Appointment as data processor
A. Pursuant to the existing consultancy contract, the Data Controller makes use of the support of the aforementioned Data Processor, who provides him with the services better described in the Contract between the parties (hereinafter, the “Services”);
B. The performance of these services involves the processing of personal data, as defined in Article 4, paragraph 1) of Regulation (EU) 2016/679;
C. The applicable legislation on the protection of personal data imposes a series of obligations and constraints on the processing of personal data by the Data Controller that influence the Processing in question, through which the Data Processor will be able to access Personal Data, albeit only for contractual purposes and for the benefit of the Data Controller, and in strict compliance with current regulations (including the applicable legislation on the protection of personal data);
D. Based on the references and skills claimed by the Data Processor in his field of activity, including the processing of data in general and the management of situations similar to those of the Processing, the Data Controller has conducted a positive assessment of the suitability and qualification of the Processor to satisfy, also from the point of view of the security of the processing, the necessary requirements of experience, capacity and reliability provided by the applicable legislation on the protection of personal data, in order to ensure the required legal guarantees for the processing of data in the capacity of Data Processor on behalf of the Data Controller, pursuant to the applicable legislation on the protection of personal data, in relation to the Processing of Personal Data required by the Contract;
E. With this agreement (hereinafter the “Agreement”) the Data Controller therefore intends to proceed with the appointment of the aforementioned Company/professional as Data Processor, giving him detailed instructions on the subject.
F. This agreement, with regard to duration and withdrawal and for everything not expressly established herein and as far as compatible, follows, as an annex, the main consultancy contract between the parties.
G. With this agreement (hereinafter the “Agreement”) the Data Processor therefore intends to proceed with the appointment of the aforementioned professional as Data Controller, giving him detailed instructions on the matter.
H. This agreement, in terms of duration and withdrawal and for everything not expressly established herein and as far as compatible, follows as an attachment the main consultancy agreement in place between the parties.
I. Everything mentioned here forms an integral and substantial part of this Agreement; the following is agreed and stipulated between the Parties, as represented above.
All this being said and forming an integral and substantial part of this Agreement, between the Parties, as represented above, the following is agreed and stipulated. The Data Controller hereby appoints the aforementioned company/professional, with immediate effect, as Data Processor – Article 4, no. 8) of the Regulation – for the processing of personal data carried out within the scope of its tasks referred to in the premises and better described in the main contract in place between the parties and necessary for the fulfillment of all the obligations related to the activity within its competence below.
The appointed processor provides an appropriate guarantee, for preparation and experience, of full compliance with the current provisions on the processing of personal data, including the profile relating to the security of the processing.
He is authorized to proceed with the organization of any personal data processing operation carried out by him, with or without the aid of electronic or automated tools, in full compliance with the rules laid down in the Regulation, as well as with the provisions of the operating instructions given by the Data Controller, also through its collaborators, who are adequately trained and bound to secrecy regarding the data processed in the sense indicated by the GDPR (EU Reg. 679/2016).
In particular, by way of example and not limited to, the processing carried out by the appointed Processor is necessary for the pursuit of the following purposes: The Data Processor verifies that the personal data processing of the Data Controller carried out within the scope of his task does not differ from the purposes for which the data are collected, in accordance with the information issued to the Data Subjects pursuant to Article 13 of the Regulation. To this end, the appointed Data Processor shall keep track of the processing within his competence, making use of the collaboration of the structures and resources of other internal services of the Data Controller, also verifying the purposes and methods with which the processing of personal data takes place and their consistency with what is indicated in the information provided to the data subjects.
The appointed Data Processor has the power to perform everything necessary for compliance with the current provisions of the law on the processing of personal data in the activities carried out within its sphere of competence. In particular the Processor will have to:
1. except as already provided by the Data Controller, possibly appoint and identify within its organization the persons authorized to process, with reference to the assignment of one or more persons to activities involving the processing of personal data;
2. respect the security measures already implemented or which will be prepared in the future pursuant to the applicable personal data protection legislation, and ensure that they are respected by those authorized to process and by other persons who for any reason come into contact with the processing of personal data;
3. check at least once a year that the access profiles assigned to those authorized to process are adequate and do not exceed the needs of the job or the organizational / operational unit to which they have been assigned;
4. assist the Data Controller if requested in the data protection impact assessment process (DPIA – Data Protection Impact Assessment) pursuant to Article 35 of the Regulation, as well as in the eventual phase of prior consultation with the Supervisory Authority pursuant to Article 36 of the Regulation, if the impact assessment on data protection indicates that the processing would present a high risk in the absence of measures taken by the Data Controller to mitigate the risk;
5. delete or return all personal data once processing has ceased and delete existing copies according to the instructions received from the Data Controller, unless the retention of data is provided for by Union or internal law;
6. collaborate with the Data Controller in order to satisfy his obligation to respond to requests for the exercise of the data subject’s rights referred to in Chapter III of the Regulation and provide all the necessary support in order to allow a response within one month from the request, which can be extended to two months in cases of particular complexity, pursuant to Article 12, paragraph 3, of the Regulation;
7. promptly inform the Data Controller of any new processing and of any matter relevant for the purposes of the legislation on the protection of personal data, including any complaints made by the data subjects and any requests submitted to the Supervisory Authority;
8. in the event that the Data Processor uses other processors (sub-processors) for the execution of specific processing activities on behalf of the Data Controller, the sub-processors will be obliged to comply with the obligations set out in this agreement;
9. as part of the responsibilities entrusted to him, and in compliance with the relative instructions, the Data Processor shall, if necessary, keep at all times, and make available at all times to the Data Controller, an updated register of all categories of activities relating to the processing carried out on behalf of the Controller, pursuant to Article 30 of Regulation (EU) 2016/679, in writing or in electronic format. The same Data Processor will be exclusively responsible for the obligation to prepare and perform a periodic internal verification activity on the work of its sub-processors and those authorized to process;
10. within the responsibilities entrusted to him, and within the limits of the relative instructions, the Data Processor shall also be given the related power to impart in writing the necessary instructions and binding provisions to the subjects authorized by him to process personal data;
11. the Data Processor shall comply with the regulations applicable from time to time and with the instructions given by the Data Controller, during the necessary processing operations and in the termination of the same. The Data Processor also undertakes to maintain and apply adequate security measures pursuant to the applicable legislation on the protection of personal data;
12. the Data Processor is responsible for providing in writing to those authorized to process, who operate under his direct authority, the necessary instructions and binding provisions in relation to compliance with the current provisions on personal data processing and to also bind them to confidentiality, providing a copy to the Data Controller.
13. Any changes to this Agreement shall be made in writing and can only be made through a written declaration agreed between the Parties.
14. The invalidity, even partial, of one or more of the clauses of this Agreement does not affect the validity of the remaining clauses.
15. With this Agreement, the Parties expressly intend to revoke and replace any other contract or agreement existing between them, relating to the processing of personal data.
16. The Parties have read and understood the content of this Agreement and by signing it fully express their consent.