Data Processor

Appointment of the Supplier’s Data Processor

Definition of the processing context relative to the Appointment of the Supplier’s data processor with the stipulation of the contract and agreement between the parties for the provision of assistance and maintenance services


1 – Appointment – In the performance of the SERVICE, pursuant to and in accordance with Art. 4 comma 1 lett. f) and Art. 28 of Legislative Decree 30 June 2003, no. 196, the DATA COLLECTOR is the CLIENT and it is up to the CLIENT, DATA COLLECTOR, to perform all operations foreseen by the above regulation for the processing of personal records by which we refer to the informative note, the filing of consent, the implementation of all authorizations, appointments and storage measures and any other kind of measure even for the introduction of a Security System.
For the tasks that, according to the SERVICE CONTRACT remain assigned to the SUPPLIER, the latter is appointed DATA PROCESSOR pursuant to Art. 4 c.1 lett. g) and Art. 29 of the Legislative Decree no. 196/03. Those appointed by the SUPPLIER shall be in charge of the data processing procedure in accordance with Articles 4 c. 1 lett. h) and 30 of the aforementioned regulation and in this regard shall be appointed by the SUPPLIER/(DATA PROCESSOR).

The SUPPLIER’S/(DATA PROCESSOR’S) data processing operations will therefore be carried out by appointed persons who shall operate under the direct authority of the SUPPLIER/(DATA PROCESSOR) and follow the instructions it shall impart. The appointment shall be ratified in writing and shall specifically identify the scope of allowed processing. The same effect shall be obtained by the documented appointment of a physical person to a specific unit for which the scope of processing for the personnel manning said unit is provided in writing.
The processing even extends to sensitive or judiciary data (if any), as defined in Art. 4 c. 1 lett. d) and e) of the Legislative Decree no. 196/2003 for which the SUPPLIER/(DATA PROCESSOR) issues authorization to the persons it has appointed to process or maintain the data.

Seeing as the data processing is also performed directly by the CLIENT/(DATA CONTROLLER), for direct processing the CLIENT/(DATA CONTROLLER) shall ensure compliance with all legal obligations and free and clear the SUPPLIER/(DATA PROCESSOR) of all responsibility.

The SUPPLIER/(DATA PROCESSOR) may, at any time, even during the duration of the SERVICE CONTRACT and despite the SERVICE still being provided, terminate the DATA PROCESSOR qualification in the future, requiring the CLIENT/(DATA CONTROLLER) to provide one instead. The CLIENT/(DATA CONTROLLER) may also terminate such an appointment. In these cases the parties shall jointly decide to whom the data processing for the SERVICE should be assigned.


2 – Guarantees – The data that the CLIENT/(DATA CONTROLLER) has already provided and shall provide must have already been granted consent by the interested parties in accordance with art. 23 of Legislative Decree no. 196 of 30 June 2003, except in those cases where it is excluded as foreseen by art. 24 of the same regulations and the interested parties will have already received the informative note detailed in art. 13 of Legislative Decree no. 196 of 30 June 2003.

The CLIENT/(DATA CONTROLLER) guarantees the SUPPLIER/(DATA PROCESSOR) that it has the legitimate right to use all the information (texts, data, news, signs, images, sounds and whatever else) that it shall hand over to the SUPPLIER/(DATA PROCESSOR) for processing, further ensuring that said information does not violate in any way, either directly or indirectly, the rights of any third parties.

The CLIENT/(DATA CONTROLLER) shall retain ownership of the information that shall be communicated to the SUPPLIER/(DATA PROCESSOR) for the service and expressly takes on all and every responsibility relating to the content of said information and relieves the SUPPLIER of every obligation and/or duty to directly or indirectly verify and/or check the content referred to above.

In order for an appropriate data processing procedure to be guaranteed, the SUPPLIER, to whom the processing is entrusted so that the SERVICE may be provided, and thus in this regard operates as PERSONAL DATA PROCESSOR, undertakes to perform the following duties:
1. the data processing shall be carried out for the sole purpose of executing the task assigned;
2. as determined in this deed and for all tasks that shall be undertaken as part of the implementation of this CONTRACT the operations of the SUPPLIER/(PERSONAL DATA PROCESSOR) shall be performed in compliance with the obligations foreseen by the Code for the protection of personal data;
3. the SUPPLIER/(PERSONAL DATA PROCESSOR), in performing its activity, in compliance with the CONTRACT, shall follow all specifically agreed instructions for the processing of personal data and if necessary shall integrate the existing procedure in order to best observe the obligations ensuing from the regulations on Privacy relative to the task to be performed relative to the CONTRACT;
4. the SUPPLIER/(PERSONAL DATA PROCESSOR), if anomalous or emergency situations occur, shall report on a regular basis on the security measures introduced – even through questionnaires or check lists – and immediately inform the data controller.


3 – Obligations – Pursuant to and in accordance with Art. 29 c. 4 of the Legislative Decree no. 196/2003, which requires that the tasks assigned to the processor must be clearly listed in writing by the CONTROLLER, it is further specified that the tasks assigned to the SUPPLIER/(DATA PROCESSOR) are those indicated in the previously indicated CONTRACT, that regulates the SERVICE.

The SUPPLIER/(PERSONAL DATA PROCESSOR), in performing the processing operations in order to perform the SERVICE, must ensure that appropriate security measures are adopted to minimize the risk of:
·  unauthorized access;
·  forbidden processing or processing non-compliant to the purpose for which the data was collected.
The CLIENT/(DATA CONTROLLER) acknowledges that, for the SERVICE, the SUPPLIER/(DATA PROCESSOR) has adopted appropriate security measures in compliance with articles 31 to 35 of the Legislative Decree no. 196/2003.

For personal data processed using the SUPPLIER’S/(DATA PROCESSOR’S) computer systems, the same shall be nevertheless required to structure the data processing system in accordance with the minimum security requirements and, if requested by the CLIENT/(DATA CONTROLLER), once the service has been terminated, to erase from its database the data communicated by the CLIENT/(DATA CONTROLLER) for the performance of the SERVICE; in which case, the SUPPLIER/(DATA PROCESSOR) shall erase them as soon as they are no longer required for the performance of the service or any subsequent operation.

The CLIENT/(DATA CONTROLLER), considering the complexity of the technical operations involved in electronic data processing for the SERVICE and the SUPPLIER’S/(DATA PROCESSOR’S) need to employ specialized personnel or highly technological equipment which may, understandably, not be available at their premises, hereby authorizes the SUPPLIER/(DATA PROCESSOR), under its own responsibility, to assign the execution of computer data processing to sector companies that thanks to their experience, know-how and reliability can guarantee full compliance with the law, particularly where security is concerned.


4 – Processing purpose and method – The CLIENT/(DATA CONTROLLER) hereby states that the processing is assigned to the SUPPLIER/(DATA PROCESSOR) for the performance of the SERVICE as best described in the CONTRACT.

As far as it is within its competence the SUPPLIER/(DATA PROCESSOR) shall process the data required for the provision of the SERVICE in compliance with Art. 11 of the Legislative Decree no. 196 of 30 June 2003 concerning the “Processing methods and data prerequisites” and therefore the personal data to be processed shall be: a) processed in a legal and correct fashion as contractually agreed for the SERVICE; b) collected and registered for the SERVICE and therefore for specific, explicit and legitimate purposes, and used in other processing operations compatibly with said purposes; c) exact and if necessary updated based on the communications made by the CLIENT; d) pertinent, complete and not excessive relative to the purposes for which the data has been collected or subsequently processed; e) preserved in a form that will make the interested party identifiable for a period of time after the SERVICE has been provided.


5 – Processing or SERVICE termination – With the termination of the assignment or of the service that is the object of the CLIENT’S/ (DATA CONTROLLER’S) request, the data in the possession of the SUPPLIER / (DATA PROCESSOR) must be destroyed. Any copies of the same data, unless other agreements are reached, shall be destroyed by the SUPPLIER/(DATA PROCESSOR) within an appropriate time frame compatible with the additional requirements that may present themselves with the termination of the SERVICE and in any case within 24 months of the aforementioned termination and in the interim period between the end of the contractual relationship and said term they shall be stored by the SUPPLIER / (DATA PROCESSOR) purely for inspection purposes and so that its work can be verified. They shall not be communicated or divulged.


6 – Inspections – The CLIENT / (DATA CONTROLLER) reserves the right to supervise the correct observance of legal dispositions regarding the processing of the data and compliance with the instructions included in this document, even by means of inspections. The SUPPLIER / (DATA PROCESSOR) must enable the CLIENT / (DATA CONTROLLER) to carry out regular inspections, guaranteeing full collaboration, to verify the appropriateness of the security measures adopted and compliance with the law.