EXTERNAL DATA PROCESSING AGREEMENT in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.4.2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”).
Between
The Customer who has purchased a Service offered for sale by SupportHost OÜ on the website https://supporthost.com/it/, as the Data Controller, in the person of its legal representative
and
SupportHost OÜ, with the registered office at Ahtri tn 12, Tallinn, 10151, Estonia, as the Data Processor, in the person of its legal representative.
(the Data Controller and the Data Processor jointly, the “Parties”).
I. Purpose
The purpose of these clauses is to define the conditions under which the Data Processor undertakes to carry out on behalf of the Data Controller the Personal Data Processing operations defined below. In the context of their contractual and professional relations, the Parties undertake to comply with the Personal Data Protection Legislation applicable from time to time and, in particular, the GDPR.
II. Definitions
“Agreement”: the agreement entered into between the Data Controller and the Data Processor and of which this document is an addendum.
“Addendum”: this document, including any attachments thereto.
“Personal Data”: the personal data, as defined in Article 4.1 of the GDPR, which is the subject of this Addendum.
“GDPR”: the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
“Data Subject” has the meaning set forth in Article 4.1 of the GDPR.
“Personal Data Protection Legislation” means any law or regulation, including the laws and regulations of the European Union, Member States and the UK, applicable to the processing of Personal Data, including the GDPR.
“Data Processor” has the meaning set forth in Article 4.8 of the GDPR.
“Data Controller” has the meaning set forth in Article 4.7 of the GDPR.
“Processing” has the meaning set forth in Article 4.2 of the GDPR.
“Personal Data Breach” has the meaning set forth in Article 4.12 of the GDPR.
III. Description of the Processing entrusted to the Data Processor
The Data Processor is authorized to process on behalf of the Data Controller the Personal Data necessary to fulfill the Agreement (“Services”).
The Processing operations delegated to the Data Processor are as follows:
- Storage
- Consultation
- Use
- Collection
- Organization
- Communication by means of transmission, diffusion or any other form of making available
The purpose of the Processing entrusted to the Data Processor is solely to execute the Agreement by providing the Services.
The categories of Personal Data whose Processing is entrusted to the Data Processor are the following:
- First name
- Last name
- Address of residence
- Home address
- ZIP code
- Phone number
- Country
- Fiscal code or VAT number
- Contractual data
- Log
The categories of Data Subjects to whom the Personal Data whose processing is entrusted to the Data Processor refer are the customers or potential customers of the Data Controller.
IV. Term of Addendum
This Addendum is effective from the date of its signature and for the duration of the Agreement, so that once the Agreement is terminated for any reason, the effects of this Addendum will also immediately cease. The obligations relating to confidentiality and prohibitions of dissemination and/or communication shall be observed by the Data Processor even after the termination of the Agreement and this Addendum.
V. Obligations of the Data Processor towards the Data Controller
The Data Processor undertakes:
- to process Personal Data solely for the purposes set forth in this Addendum and, in particular, as indicated in point III above, solely and exclusively for the purposes of the proper execution of the Agreement and the proper provision of the Services, consequently;
- not to communicate, disseminate, disclose, in any way, Personal Data to third parties, with the exception of further processors, if designated by the Data Processor in accordance with Article 28 GDPR and Article VI below, and persons authorized to process Personal Data under the authority of the Data Processor (“Persons in Charge”), if they are instructed to do so by the Data Processor, in accordance with Article 29 GDPR, and are formally designated by the same, in accordance with this Article;
- to process Personal Data in accordance with any instructions that may be provided by the Data Controller (“Instructions”), including in the case of a transfer of Personal Data to a third country or an international organization, unless required to do so by Union law or national law to which the Data Processor is subject; in such case, the Data Processor shall inform the Data Controller of such legal obligation prior to Processing, unless Union law or the law of the Member State in question prohibits such information for important reasons of public interest. If the Data Processor considers that an instruction constitutes a breach of the GDPR and/or another provision of Union law or the law of one of the Member States relating to the protection of personal data, the Data Processor shall notify the Data Controller immediately.
VI. Additional Data processing
General authorization
The Data Controller authorizes the Data Processor, on a general basis, to use one or more data processors (“Additional Data Processors” or “Sub-Processors”) to perform specific processing activities, pursuant to Article 28.2 of the GDPR.
VII. Information to be provided to the data subject
It is the responsibility of the Data Controller to provide Data Subjects with the information referred to in Articles 13 and 14 of the GDPR, in the cases, in the manner and within the timeframe referred to in those articles and in Article 12 of the GDPR.
VIII. Retention of Personal Data during the term of the Addendum and its cancellation or return after its termination
During the term of the Addendum, the Data Processor undertakes to retain Personal Data only and exclusively for the time strictly necessary to achieve the purposes of the Processing and for the proper fulfillment of the obligations under the Addendum, as indicated by the Data Controller in the Instructions, without prejudice to the need to retain Personal Data by reason of obligations imposed on the Data Processor by the law of the Union or of the Member State to which it is subject.
In the event of termination, for any cause, of the Addendum, the Data Processor shall:
(a) cease Processing; and
(b) subject to any Personal Data retention obligations imposed on the Data Processor by the law of the Union or the Member State to which it is subject, at the option of the Data Controller, within 90 business days:
- destroy and/or delete all Personal Data, irreversibly and permanently and, in any event, based on the Instructions; or
- return all Personal Data; or
- send the Personal Data to a data processor designated by the Data Controller.
The return or sending must be accompanied by the deletion and/or destruction of all copies existing in the Data Processor’s information systems, unless Union or Member State law provides for the retention of such data. Once destroyed, the Data Processor must justify the destruction in writing.
IX. Data Protection Officer (“DPO”)
The Data Processor shall notify the Data Controller of the name and contact details of the DPO, if designated, pursuant to the provisions of Article 37 GDPR, or on a voluntary basis.
X. Processing Register
The Data Processor shall disclose whether it keeps a register of processing operations carried out on behalf of the Data Controller, pursuant to and with the content set forth in Article 30.2 of the GDPR, and the manner in which such register is kept, undertaking to make it available to the Data Controller upon request. In the event that the Data Processor does not keep the register referred to in Article 30.2, the Data Processor undertakes to provide the Data Controller with documentation of the assessment carried out to exclude the applicability of the obligation in question. The Parties note that the Data Processor may draw up the register of processing operations in accordance with the indications provided in this regard by the Italian Data Protection Authority.
XI. Documentation
The Data Processor shall make available to the Data Controller all information and documentation necessary to demonstrate compliance with the obligations set forth in the GDPR, including Article 28 thereof, and set forth in this Addendum, by allowing and contributing to audit activities, including inspections, carried out by the Data Controller or another person appointed by the same.
XII. Obligations of the Data Controller towards the Data Processor
The Data Controller undertakes to provide the Data Processor with Personal Data in the event that, by reason of the Agreement and/or the Services, such Personal Data is not collected and/or acquired directly by the Data Processor, on behalf of the Data Controller.
XIII. Transfer of Personal Data to a third country
In the event that the Data Processor intends to transfer the Personal Data to a non-EU country, the Data Processor undertakes to: (i) communicate such intention in advance to the Data Controller, by email, indicating the third country of destination, the recipient and the adequate safeguards that, pursuant to Chapter V of the GDPR, allow the transfer; (ii) carry out the transfer only and exclusively in the absence of opposition by the Data Controller, communicated in writing and within the term of 15 working days from the receipt of such communication or once such term has expired.
In the event that the transfer of data to third countries is necessary for the execution of the contract itself, the transfer will be made pursuant to Article 49, letter b) of the GDPR without the need for any prior authorization and without any liability in this regard by the Data Processor.
XIV. Communications
All communications provided for in this Addendum must be made to the contacts indicated in the epigraph.
XV. Applicable Law and Jurisdiction
This Addendum is subject to Estonian law. Any disputes concerning its application and/or interpretation shall be submitted to the exclusive and indisputable jurisdiction of the Court of Tallinn, Estonia.
XVI. Miscellaneous
The Parties acknowledge that this Addendum does not limit or reduce the commitments that the Data Processor has made to the Data Controller in the Agreement; it is understood that in the event of any conflict between the provisions of the Agreement and those of the Addendum concerning the processing of personal data and/or the protection of personal data, the provisions of the Addendum will prevail.