Data Processing Agreement
This Data Processing Agreement (hereinafter “Agreement”) supplements the terms and conditions of SEO Tester Online (hereafter the “Contract”) and the customer agreeing to the following provisions.
- whereas the customer acknowledges that it is the controller (hereinafter “Controller”) of data (hereafter “Data”) processing (hereinafter “Processing”);
- whereas, according to the GDPR, Quarzio S.r.l. is qualified as processor (hereinafter “Processor”), according to the provision of art. 28 GDPR, on behalf of the Controller;
- whereas the execution of the Contract requires the processing of data regarding both individuals (hereinafter “Subjects”) and business-related Data;
- whereas Data processed shall be considered confidential information of the Controller and are subject to confidentiality between Controller and Processor;
- whereas the Controller determines the type of Data, the duration of Data processing, the related nature and purposes and the categories of Data;
- whereas Processor guarantees that it can implement adequate technical and organisational measures so that the processing complies both with regard to confidentiality and GDPR;
- whereas Processor commits to process Data related to the Contract in a lawful and accurate way in respect of confidentiality and GDPR and in respect of Controller procedures and further instructions;
- Controller and Processor will be jointly referred to as Parties.
Controller and Processor agree as follows:
- Purposes and processed Data
- Recitals are part of the present Agreement.
- Processing shall be performed by Processor only for fulfilling duties arising from the Contract and the present Agreement.
- Processing shall be strictly necessary for executing the Contract itself and shall be performed according to confidentiality and to the GDPR, as well as to the duties stated in the present Agreement.
- Where it is necessary for the execution of the Contract, the processing is extended to special categories of Data, such as Data stated in the provisions of art. 9 and 10 GDPR.
- Data processed are the following:
- Name and surname
- Email address
- Phone number
- Security of Processing
- Processor shall adopt the security measures set forth in art. 32 of GDPR and set any appropriate technical and organizational measures to guarantee an adequate level of security regarding risks related to the accidental or illegal destruction, loss, amendment, or non-authorised disclosure of or access to processed Data.
- Controller acknowledges that Processor guarantees the following security measures:
| Physical access control | Processor implemented measures to avoid non-authorised access to workstations and to work devices where data are processed, both during working hours and non-working hours. During non-working hours, the office space and the office building are locked. |
| Virtual access control | Processor adopts measures to avoid non-authorised access to virtual environments where Data are processed, through anti-virus, firewall and proxy server. Processor guarantees that the virtual environment can be accessed only by an Authorised Person or a Sub-processor. |
| Data integrity controls | Processor adopts measures to avoid Data being accessed by non-authorised persons and Data being copied, altered or lost. Employees are legally bound to confidentiality. |
| Availability Data controls | Processor adopts measures to avoid unintentional loss or destruction of Data. Processor adopts backups and disaster recovery policies. |
| Technical and organisational measures | Processor regularly updates documents of its organisation and regulates each work relation, both internal and external, with the proper documentation. Processor carries out regular checks of its technical infrastructure to control its compliance with the GDPR. |
- Data communication and sub-processing
- Processor may communicate Data to third parties as it is necessary for the execution of the Contract and the Agreement and, for the same reason, may transfer Data to countries outside the EU.
- Given the above, Processor is authorised to commission processors (hereafter “Sub-processors”) if it is necessary for the execution of the Contract.
- Controller may request at any time the list of Sub-processors commissioned by the Processor for the execution of the Contract.
- Processor shall guarantee that commissioned Sub-processors respect confidentiality and the provisions of paragraphs 3, 4 and 5 of art. 28 GDPR.
- In case a Sub-processor fails to fulfil its duties regarding Data processing, Processor shall remain fully liable to the Controller for the activities of the Sub-processor.
- Controller acknowledges that Processor commissioned the following Sub-processors:
| Amazon Web Services | Ireland | Cloud services |
- Person acting under the authority of Processor
- Processor, prior to Processing, shall identify and list any employee that works under its authority and who will process Data (hereinafter “Authorised Person”).
- Regarding each Authorised Person, Processor shall settle related access to Data and provide instructions (written or otherwise) with respect to the Contract and the present Agreement.
- Authorised Person shall receive detailed instructions, with special regard to:
- Data confidentiality: Authorised Person shall be bound to keep the confidentiality of the Data it has access to and processes;
- principles set in art. 5 of GDPR about lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation and integrity.
- DPIA, prior consultation, right of Subjects and Data breach
- Processor shall assist Controller regarding duties of Data Processing Impact Assessment (hereinafter “DPIA”) and prior consultation (hereinafter “Consultation”) according to the provisions of art. 35 and 36 of GDPR.
- Processor shall not use technologies, tools, modalities or undertake other Data processing that requires DPIA and/or Consultation without informing the Controller in advance and without receiving previous written authorisation from the latter.
- Processor shall assist Controller with adequate technical and organisational measures, through the disclosure of proper information, which are necessary for the latter to fulfil Subject requests to exercise their rights within the timeframe provided by GDPR.
- In case of a Data breach, Processor shall promptly inform the Controller with the necessary information in order to allow the latter to take the mandatory steps to limit possible damages arising from the breach. In particular, Processor shall provide the following information:
- regarding the leak of Data that breaches confidentiality;
- requested by art. 33 and 34 of GDPR, which is necessary for notification to the Controller's supervisory authority and to the Subjects.
- Monitoring right of the Controller
- Processor shall control that Data are processed according to the provisions set forth in the Contract and in the present Agreement and according to the law applicable to confidentiality and the GDPR.
- Processor shall promptly inform Controller about any situation that may expose the latter to a breach of law, or result in unlawful processing, or may breach the confidentiality and integrity of Data, or may become a risk regarding Processing.
- Controller may, directly or through an appointed person and/or entity, request to conduct auditing activity on the Processor, only regarding Processing. Auditing activity shall be scheduled between the Parties and shall be conducted according to rules agreed by both Parties.
- Processor shall collaborate and will provide the necessary information to demonstrate the respect of the Contract, the present Agreement, the law applicable to confidentiality and the GDPR.
- Exclusion of liability
- Processor shall not be deemed liable for events not depending on its activity and/or will, including, without limitation, non-availability or dysfunction of technical instruments, cables, electronics, hardware, transmissions, phone line, server malfunctioning, omissions or mistakes related to information and images provided during the development.
- Processor shall not be deemed liable for delays caused by events not depending on its activity and/or will.
- Termination of Processing and deletion of Data
- The present Agreement shall be terminated if the Contract is no longer in force between Parties. Termination will have immediate effect on the present Agreement.
- In case of termination, Quarzio S.r.l. shall not be considered processor any longer. The same principle shall be applied to Sub-processors appointed to fulfil obligations under the Contract and under the Agreement.
- Upon termination of the Agreement, the Processor will return all Data to Controller and will delete all copies. The same applies in case of an explicit request of the Controller.
- Data shall not be deleted in case there is a legal duty set forth in a national or international provision that forces Processor to keep Data in storage.
- The present Agreement shall be considered as the entire expression of the will of the Parties regarding the object of the Agreement.
- Each Party shall be intended as independent from the other and, therefore, it has no right to bind the other Party unless agreed in the present Agreement.
- Agreement cannot be interpreted as constitutive for any other relationship between Parties that is not stated and agreed in the Agreement itself.
- Parties acknowledge that if one or more articles breach the law, such articles shall not be effective within the limits of the violation, without any prejudice to other articles or the Agreement itself.
- Any waiver, express or implied, of any Party to exercise one of its rights shall not be intended as a definitive waiver of such rights and of the possibility of the Party to request performance of what was agreed.
- Any amendment to the present Agreement shall be previously agreed in writing and signed by both Parties.
- Parties shall not cede the Agreement, nor part of it, to third parties without the previous written consent of the other Party.
- Controller may communicate to Processor through the following addresses:
- Applicable law and jurisdiction
- The present Agreement is governed by Italian law, regarding both substantive and procedural law.
- Any dispute arising from or in connection with the present Agreement shall be decided by the Court of Milan which has exclusive jurisdiction.
Last update date: 20 January 2020.