Data Processing Agreement

Gruppo Informatica e Servizi GIES S.r.l., with registered office at Via Genghettino, 11 - 47892, Acquaviva, Republic of San Marino, represented by its legal representative pro tempore ("GIES" or "Data Processor") and the Client ("Controller" or "Client"), as more fully identified therein, entered into a contract for the provision of the Processor's Services, which involves the processing of personal data (hereinafter, as amended or updated from time to time, the "Contract").

This data processing agreement (including its attachments, the "Data Processing Agreement") contains the provisions of Article 28 of the GDPR and is entered into between GIES and the Client, supplementing the Contract and forming an integral and essential part thereof. The Data Processing Agreement will be effective, and will replace any other previously applicable agreement between the parties relating to the same subject matter (including any amendments or data processing addenda relating to the Processor's Services), from the Effective Date and for the entire Term.

1. Preamble

The Data Processing Agreement reflects the parties' agreement regarding the processing of Customer Personal Data as regulated by European and national legislation.

2. Definitions

2.1 All capitalized terms used in the Data Processing Agreement have the following meanings:

"Supervisory Authority" means a "supervisory authority" as defined in the GDPR.
"Effective Date" means the effective date of the Contract and the Data Processing Agreement.
"Customer Personal Data" means the personal data processed by GIES on behalf of the Client in GIES' provision of the Processor Services.
"Security Documentation" means any security certification or documentation (e.g., organizational and technical security measures, disaster recovery and business continuity plans, etc.) that GIES makes available in connection with the Processor Services. This definition includes the evidence referred to in Sections 7.4 (Security Certification), 8 (Impact Assessments and Prior Consultation), and 11.3(a).
"Term" means the period from the Effective Date until the end of GIES' provision of the Processor Services under the Contract.
"GIES" means Gruppo Informatica e Servizi GIES S.r.l., a party to the Agreement.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
"Incident" means a breach of GIES' security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems operated or otherwise controlled by GIES.
"Notification Email Address" means the email address provided by the Customer under the Agreement or subsequent instructions to receive any communications related to this Data Processing Agreement.
"Additional Instructions" means the additional instructions reflecting the parties' agreement on additional terms governing the processing of certain data in connection with certain Processor Services.
"European and National Legislation" means the GDPR and the applicable EU Member State legislation for the processing of Customer Personal Data.
"Transfer Mechanisms" means a binding decision issued by the European Commission permitting the transfer of personal data from the EEA to a third country whose domestic law provides an adequate level of protection for personal data. Where such a binding decision is not present or effective, the Standard Contractual Clauses approved from time to time by the European Commission for the transfer of personal data shall apply.
"Security Measures" means the provisions of Section 7.1.1. (Security Measures on GIES Systems).
"EEA" means the European Economic Area.
"Processor Services" means the services offered under the Agreement and described collectively in Appendix 1.
"Subprocessors" means the third parties authorized under this Data Processing Agreement to process Customer Personal Data for the purpose of providing part of the Processor's Services and/or any related technical support.

2.2 The terms "Personal Data", "Data Subject", "Processor", "Controller", and "Processing" have the meanings set forth in the GDPR.

2.3 The terms "include" and "included" are illustrative and are not the sole example of a particular concept.

2.4 Any reference to a law, regulation, statute, or other legislative instrument is a reference to that law, regulation, statute, or other legislative instrument, as amended or restated from time to time.

2.5 If this Data Processing Agreement is translated into another language and there is a discrepancy between the Italian text and the translated text, the Italian text shall prevail.

3. Term

This Data Processing Agreement is effective for the entire Term and until the Processor deletes all Customer Personal Data.

4. Scope

4.1 Application of the Processor's Services. This Data Processing Agreement applies only to the services for which the parties have agreed to apply it, and therefore to the services indicated in the Agreement.

4.2 Application of Additional Instructions. The Controller may, during the Term, provide GIES with Additional Instructions, which GIES may not unreasonably refuse if such Additional Instructions are necessary to enable the Controller to comply with any obligations imposed on the Controller under European and national legislation. In all other cases, GIES shall have the right to negotiate the content of the Additional Instructions with the Controller and shall not be obliged to implement them until an agreement is reached. Once both Parties have confirmed the Additional Instructions, they shall be considered an integral part of this Data Processing Agreement.

4.1.1 Costs arising from the implementation of the Additional Instructions. The Additional Instructions and/or their integration, modification, or reduction shall not result in additional costs for GIES; otherwise, the Data Controller acknowledges and agrees that all costs arising, directly or indirectly, from GIES's compliance with the Additional Instructions shall be borne exclusively by the Data Controller.

5. Data Processing

5.1 Roles, Responsibilities, and Instructions
5.1.1 The Parties acknowledge and agree that: (a) Appendix 1 describes the scope and details of the processing of Customer Personal Data; (b) GIES acts as Data Controller for Customer Personal Data under European and national legislation; (c) the Client acts as Controller or Processor, as applicable, of the Client's Personal Data and in accordance with European and national legislation; and (d) each party will comply with its obligations under European and national legislation with respect to the processing of the Client's Personal Data.

5.1.2 Authorization by Third-Party Controller. If the Client acts as Processor on behalf of a different Controller, the Client warrants to GIES that the Client's instructions and actions in relation to the Client's Personal Data, including the appointment of GIES, have been authorized by the respective Controller.

5.2 Instructions from the Controller. Under this Data Processing Agreement, the Controller instructs GIES to process the Client's Personal Data: (a) only in compliance with applicable law; (b) only to provide the Processor Services and any related technical support; (c) as further specified/indicated by the Customer through its use of the Processor Services (including changes to the settings and/or functionality of the Processor Services) and any related technical support; (d) as documented in the Agreement, including this Data Processing Agreement; and (e) as further documented in any written instructions provided by the Controller to GIES as additional instructions for the purposes of this Data Processing Agreement.

5.3 GIES Compliance with Instructions. GIES will comply with the instructions in Section 5.2 (Controller's Instructions) unless the European or national legislation to which it is subject requires it to undertake a different or further processing of the Customer's Personal Data (e.g., transfer of personal data to a third country or an international organization), in which case GIES will promptly inform the Customer at the Notification Email Address (unless such legislation prohibits GIES from doing so for important reasons of public interest).

6. Deletion and Export of Data

6.1 Deletion and Export for the Term
6.1.1 Processor Services with Export Functionality. To the extent that the Processor Services include the ability for the Controller to independently export the Customer's Personal Data in an interoperable format, GIES undertakes, to the extent possible, to ensure that this operation is guaranteed for the entire Term and up to 90 days after the Term.

6.1.2 Processor Services with Deletion Functionality. To the extent that the Processor Services include the ability for the Customer to independently delete the Customer's Personal Data, GIES undertakes, to the extent possible, to ensure that such deletion from its systems is carried out as soon as reasonably possible and within a maximum period of 90 days, unless European and national legislation requires retention. In the latter case, GIES will process the Customer's Personal Data only for the purposes and for the duration defined by such legislation.

6.1.3 Processor Services without Deletion or Extraction Functionality. If, for the Term or part thereof, the Processor Services do not include the ability for the Controller to independently extract and/or delete the Customer's Personal Data, GIES will comply with any Customer request to facilitate this operation in the same manner and within the timeframes indicated in Section 6.1.1 (Processor Services with Export Functionality) and Section 6.1.2 (Processor Services with Deletion Functionality), respectively.

6.2 Deletion upon Expiration of the Term. Except as provided in Section 6.1.1 (Processor Services with Export Functionality), upon expiration of the Term, the Customer shall instruct GIES to delete all Customer's Personal Data (including existing copies) from GIES' systems in accordance with applicable law. GIES will execute this instruction as soon as reasonably practicable and within a maximum of 90 days, and will confirm completion to the Notification Email Address, unless European and national legislation requires retention. In the latter case, GIES will process the Customer's Personal Data only for the purposes and for the duration defined by such legislation.

7. Data Security

7.1 Security Measures and Assistance by GIES
7.1.1 Security Measures on GIES Systems. GIES will adopt and maintain technical and organizational measures to protect the Customer's Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Appendix 2. Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context, and purposes of the processing carried out with the Processor's Services, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Appendix 2 must at all times include security measures designed to: (a) encrypt personal data; (b) help ensure the ongoing confidentiality, integrity, availability, and resilience of GIES's systems and services; (c) help promptly restore personal data following an incident; and (d) periodically review their effectiveness. GIES reserves the right to update or modify the Security Measures, provided that such updates and modifications do not result in a deterioration in the overall security of the Processor's Services.

7.1.2 Security Measures for GIES Personnel. GIES will take appropriate measures to ensure compliance with the Security Measures by all those operating under its authority, including its employees, agents, contractors, and Subprocessors to the extent applicable to them based on the actual performance of their duties, including ensuring that all persons authorized to process Client Personal Data have committed to confidentiality or are subject to an appropriate obligation of confidentiality in accordance with European and national legislation.

7.1.3 Data Security Assistance by GIES. GIES will assist the Controller in ensuring compliance with any of the Controller's obligations regarding personal data security and personal data breaches, including (where applicable) the Controller's obligations under Articles 32 to 34 of the GDPR, by:
(a) implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Security Measures on GIES Systems);
(b) implementing the provisions of Section 7.2 (Data Incidents); and
(c) providing the Controller with Security Documentation in accordance with Section 7.5.1 (Review of Security Documentation) and the information required in this Data Processing Agreement.

Appendix 1: Object and details of data processing


BabylonWeb Service

Object
Provision of an application for managing tangible and intangible assets inventories, the financial and asset records required for preparing financial statements, leases and concessions and related obligations, the cartographic identification of real estate assets, the preparation of consolidated financial statements, and the management of the inventory.

Duration of Processing
For the Term plus the subsequent period until all Client Personal Data is deleted by GIES in accordance with the Data Processing Agreement.

Nature and Purpose of Processing for the Processor Services
GIES will process Client Personal Data in order to provide the Processor Services in accordance with the instructions contained in the Data Processing Agreement.

Depending on the Processor Services chosen in the Agreement, Client Personal Data may include the following personal data:

Types of Data Subjects Involved
Parties to a Donation
Person making a Report
Reported Parties
Lawyers and Notaries
Parties to a Lease Contract
Relatives of Lessees
Subject to whom the goods are delivered

Personal Data Processed
Personal and identification data
Data contained in notarial deeds
Data on arrears
Data relating to ISEE values
Judicial data (criminal law)

Service Ross 1000

Object
Portal for tracking the flows and characteristics of accommodation facilities located within the authority's jurisdiction. The solution provides analysis and summary functions for information content and the production of ISTAT models required by the National Statistical Program.

Duration of Processing
For the Term plus the subsequent period until all Customer Personal Data is deleted by GIES in accordance with the Data Processing Agreement.

Nature and Purpose of Processing for the Processor's Services
GIES will process Customer Personal Data in order to provide the Processor's Services in accordance with the instructions contained in the Data Processing Agreement.

Depending on the Processor's Services selected in the Agreement, Customer Personal Data may include the following personal data:

Types of Data Subjects Involved
Tourists
Accommodation Facilities

Personal Data Processed
Personal and Identification Data
Tourist Stay Data

Appendix 2: Security measures

Starting from the Effective Date, GIES implements and maintains the Security Measures described in this Appendix 2. GIES may periodically update or modify these Security Measures, provided that such updates and modifications do not result in a deterioration in the overall security of the Processor Services or otherwise a reduction in the level of security agreed upon below.

Starting from the Effective Date, GIES implements and maintains the Security Measures set forth at the following link:

https://whitepaper.gies.it/

The Processor and Sub-Processors undertake to ensure a level of security no lower than that provided by the technical and organizational measures set forth at the following link:

https://whitepaper.gies.it/

Last updated: 11/15/2024

Appendix 3

Subprocessors to whom some of the activities that allow GIES to provide the Processor Services are delegated:

Amazon Inc.
Services of the relevant Processor or description of subcontracted activity: Provision of data archiving and backup services, including historical access logs to application instances.
Place of establishment: European Union
Transfer mechanism (if applicable): N/A

Aruba S.p.A.
Services of the relevant Processor or description of subcontracted activity: Storage provider (IaaS), archiving backup.
Place of establishment: Italy
Transfer mechanism (if applicable): N/A

Telecom Italia S.p.A.
Services of the relevant Processor or description of subcontracted activity: Storage provider (IaaS), backup archiving.
Place of establishment: Italy
Transfer mechanism (if applicable): N/A

Alaio Cloud Limited
Services of the relevant Processor or description of subcontracted activity: CRM, technical support ticket.
Place of establishment: European Union
Transfer mechanism (if applicable): N/A

Last updated: 11/15/2024