CONTRACT FOR THE PROCESSING OF DATA PURSUANT TO ART. 28 OF REGULATION (EU) 2016/679
The owner of the personal data processing can propose a natural person, a juridical person, a public administration and any other body, association or organism as responsible for the treatment of the data, appointed from among subjects who, by experience, ability and reliability, provide suitable guarantees of full compliance with current provisions regarding the processing of personal data, including the security profile; the controller must also present sufficient guarantees to implement adequate technical and organizational measures so that the treatment meets the requirements of the legislation, as required by the pro tempore provisions in force on the subject, and guarantees the protection of the data subject’s rights;
The manager must proceed with the treatment according to the instructions given by the owner in writing with this contract and with any subsequent agreements;
It is the intention of the owner to allow access to both the manager and the persons authorized to process, only for personal data whose knowledge is necessary to fulfill the tasks assigned to them;
ALL THIS GIVEN,
1- Città Aurea, as the Data Controller responsible for the decisions regarding the purposes and methods of the processing of personal data (hereinafter the “Controller”), in the person of its legal representative, designates Gianluigi Melzi as Head of personal data processing (hereinafter the “Responsible”) carried out in relation to the collaboration of the agreement; these treatments are carried out for the following purposes: 1- Perform the defined training / teaching service agreement; 2- Perform the administrative functions of payment / didactic coordination.
2- In any case, the Data Controller entrusts the Manager with all – and exclusively – the processing operations of the personal data necessary to give full execution to the Service. In the event of damage deriving from the processing, the Manager will respond if he has not fulfilled the obligations of the pro tempore legislation in force regarding the processing of personal data specifically directed to the data processors or has acted in a manner different or contrary to the owner’s legitimate instructions. The Data Controller undertakes to officially notify the Manager of any changes that may become necessary in the data processing operations. The Data Processor or the persons authorized to process them will not be able to carry out any data processing operation other than the necessary ones mentioned above;
3- The Manager, as far as his competence is concerned, is required by law and by this contract, for himself and for the persons authorized to process who collaborate with his organization, to implement the security measures provided for by the pro tempore legislation in force regarding the processing of personal data, providing assistance to the Data Controller in ensuring compliance with the same. The Manager, taking into account the state of the art and the implementation costs, as well as the nature, object, context and purposes of the treatment, as well as the risk of varying probability and seriousness for the rights and freedoms of natural persons, must ensure that the security measures prepared and adopted are suitable to guarantee a level of security appropriate to the risk, in particular against:
destruction, loss, modification, unauthorized disclosure or access, accidentally or illegally, to personal data transmitted, preserved or otherwise processed
data processing not allowed or not in accordance with the purposes of processing operations;
4- The Manager will apply the security measures referred to in the previous point, in order to guarantee:
if applicable, the pseudonymisation and encryption of personal data
the ability to permanently ensure the confidentiality, integrity, availability and resilience of systems and treatment services
the ability to promptly restore the availability and access of personal data in the event of a physical or technical accident.
The Manager, at the request of the Data Controller, assists the latter in the procedures before the competent Control Authority and the Judicial Authority in relation to the activities falling within its competence. The Manager, within the terms and in the manner provided by the pro-tempore legislation in force, undertakes to inform the Owner after becoming aware of violations of personal data and to provide the widest collaboration to the Owner himself and to the competent and involved Control Authorities in order to satisfy any applicable obligation imposed by the applicable pro tempore legislation (e.g. notification of the violation of personal data to the competent Control Authority; any communication of a violation of personal data to the interested parties). The Manager also assists the Owner in ensuring compliance with the obligations relating to any impact assessment on data protection as well as any prior consultation with the Control Authority.
The Manager, within the scope of his company structure, will identify the natural persons authorized to process. At the same time as the designation, the Manager takes care of providing adequate written instructions to the authorized persons regarding the methods of treatment, in compliance with the provisions of the law and this contract. By way of example and not exhaustively, the Manager, in designating in writing the persons authorized to process, must prescribe that they have access only to personal data whose knowledge is strictly necessary to fulfill the tasks assigned to them. He must also verify that the latter apply all the security provisions relating to the safekeeping of keywords (electronic processing) and, finally, verify that they keep the non-IT media containing documents with particular categories of data (sensitive or judicial data), or their reproduction, in a safe place, by adopting lockable containers (paper processing of sensitive data). It will be the responsibility of the Manager to bind the persons authorized to the treatment to confidentiality or to an adequate legal obligation of confidentiality, also for the period following the termination of the collaboration relationship with the Owner, in relation to the processing operations they perform. Furthermore, as regards the treatments carried out to provide the Service by persons authorized to process with the duties of “System Administrator”, the Manager is also required to comply with the applicable pro tempore provisions relating to the regulation on system administrators contained in the provision of the Guarantor for the protection of personal data of 27 November 2008, modified on the basis of the provision of 25 June 2009. The Manager, in particular, undertakes to keep directly and specifically the identification details of the natural persons in charge as system administrators, and to promptly provide them to the Owner at the request of the same.
In the event that the Manager receives requests from data subjects for the exercise of the rights recognized by the applicable legislation on the protection of personal data, he must:
give timely written notice to the Data Controller attaching a copy of the request;
taking into account the nature of the processing, assist the Data Controller with appropriate technical and organizational measures in order to satisfy the Data Controller’s obligation to follow up on requests for the exercise of the rights of the interested parties.
In particular, where applicable and in consideration of the processing activities entrusted to him, the Manager must:
allow the Data Controller to provide data subjects with their personal data in a structured format, commonly used and readable by an automatic device, as well as to transmit the data to another data controller;
allow the Data Controller to fully or partially guarantee the rights to object and limit the processing.
The Manager will have to perform the processing functional to the duties attributed to it in relation to the Service or deriving from written instructions from the Owner, also with reference to the possible transfer of personal data to a third country or an international organization. If there is a need for processing on personal data that is different and exceptional from those normally performed, the Manager must inform the Owner in advance.
With this contract, the Data Controller gives general written authorization to the Manager to be able to resort to any further data processors (“sub-manager / s”), in the provision of the Service. In the event that the Manager makes effective use of sub-managers, the same Manager undertakes to select supervisors from subjects who, by experience, ability and reliability, provide sufficient guarantees to implement adequate technical and organizational measures in such a way that the treatment satisfies the requirements of the applicable pro tempore legislation and guarantees the protection of the rights of the interested parties. The Manager also undertakes to enter into specific contracts, or other legal acts, with the sub-managers by means of which the Manager analytically describes their duties and requires these subjects to comply with the same obligations, with reference to the personal data protection regulation, imposed by the Data Controller on the Manager in accordance with the pro tempore legislation in force and the applicable special provisions of the competent Control Authority, in particular by providing sufficient guarantees to implement adequate technical and organizational measures so that the treatment meets the requirements of this Regulation. If the sub-manager fails to comply with his data protection obligations, the Manager acknowledges that he retains full responsibility for the fulfillment of the obligations of the sub-managers involved towards the Data Controller, and undertakes to indemnify and hold harmless the Data Controller from any damage, claim, compensation, and / or sanction that may derive from the Data Controller’s failure to comply with these obligations and more generally from the violation of the applicable legislation on the protection of personal data by the Manager and his sub-suppliers.
The Manager also undertakes to inform the Owner of any changes envisaged regarding the replacement of other supervisors, thus giving the Owner the opportunity to oppose these changes. The Data Controller also expressly authorizes the Data Processor, who undertakes to do this, to stipulate on his behalf with any subcontractors, when established in a country outside the European Union for which the European Commission has not issued an adequacy judgment of the level of protection of personal data, an agreement for the transfer of data abroad containing the specific contractual clauses (and subsequent amendments) adopted by the European Commission itself with Decision 2010/87/EU of 5 February 2010.
The Owner also declares that the data he has sent to the Manager:
1. are relevant and not excessive in relation to the purposes for which they were collected and subsequently processed;
2. in any case, the personal data and / or particular categories of personal data, subject of the processing operations entrusted to the Responsible, are collected and sent respecting each prescription of the applicable legislation.
It is understood that the responsibility of identifying the legal basis of the processing of personal data of the interested parties remains with the Data Controller.
The Data Controller remains responsible for the treatment of the information implemented through application procedures developed according to its specifications and / or through its own IT or telecommunications tools.
The Manager makes available to the Owner all the information necessary to demonstrate compliance with the obligations set out in this contract and the applicable legislation, allowing and contributing to the review activities, including inspections, carried out by the Owner or by another person charged with these by the Owner. For this purpose, the Manager recognizes the right of the Data Controller and its agents to obtain information about the processing operations or the place where data or documentation relating to this contract are kept. In any case, the Manager undertakes for himself and for the third parties appointed by him to ensure that the information provided to the Owner for verification purposes is used only for these purposes. The Manager will also be required to promptly communicate to the Data Controller requests from interested parties, disputes, inspections or requests from the Control Authority and from the Judicial Authorities, and any other relevant information in relation to the processing of personal data.
At the end of the processing operations entrusted, as well as upon the cessation, for any reason, of the processing by the Manager or termination of the Service, the Manager, at the discretion of the Owner and at the request of the latter, will be required to:
return to the Data Controller the personal data being processed or
provide for their complete destruction except in cases where the retention of data is required by law or other purposes (accounting, tax, etc.).
In both cases, the Manager will issue a written declaration to the Owner, upon his request, containing the certificate that the Manager does not have a copy of the owner’s personal data and ownership information. The Data Controller reserves the right to carry out checks and verifications aimed at ascertaining the veracity of the declaration. This appointment will be effective as long as the Service is provided, without prejudice to the specific obligations which by their nature are destined to remain. If the relationship between the parties ceases or becomes effective for any reason or the Service is no longer provided, this contract will also automatically disappear without the need for communications or revocations, and the Manager will no longer be entitled to process the data of the Owner.
It is understood that this contract does not entail any right of the Manager to a specific compensation and / or indemnity and / or reimbursement deriving from the same.
With this contract it is expressly intended to revoke and replace any other contract or agreement between the parties concerning the processing of personal data.
2021 All rights reserved - Telaio delle Arti.