DATA PROCESSING AGREEMENT
ACCORDING TO ARTICLE 28 REGULATION (EU) 679/2016 (“Regulation”)
The user (“Data Controller”), by accepting the Terms and Conditions of Eventboost S.A. (“Data Processor”), agrees also to the present addendum governing the processing of personal data by the Data Processor on behalf of the Data Controller; this agreement is part of the contract signed by the Parties.
Data Controller and Data Processor may be referred individually as “Part” and jointly as “Parties”.
– The Data Controller responsible for processing personal data may appoint a natural or legal person, public administration or any other entity or association to act as Data Processor for the processing of personal data on the Data Controller’s behalf among entities that can suitably guarantee, by virtue of their experience, capabilities and reliability, compliance with the applicable provisions in force applied to the relevant processing operations, including with regard to security matters;
– The Data Processor shall provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the applicable law and ensure the protection of the data subjects’ rights;
– The Data Processor shall process the data, abiding by the detailed written instructions provided by the Data Controller by means of this contract and related amendments;
– The Data Controller intends to allow the Data Processor, and the persons authorized to process personal data within its organization, access solely to personal data, the knowledge of which is necessary for them to carry out their duties;
– With regard to the service providing an integrated web and tablet solution for the creation, organization and promotion of events, (“Service”) Eventboost S.A. may process personal data on behalf of the Data Controller.
– More precisely:
– the purpose/purposes of the processing is/are: providing an integrated web and tablet solution for the creation, organization and promotion of events
– the type of personal data is: common data, particular data, judicial data, etc.
– the categories of data subjects are: those subjects whose personal data the Data Controller will provide to the Data Processor
IN CONSIDERATION OF THE ABOVE
1) The Data Controller is responsible for decisions regarding and determining the purposes of the processing of personal data and thus hereby designates and instructs the Data Processor for the processing operations carried out within the framework of the Service.
2) In any event, the Data Controller entrusts the Data Processor with all personal data processing operations for the purposes necessary to achieve full performance of the Service. The Data Processor will be accountable for damages resulting only from gross negligence or serious misconduct and shall not be liable for issues or data breaches caused by malfunctioning of the Data Controller internet connection, including possible interceptions and interruptions, or, any form of alteration or modification of Personal Data arising from acts or omissions of the Data Controller.
The Data Controller shall adopt any adequate measure needed to keep the confidentiality of identities and password of employees of the Data Controllers using the Service.
The Data Controller shall be responsible of any consequence arising from a misuse of the Service from the Data Controller employees.
3) The Data Controller undertakes to notify the Data Processor of any variation that may be necessary in the processing of data. The Data Processor, or the persons authorized to process personal data within its organization, will refrain from performing any data processing other than as is necessary to perform its obligations under the Service.
4) The Data Processor undertakes to process personal data only for the purposes related to the provision of the Service. Whereas the need for a different processing activity arises, the Data Processor undertakes to give prior notice to the Data Controller, allowing him to oppose any such processing activity.
5) The Data Processor, insofar as falling within its competence, is bound by applicable law and this contract, for itself and for the persons authorized to process personal data on its behalf, to observe obligations regarding the security measures set forth in the applicable law and to assist the Data Controller in ensuring compliance with it. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, such as:
– accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed;
– unlawful processing or in any case processing not aligned with the Data Controller’s written instructions.
The Data Controller may require to the Data Processor a list containing a summary of such implementations.
6) The Data Processor will implement the security measures in order to ensure:
– pseudonymization and encryption of personal data (if feasible);
– the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services;
– the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
The Data Processor will implement a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, promptly forwarding to the Data Controller the technical documentation concerning the on-going security measures and any changes subsequently adopted.
The Data Processor undertakes to inform the Data Controller of any personal data breach without undue delay after having become aware of it and to provide full assistance to the Data Controller and the relevant Supervisory Authorities to comply with each and all obligations set forth in the applicable law (e.g., notification of a personal data breach to the Supervisory Authority; where applicable, communication of a personal data breach to the data subjects).
The Data Processor undertakes to verify that the information notice request by Article 13 Regulation is forwarded to the data subjects. To this end, the Data Controller and Data Processor shall decide in good faith a consistent version and define delivery procedures of said information notice. The Data Processor shall also manage, by means of appropriate procedures, custody, non-modification and easy retrieval of all the documents related to every formal procedure requested by the Regulation.
Furthermore, the Data Processor assists the Data Controller in ensuring compliance with the obligations relating to the data protection before the relevant Supervisory Authority or judicial authority.
7) The Data Processor makes available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this contract and in the applicable law, allowing for and contributing to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller as described in clause 15 of the present agreement. For this purpose, the Data Processor shall, furthermore, notify promptly the Data Controller whenever he believes that an instruction may infringe the Regulation o any other applicable provision of law relating to protection of Personal Data.
8) The Data Processor, within the sphere of its company structure, shall identify the natural persons authorized to process personal data. At the time of the appointment, the Data Processor shall impose on such persons suitable written instructions concerning the modalities of processing, in compliance with the provisions of the applicable law and this contract. By way of example and by no way of limitation, in designating in writing the persons authorized to process personal data, the Data Processor will establish that they have access only to those personal data for which their knowledge is strictly necessary to carry out the duties assigned to them and that they apply all necessary security measures concerning the safeguarding of passwords to digital data processing operations. Lastly, the Data Processor will ensure the safekeeping of non-electronic storage media containing acts or documents with special categories of personal data. The Data Processor guarantees that the persons authorized to process personal data commit themselves to confidentiality over the processing operations performed or are under an appropriate statutory obligation of confidentiality also after the termination of their relationship with the Data Processor.
Moreover, with regards to the processing operations necessary to provide the Service and carried out by natural persons appointed by the Data Processor as System Administrators (“Amministratori di Sistema”), the Data Processor undertakes to comply with the provisions applicable to these subjects as currently set forth in the Measures and arrangements applying to the controllers of processing operations performed with the help of electronic tools in view of committing the task of system administrator, dated 27 November 2008, and amended by a Decision of the Italian Data Protection Authority dated 25 June 2009. More specifically, the Data Processor undertakes to keep, update regularly and make available at any moment for the Data Controller an internal document containing the list of the natural persons working as system administrators.
9) In the event of the Data Processor receiving a request from a data subject to exercise his/her rights, it will:
– promptly notify the Data Controller in writing, attaching a copy of the request;
– taking into account the nature of the processing, assist the Data Controller by way of appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights.
10) The Data Processor undertakes to inform the Data Controller of other Data Processors (sub-processor/s – see Annex “Sub-processors”, if any), that are engaged in the processing operations for the performance of the Service.
By means of this contract, the Data Controller provides the Data Processor with a general written authorization to engage sub-processors for the performance of the Service.
In the event the Data Processor engages other sub-processors, the Data Processor undertakes to select sub-processors among subjects capable of providing sufficient guarantees to implement the appropriate technical and organizational measures defined in Annex “Security Measures” in such a manner that the processing will meet the requirements of the applicable law and ensure the protection of the rights of the data subjects. The Data Processor undertakes to stipulate with selected sub-processors, specific contracts, or other legal acts, which analytically describe their tasks and impose on them the same data protection obligations set out in this contract between the Data Controller and the Data Processor. Such contracts must always provide sufficient guarantees with regard to the implementation of the appropriate technical and organizational measures defined in Annex “Security Measures” in such a manner that the processing will meet the requirements of the applicable law and the decisions issued by the relevant Supervisory Authority.
Where the sub-processor fails to fulfill its data protection obligations, the Data Processor undertakes to remain fully liable towards the Data Controller for the performance of the sub-processor’s obligations. Furthermore, the Data Processor agrees to indemnify and hold harmless the Data Controller from any damage, claim, compensation, and/or penalties caused to the Data Controller by failure to comply with these obligations and, more generally, by the infringement of the applicable law on the protection of personal data by the Data Processor and its sub-processors.
The Data Processor undertakes to inform the Data Controller of any intended changes concerning the addition or replacement of the sub-processors, thereby giving the Data Controller the opportunity to object to such changes.
Finally, when selected sub-processors are established in a country outside the European Union which has not received an adequacy decision in terms of data protection safeguards by the European Commission, the Data Controller expressly authorizes the Data Processor, who accepts, to conclude a data transfer agreement with such sub-processors containing the standard contractual clauses (as may be amended) adopted by the European Commission in its Decision 2010/87/UE on 5 February 2010 together with Annex “Security Measures” below, which shall be deemed as Annex 2 to the standard contractual clauses.
11) The Data Processor undertakes to process personal data only for the purposes related to the provision of Service and/or only upon documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organization. Should the Data Processor be required to carry out processing operations beyond the purposes declared in the Service, the Data Processor will inform in advance the Data Controller of such processing.
12) The Data Controller declares, furthermore, that the personal data, transmitted by him to the Data Processor:
– are pertinent and not redundant insofar as concerns the purposes for which they were collected and subsequently processed;
13) In any case, the Data Controller declares that the personal data and/or other special categories of personal data forming the subject of the processing operations entrusted to the Data Processor are collected and transmitted in compliance with the provisions of the applicable law. It is understood that the Data Controller remains responsible for defining the legal basis of the processing of personal data.
The Data Controller is responsible for any further obligation needed to transfer Personal Data to Data Processors and Sub-Processor according to the Applicable Provisions in the field of Personal Data Protection.
14) The Data Controller remains responsible for the data processing method implemented by means of applicative procedures developed according to its specifications and/or through its electronic instruments or telecommunications.
15) The Data Processor makes available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this contract and in the applicable law, allowing for and contributing to audits, including inspections. For this purpose, the Data Controller or another auditor mandated by the Data Controller shall give a prior notice of at least 15 days to the Data Processor.
The Data Controller undertakes to agree that every information gathered by the Data Controller or persons acting under his authority within the framework of such operations is used only for verification purposes
The Data Processor shall, furthermore, notify promptly the Data Controller every data subject request, verification, inspection or request of the Supervising Authority o judicial authority, alongside with every relevant information related to the processing of personal data.
The Data Controller accepts that, whenever said cooperation and assistance require a significant amount of resource by the Data Processor, the effort will be chargeable upon the Data Controller, provided notification and a following agreement.
16) In case of a data breach, the Data Processor shall notify without undue delay the Data Controller, using the contact details provided by the Data Controller, and assist him with the performance of a preliminary analysis regarding the anomaly and filling a schedule containing all available information, such as:
– Time of the event, even if just suspected
– When the data breach became known
– Source of the alert
– Category of data breaches and involved information
– Description of the anomaly
– Number of data subjects involved
– Volume of personal data violated
– Place of the data breach, specifying whether or not it has happened after the loss of mobile devices
– Summary description of computer programs or data storing systems involved, specifying their location
After a preliminary analysis, the Data Processor shall verify if the alert was a false positive with a I level analysis; the Data Processor shall then gather detailed information on the event for a II level analysis and fill a schedule to be sent to the Data Controller, either via certified mail or other contact provided by the Data Controller.
The anomaly shall be registered in a specific record of data breaches.
17) Communications between the parties, for the purposes of this assignment will take place:
– for the Data Controller, at the email provided during registration or at other contact details specifically identified for compliance with the obligations set forth in the present agreement.
– for the Data Processor, at firstname.lastname@example.org
18) Upon termination of processing operations, and upon cessation, for whatsoever cause, of processing by the Data Processor or the underlying relationship, including termination of the Service free trial, the Data Processor will store relevant data for a maximum of 6 months, where the Data Controller shall instruct, at his discretion, the Data Processor to either: (i) return to the Data Controller the personal data forming the object of the processing or, (ii) arrange for their complete destruction, with the sole exception of those cases in which the preservation of the data is required by law or for other purposes (accounting, fiscal, etc.).
The Data Controller shall be notified every two months of this possibility.
At the end of the six months period, the Data Controller instructs the Data Processor to delete data object of the processing activities detailed in the present agreement.
This contract will have the same duration as the Service. In the event of termination of the Service for any cause, this contract will automatically terminate, without any communication or revocation, and the Data Processor will no longer be allowed to process the Data Controller’s data other than for performing the data processing operations strictly necessary to fulfill its post-contractual duties under the Contract.
19) It is understood that this contract does not confer the Data Processor the right to receive financial compensation deriving from the activities to be carried out within said contract.
This contract supersedes, expressly revokes and substitutes any other assignment regarding any type of data.