Appointment as Data Processor
pursuant to art. 28 of European Regulation no. 2016/679   BETWEEN The Client, as the Data Controller of the processing of personal data relating to the websites owned by the Client under the contract in force with Fortop S.r.l., (hereinafter, the “Data Controller”) AND Fortop S.r.l., having its legal seat in Corso Sempione, 10 – Milan, REA-MI 2010697, Fiscal Code and VAT No. 02001910500, in the person of its legal representative Dr Claudia Guerri (hereinafter, also the “Data Processor”) (hereinafter, jointly, also the “Parties”) WHEREAS
  • between the Data Controller and the Data Processor, together with other parties, there is a legal relationship for the management of the project defined in the agreement between the parties;
  • the Data Controller has engaged the Data Processor to carry out the digital project which is the subject of the agreement, (hereinafter also “Agreement“) and that, pursuant to European Regulation No. 2016/679 (hereinafter also “GDPR“), the performance of the Agreement involves the processing of personal data on behalf of the Data Controller by the Data Processor who shall organise, coordinate and carry out such processing operations;
  • with this deed of assignment (hereinafter, also, the “Assignment”) the Data Controller hereby appointed the Data Processor, pursuant to art. 28 of the GDPR, who accepts, as the data processor, and sets out instructions for personal data processing by the Data Processor for the purposes of executing the Activities.
  1. Premises and attachments
    • The premises and attachments shall be considered an integral and substantive part of the Assignment.
  1. Definitions
    • Without prejudice to the standard terms agreed above, for the purpose of ensuring the correct application of the personal data protection regulations in carrying out the Assignment granted to the Data Processor, it is noted that the definitions set out in art. 4 of the GDPR are understood as fully referenced herein.
    • Within this Assignment, in addition to the above, for the standard terms shown below, the definitions indicated for each one shall be understood:
  2. “Relevant Regulations”: shall mean the GDPR and any legislative or regulatory measures adopted by the national public authorities on personal data processing (including the measures taken by the Supervisory Authority), applicable during the period of validity of this Assignment.
  3. “Sub-Data Processor(s)”: shall mean any third party assigned by the Data Processor, in compliance with the procedures set out in this Assignment, that fully or partially carries out the personal data processing transactions under the responsibility of the Data Processor;
  4. “Security Measures”: shall mean the technical and organisational security measures, adopted pursuant to art. 32 of the GDPR, to which reference is made;
  5. “Requests”: shall mean requests for information (including informal requests)/complaints/ claims from third parties (merely by way of example, data subjects, Supervisory Authority or other legal or administrative authorities) receive by the Data Processor with regard to the processing operations pursuant to this Assignment;
  6. “European Economic Area”: the sovereign states included in the geographical scope of application pursuant to art. 3 of the GDPR.
  1. Relationship with the Agreement
    • This Assignment is expressly linked to the Agreement in force between the Parties. Therefore, for any aspect that is not expressly governed herein, reference should be made to the Agreement. In the event of conflict between the provisions of the Agreement and those set out in this Assignment, the latter shall prevail.
  1. Personal data processed and purposes
    • The Data Processor, for the purposes of the correct execution of the activities, as better specified in the existing contract, may process the personal data of the users.
    • Specifically, on the basis of the main services provided, different types of data may be processed in different ways, as indicated below:
Service name Category of data Purpose of processing
Market Analysis Aggregated and/or pseudonymised data, only where respondents are identifiable for particular reasons. Additional anonymisation operations for statistical purposes
Organic Visibility (access to Google Analytics or similar) IP of web users, even where subject to pseudonymisation, if by other means the data subjects are in any case identifiable by the platform processing of aggregate statistical information for commercial and marketing purposes
Organic Visibility (access to the website management CMS) Access data to application systems of the Data Controllers such as: active directories, employee company email address, common personal data of the web user, web user connection identifier, data relating to purchase orders, user profiling Management of services required for customers and web users in order to improve the marketing and sales performance of the website.
Analytics Tracking Plan Identification of the connection of web users, where the Analytics service employed grants visibility of it Management of services required in favour of customers and web users
GDPR compliance Identifier of Cookies and classification of choice of cookie profile (technical identifiers) Directing the correct management of cookies to comply with legislation (GDPR and local)
Media Management ADV Identifier of Cookies and Profiling Classification On-line advertising on the site addressed to the web users involved and who have given their consent
  • Such data may be processed exclusively for the purposes of performance, profiling and user segmentation as well as for the enrichment of the user profiles created and for the fulfilments related to such activities.
  • In the event that the Data Processor lacks sufficient information to process the personal data of the Data Controller, it shall promptly inform the Data Controller in writing. The Data Controller shall provide any clarifications requested, in writing.
  1. Instructions for processing personal data
    • Where the Data Processor deems that the instructions provided breach or conflict with the Relevant Regulations, it must promptly inform the Data Controller in order to ensure the necessary evaluations.
    • The Data Processor declares and warrants that:
  2. it shall process the personal data only and exclusively for the purposes of executing the Activities described in the Agreement;
  3. it shall verify that each activity of personal data processing carried out, in the interest or on behalf of the Data Controller, is carried out lawfully and correctly, in compliance with the principles of legitimacy, accuracy, updating, pertinence, completeness, adequacy and storage;
  4. it shall not implement any personal data processing (or, more generally, any action, omission or conduct relating to the personal data) for its own, autonomous purposes, and in general, for any purpose other than the mere execution of the activities under the Agreement;
  5. it shall carry out any obligation prescribed by this Assignment, and more generally, will take all steps required to prevent the Data Controller from breaching Relevant Legislation in relation to the personal data processed in performance of the Assignment;
  6. in executing this Assignment, it shall comply with and promptly align with all requirements of the Relevant Regulations, also informing the Data Controller of any new provisions that entail a change in the methods for and restrictions on personal data processing, as governed in this Assignment, or which entail an amendment to this Assignment. In particular, the Data Processor:
  • if required by virtue of the Relevant Regulations or on explicit request by the Data Controller, shall draw up, maintain and regularly update an electronic record of the processing carried out on behalf of the Data Controller, as regulated by art. 30 of the GDPR.
  • shall, if necessary considering the processing carried out on behalf of the Data Controller, appoint a Data Protection Officer pursuant to articles 37, 38 and 39 of the GDPR, and immediately notify the Data Controller of such appointment;
  • shall appoint system administrators, where present, as required by the Measure of the Data Protection Authority of 27 November 2008, as amended, “Measures and arrangements applying to the controllers of processing operations performed with the help of electronic tools in view of committing the task of system administrator”, if applicable;
  • adopt all internal procedures and security measures suitable for the protection of the processing and the personal data processed;
  • designate in writing the persons authorised to process the personal data;
  • provide the Data Controller with assistance and support in connection with the requirements of Articles 35 and 36 GDPR, with reference to the drafting of a data protection impact assessment
  • provide any support in relation to the obligations imposed on the Data Controller by Articles 32-36 GDPR.
    • On express request by the Data Controller, the Data Processor shall promptly upgrade its IT systems, the Security Measures, the tools and internal processes regarding personal data processing, in order to comply with art. 25 of the GDPR and ensure protection of the personal data processed by design (implementing procedures, tools and Security Measures that ensure, both at the time of the determination of the means for processing and at the time of the processing itself, greater protection of the data subjects) and by default (implementing procedures that process only the personal data strictly necessary for each purpose of the processing).
  1. Security Measures
    • The Data Processor shall adopt appropriate Security Measures to protect the personal data processed on behalf of the Data Controller. The Security Measures adopted must achieve a level of security for the personal data processed that is appropriate and proportionate, taking into account (i) the nature, scope, context and purposes of processing, (ii) the risks for the rights and freedoms of the data subjects, (iii) the state of the art and technology and, lastly, (iv) the costs of implementation and any upgrading of those Security Measures.
    • Specifically, the Data Processor shall adopt Security Measures to protect the personal data processed in general from any form of unlawful processing and, in particular, from destruction, amendment, dissemination or unlawful or unauthorised processing. The Security Measures adopted by the Data Processor shall include, if necessary:
  2. the pseudonymisation and encryption of the personal data;
  3. the ability to permanently ensure the confidentiality, integrity, availability and resilience of the processing systems and services;
  4. the ability to promptly restore the availability and access to personal data in the event of a physical or technical incident; and
  5. a process for regularly testing, assessing and evaluating the effectiveness of the Security Measures in order to guarantee the security of the processing.
    • Attachment A indicates the basic requirements for the implementation of the Security Measures that the Data Processor must adopt. Additional, specific Security Measures that are concretely adopted by the Data Processor with regard to all or some of the personal data processing carried out on behalf of the Data Controller must be communicated to the Data Controller.
  1. Data breaches pursuant to articles 33 – 34 of the GDPR
    • The Data Processor undertakes to notify the Data Controller promptly, without unjustified delay in relation to the discovery of the event or, in any event, within 72 hours of the discovery, of any security incident or any event that entails a breach or imminent threat of breach of the personal data processed (such as, merely by way of example, compromised operations of the IT system, unauthorised accesses, malware attacks, unauthorised dissemination, theft or loss of documentation), providing the necessary cooperation to resolve the incident.
    • The notifications pursuant to art. 7.1 must contain at least the information required by art. 33 of the GDPR.
    • The Data Processor shall provide all assistance and cooperation that may be requested by the Data Controller in order to remedy the breach of personal data, or to provide the Supervisory Authority with all information and clarifications requested.
  1. Relationships with third parties
    • Where the data subjects, the Supervisory Authority or any other third party (including, merely by way of example, legal and administrative authorities other than the Supervisory Authority) submit Requests to the Data Processor (also including requests to exercise the rights granted to the data subjects, such as the right to access, rectification, objection, the right to erasure, the right to restriction of processing, the right to data portability, the right not to be subject to a decision based on automated processing, including profiling), the Data Processor shall immediately (and, in any event, no later than 72 hours from receipt of the request for information/complaint/objection) inform the Data Controller in writing.
    • The Data Processor shall specifically transmit to the Data Controller a copy of the Requests received, also attaching any additional information or facts deemed useful.
    • It is understood that the Data Processor may reply to the Requests only after obtaining express written authorisation from the Data Controller (which, therefore, reserves the right to take autonomous action) and, in any event, in accordance with the directives, instructions and indications provided by the latter in writing. Therefore, the Data Processor may in no way act autonomously or as the representative/agent of the Data Controller (save for express indication of this in this regard).
    • The Data Processor is expressly prohibited from communicating or disclosing to third parties, also in response to the Requests, the personal data processed on behalf of the Data Controller or any other additional information relating to the personal data processing without first obtaining authorisations and instructions in writing from the Data Controller.
    • Where, in execution of regulatory obligations, or as a result of requests from legal, administrative or public safety authorities, it is required to disclose or communicate to third parties the data processed on behalf of the Data Controller or information relating to the processing. The Data Processor:
  2. shall immediately notify the Data Controller of that situation in writing;
  3. shall adopt all arrangements to limit or restrict the scope of the disclosure/communication (for example, omitting information not expressly requested);
  4. shall take all reasonable efforts to obtain confidentiality commitments from the recipients of the communications.
  1. Sub-Data Processors
    • If during the performance of the Assignment, the Data Processor expresses the need to involve Sub-Data Processors, the latter may carry out personal data processing operations upon written notice sent by the Data Processor to the Data Controller, containing the names and/or identification elements of the Sub-Processors. The appointment of the Sub-Data Processors shall be subject to the condition that any Sub-Data Processors sign an appointment agreement in which they are obliged to provide guarantees equivalent to those provided by the Processor.
    • In the event of any opposition to the appointment of one or more Sub-Data Processors, the Data Processor undertakes to submit to the Data Controller a further supplier of its choice for the performance of the processing operations identified.
    • In any case, the Sub-Data Processors indicated from time to time within the consultancy assignment formalised between the parties, as well as the suppliers of technological services underlying the envisaged activities, shall be deemed authorised as of now.
    • It is, in any case, understood that the Data Processor shall be responsible to the Data Controller for the correct, punctual and regular fulfilment of the obligations assumed by the Sub-Data Processors.
  1. Transfer of personal data
    • The Data Processor shall ensure that the personal data processed on behalf of the Data Controller are not transferred, even to third parties, to non-EU countries without the prior authorisation of the Data Controller.
    • The Data Controller acknowledges that in any case it allows the transfer of personal data to non-EU countries for technological reasons or in any case necessary due to the suppliers or the means used to carry out the activities, in any case in compliance with the requirements of the law and in particular by signing the Standard Contractual Clauses in the version in force, as approved by the European Commission.
    • If the transfer of personal data to third countries or international organisations is required by current legislation, the Data Processor shall inform the Data Controller of this legal obligation prior to processing, unless the law prohibits such information for important reasons of public interest.
  1. Audits, inspections and checks
    • The Data Processor undertakes to allow the verification and control by the Data Controller of the punctual compliance with the provisions issued, also with regard to security and data protection, by providing all the information necessary to prove compliance with the obligations arising from the legislation in force.
  1. Duration and allocation of the personal data
    • This appointment shall be effective for the entire duration of the Agreement and shall be revoked if the Agreement is terminated for any reason whatsoever.
    • In the event of termination of this appointment, the Data Controller shall require the Data Processor to return any personal data processed on its behalf, or to destroy them permanently, without retaining any copies, unless otherwise agreed or required by law.
    • Should the Data Controller fail, thirty days after the termination of the appointment, to inform the Data Processor how he intends to proceed, the latter shall be entitled to proceed with the cancellation and definitive destruction of any personal data.
  1. Liability and indemnities
    • The Data Processor shall indemnify the Data Controller against any liability arising directly from the performance by the Data Processor (and/or its appointed Sub-Data Processors) of the provisions of this Assignment in accordance with the requirements of the Relevant Legislation.
    • The Data Processor shall in any event not be obliged to indemnify and hold harmless the Data Controller if the liabilities arise from the execution of the instructions given by the Data Controller and the Data Processor has informed the Data Controller pursuant to clause 5.1 above.
  1. Communications
    • For the purposes of the Assignment and the communications between the Parties, the Parties declare that they elect their addresses for service at the registered offices indicated in the introduction.
    • All communications between the Parties shall be validly made in writing by way of registered letter with return receipt, or by certified email to the address shown in the chamber of commerce records search of each Party.
    • Any change to the addresses shown above shall take effect in relation to the Parties only when it has been notified to the other Party using the methods specified above.
  1. Miscellaneous
    • Any amendment to this Assignment must be made in writing, on pain of nullity.
    • The Assignment cancels and replaces all previous agreements or understandings between the Parties in relation to personal data processing carried out by the Data Processor on behalf of the Data Controller.
    • The Parties declare that all the clauses contained in this Assignment have been carefully and individually assessed and reflect their joint intentions.
    • Should any clause of this Assignment be declared invalid, said declaration shall not invalidate all of the other clauses contained herein. In that case, and to the extent possible, the invalid clause must be replaced by another whose effect is as equivalent as possible to that which the Parties intended at the time of entering into the Assignment.
    • Should the Data Controller not exercise one or more rights it is entitled to under this Assignment, this shall not constitute, nor may it be understood in any way as a waiver thereof.
    • The titles of the articles in this Assignment have the exclusive purpose of facilitating reference and cannot be used for the purpose of interpreting the content of this Assignment.
    • It is understood that the appointment as Data Processor does not grant the right to any consideration in addition to that set out in the Agreement, and is aimed at guaranteeing the correct data processing carried out by the appointed Data Processor.
Attachment A  Security Measures   A – Provisions on logic and IT security The Data Processor guarantees that:
  • the company organisation includes a structure in charge of controlling and implementing the security of the information and personal data processed;
  • said structure conducts the appropriate regular security checks and audits;
  • it works with third parties external to its company structure, provided that these parties meet the requirements of reliability and credibility with regard to the security measures adopted or to adopt.
The Data Processor must:
  1. adopt high standards of security (and keep them updated in consideration of the state of the art and technology);
  2. adopt a security procedure for the information and personal data processed that complies with sector best practices and is periodically updated. Said procedure shall be made available to the Data Controller on simple request;
  3. implement a procedure for reporting accesses to information and personal data (both at IT and logical/physical level), on a need-to-know basis (that is, only parties that need to know said information in order to execute the Activities may access it), and a procedure for addition/supplementation/elimination of said accesses;
  4. use complex passwords (minimum of 8 characters, upper and lower case, password reset on first access, password expiration) to access the IT systems;
  5. assign each user personal credentials (username and password) that are unique and cannot be assigned to other users;
  6. remove accounts that are inactive for more than 60 days or no longer necessary for the personal data processing on behalf of the Data Controller;
  7. be constantly and continuously up-to-date on regulatory provisions, technological innovations and any vulnerabilities relating to security;
  8. guarantee that all equipment used for archiving data and information from the Data Controller (including the equipment used for regular backups) is stored in secure, controlled areas in terms of environment, held, managed or contracted by the Data Processor. The archiving areas used to save that media must be programmed to reasonably reduce the impact deriving from environmental threats;
  9. ensure that all external connections to its systems (including, without any limitations, networks or remote access) are individually identified, verified, recorded and approved;
  10. ensure that wireless accesses to its systems are subject to authentication authorisation and encryption protocols in line with best practices and are permitted only from workstations approved by the Data Processor.
B – Provisions on physical security The Data Processor must:
  1. define and keep up-to-date procedures to guarantee physical security in the premises under its control;
  2. protect the data centre equipment and security systems used from environmental risks and infrastructural failures;
  3. physically protect and store portable media that contain personal data processed on behalf of the Data Controller while ensuring that access to it is only permitted to authorised personnel;
  4. adopt procedures and arrangements that ensure that the IT systems provide the possibility to immediately block access to data processing equipment, storage services and media.