Policy to clients on the processing of personal data for the Electric Mobility offer

Cogeser Energia guarantees you maximum transparency in processing your data!

I. Purpose of this deed

The purpose of this deed is to define the conditions under which the Company Neogy s.r.l., identified as the Supplier under the contract to which this deed is annexed, is appointed as external data processor and as such undertakes to carry out on behalf of Cogeser Energia s.r.l. hereinafter Controller, the personal data processing operations defined below.

Within the scope of their contractual relations, the parties undertake to respect the confidentiality of the data set forth below as well as the current regulations applicable to the processing of personal data set forth in Legislative Decree June 30, 2003, No. 196 "Code on the Protection of Personal Data" as amended (subsequent modifications and integrations) and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 applicable as of May 25, 2018 (hereinafter: GDPR).

II. Description of the treatment granted to the supplier under Article 28 of the GDPR

The Supplier is authorized to process, on behalf of the Data Controller, the personal data necessary to provide the services underlying the contract to which this is attached. Regarding the identification of the purpose, category of data, and categories of interested parties, please refer to the table below:

 

DATA CATEGORY | CATEGORIES OF INTERESTED PARTIES
Personal data | Clients

III. Duration of the contract

Please refer to the contract to which this act is annexed.

IV. Obligations of the Supplier towards the Data Controller

The Supplier agrees to comply with the following in the processing of data.

1. Purposes of data processing

The Supplier agrees to process data only for the purposes that are the subject of the contract of which this act is an annex. If the Supplier processes the acquired data for other purposes, it shall be considered an autonomous Controller and as such shall be liable for any violations.

2. Data processing

The Supplier agrees to process the data in accordance with the instructions made available by the Controller as an attachment to this document.

If the Supplier believes that an instruction constitutes a violation of the European Data Protection Regulation or any other provision of Union law or Member State law relating to data protection, it shall immediately inform the Data Controller.

In addition, if the Supplier is required to transfer data to a third country or international organization under Union law or the law of the Member State to which it is subject, it is required to inform the Data Controller prior to processing, unless the relevant law provides otherwise, such as in the case of important reasons of public interest.

3. Training of authorized personnel

The Supplier shall ensure that the persons authorized to process personal data stipulated in the contract:

- undertake to comply with legal obligations regarding the confidentiality of personal data;

- receive adequate training with reference to the protection of personal data.

4. Documentation that the Supplier makes available to the Controller

The Supplier agrees to demonstrate compliance with all its obligations under Article 28 of the GDPR and allows audits, including inspections, conducted by the Controller or an appointed third party and agrees to contribute to related audits. The Supplier agrees to assist the Controller in the risk assessment on the protection of personal data processed, which is required according to regulations. The Controller shall notify the Responsible Party in writing, with at least 14 (fourteen) days' notice, of the date and the names of the persons who, on its behalf, will carry out the inspection and audit operations.

5. Privacy by design and by default

The Supplier is committed to considering data protection principles in relation to its tools, products, applications or services from the design stage and by default.

6. Appointment of subcontractor by Supplier

The Supplier may require another supplier (hereafter referred to as "Subcontractor") to perform specific data processing activities.

The Supplier shall inform the Controller in advance, in writing, of any changes related to the addition or replacement of other subcontractors. This information must clearly state the subcontracted processing activities, the Supplier's identity and contact information, and the dates of subcontracting. The Controller has a minimum of 3 days from the date of receipt of this information to submit its objections. Subcontracting may only be carried out if the Controller has not objected within the agreed deadline, with the Controller obliged to give reasons for its objection.

Whether in the case of general or specific authorization, the Subcontractor is required to comply with the same obligations of this contract governed in the appropriate other on behalf of and according to the instructions of the Controller. The Supplier shall ensure that the Subcontractor presents sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the regulations, taking responsibility for them.

It follows that if the Subcontractor fails to comply with its data protection obligations, the Supplier remains fully liable to the Controller for the performance of the Subcontractor's obligations - without prejudice, however, to the Controller's ability to bring a direct action against the Sub-respondents, in which case the Controller holds Neogy harmless from any liability that may arise.

7. Duty to inform interested parties

The Data Controller is responsible for providing the required data protection information to the persons affected by the processing activities at the time of data collection and for making available the updated list of external data processors to the interested parties.

8. Exercise of people's rights

Whenever possible, the Supplier assists the Data Controller in complying with the obligation to fulfill requests to exercise the rights of the parties concerned.

The Supplier undertakes to promptly and within 5 working days notify the Controller of requests from interested parties concerning the processing operations governed by this Act and to cooperate with the Controller in handling them.

9. Personal data breach notification

The Supplier shall notify the Data Controller of any incidents and breaches of personal data without undue delay and within 48 hours of becoming aware of the breach by email to dpo@cogeser.it.

This notification shall be accompanied by any relevant documentation so that the Controller, if necessary, informs the competent Control Authority.

The notification must contain at least:

  • a description of the nature of the personal data breach including, if possible, the categories and approximate number of individuals affected by the breach and the categories and approximate number of personal data records involved;

  • the name of the data protection officer or other contact point from which further information can be obtained;

  • a description of the likely consequences of the personal data breach;

  • a description of the measures taken by the Data Controller or the measures it intends to take to remedy the personal data breach, including, where appropriate, measures designed to mitigate possible adverse consequences.

If, and to the extent that, all such information cannot be provided simultaneously, the information may be provided at a later time without undue delay.

The Data Controller shall be responsible for immediately informing the interested party of the personal data breach, if the breach may create a high risk to the rights and freedoms of a natural person, through press release or other appropriate means.

10. Assistance of the Supplier in complying with obligations by the Data Controller

The Supplier shall assist the Data Controller in carrying out data protection impact assessments and, if necessary, in carrying out prior consultation with the supervisory authority.

11. Security precautions

The Supplier undertakes to implement technical and organizational measures appropriate to the contracted service in accordance with GDPR Art. 32.

12. Data processing procedures after termination of services

As instructed, the Supplier agrees to destroy all personal data processed or transfer it to the Controller within 45 days, except where the Supplier is required to retain the information collected in fulfillment of legal obligations. The return must be accompanied by the destruction of all copies in the Supplier's information systems. In the event that data are retained, the Supplier may indicate the reasons and criteria for retaining the data.

13. Data protection officer

The Supplier shall inform the Data Controller of the name and contact details of the person appointed as data protection officer, if any, pursuant to Article 37 of the European Data Protection Regulation.

14. Keeping a record of processing activities

Where applicable, the Supplier declares that it keeps written records of data processing activities in a manner consistent with the requirements of the regulations.

V. Obligations of the Controller towards the Supplier

The Data Controller undertakes to:

  1. document in writing all data processing instructions to be provided to the Supplier;

  2. supervise data processing, including conducting audits and inspections against the Supplier.

VI. Supplier's Responsibilities

According to the provisions of the regulations, where the Data Controller and the Provider are involved in the same processing and are held responsible for any damage caused to the affected persons, each party shall be jointly and severally liable for the full amount of the damage in order to ensure the effective compensation of the affected person. Should the Data Controller or the Supplier of the processing have paid the entire compensation for the damage, such Data Controller or Supplier of the processing has the right of recourse against the other party involved for the compensation of the share corresponding to its responsibility for the damage, in accordance with the conditions provided by the regulations.

Should the Provider perform any processing of personal data beyond what is agreed upon in the service contract of which this deed is a part, the parties agree to define in advance the roles under the GDPR and to enter into an additional appointment for such processing, if necessary.