ANNEX 1 - DATA PROCESSING AGREEMENT (DPA)
This DPA constitutes an attachment to the End User License Agreement (EULA) accepted by the Customer. The Customer is the Data Controller concerning this DPA. XCALLY S.r.l. is the Data Processor concerning this DPA.
WHEREAS
a. The Data Controller may designate as Data Processor a natural person, a legal person, a public administration or any other entity, association or body, chosen from among persons whose experience, capacity and reliability provide suitable guarantees of full compliance with the current provisions on the processing of personal data, including the security profile; the Data Processor must also present sufficient guarantees to put in place appropriate technical and organizational measures so that the processing meets the requirements of the pro tempore provisions in force on the subject and guarantees the protection of the rights of the data subject;
b. The Data Processor shall proceed with the processing under the instructions given by the Data Controller in writing by this contract and any subsequent agreements;
c. The Controller intends to allow access, both to the Processor and to the persons authorized to carry out the processing, only to those personal data whose knowledge is necessary to fulfil the tasks assigned to them;
d. With regard to the service provided by the Processor, the description of the processing activities is contained in the attached Annex 2.
DEFINITIONS
a) Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
b) Processor: means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Data Controller; in this DPA, the Processor is the Licensor and/or any other software distributor appointed by the Licensor;
c) Data Protection Laws: shall mean, as binding on either party or the Services:
- the General Data Protection Regulation (EU) 2016/679 ("GDPR");
- any law implementing such legislation (e.g., Legislative Decree 101/2018);
- any law replacing, extending, reintroducing, consolidating or amending any of the above;
d) Data Subject: means an identified or identifiable natural person;
e) DPA: This Data Processing Agreement;
f) International Organization: means an organization and its subordinate bodies governed by public international law, or any other body established by, or based on, an agreement between two or more countries;
g) Personal data: means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
h) Personal data breach means a breach of security involving the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed;
i) Data processing: "Processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
j) Protected Data means personal data received from or on behalf of the Data Controller in connection with the performance of the Data Controller's obligations under this DPA;
k) Sub-processor means any agent, subcontractor or other third party (excluding its employees) engaged by the Processor to perform any processing activities on behalf of the Data Controller in relation to the Protected Data.
The Data Controller, the entity responsible for decisions regarding the purposes and methods of the processing of Personal Data, in the person of its legal representative, shall designate the Data Processor for the processing of Personal Data carried out under the contractual agreements in force. The Processor shall process the Protected Data only under Schedule 1 of this DPA (and not otherwise, unless alternative processing instructions are agreed in writing between the Parties) unless otherwise required by applicable law (in which case, it shall inform the Data Controller of such legal requirement before processing unless the applicable law prevents this for important public interest reasons).
If the Processor believes that any instruction received from the Data Controller is likely to violate data protection laws, it shall promptly inform the Data Controller and shall have the right to cease the processing in question until the parties have agreed on appropriate modified instructions that do not violate the law.
In any case, the Controller entrusts the Processor with all, and exclusively, the personal data processing operations necessary to fully execute the Service. The Controller undertakes to formally notify the Processor of any changes that may become necessary in the data processing operations. The Processor and the persons authorized to process the data may not carry out any data processing operations other than the necessary operations mentioned above.
The Processor, to the extent of its competence, is obliged by law and by this contract, for itself and for the persons authorized to process data who collaborate with its organization, to implement the security measures provided for by the pro tempore regulations in force regarding the processing of personal data, thereby assisting the Controller in ensuring compliance therewith. The Controller, taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing and the risk of varying likelihood and severity to the rights and freedoms of natural persons, must ensure that the security measures prepared and adopted are adequate to guarantee a level of security appropriate to the risk, in particular against:
- accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- processing of data that is not permitted or is not consistent with the purposes of the processing operations.
The Data Processor will apply the security measures referred to in the previous point upon request of the Data Controller, and will assist the latter in proceedings before the competent Supervisory Authority and the Judicial Authority concerning the activities falling within its competence. The Processor undertakes to inform the Controller no later than 36 hours from becoming aware of a personal data breach and to provide the fullest cooperation to the Controller, as well as to the competent and involved Supervisory Authorities, in order to fulfil any applicable obligation imposed by the applicable pro tempore legislation (e.g. notification of the personal data breach to the competent Supervisory Authority; possible communication of a personal data breach to the data subjects).
The Processor also assists the Data Controller in ensuring compliance with the obligations relating to the data protection impact assessment, as well as with any prior consultation of the Supervisory Authority.
The Processor, within its corporate structure, will identify the natural persons authorized to carry out the processing. At the time of their designation, the Processor will be responsible for providing appropriate written instructions to the individuals authorized to process the data regarding the manner of processing, in compliance with the provisions of the law and of this contract. In addition, where necessary and insofar as it pertains to the processing carried out to provide the Service by persons authorized to process in the capacity of "System Administrator", the Processor is also required to comply with the pro tempore applicable provisions on system administrators contained in the provision of the Guarantor for the Protection of Personal Data (the Italian Data Protection Authority) of November 27, 2008, as amended by the provision of June 25, 2009. In particular, the Processor undertakes to directly and specifically record the identification details of the natural persons appointed as system administrators and to promptly provide them to the Data Controller upon the latter's request, and to adopt suitable systems for logging logical access (computer authentication) to processing systems and electronic archives by system administrators.
If the Data Processor receives requests from data subjects to exercise the rights recognized by the applicable data protection regulations, it shall:
- give timely written notice to the Data Controller;
- taking into account the nature of the processing, assist the Data Controller with appropriate technical and organizational measures to meet the Data Controller's obligation to comply with requests for the exercise of data subjects' rights.
In particular, where applicable and in view of the processing activities entrusted to it, the Processor shall:
- enable the Controller to provide data subjects with their data in a structured, commonly used and machine-readable format, as well as to transmit the data to another Controller;
- allow the Controller to grant in whole or in part the rights of objection and restriction of processing.
With this contract, the Controller grants general written authorization to the Data Processor to use additional data processors ("Sub-Processor(s)") in the provision of the Service. If the Processor makes use of Sub-Processors, the Processor undertakes to select them from among persons whose experience, capacity and reliability provide sufficient guarantees to put in place the appropriate technical and organizational measures so that the processing meets the requirements set out in the applicable pro tempore regulations and guarantees the protection of the rights of the data subjects. The Processor also undertakes to enter into specific contracts or other legal acts with Sub-Processors, by which the Processor describes their duties in detail and requires such parties to comply with the same obligations, regarding personal data protection regulations, that the Controller imposes on the Processor under the applicable pro tempore legislation and the applicable special measures of the competent Supervisory Authority, providing in particular sufficient guarantees to put in place the appropriate technical and organizational measures such that the processing meets the requirements of the applicable legislation and the measures issued by the Supervisory Authority.
Should a Sub-Processor fail to fulfil its data protection obligations, the Processor acknowledges that it retains towards the Controller full responsibility for the fulfilment of the obligations of the Sub-Processors involved, and undertakes to indemnify and hold the Controller harmless from any damage, claim, compensation and/or sanction that may result to the Controller from the failure of the Processor and its Sub-Processors to comply with these obligations and, more generally, from any breach of the applicable data protection legislation.
The Processor also undertakes to inform the Controller of any planned changes or replacements concerning Sub-Processors, thereby allowing the Controller to object to such changes.
The Processor is also authorized to transfer personal data to third countries outside the EU or the European Economic Area ("EEA") in accordance with the Controller's documented instructions. When personal data is transferred to a country that does not ensure an adequate level of data protection, the Data Controller shall ensure that the transfer is subject to the existence of adequate safeguards as set out in Chapter V of the GDPR. To this end, the Data Controller may rely on the standard contractual clauses set out in the Annex to European Commission Implementing Decision (EU) 2021/914 of June 4, 2021, on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council ("SCCs"), or on decisions and clauses that may replace or amend them. The Data Controller acknowledges and agrees that the Processor or Sub-Processor, as the case may be, may use different modules of the SCCs as appropriate, and that Module 3 of the SCCs will in most cases be the applicable module. To the extent required by law, the Processor will perform a risk assessment in connection with the transfer of data to a third country. If the obligation to conduct such an assessment falls instead on a Sub-Processor appointed by the Processor, the Processor will require the Sub-Processor to conduct such an assessment. Some Sub-Processors may publish information in this regard, such as risk assessments, on their respective websites, which are beyond the control of the Controller. The Data Controller acknowledges that such information, including any assessments performed, is beyond the control of the Data Controller, and the Data Controller agrees to rely on such information and assessments.
The Data Controller authorizes the appointment of Sub-Processors listed on the XCALLY website: the full list is available at www.XCALLY.com/list-of-subprocessors-2.pdf
Where the Processor employs a Sub-Processor with whom it is not reasonably practicable to impose or negotiate the same terms as in this DPA (for example, without limitation, where the Sub-Processor operates under fixed, non-negotiable terms), but where such terms are consistent with the obligations of processors under Article 28 of the GDPR, and provided that the Processor has notified the Controller in writing of the Sub-Processor's identifying information, such Sub-Processor's terms, as updated from time to time by the Sub-Processor, (i) shall apply to the processing carried out by the Sub-Processor; and (ii) shall be deemed to set forth the entire set of obligations and responsibilities of the Processor in respect of the processing in question, as if the Processor were carrying out such processing under such Sub-Processor's terms instead of the Sub-Processor.
The Data Controller further declares that the data it has transmitted to the Processor:
- are relevant and not excessive concerning the purposes for which they were collected and subsequently processed;
- in any case, the personal data and/or special categories of personal data, which are the subject of the processing operations entrusted to the Data Processor, are collected and transmitted in compliance with every requirement of the applicable legislation. It is understood that the burden remains on the Data Controller to identify the legal basis for the processing of the personal data of the data subjects.
The Controller retains responsibility for the processing of information implemented through application procedures developed according to its specifications and/or through its own computer or telecommunications tools.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations under this contract and applicable regulations.
For communications between the parties, for this assignment, the Responsible Party can be contacted at the following address: ufficio.privacy@technesy.it
Upon completion of the entrusted processing operations, as well as upon termination for any cause of the processing by the Processor or of the Service, the Processor, at the discretion of the Controller, will be required to: (i) return to the Controller the personal data subject to processing, or (ii) provide for their destruction, except only in cases where the retention of the data is required by law or for other purposes (accounting, tax, etc.). In both cases, the Data Processor will provide the Data Controller with an appropriate written statement attesting that no copy of the personal data and information owned by the Data Controller remains with the Data Processor. This appointment will be effective for as long as the Service is provided, subject to specific obligations that by their nature are intended to remain in place. Should the relationship between the parties terminate or become ineffective for any reason, or should the Service no longer be provided, this contract will also automatically terminate without the need for notice or revocation, and the Processor will no longer be entitled to process the Controller's data.
The Processor will treat and keep the Protected Data confidential. The Processor will not disclose the Protected Data to third parties or take copies of the Protected Data unless strictly necessary for the processing. All terms of the DPA apply to all employees of the Data Processor, and the Data Processor must ensure that its employees comply with the DPA. The Data Processor must limit access to Protected Data to only those employees for whom access to such Protected Data is necessary to fulfil the Data Processor's obligations to the Data Controller. The Data Controller shall treat the confidential information received from the Processor confidentially and shall not unlawfully use or disclose such confidential information.
The Parties may agree at any time to amend this DPA. Changes must be shared in a specific written amendment. The Data Processor may not assign or transfer any of its rights or obligations under this DPA without the prior written consent of the Data Controller.
This DPA shall become effective upon acceptance of the EULA by the Data Controller. The DPA may be renegotiated by either party if legislative changes or disagreements in the DPA make it necessary. This DPA is valid for the duration of the processing of the Protected Data. Regardless of the termination of the contractual obligation entered into by the Parties, the DPA for Data Processing will remain in effect until the effective termination of the Processing.
The Data Controller shall indemnify and hold harmless the Data Processor against all losses, claims, damages, liabilities, fines, penalties, interest, costs, charges, expenses, compensation paid to Data Subjects, and legal and professional claims and costs (calculated on an indemnity basis and, in each case, whether or not arising from any investigation by a supervisory authority) arising out of or in connection with any breach by the Data Controller of its obligations under this document or imposed by the GDPR and applicable data protection legislation.