Data processing agreement

EXTERNAL DATA PROCESSING AGREEMENT in accordance with article 28 of regulation 2016/679 (EU) of the European Parliament and of the council of 27.4.2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing directive 95/46/ec (general regulation on data protection - "GDPR").

Between

The Customer who has purchased a Service offered for sale by SupportHost OÜ on the website https://supporthost.com/it/, as the Data Controller, in the person of its legal representative

and

SupportHost OÜ, with the registered office at Ahtri tn 12, Tallinn, 10151, Estonia, as the Data Processor, in the person of its legal representative.

(the Data Controller and the Data Processor jointly, the "Parties").

I. Purpose

The purpose of these clauses is to define the conditions under which the Data Processor undertakes to carry out on behalf of the Data Controller the Personal Data Processing operations defined below. In the context of their contractual and professional relations, the Parties undertake to comply with the Personal Data Protection Legislation applicable from time to time and, in particular, the GDPR.

II. Definitions

"Agreement": the agreement entered into between the Data Controller and the Data Processor and of which this document is an addendum.

"Addendum": this document, including any attachments thereto.

"Personal Data": the personal data, as defined in Article 4.1 of the GDPR, which is the subject of this Addendum.

"GDPR": the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

"Data Subject" has the meaning set forth in Article 4.1 of the GDPR.

"Personal Data Protection Legislation": means any law or regulation, including the laws and regulations of the European Union, Member States and the UK, applicable to the processing of Personal Data, including the GDPR.

"Data Processor": has the meaning set forth in Article 4.8 of the GDPR.

"Data Controller" has the meaning set forth in Section 4.7 of the GDPR.

"Processing" has the meaning set forth in Section 4.2 of the GDPR.

"Personal Data Breach" has the meaning set forth in Section 4.12 of the GDPR.

III. Description of the Processing entrusted to the Data Processor

The Data Processor is authorized to process on behalf of the Data Controller the Personal Data necessary to fulfill the Agreement ("Services").

The Processing operations delegated to the Data Processor are as follows:

Storage
Consultation
Use
Collection
Organization
Communication by means of transmission, diffusion or any other form of making available

The purpose of the Processing entrusted to the Data Processor is solely to execute the Agreement by providing the Services.

The categories of Personal Data whose Processing is entrusted to the Data Processor are the following:

Firstname
Lastname
Address of residence
Home address
ZIP CODE
E-mail
Phone number
Country
Fiscal code or VAT number
Contractual data
Log

The categories of Data Subjects to whom the Personal Data whose processing is entrusted to the Data Processor refer are the customers or potential customers of the Data Controller.

IV. Term of Addendum

This Addendum is effective from the date of its signature and for the duration of the Agreement, so that once the Agreement is terminated for any reason, the effects of this Addendum will also immediately cease. The obligations relating to confidentiality and prohibitions of dissemination and/or communication shall be observed by the Data Processor even after the termination of the Agreement and this Addendum.

V. Obligations of the Data Processor towards the Data Controller.

The Data Processor undertakes:

to process Personal Data solely for the purposes set forth in this Addendum and, in particular, as indicated in point III above, solely and exclusively for the purposes of the proper execution of the Agreement and the proper provision of the Services, consequently;
not to communicate, disseminate, disclose, in any way, Personal Data to third parties, with the exception of further processors, if designated by the Data Processor in accordance with Article 28 GDPR and Article VI below, and persons authorized to process Personal Data under the authority of the Data Processor ("Persons in Charge"), if they are instructed to do so by the Data Processor, in accordance with Article 29 GDPR, and are formally designated by the same, in accordance with this Article;
to process Personal Data in accordance with any instructions that may be provided by the Data Controller ("Instructions"), including in the case of a transfer of Personal Data to a third country or an international organization, unless required to do so by Union law or national law to which the Data Processor is subject; in such case, the Data Processor shall inform the Data Controller of such legal obligation prior to Processing, unless Union law or the law of the Member State in question prohibits such information for important reasons of public interest. If the Data Processor considers that an instruction constitutes a breach of the GDPR and/or another provision of Union law or the law of one of the Member States relating to the protection of personal data, the Data Processor shall notify the Data Controller immediately.

VI. Additional Data processing

General authorization

The Data Controller authorizes the Data Processor, on a general basis, to use one or more data processors ("Additional Data Processors" or "Sub-Processors") to perform specific processing activities, pursuant to Article 28.2 of the GDPR.

VII. Information to be provided to the data subject

It is the responsibility of the Data Controller to provide Data Subjects with the information referred to in Articles 13 and 14 of the GDPR, in the cases, in the manner and within the timeframe referred to in those articles and in Article 12 of the GDPR.

VIII. Retention of Personal Data during the term of the Addendum and its cancellation or return after its termination

During the term of the Addendum, the Data Processor undertakes to retain Personal Data only and exclusively for the time strictly necessary to achieve the purposes of the Processing and for the proper fulfillment of the obligations under the Addendum, as indicated by the Data Controller in the Instructions, without prejudice to the need to retain Personal Data by reason of obligations imposed on the Data Processor by the law of the Union or of the Member State to which it is subject.

In the event of termination, for any cause, of the Addendum, the Data Processor shall:
(a) cease Processing; and

(b) subject to any Personal Data retention obligations imposed on the Data Processor by the law of the Union or the Member State to which it is subject, at the option of the Data Controller, within 90 business days:

destroy and/or delete all Personal Data, irreversibly and permanently and, in any event, based on the Instructions; or
return all Personal Data; or
send the Personal Data to a data processor designated by the Data Controller.

The return or sending must be accompanied by the deletion and/or destruction of all copies existing in the Data Processor's information systems, unless Union or Member State law provides for the retention of such data. Once destroyed, the Data Processor must justify the destruction in writing.

IX. Data Protection Officer (or Data Protection Officer - "DPO")

The Data Processor shall notify the Data Controller of the name and contact details of the DPO, if designated, pursuant to the provisions of Article 37 GDPR, or on a voluntary basis.

X. Processing Register

The Data Processor shall disclose whether it keeps a register of processing operations carried out on behalf of the Data Controller, pursuant to and with the content set forth in Article 30.2 of the GDPR, and the manner in which such register is kept, undertaking to make it available to the Data Controller upon request. In the event that the Data Processor does not keep the register referred to in Article 30.2, the Data Processor undertakes to provide the Data Controller with documentation of the assessment carried out to exclude the applicability of the obligation in question. The Parties note that the Data Processor may draw up the register of processing operations in accordance with the indications provided in this regard by the Italian Data Protection Authority.

XI. Documentation

The Data Processor shall make available to the Data Controller all information and documentation necessary to demonstrate compliance with the obligations set forth in the GDPR, including Article 28 thereof, and set forth in this Addendum, by allowing and contributing to audit activities, including inspections, carried out by the Data Controller or another person appointed by the same.

XII. Obligations of the Data Controller towards the Data Processor

The Data Controller undertakes to provide the Data Processor with Personal Data in the event that, by reason of the Agreement and/or the Services, such Personal Data is not collected and/or acquired directly by the Data Processor, on behalf of the Data Controller.

XIII. Transfer of Personal Data to a third country

In the event that the Data Processor intends to transfer the Personal Data to a non-EU country, the Data Processor undertakes to: (i) communicate such intention in advance to the Data Controller, by email, indicating the third country of destination, the recipient and the adequate safeguards that, pursuant to Chapter V of the GDPR, allow the transfer; (ii) carry out the transfer only and exclusively in the absence of opposition by the Data Controller, communicated in writing and within the term of 15 working days from the receipt of such communication or once such term has expired.

In the event that the transfer of data to third countries is necessary for the execution of the contract itself, the transfer will be made pursuant to art. 49, lett. b) GDPR without the need for any prior authorization and without any liability in this regard by the Data Processor.

XIV. Communications

All communications provided for in this Addendum must be made to the contacts indicated in the epigraph.

XV. Applicable Law and Jurisdiction

This Addendum is subject to Estonian law. Any disputes concerning its application and/or interpretation shall be submitted to the exclusive and indisputable jurisdiction of the Court of Tallinn, Estonia.

XVI. Miscellaneous

The Parties acknowledge that this Addendum does not limit or reduce the commitments that the Data Processor has made to the Data Controller in the Agreement, it is understood that in the event of any conflict between the provisions of the Agreement and those of the Addendum concerning the processing of personal data and/or the protection of personal data, the provisions of the Addendum will prevail.

Cookie	Duration	Description
_dc_gtm_UA-*	1 minute	Google Tag Manager cookie for controlling the loading of a Google Analytics script tag.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
promocode	Until the coupon code expires, maximum 1 year	This cookie is set when you visit a page via a link that includes a discount code. The name of the discount code is remembered to remind the user that they can get a discount on the service.
RefID	90 days	This cookie stores the ID of the referral that sent the friend so that if the customer places an order within the next 90 days following the referral, the referral receives a gift for it.
user_currency_pref	11 months	This cookie is set to remember the user's currency.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
WHMCSAffiliateID	90 days	This cookie stores the ID of the affiliate that made the referral so that if the customer places an order within the next 90 days following the referral, the affiliate receives a commission for it.
WHMCSInstanceID	session	This cookie stores the unique session ID for each visitor and enables variables to pass between page loads. The cookie only contains a reference to a session on the web server. The user's browser won't store any personal information.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.

Cookie	Duration	Description
cf_chl_*	1 hour	This cookie is used to check whether the Cloudflare Edge server supports cookies.
cf_chl_prog	1 hour	These cookies are used by Cloudflare for the execution of Javascript or Captcha challenges. They are not used for tracking or beyond the scope of the challenge.
cf_chl_rc_ni	1 hour	These cookies are for internal use which allows Cloudflare to identify production issues on clients.
cf_chl_seq_*	session	These cookies are used by Cloudflare for the execution of Javascript or Captcha challenges. They are not used for tracking or beyond the scope of the challenge.
pvc_visits*	1 day	These Cookies are used by Posts View Counter plugin to count visits to specific posts, pages and tutorials.
WHMCSLinkID	364 days	This cookie remembers the link the visitor followed to get to our website, and the system uses it when receiving an order, to be able to associate the conversion with a link to be able to provide stats.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__stripe_mid	1 year	This cookie is used to prevent credit card frauds.
__stripe_sid	1 year	This cookie is used to prevent credit card frauds.
WHMCSUser	364 days	This cookie is used for the remember me functionality of the client area. The system only sets it if a client chose to have the system remember their details, ensuring that they don't need to log in multiple times. It is persistent and lasts for 365 days, or until logout.

Data processing agreement

Search the blog

Popular articles

Best sellers

Free Trial