PERSONAL DATA PROCESSING AGREEMENT

(pursuant to Article 28 of EU Regulation 2016/679)

1. INTRODUCTION

1.1 This Personal Data Processing Agreement (hereinafter "Agreement") is an integral part of the Terms of Service relating to the Electronic Invoicing API (hereinafter "Main Contract") and governs the relationship between the Client, as Data Controller (hereinafter "Controller"), and C.I.R. 2000 snc, as Data Processor (hereinafter "Processor"), with reference to the processing of personal data carried out by the Processor on behalf of the Controller within the scope of the execution of the Main Contract.

1.2 The terms used in this Agreement have the same meaning as attributed to them in EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter "GDPR") and in Legislative Decree 196/2003, as amended by Legislative Decree 101/2018 (hereinafter "Privacy Code").

2. SUBJECT

2.1 With this Agreement, the Controller appoints the Processor as data processor pursuant to Article 28 of the GDPR, entrusting it with the task of carrying out, on behalf of the Controller, the personal data processing operations necessary for the execution of the Main Contract.

2.2 The Processor accepts the appointment and undertakes to process personal data on behalf of the Controller in compliance with the instructions given by the Controller, this Agreement, the GDPR, and the applicable personal data protection legislation.

3. NATURE AND PURPOSE OF PROCESSING

3.1 The Processor will process personal data exclusively for the execution of the Main Contract and, in particular, to allow the Controller to generate, transmit, and manage electronic invoices in accordance with current legislation.

3.2 The processing operations that the Processor may perform on personal data include: collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, erasure or destruction.

4. TYPE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS

4.1 In executing the Main Contract, the Processor may process the following types of personal data: a) Personal and identification data (name, surname, tax code, VAT number, address, etc.) of customers, suppliers, employees, and collaborators of the Controller; b) Contact data (telephone number, email address, etc.) of customers, suppliers, employees, and collaborators of the Controller; c) Tax and accounting data necessary for electronic invoicing; d) Any other personal data necessary for the execution of the Main Contract and communicated by the Controller to the Processor.

4.2 The categories of data subjects whose personal data may be processed by the Processor are: a) Customers of the Controller; b) Suppliers of the Controller; c) Employees and collaborators of the Controller; d) Any other categories of data subjects whose data are necessary for the execution of the Main Contract.

5. OBLIGATIONS OF THE PROCESSOR

5.1 The Processor undertakes to: a) Process personal data only on documented instructions from the Controller, including in case of transfer of personal data to a third country or an international organization, unless required by Union or national law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; b) Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; c) Implement all security measures required pursuant to Article 32 of the GDPR; d) Respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor (sub-processor); e) Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR; f) Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor; g) At the choice of the Controller, delete or return all the personal data after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data; h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

6. GENERAL AUTHORIZATION FOR THE APPOINTMENT OF SUB-PROCESSORS

6.1 The Controller authorizes the Processor to engage sub-processors for carrying out specific processing activities on behalf of the Controller, subject to prior communication to the Controller of the identity of the sub-processors and the processing activities entrusted to them.

6.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other sub-processors, thereby giving the Controller the opportunity to object to such changes.

6.3 The Processor shall impose on sub-processors, by means of a written contract, the same data protection obligations as set out in this Agreement. Where the sub-processor fails to fulfill its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.

7. SECURITY MEASURES

7.1 The Processor declares and guarantees that it has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

7.2 The security measures implemented by the Processor include, among others: a) The pseudonymization and encryption of personal data, where applicable; b) The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services; c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

7.3 The Processor undertakes to periodically review and update the security measures implemented, in light of technological developments and industry best practices.

8. PERSONAL DATA BREACH (DATA BREACH)

8.1 The Processor undertakes to inform the Controller, without undue delay and in any event within 24 hours of discovery, of any personal data breaches (data breach) that could pose a risk to the rights and freedoms of natural persons.

8.2 The communication to the Controller shall contain at least the following information: a) Description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; b) Name and contact details of the data protection officer or other contact point where more information can be obtained; c) Description of the likely consequences of the personal data breach; d) Description of the measures taken or proposed to be taken to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

8.3 The Processor undertakes to document any personal data breach, comprising the facts relating to the breach, its effects, and the remedial action taken.

9. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

9.1 The Processor undertakes to provide the Controller with all necessary assistance in carrying out data protection impact assessments (DPIA) and in any prior consultations with the supervisory authority, in the cases provided for by Articles 35 and 36 of the GDPR.

10. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

10.1 The Processor shall not transfer personal data to a third country or an international organization, unless such transfer is required by Union or national law to which the Processor is subject or has been expressly authorized by the Controller and takes place in compliance with the conditions established by Chapter V of the GDPR.

11. LIABILITY

11.1 The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.

11.2 The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

12. DURATION AND TERMINATION

12.1 This Agreement has the same duration as the Main Contract and will automatically terminate at the end of the same.

12.2 In the event of termination, for any reason, of this Agreement, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies, unless Union or Member State law requires storage of the personal data.

13. FINAL PROVISIONS

13.1 This Agreement, together with its attachments, forms an integral part of the Main Contract and replaces any previous agreement between the parties regarding personal data protection.

13.2 Any amendment to this Agreement must be made in writing and signed by both parties.

13.3 In the event of a conflict between the provisions of this Agreement and those of the Main Contract, the provisions of this Agreement shall prevail with regard to aspects relating to personal data protection.

13.4 For anything not expressly provided for in this Agreement, reference is made to the provisions of the GDPR and the applicable legislation on personal data protection.