DATA PROCESSING AGREEMENT

between

DWSNET S.R.L.

and

the User

 

 

Table of contents
  1. DEFINITIONS
  2. SCOPE OF THE AGREEMENT
  3. INSTRUCTIONS TO THE DATA PROCESSOR
    1. General Instructions
    2. Instructions for Processor’s Personnel
    3. Technical and organisational measures
    4. Data Breaches
    5. Sub-Processor’s engagement
  4. DATA CONTROLLER’S RIGHTS
  5. LIABILITY
  6. DATA TRANSFER
  7. TERM AND TERMINATION
  8. GOVERNING LAW AND JURISDICTION
  9. ANNEX A
  10. ANNEX B
  11. ANNEX C

 

WHEREAS

  • DWSNET S.r.l., VAT n. IT10018841212, with registered office in Via Fedro n. 16, 80122 Napoli (NA) is a hosting service provider, allowing Users to remotely access computers and devices through DWService’s Application (hereinafter “DWService” or the "Data Processor").
  • The User has accepted the Conditions, which imply the processing of personal data.
  • In light of the contractual relationship between DWService and the User (jointly referred to as “the Parties”), the User will act as Data Controller, i.e. the entity that determines the purposes and means of the processing of personal data (for brevity “the User” or “the Data Controller”), and DWSNET S.r.l. will act as Data Processor, i.e. the entity that will process the personal data on behalf of the Data Controller.
  • The Data Processor has adequate experience, ability and reliability in relation to the tasks entrusted and complies with the provisions in force on the processing of personal data, also with regard to data security and systems security.
  • By this Data Processing Agreement, the Parties intend to regulate the processing of personal data in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).

All the above being stated

 

IT IS AGREED AS FOLLOWS

 

1. DEFINITIONS

Unless otherwise defined in this Agreement, the following words and phrases shall have the following meanings:

  • Agreement: means this Data Processing Agreement and its Annexes;
  • Conditions: the license contract entered into by the Parties that governs the relationship between DWService and its Users;
  • User: any person who accesses and uses the Application, as defined in the Conditions of DWService;
  • Data Protection Legislation: the General Data Protection Regulation 2016/679 (GDPR), and any legislation or regulation which amends, replaces, re-enacts or consolidates national data protection legislation and shall adapt the local laws to the GDPR and any binding decisions issued by a Supervisory Authority (such as Garante per la Protezione dei Dati Personali in Italy) and by the European Data Protection Board;
  • Personal Data: any information relating to an identified or identifiable natural person;
  • Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, which occurred on the systems managed by the Processor or on which the Processor can exercise its authority and control;
  • Sub-Processor: any third party to whom the Processor has sub-delegated a processing operation of Personal Data set under this Agreement and that, in performing such obligations, may receive Personal Data and perform processing operations;
  • Processor’s Personnel: the persons authorised to process Personal Data under the supervision of the Processor, including but not limited to: employees, agents, consultants, representatives and any other subjects who work for the Processor, with the exclusion of Sub-Processor personnel;
  • Services: the services as defined in DWService’s Conditions;
  • Instructions: any instruction given by the User to the Processor in relation to the data processing operations according to this Agreement;
  • Supervisory authority: an independent public authority which is established by a Member State pursuant to Article 51 GDPR.

 

2. SCOPE OF THE AGREEMENT

By virtue of the Conditions, DWService will provide its Services to the User, which entail Personal Data processing activities. Therefore, with this Data Processing Agreement, the User appoints DWSNET S.r.l. as Data Processor.

Within the scope of this Agreement, the User acts as Data Controller, by determining the purposes and manners of the processing of Personal Data.

DWService acts as Data Processor and shall process the Personal Data exclusively on behalf of the Controller, for the sole purpose of providing the Services. In its capacity as Data Processor, DWService undertakes to process Personal Data only on the basis of the Instructions provided by the Data Controller in this Agreement, including those regarding Personal Data transfer to a third country or an international organization.

Each Party undertakes to comply with the applicable data protection law and to fulfil its obligations under this Agreement, also in order to prevent the User from breaching any of its obligations under the data protection law.

 

3. INSTRUCTIONS TO THE DATA PROCESSOR

The Data Processor undertakes to carry out all processing operations on Personal Data (referred to in Annex A) in accordance with the written Instructions of the Data Controller hereby. The Data Controller may change or amend the Instructions, when it finds it necessary, by giving a written notice (even in electronic format) to the Data Processor.

Processor shall immediately notify the User if, in its opinion, the Instructions (or their compliance) infringe the applicable Data Protection Legislation and may suspend the execution of any Instruction until Controller has either confirmed or changed said Instructions.

 

3.1 General Instructions

On a general basis, Processor agrees to:

  • comply with the principles of necessity, adequacy, relevance and non-excessiveness in carrying out personal data processing activities;
  • comply with the principle of proportionality of processing by keeping the data collected and processed only for the time necessary to achieve the purposes for which they were processed, and then deleting them, in accordance with the applicable Data Protection Legislation;
  • keep track of all data processing operations carried out within its area of competence and to make available to the Controller all information necessary to demonstrate compliance with the obligations laid down by Data Protection Legislation and by this Agreement;
  • cooperate with and assist the Data Controller in the event of Data Breaches and Data Subject’s requests, insofar as possible;
  • assist the Controller in ensuring compliance with the obligations referred to in Articles 32 to 36 of EU Regulation no. 679/2016, taking into account the nature of processing and the information available to the Processor;
  • notify the Data Controller of any circumstance relevant to EU Regulation no. 679/2016 (such as requests, inspection or other enquiries by a Supervisory Authority, data breaches, any deficiencies relating to security measures, etc.);
  • refrain from making copies of Personal Data, other than to the extent that is strictly required to properly perform the Agreement;
  • refrain from publishing, disclosing or divulging any Personal Data without the previous written authorization of the User, unless it is required to comply with applicable law.

 

3.2 Instructions for Processor’s Personnel

The Data Processor shall maintain all Personal Data as strictly confidential. Therefore, it ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

In this regard, Processor limits access to Personal Data solely to those of its personnel on a need-to-know basis to deliver the Services and comply with the Processor obligations under this Agreement. On the other hand, Processor ensures that all of its Personnel involved in the processing:

  • are bound by appropriate confidentiality obligations;
  • have been duly instructed and trained in relation to compliance with their obligations as set under Data Protection Legislation;
  • will continue to receive, throughout the term of this Agreement, appropriate training to ensure they are aware of and up to date on their obligations under this Agreement and under Data Protection Legislation.

 

3.3 Technical and organisational measures

Taking into account the state of the art, the nature and purposes of the processing of User’s Personal Data, Processor undertakes to take all technical and organizational measures provided for by Article 32 of EU Reg. no. 679/2016 and, in any case, those aimed at guaranteeing the confidentiality, integrity, availability and resilience of the data. The list of security measures adopted by the Data Processor is set out in Annex B to this Agreement.

In complying with these requirements, Processor agrees to assist the Data Controller both in the fulfilment of obligations regarding security measures and in carrying out a prior consultation with the Supervisory Authority pursuant to Article 36 of EU Regulation no. 679/2016.

 

3.4 Data Breaches

Data Processor shall notify the Data Controller without undue delay after becoming aware of a Data Breach. Such notification shall contain, insofar as possible:

  • the date and time when the Security Breach occurred;
  • the categories and approximate number of the Data Subjects concerned;
  • a detailed description of how and when the Security Breach occurred;
  • the security measures in place to prevent or mitigate the effect of such breach;
  • the likely consequences of the Security Breach.

The Processor also commits not to release or publish any filing, communication, notice or report concerning the security breach without the Data Controller’s express prior written approval (except where Processor is required to do so by applicable law, but always having pre-notified the Data Controller of such Breach) and to keep as confidential any information regarding the Security Breach.

 

3.5 Sub-Processor’s engagement

The Data Controller hereby authorizes the Data Processor to engage the Sub-Data Processors indicated in Annex C to this Agreement, i.e. subjects specifically designated for the execution of specific processing activities on behalf of the Data Controller, pursuant to art. 28, paragraphs 2 and 4, of EU Regulation no. 679/2016.

Should the Data Processor wish to engage other Sub-Processors, it shall obtain prior general and written authorization from the Data Controller and inform the Controller of any intended changes concerning the addition or replacement of the list of Sub-Processors, thereby giving the Controller the opportunity to object to such changes.

When engaging Sub-Processors in addition to the ones listed in this Agreement, DWService shall impose on Sub-Data Processors the same obligations as set out in this Agreement, by providing sufficient guarantees to implement appropriate technical and organisational measures.

The Processor retains full responsibility for the fulfilment of the obligations imposed hereby on the Authorised Persons and any Sub-Processor, without prejudice to the right to seek recourse against them.

 

4. DATA CONTROLLER’S RIGHTS

The Data Controller reserves the rights to:

  • update the tasks and Instructions given to the Data Processor in relation to the processing of the data or to assign new ones;
  • carry out checks, through inspections or audit activities, on the effective performance of the activities and tasks entrusted;
  • periodically verify the Processor's experience, ability and reliability and compliance with all regulatory provisions on data security.

Processor shall support any such Controller’s rights and cooperate with Controller in exercising them. This shall include in particular the provision of all necessary information on Processor and its Sub-Processors, the relevant documentation, technical and organisational measures and other circumstances of Processing Personal Data of the Controller.

It is the responsibility of the Data Controller, in any case, to keep the Data Processor informed and updated of any circumstance relevant to the processing activity delegated to it.

 

5. LIABILITY

With regard to the distribution of compensation liability between the Data Controller and the Data Processor, the provisions of art. 82 of EU Regulation no. 2016/679 shall apply.

 

6. DATA TRANSFER

The Processor shall not transfer Personal Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the User.

Processor undertakes hereby to process and store personal data exclusively within the territory of the European Union. However, the Parties acknowledge that the Processor may use nodes located outside the European Economic Area, as indicated on the dedicated page of the website, in order to meet technical and performance requirements to deliver the Service. The use of Nodes does not constitute a transfer of personal data nor a processing of personal data, as intended by the applicable legislation, but instead it constitutes a mere conduit activity.

 

7. TERM AND TERMINATION

This Agreement shall become effective as from the date of signature by both Parties and shall remain in force until termination, for any reason whatsoever, of the Conditions.

Upon termination of the Conditions, at the choice of the Controller, Data Processor shall delete or return all of the Controller’s Personal Data processed in the execution of the Services provided by DWService and shall delete existing copies, unless Union or Member State law requires storage of such Personal Data.

 

8. GOVERNING LAW AND JURISDICTION

This Agreement is governed by the laws of Italy.

Any dispute arising in connection with this Agreement or the execution of the Conditions, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts where the Processor is located.

 

 

ANNEX A

PERSONAL DATA PROCESSED

Nature of the processing
The User has accepted DWService’s Conditions. By this contractual relationship, DWService will process Personal Data at the indication of the Controller.

Purpose of the processing
The purpose of the processing is to allow the performance of the Conditions, and specifically to allow DWService to provide the requested Service.

Type of Personal Data
  • data for authentication: e-mail, password and other non-mandatory personal information;
  • agent data: name, description, etc.
  • data on the actions taken by the user when using the Service: name, any access passwords;
  • access data: start time, end time, IP address;
  • any other data necessary to provide the requested Service and/or technical support;
  • any other data deriving from the User’s use of the Service.

Data Subjects
  • users
  • subjects whose personal data are held by the User

Permitted processing operations
Collection, storage, recording, duplication for back-up purposes, organisation, structuring, adaptation, modification, extraction, consultation, use, disclosure by transmission, dissemination or any other form of making available, comparison, interconnection, restriction, erasure or destruction.

Duration of processing
The Data Processor will carry out the processing of Personal Data on behalf of the Data Controller for the duration of the Service.

Place of processing
Processing takes place exclusively within the European Economic Area. With regard to connections redirected to nodes located outside the EEA that may be used when delivering the Service, see Paragraph 6 of this Agreement.

 

 

ANNEX B

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

DWService undertakes to implement the following measures:

1. Access control to data

Measures to prevent authorised users from accessing data beyond their authorised access rights and to prevent the unauthorised input, reading, copying, removal, modification or disclosure of data include:

  • differentiated access rights (one account can only belong to one person);
  • access rights defined according to duties;
  • automated log of user access via IT systems;
  • two-factor authentication;
  • software security measures.

 

2. Disclosure control

Measures to prevent the unauthorised access, alteration or removal of data during transfer, and to ensure that all transfers are secure are implemented as follows:

  • all communications between components and between users and agents take place using TCP port 443 (HTTPS standard);
  • all communications are encrypted via an SSL certificate in accordance with current security standards;
  • all passwords are hashed in accordance with modern security standards. Password hashes are stored so that plaintext passwords cannot be retrieved;
  • no data that passes between users and agents is stored.

 

3. Storage control

Measures should be put in place to secure business facilities, data centres, paper files, servers, back-up systems and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability.

 

 

ANNEX C

LIST OF SUB-PROCESSORS

Sub-Processor | Registered office | Place of Data Processing
OVH S.R.L. | Via Carlo Imbonati n. 18, 20159 Milano (Italy) | European Union
Hetzner Online GmbH | Industriestr. 25, 91710 Gunzenhausen (Germany) | European Union