APPOINTMENT OF DATA PROCESSOR

The User (hereinafter the "Controller" or the "Customer"), by express acceptance of the Terms and Conditions of "Review Merlin" (hereinafter the "Provider" or the "Processor"), accepts this addendum on the processing of personal data, which constitutes an integral part of the relationship between the Parties. This Addendum is entered into pursuant to Article 28 of Regulation (EU) 2016/679 and governs the manner in which the Processor will process personal data on behalf of the Controller. The Controller and the Processor may also be referred to individually as a "Party" and jointly as the "Parties".

WHEREAS:
- the processing operations of personal data carried out by the Controller are listed in the register of processing activities kept by the Controller;
- for some processing operations the Controller makes use of the cooperation of the Provider;
- the Provider, as part of the services offered to the Controller, as detailed in the specific contract in place, may process personal data on behalf of the Controller;
- the Controller and the Provider have entered into an agreement for the provision of an integrated web and tablet service for creating, managing and sending review requests (the "Service"), of which this document is an integral part;
- with reference to the Service made available by the Provider, the Provider may process personal data for which the Controller is responsible and, more specifically, ordinary (non-special-category) personal data (first name, last name, contact details) of the Controller's end customers;
- the purpose of the processing is to provide a technological solution that allows the Controller to make use of the Service;
- in accordance with Article 28(1) of Regulation (EU) 2016/679, the General Data Protection Regulation (hereinafter the "GDPR"), "where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject";
- the Controller has verified that the Provider presents such sufficient guarantees within the meaning of Article 28(1) of the GDPR.

The Controller appoints the Provider as Data Processor (hereinafter also simply the "Processor") with respect to the personal data that the Provider may process in the performance of its activities and those that may be entrusted to it in the future.

In accordance with the GDPR, the activity performed by the Processor shall be governed as follows:
DURATION. This appointment shall be effective for the duration of the Processor's relationship with the Controller and shall be deemed automatically revoked upon termination of that relationship.

PURPOSE OF THE PROCESSING. The data entrusted to the Processor as part of the activities entrusted to it for the use of the Service may be processed only for the purposes indicated in the mandate and/or in the contract entered into with the Controller. In particular, the Provider shall process the data only for the purpose of guaranteeing the provision of the Service to the Controller, who in any case remains the only entity obliged to inform the end customer of the purposes of the processing and to obtain consent to the processing and to the communication of the data to third parties.

METHODS OF PROCESSING. The data may be processed on paper or digital media, depending on the activities carried out, provided that the tools used are properly identified and inventoried by the Processor and systematically communicated to the Controller for approval. In particular, the data will be processed by means of the "Review Merlin" software platform.
DUTIES AND TASKS OF THE PROCESSOR. The Processor, as stipulated in Article 28 of the GDPR, undertakes to:

(a) process the entrusted personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by law; in that case, the Processor remains obliged to inform the Controller;

(b) ensure that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. To this end, the Processor shall periodically verify that the persons in charge: (i) carry out the processing in a lawful and correct manner, exclusively for the purpose of providing the services covered by the contractual relationship between the Parties; (ii) process personal data solely for purposes inherent to the tasks assigned to them; (iii) do not communicate or disseminate personal data without the prior authorisation of the Controller; (iv) verify, in the event of even a temporary interruption of work, that the personal data being processed are not accessible to unauthorised third parties; (v) guard and keep their authentication credentials strictly confidential; (vi) comply with the security measures required by the Controller and/or the Processor;

(c) ensure adequate and documented training for the persons authorised to process the data, pursuant to Article 29 of the GDPR;

(d) implement, pursuant to Article 32 of the GDPR, all appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art and the costs of implementation, the nature, scope, context and purposes of the processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to minimise the risks of destruction or loss, including accidental loss, of the data, of unauthorised access, or of processing that is not permitted or not in accordance with the purposes of collection;

(e) inform the Controller, in accordance with Article 28 of the GDPR, if it is necessary to engage another processor;

(f) assist the Controller in complying with the legal obligations under Articles 32 (Security of Processing), 33 (Notification of a Personal Data Breach to the Supervisory Authority), 34 (Communication of a Personal Data Breach to the Data Subject), 35 (Data Protection Impact Assessment) and 36 (Prior Consultation) of the GDPR, taking into account the nature of the processing and the information available to the Processor;

(g) update, modify or rectify personal data where this is necessary in relation to the purposes of the processing, and promptly delete or return to the Controller, at the Controller's request, all personal data and existing copies in the Processor's possession, without retaining any copy, unless expressly agreed otherwise or required by law. In any case, delete and/or destroy personal data as required by law (for example by "wiping" digital data) once the purposes for which the data were collected and processed have been achieved, absent a legal obligation or need for further retention;

(h) allow the Controller to exercise the power of control under Article 28 of the GDPR: in this context, make available to the Controller all information necessary to demonstrate compliance with the obligations of this Addendum and with legal obligations, and allow verification activities (audits), carried out by the Controller or by third parties commissioned by the Controller, in order to ascertain the observance of these data processing methods and compliance with legal requirements. The Controller shall have the right to verify, with at least 20 (twenty) working days' notice, including at the Processor's premises, that the procedures adopted by the Processor comply with this Addendum and with the law;

(i) comply with the General Provision of the Italian Data Protection Authority (Garante) of 27 November 2008, "Measures and arrangements prescribed for data controllers of processing carried out with electronic instruments in relation to the attribution of the functions of system administrator", as amended by the Order of the same Authority of 25 June 2009, "Amendments to the order of 27 November 2008 on prescriptions to data controllers of processing carried out with electronic tools with regard to the attribution of system administrator functions and extension of the time limits for their fulfilment", as may be further amended or replaced by the Authority, and with any other relevant measure of the Authority;

(j) cooperate for the purposes of the exact application of the law, including through periodic meetings, and act within the scope and limits of its duties, autonomously, but always in accordance with the directives established by the Controller.
SUPERVISION. The Controller may supervise the punctual compliance of the Processor with the instructions given herein and will verify that the requirements of experience, capacity and reliability that led to the designation of the Processor continue to be met.

VIOLATION. The Processor is hereby made aware that if it violates the provisions of the law by independently determining the purposes and means of the processing, or by disregarding the instructions received from the Controller, it will be considered the controller of the processing in question.

ASSISTANCE TO THE CONTROLLER IN CASE OF A BREACH. In the event of a personal data breach, the Provider agrees to inform the Controller without undue delay after becoming aware of the breach. The Provider shall assist the Controller by initiating a preliminary analysis aimed at collecting data concerning the anomaly and compiling an event sheet containing all the information collected and available at that time, such as, but not limited to:
- date of the event, including the presumed date of the breach where the exact date is not known (in which case this must be specified);
- date and time at which knowledge of the breach was obtained;
- reporting source;
- type of breach and information involved;
- description of the abnormal event;
- number of data subjects involved;
- volume of personal data alleged to have been breached;
- indication of the date, including the alleged date, of the breach and of when it became known;
- indication of the place where the breach occurred, specifying whether it occurred as a result of loss of devices or portable media;
- concise description of the data processing or storage systems involved, with an indication of their location.
CONFIDENTIALITY. The Processor agrees to keep strictly confidential, and to use only for the performance of the obligations under the contract, any information relating to the other Party and/or to the data subjects and/or to the products, services, organisation, business or technical strategy received from the other Party or which comes to its knowledge during the execution of the contract relating to the Service (hereinafter the "Confidential Information"). The Processor undertakes not to use the Confidential Information outside the purposes envisaged by this agreement, nor to disclose it to parties not envisaged by this agreement, without the written approval of the Controller. The Processor shall take all necessary measures not to disclose or make available in any way the Confidential Information of the Controller and/or of the data subjects to third parties, and shall in any case be held directly liable to the Controller for any violation by its employees and/or subcontractors of the confidentiality obligations set forth in this article. The provisions of this article shall not apply, or shall cease to apply, to those individual pieces of information that the Processor can prove: (i) have already become public knowledge for reasons other than a breach by the Processor itself; (ii) were already known to the Processor prior to being received from the Controller; (iii) were disclosed in compliance with a lawful order of any authority or by virtue of a legal obligation. Disclosed Confidential Information shall remain the property of the Controller. Upon written request by the Controller, such information shall be returned or destroyed by the Processor.

AMENDMENTS AND ADDITIONS. The Parties shall have the right to make such amendments and adjustments to this Agreement as may be necessary at any time, including to comply with any regulatory updates. Notice of any request for amendment will be given to the Processor by registered letter with return receipt or by certified e-mail. Following such a request, the Processor will have 60 days to withdraw from the agreement. After this period, the changes will be deemed accepted by the Processor. For anything not expressly provided for in this agreement, reference is made to the general provisions in force regarding the protection of personal data.

APPLICABLE LAW. In the event of any dispute concerning the validity, interpretation, performance or termination of this Addendum, the Parties agree to seek a fair and amicable settlement between themselves. Should the dispute not be settled amicably, it shall fall under the exclusive jurisdiction of the Court of Rome. Italian law shall apply to the resolution of any dispute concerning the validity, interpretation, performance or termination of this agreement.

It is understood that this appointment does not entitle the Provider to any specific compensation, indemnity or reimbursement arising from this appointment, beyond what is already provided for in the terms and conditions.