personal data by the Data Controller under the main contract is concerned.

6.7 Audit

The Data Processor agrees that the Data Controller (or its designated representatives), upon reasonable notice, may inspect and verify the installations and information systems for data processing carried out by the Data Processor (and/or those of its Sub-Processors) on behalf of the Data Controller in order to ensure compliance with the terms set out in this DPA and the legislation on the protection of personal data. The Data Processor will assist the Data Controller to reduce and promptly resolve any lack of compliance found during these checks.

If these activities involve charges and expenses not provided for by this agreement or by the main contract, all such requests by the Data controller must be managed at project level, with an estimate of the costs necessary for their implementation (whether these are penetration tests, vulnerability assessments or other activities).

6.8 Rights of the data subjects

The Data Processor shall promptly notify the Data Controller, without undue delay, of any requests received from a data subject for the processing of personal data concerning his/her right of access, rectification, restriction of processing, erasure ("right to be forgotten"), portability of data, right to object to processing, or any other request concerning his/her personal data processed by the Data Processor.

At the request of the Data Controller, the Data Processor will provide the Data Controller with the fullest assistance in processing such requests by the data subject. In this sense, taking into account the nature of the processing, the Data Processor must assist the Data Controller, through appropriate technical and organizational measures, to fulfill the obligations of the Data Controller to respond to the requests of the data subject relating to the exercise of rights under current legislation on the protection of personal data.

7. Sub-data processors

The Data processor may engage another processor only with the written, specific or general authorisation of the Data controller. Acceptance of this DPA shall constitute general written authorisation.

The Data processor is, in any case, always obliged to inform the Data controller of the choice, addition or replacement of any sub-processor, thus giving the Data controller the opportunity to evaluate it and, if necessary, to object to it. Before allowing a sub-processor access to personal data, the Data processor shall ensure that the sub-processor is bound, through a written contract or other legal act under the law of the Union or of the Member States, to comply with the same or stricter data protection obligations set out in this contract. In particular, the Data processor must in that case obtain sufficient guarantees that the sub-processor will implement appropriate technical and organisational measures in order to meet the applicable regulatory requirements. The Data processor is responsible for the acts and omissions of any sub-processor.

8. Data breach

The Data processor, taking into account the nature of the processing and the information available to it, will assist the Data controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR.

The Data Processor shall notify the Data Controller, without undue delay and in any case within forty-eight (48) hours from the time the Data Processor becomes aware of it, of any security incident or breach of security measures which has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, or of any other breach of security which results in a loss of confidentiality, integrity or availability of the personal data processed.

In its communication to the Data Controller, the Data Processor must provide sufficiently detailed information to allow the Data Controller to fulfil its consequent obligations to notify the competent Supervisory Authority and to inform the data subjects affected by the Data Breach.

The Data processor will provide the Data controller with sufficient information to allow the Data controller to comply with any obligation to report a violation of personal data, in accordance with current legislation.

As soon as possible following an actual Data Breach, the Data Processor shall carry out a detailed analysis of the causes of the Breach and, at the request of the Data Controller, shall share with the latter the results of its analysis and its recovery plan.

9. Data communication

The Data processor processes the personal data of the Data controller only for the purpose of executing the main contract. The Data processor must not process, transfer, modify, correct or alter the personal data of the Data controller, or disclose them, or allow them to be disclosed, to third parties except in accordance with the documented instructions of the Data controller, unless such processing is required by Union law, by the law of the Member State to which the Data processor is subject, or by any supranational legislation to which the Data processor is subject. In that case the Data processor must, to the extent permitted by those laws, inform the Data controller of the legal requirement before further processing the personal data, and follow the instructions of the Data controller to minimise, as far as possible, the scope of the disclosure.

10. Cancellation or return of personal data

In the event of termination of the provision of the services referred to in the main contract, or of withdrawal from it, the Data processor must return or delete all personal data it has acquired, and delete any existing digital or paper copies. The data held by the Data processor must be returned at the request of the Data controller through delivery of the database backup or of the files on which the personal data reside. The data will be returned (in JSON format) or deleted from the Amazon data center (AWS) within 90 days from the date of termination of the contract. The Data controller is aware that it may, at any time, delete the data itself through the dedicated 'Destroy domain' function in the software application. For reasons of security of its information systems, the Data processor specifies that the data of the Data controller will remain on backup media for 12 months from the termination of the main contract, after which the media will be overwritten. The Data processor may further retain the data only to the extent and for the period required by the law of the Union or of the Member State, and always on the condition that the Data processor guarantees the confidentiality of all personal data and guarantees that they are processed only as necessary for the purposes specified in the laws of the Union or of the Member States and for no other purpose.

11. Privacy contacts

For the exercise of your rights and other types of communication relating to privacy regulations, you can contact the Data Protection Officer by writing to dpo@nsi.it.

12. Final provisions

The signing of this DPA does not provide for any additional remuneration in favour of the Data Processor beyond that already agreed in the main contract. For anything not expressly provided for herein, reference is made to the general provisions in force regarding the protection of Personal Data.