IN ACCORDANCE WITH ART. 28 OF EU REGULATION 2016/679
Last modified: 20 November 2019
Capitalized terms used in this Data Protection Agreement shall have the following meaning:
1.1. “Data Protection Agreement“: means this Agreement for the Protection of Personal Data.
1.2. “Account“: means an account created with a username and password.
1.3. “Audit“: means the verification activity requested by the Controller, carried out by an independent expert aimed at ascertaining that the Processor complies with its obligations arising from this Data Protection Agreement.
1.4. “Supervisory Authority” means the Garante della Privacy which is the Italian national supervisory authority on personal data protection.
1.5. “CUSTOMER” means an individual/legal entity to which QUENTRAL provides services based on the execution of an Agreement.
1.7. “Contract” means the relationship between QUENTRAL and CUSTOMER created by the completion of an Order and governed by the General Terms and Conditions – Quentral srl.
1.8. “Data Breach“: means a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
1.9. “Personal Data” or simply “Data”: means any information relating to any identified or identifiable natural person which the Processor processes in order to perform the Contract with the Controller.
1.10. “Data Subject“: means the natural person whose Personal Data is subject to Processing.
1.11. “Requests” means any request by the Data Subjects for the exercise of their rights under the applicable Personal Data protection legislation.
1.12. “Party/Parties“: means QUENTRAL and CUSTOMER if considered jointly (“Parties”) or individually (“Party”).
1.13. “Platform“: means QUENTRAL proprietary software made available to the CUSTOMER upon payment of a fee.
1.14. “Profile / Profile information” means all the information in the “Profile” section of the Services, including, but not limited to, full name, email address, password and profile picture.
1.15. “Data Processor” (as defined under the GDRP 2016/679) or simply “Processor”: means a natural or legal person which processes personal data on behalf of the Data Controller. The Processor is QUENTRAL.
1.16. “Services” means all the services to be delivered to the CUSTOMER as set out in the Order Confirmation.
1.17. “Data Controller” (as defined under the GDRP 2016/679) or simply “Controller”: means the natural or legal person which alone and/or jointly with other Controllers determine(s) the purposes and means of the Processing of personal data. The Controller is CUSTOMER.
1.18. “Processing” as in “to Process“: means any operation or set of operations, performed with or without the aid of automated means in relation to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Processing of Personal Data by the Processor
2.1. The Controller entrusts the Processor with all – and exclusively – the processing operations of Personal Data necessary to fully perform the Service according to the detailed instructions and criteria under the Contract, under this Data Protection Agreement and the other technical annexes.
2.2. The categories of Personal Data processed by the Processor are the Accounts created on QUENTRAL’s Platform including, but not limited to, the Profile information and the created Contents.
2.3. The Processor must process the received Personal Data only and exclusively on the basis of Controller’s written instructions, the Processing is carried out only to perform this Data Protection Agreement. The aforesaid is without prejudice to any Processing carried out by the Processor requested and/or in compliance with any provision under applicable law or legislation of the EU or any Member State. In such cases the Processor shall notify the Controller of such legal requirement before the Data Processing begins, unless the current applicable legislation prevents and/or prohibits such notification on important grounds of public interest, where it is expressly provided for the fulfilment of a specific rule of law and/or specific request to that effect as decided by the competent authorities.
2.4. The Processor has no control over the purposes and means of the Processing of Personal Data. Nothing under this Data Protection Agreement shall be construed as to transfer neither under any circumstance Personal Data control to the Processor.
2.5. The Processor is not allowed to:
2.5.1. Process Personal Data for personal purposes;
2.5.2. Process Personal Data for purposes other or more extensive than those reasonably necessary for complying with the Agreement;
2.5.3. Disclose Personal Data to third parties unless permitted under the Contract and/or the Data Protection Agreement and/or any mandatory legal provisions which require the Processor to disclose the Personal Data to the supervisory or investigation authorities.
3. Compliance with the GDPR and other laws
3.1. Parties shall act in accordance with the provisions of the GDPR, other applicable laws, and any future national or European laws, or such others on Personal Data processing which may come into force in the future. If future rules of law and of other nature were to determine the need to adapt this Data Protection Agreement, the Parties shall consult in order to create new Agreements implementing the content of this Data Protection Agreement in the broadest way possible consistent with the necessary changes pursuant to the new regulatory requirements.
3.2. The Processor commits to cooperate with the Controller to support the latter in the implementation of a Privacy impact assessment to the greatest extent possible, given the information at Processor’s disposal and the nature of the Processing. The Controller shall bear any reasonable costs related to this obligation to collaborate.
3.3. To the extent that the Controller must, under rules of law or of other nature, provide information on the Personal Data Processing to a supervisory authority, the Processor must, under prior request from the Controller, give maximum availability to cooperate with the Controller, in order to ensure that the supervisory authority can access the required information and be also adequately informed.
3.4. The Processor shall not be held responsible nor liable for any administrative fines by a supervisory authority (including, the Italian authority for data protection represented by the Garante della Privacy) or for any loss or damage suffered by the Data Subject except in cases of misconduct or gross negligence by the Processor.
4.1. The Processor agrees to keep Personal Data confidential and to ensure that any subject authorised to Personal Data processing agrees to such a confidentiality obligation.
4.2. This confidentiality obligation shall continue to remain in effect and binding even after the termination of this Data Protection Agreement, except for information that is already available to the public without prejudice to the breach of such confidentiality obligation.
5. Mandatory security measures by the Processor
5.1. The Processor shall implement appropriate technical and organizational measures to guarantee Data security as set out in the “Data Security Statement”.
5.2. When implementing the technical and organizational security measures, the Processor shall take into account the state of the art and the implementation of security measures costs, as well as the nature, scope and context of the Processing operations, the purposes and the use of the Services, processing risks and the different expected risks in terms of likelihood and severity, related to the rights and freedoms of the Data Subjects, considering the intended use of the Services.
5.3. When assessing the appropriate security level, the Processor shall take into account the risks related to the Processing, mainly those related to: i) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data, transmitted, stored or otherwise processed; ii) data processing not allowed or non-compliant with the operations purposes.
5.4. The Processor shall implement the security measures to ensure: i) the capability to ensure the ongoing confidentiality, integrity and availability of the systems and processing services; ii) the ability to promptly restore the availability and access to Personal Data in the event of a physical or technical incident; iii) a procedure for regularly assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing; iv) any other provision related to the processing security according to art. 32 of the GDPR.
6. Monitoring by the Controller
6.1. The Processor agrees to guarantee to the Controller, should the latter require it, to verify the Processor’s compliance with the provisions of this Data Protection Agreement.
6.2. Controller shall have the right to hire an independent expert to carry out an Audit to ascertain if the Processor complies with its obligations arising out of this Data Protection Agreement. Such independent expert shall keep strictly confidential its tasks. The Processor shall cooperate with the independent expert in relation to the Audit activities and shall promptly make available all the information reasonably relevant for the Audit. The Controller shall bear the costs of the Audit, except where the Processor fails to comply with its obligations arising from performance of this Data Protection Agreement in which case Processor shall bear such costs.
6.3. Should the Audit reveal that the measures implemented by the Processor are insufficient and/or inadequate or do not comply with the provisions under the GDPR and/or other applicable laws, the Processor shall promptly implement any measure it considers necessary, taking into due account the risks of Processing related to its Service, the state of the art, implementation costs, the market of reference and the purpose and target of use of its Service.
7. Responsibilities of the Controller
7.1. The Controller declares that the Users’ Personal Data it transmitted to the Processor:
- is relevant and not exceeding the purposes for which it was collected and processed;
- in any event, Personal Data and/or special categories of Personal Data to be Processed by the Processor is collected and transmitted in accordance with every and each provision under the applicable legislation. It is understood that the Controller is responsible for identifying the legal basis for the Personal Data Processing of the Data Subjects and provide them with proper and adequate information.
7.2. The Controller is solely responsible for any Personal Data processing autonomously implemented and without the help of the Processor, through application procedures developed according to its specifications and/or through its own information or telecommunication technology which do not engage Processor’s activities, goods or tools.
7.3. Personal Data processing autonomously implemented by the Controller can under no circumstances infringe the provisions under the General Terms and Conditions – Quentral srl and/or other annexes and agreements signed by the Parties.
7.4. The Controller shall indemnify the Processor for any loss, damage and costs resulting from any compensation claims by third parties, expressly including the Data Subjects, the supervisory authorities (such as the Italian authority for data protection), relating to or arising from unlawful Processing and/or any other breach of the GDPR or of this Data Protection Agreement attributable to the Controller.
8. Notification of Data-Breach
8.1. In the event of Personal Data breach, the Data Processor shall notify the Data Controller without undue delay after becoming aware of the breach, in any case no later than 48 hours from when it became aware of such breach. The timely notification to the Controller is necessary so that the latter can notify the breach to the supervisory authority without undue delay.
8.2. The Processor shall keep the Controller adequately informed on any action taken to address the data-breach and its effectiveness. The Processor must provide any relevant information regarding the consequences caused by the data-breach. The Processor shall take any necessary and reasonable measures in order to address and/or mitigate the unintended and/or detrimental consequences arising out of unauthorized access, in the manner considered to be the most effective possible, taking into account the state of the art, the implementation costs, the market of reference and the purpose and target of use of the Service.
8.3. The Processor shall notify the data-breach exclusively to the Controller. The Processor can inform the Data Subjects and/or the supervisory authorities about the data-breach, only with express written instructions from the Controller.
9.1. Pursuant to this Agreement, the Controller confers general written authorisation to the Processor for the appointment of any other Processor (“Sub-Processor/s”) to perform the Service.
9.2. In the event that the Processor engages any Sub-Processors, the Processor commits to select such Sub-Processors from among subjects which by experience, ability and reliability provide sufficient guarantees to implement appropriate technical and organisational measures, so that the Processing meets the requirements under the pro tempore applicable legislation and guarantees the protection of the Data Subjects’ rights.
9.3. The Processor also undertakes to sign specific contracts, or other legal acts, with the Sub-Processors through which the Processor analytically describes their duties and requires them to comply with the same obligations, with reference to the Personal Data protection regulations, required by the Controller to the Processor according to the pro tempore applicable legislation and the special provisions by the competent Supervisory Authority, especially including sufficient guarantees to implement appropriate technical and organisational measures so that the Processing meets the requirements of this Data Protection Agreement.
9.4. The Controller shall always be aware of the subjects to whom the Personal Data of the Data Subjects has been entrusted and shall always have the power to object to the assignment of the Processing to such subjects, by requiring their removal at any time. Now, therefore, without prejudice to the fact that the Processor remains exclusively responsible for the selection of the Sub-Processors, the Processor commits to notify to the Controller the list of any appointed Sub-Processor (with their company name, registered office, VAT number and company email address) as well as to inform the Controller on any change related to the removal or replacement of such Sub-Processors, so that the Controller has the opportunity to object at any time to the assignment of the Processing to one or more Sub-Processors chosen by the Processor.
9.5. The Processor commits to sign with any Sub-Processor, if established in a country outside the European Union for which the European Commission has not issued an opinion on the adequacy of the level of Personal Data protection, an agreement for data transfer abroad containing the specific contract clauses (as amended) adopted by the European Commission itself.
9.6. If the transfer of Personal Data to third parties, including those outside the European Union or to international organizations, is required by European Union law or by the law to which the Processor is subject to, the latter shall inform the Controller before the transfer, of such legal requirement unless such law prohibits the information on important grounds of public interest pursuant to art.28.3(a) of the GDPR.
10. Exercise of rights by Data Subjects
10.1. If the Processor receives any Request from Data Subjects for the exercises of their rights under the applicable Personal Data protection legislation, the Processor shall:
- provide prompt written notice to the Controller attaching a copy of the Request;
- assist the Controller with appropriate technical and organisational measures in order to fulfil the Controller’s obligation to address the Request of the Data Subjects for the exercise of their rights.
In particular, where applicable and in consideration of the Processing activities to be carried out, the Processor shall:
- enable the Controller to provide the Data Subjects with their Personal Data in a structured, commonly used and machine-readable format and the right to transmit the data to another controller;
- enable the Controller to guarantee, in whole or in part, the rights to object, and restriction to Processing, as well as the other rights under the GDPR.
10.2. If the Requests of the Data Subjects are received by the Controller, the latter shall notify such Requests to the Processor, which shall cooperate with the Controller pursuant to art. 10.1 above.
10.3. The Processor shall carry out its functional Processing in relation to the Service or arising from Controller’s written instructions, also with reference to any transfer of Personal Data to a third country or international organization. Should the necessity arise for a different and exceptional Processing of Personal Data compared to the ones normally carried out, the Processor shall inform the Controller in advance.
10.4. The Processor reserves the right to charge the Controller a reasonable fee for such cooperation.
11. International Flow of Personal Data of Data subjects
11.1. The Processor shall ensure that any Personal Data Processing carried out by or on behalf of the Controller, including any third parties appointed by it in order to perform the Agreement, is carried out within the European Economic Area (EEA) or from or to countries that offer an adequate level of protection in accordance with the GDPR. By way of derogation from such prohibition, transfer to third countries is also allowed in the cases mentioned by article 26, paragraph 1, of Directive 95/46 (Data Subject’s consent, necessity for the transfer for purposes of contractual/precontractual measures, important public interest, etc.), as well as on the basis of contractual clauses that provide adequate protection (article 26, paragraph 2, of Directive 95/46).
11.2. Now, therefore, without Controller’s prior written consent, the Processor cannot transfer Personal Data or store it in a country outside the EEA or make Personal Data accessible to a non-EEA country, unless the latter can guarantee an adequate level of protection or applicable provisions under Union or Member States’ laws in relation to the Personal Data processing. In such cases, the Processor shall notify the Controller, before the processing, of such legal requirement, unless the mentioned legislation prohibits such notification on important grounds of public interest.
12. Data Processor Obligations
In addition to anything already provided for and set out in the above articles of this Data Protection Agreement, the Processor shall:
- ensure compliance with the obligations set forth in this Data Protection Agreement. This Data Protection Agreement forms an integral part of the General Terms and Conditions, and the (entire) responsibility of the Processor is therefore limited to the provisions set forth in the General Terms and Conditions.
- implement, by law and pursuant to this Data Protection Agreement, and if falling within its responsibilities, the security measures required by the applicable pro tempore legislation on Personal Data processing by providing assistance to the Controller in ensuring compliance with such legislation.
- assist the Controller upon request of the latter, before the Supervisory Authority and Judicial Authority in accordance with the activities falling within its responsibilities.
- ensure that within its corporate structure, the individuals designated and authorized to Processing, receive adequate written instructions regarding Processing modalities, in accordance with the law provisions and this Data Protection Agreement, as well as verify and ensure application of all security provisions. The Processor shall bind those subjects authorized to Processing to confidentiality or to an adequate legal obligation of confidentiality, even after the termination of the working relationship with the Processor in relation to the Processing they have performed.
- promptly notify the Data Controller if, the Processor believes that, any specific instruction breaches any provision under the GDPR, or other national or Union provision related to Personal Data protection.
13. Data Protection Agreement Term
13.1. This Data Protection Agreement shall become effective when the Contract becomes effective and shall remain so effective for the duration of the Contract term.
13.2. Upon termination of the assigned Processing operations, as well as upon termination for any reason of the Service or of the Processing by the Processor, at Controller’s discretion and request, the Processor shall: (i) return the Personal Data subject to processing to the Controller, or (ii) completely destroy it except where data storage is required by law or for other purposes (accounting, tax, etc.). In both such cases, the Processor shall provide the Controller, upon request by the latter, with a specific written statement declaring that the Processor holds no copies of the Personal Data and proprietary information of the Controller.
13.3. The Data Controller reserves the right to carry out checks and inspections aimed at verifying the truthfulness of such declaration. This appointment will be effective for as long as the Service is provided, without prejudice to the specific obligations which shall survive by their nature. If for any reason the relationship between the Parties and/or the Contract terminates or loses effectiveness, or the Service is no longer provided, this Data Protection Agreement shall also automatically terminate without communications or revocation, and the Processor shall no longer be entitled to process the Controller’s data pursuant to the provisions under paragraph above.
14. Applicable law – Competent jurisdiction
14.1. This Data Protection Agreement is governed exclusively by Italian law and European laws directly applicable in Italy.
14.2. Should any dispute arise in relation to this Data Protection Agreement, the Court of Milan shall have exclusive jurisdiction.
15.1. Any amendment and supplements to this Data Protection Agreement shall be valid only if agreed in writing by the Parties.
15.2. This Data Protection Agreement was originally written in English, therefore, in the event of inconsistency with translated versions in other languages, the English version shall prevail.
16. Personal Data Processing Authorisation
Any communication to be sent under and related to this Data Protection Agreement, shall be in writing and shall be deemed as regularly made to a Party if sent by email or registered mail with return receipt.
From the section available in its Account CUSTOMER can write to QUENTRAL via email at the following address: firstname.lastname@example.org