DESIGNATION OF THE DATA PROCESSOR
pursuant to Article 28 of EU Regulation 2016/679
As part of the activities and services provided for and governed by the service agreement for access to and use of the ‘Cyber Guru’ cloud software platform entered into with Cyber Guru S.p.A. (the ‘Agreement’), the Client company, (‘Data Controller’)
Given that:
- Article 28, paragraph 3, of EU Regulation 2016/679 (General Data Protection Regulation), hereinafter also ‘GDPR’, provides that the processing carried out on behalf of the Data Controller by a Data Processor shall be governed by a contract or other legal act that determines the subject matter of the processing, the duration, nature and purpose, the type of personal data processed and the categories of data subjects, the obligations and rights of the Data Controller;
- Article 28 of EU Regulation 2016/679 also grants the Data Controller the right to use one or more Data Processors, who have the experience, skills and knowledge to implement technical and organisational measures that meet the requirements of the Regulation, including with regard to the security profile;
hereby designates
the company Cyber Guru S.p.A., in the person of its Legal Representative pro tempore, with registered office in Rome (Italy), Viale della Grande Muraglia 284, 00144 Rome, Tel. (+39) 065159281, Fax (+39) 0651963515, as DATA PROCESSOR, taking into account the processing activities necessary and/or appropriate to implement the agreed obligations, considering, for the purposes of the appointment, that the Data Processor has sufficient guarantees to implement adequate technical and organisational measures to meet the requirements of EU Regulation no. 2016/679.
This appointment does not entail any change in the professional status of the Data Processor and/or the obligations agreed between the Parties and shall be governed by the following agreements.
ART. 1 - NATURE AND PURPOSE OF THE PROCESSING
The processing of personal data is carried out exclusively for the proper performance of the activities agreed upon in the access to and use of the software platform of the products/services provided by Cyber Guru, as better described in the agreement.
ART. 2 - CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA PROCESSED
The Data Processor, in order to carry out the activities on behalf of the Data Controller, directly and/or indirectly processes the following categories of personal data and information relating to the described categories of data subjects, within the limits of the services purchased:
| Purpose | Data Processed | Data Subject Categories |
|---|---|---|
| First name, last name, company role, email address, IP address, learner profile (test results, data on interaction with the platform), and any other personal data that may be entered by the user when interacting with the product (if the chatbot service is activated). | Employees, collaborators, or other individuals authorized by the Data Controller |
| First name, last name, company role, email, phone number (if smishing service is activated), IP address, learner profile (click rate) | Employees, collaborators, or other individuals authorized by the Data Controller |
| First name, last name, user ID, company role, email address | Employees, collaborators, or other individuals authorized by the Data Controller |
| First name, last name, email address, user ID, browsing data | Employees, collaborators, or other individuals authorized by the Data Controller |
ART. 3 - OBLIGATION OF CONFIDENTIALITY
As part of the activities carried out by the Data Processor, only the personal data referred to in Article 4 no. 1 of EU Reg. 2016/679 will be processed, excluding special categories. The Data Processor and its employees and collaborators are bound to absolute confidentiality and undertake to process the data in a confidential and reserved manner, avoiding any communication and/or knowledge by unauthorised parties.
ART. 4 - AVAILABILITY, USE OF DATA AND TERMINATION OF PROCESSING
Whatever the purpose and duration of the processing carried out by the Data Processor:
- the data may not be sold or transferred, in whole or in part, to other parties;
- the Data Processor undertakes not to claim any rights over the data and materials viewed;
- in line with the provisions of the GDPR, it is explicitly forbidden for the Data Processor to send advertising, commercial and promotional messages and in any case to contact the Data Subjects for purposes other than those in this deed.
Once the processing operations covered by the Contract have ceased, unless renewed, the Data Processor undertakes to return to the Data Controller personal data acquired, received or processed by the Data Processor in connection with the performance of the services provided and, only subsequently, undertakes to delete them from its files or to destroy them 90 days after the termination of the Contract, except in cases where the data must be retained by virtue of legal obligations. It is understood that the demonstration of the reasons justifying the continuation of the conservation obligations is the responsibility of the Data Processor and that the only purposes that can be pursued with such data are exclusively limited to responding to these regulatory requirements.
ART. 5 - VALIDITY AND REVOCATION OF THE DESIGNATION
This appointment shall be valid for the entire duration of the legal relationship between the Parties and may be revoked at the discretion of the Data Controller.
This appointment does not constitute an additional burden for the Data Processor, as it falls within the regulatory obligations governing relations with the Data Controller in terms of the protection of natural persons with regard to the processing of personal data.
ART. 6 - SUB-PROCESSORS
The Data Processor is authorised to use, in accordance with the provisions of Article 28, paragraph 4 of the GDPR, to another entity (hereinafter ‘Sub-Processor’) for the performance of specific processing activities on behalf of the Data Controller, regulating the relationship by a legal act or contract aimed at circumscribing the respective areas of responsibility and having the Sub-Processor sign the same conditions applied in this deed of appointment with express adoption of the obligations regarding the protection of personal data already incumbent on the Data Processor and deriving from the signing of this deed.
The Data Processor undertakes to transmit to the Data Controller, upon formal request by the latter, the list of Sub-Processors identified.
The Data Processor shall ensure that the Sub-Processor offers sufficient guarantees of reliability and confidentiality and implements appropriate technical and organisational measures in such a way that the processing meets the requirements of the GDPR and that it returns (or deletes) the personal data subject to the processing and any copies at the end of the service. If any Sub-Processor, the executor of the processing, fails to fulfil its obligations regarding the protection of personal data, the Data Processor expressly declares and guarantees that it will retain full responsibility for the fulfilment of the obligations of that Party.
The Data Processor must transmit to the Company the name of the Sub-Processor, as well as any other change concerning the addition or replacement with other Sub-Processors, giving the Data Controller the opportunity to object.
ART. 7 - DESIGNATION AND AUTHORISATION OF THE PERSONS IN CHARGE
The Data Processor guarantees the timely identification of the subjects operating in any capacity in its organisation as ‘authorised’ subjects for processing.
In particular, the Data Processor undertakes to allow access to and processing of personal data only to duly trained and specifically designated personnel, also pursuant to Article 2-quaterdecies of Legislative Decree 196/2003 and subsequent amendments and integrations.
The Data Processor undertakes to make the appointments in writing and to limit access to and processing of personal data only to that which is necessary for the performance of the activities covered by the Agreement.
Authorised personnel must receive appropriate and specific training in relation to compliance with organisational and technical measures, in particular the security measures adopted, adequate to ensure the protection of personal data processed in compliance with the relevant regulatory provisions and practice.
Specifically, the Data Processor:
- identifies the persons authorised to process the data by giving them, in writing, detailed instructions on the operations permitted and the security measures to be taken in relation to the critical nature of the data processed;
- regularly supervises the timely application by the authorised persons of the requirements, including through periodic checks;
- guarantees the adoption of the different authorisation profiles of the persons in charge, so as to limit access to only the data necessary for the processing operations permitted with respect to the tasks performed;
- periodically verifies the existence of the conditions for the retention of the authorisation profiles of all the persons in charge, promptly modifying said profile where necessary (e.g. change of job);
- takes care of the training and professional updating of the authorised persons working under its responsibility regarding the legal and regulatory provisions on the protection of personal data.
The Data Processor, upon request, sends to the Data Controller, by certified email, the list of names with specific evidence of the relative tasks of the subjects authorised to process personal data carried out on its behalf and within the scope of the Agreement.
ART. 8 - DATA PROTECTION OFFICER
The Data Processor, pursuant to Article 37 et seq. of the GDPR, has appointed a Data Protection Officer whose contact details are: privacy@cyberguru.it.
ART. 9 - RIGHTS OF DATA SUBJECTS
Given that the exercise of the rights granted to the data subject pursuant to Articles 15 et seq. of the GDPR will be managed directly by the Data Controller, the Data Processor is available to collaborate with the Data Controller by providing it with all the information necessary to satisfy any requests received in this regard.
The Data Processor undertakes to assist the Data Controller with appropriate technical and organisational measures in order to fulfil the Data Controller’s obligation to comply with requests to exercise the rights of the Data Subject.
In particular, the Data Processor must notify the Data Controller, without delay and in any case no later than 72 hours from receipt, of any requests received and made by the Data Subjects by virtue of the rights provided for by current legislation (e.g. right of access, etc.) and to provide the necessary information in order to allow the Data Controller to process them within the terms established by the legislation.
ART. 10 - DATA PROCESSING REGISTER
The Data Processor – where this obligation also applies to the Data Processor itself based on the provisions of paragraph 5 of Article 30 of the GDPR – keeps a register (in written form and/or also in electronic format) of all the categories of activities related to the processing carried out on behalf of the Data Controller, containing:
- the name and contact details of the Data Processor and/or its Sub-Processors;
- the categories of processing carried out on behalf of the Data Controller;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of the third country or international organisation and, for transfers referred to in the second paragraph of Article 49 of the GDPR, the documentation of the appropriate safeguards adopted;
- where possible, a general description of the technical and organisational security measures referred to in Article 32, paragraph 1 of the GDPR.
The Data Processor also guarantees to make the aforementioned processing register available to the Data Controller and/or the Supervisory Authority upon request.
The Data Processor undertakes to assist the Data Controller in drawing up its own Register of processing activities, also indicating, to the extent of its competence, any changes to be made to the Register.
ART. 11 - SECURITY OF PERSONAL DATA
In carrying out the processing of Personal Data for the purpose of providing the Services, the Data Processor undertakes to adopt and maintain adequate security measures, both technical and organisational, to ensure a high level of protection of personal data and to prevent unlawful or unauthorised processing, accidental or unlawful destruction, damage, accidental loss, alteration and unauthorised disclosure of, or access to, Personal Data (‘Security Measures’).
The Data Processor may update and modify the above-mentioned Security Measures over time, it being understood that such updates and modifications may not result in a reduction in the overall security level of the Services.
The Data Processor will be required to update the measures when this is required by the specific processing activity and/or by the Legislation on the Protection of Personal Data, in compliance with the provisions of Article 32, paragraph 1 of the GDPR, i.e. ‘taking into account the state of the art and the costs of implementation, as well as the nature, subject, context and purposes of the processing, and the risk of varying degrees of likelihood and severity to the rights and freedoms of natural persons’.
The list of security measures implemented as of the date of execution of this designation deed is available upon request by the Data Controller.
ART. 12 - SYSTEM SECURITY AND ADMINISTRATION (SSA)
The Data Processor shall provide the Data Controller with the list of names of the ADS, by which is meant the natural persons who, on behalf of the Data Processor and in the performance of the tasks agreed and entrusted by the Data Controller, carry out the management and maintenance of processing facilities with which personal data are processed, including database management systems, complex software that processes the Data Controller’s data, the Data Controller’s local networks and security equipment, or in any case that may intervene on the security measures to protect the same data. With reference to the identified subjects, the Data Processor must communicate the tasks and operations carried out with respect to each one.
ART. 13 - TASKS, INSTRUCTIONS AND METHODS OF PROCESSING AND REQUIREMENTS OF PERSONAL DATA
The Data Processor has the power and duty to process the personal data indicated in compliance with current legislation, following both the instructions provided below and those that will be disclosed by the Data Controller through specific procedures and/or communications.
The Data Processor expressly declares that it will comply with the instructions set out below and undertakes to implement, within the scope of the tasks contractually entrusted to it, all the obligations prescribed by the relevant legislation on the protection of personal data in order to minimise the risks of destruction or loss, including accidental loss, of data, unauthorised access and processing that is not permitted or does not comply with the collection.
The Data Processor undertakes to:
- process directly, or through its employees, external collaborators, consultants, etc. – specifically designated and authorised to process – the personal data of the Data Controller, for the sole purposes related to the performance of the activities provided for in the Agreement, in a lawful and correct manner, as well as in full compliance with the provisions of the GDPR and these instructions;
- not disclose or make known to third parties – for any reason and at any time, present or future and even after the processing operations covered by the Agreement have ceased – the personal data received from the Data Controller that have come to its knowledge in connection with the performance of the service provided, unless previously authorised in writing by the Data Controller, without prejudice to any legal obligations or orders of the Judicial Authority and/or competent administrative authorities;
- cooperate with the Data Controller to ensure timely compliance with and adherence to data protection legislation;
- give immediate notice to the Data Controller in the event of termination of the agreed processing;
- not create new databases without the express authorisation of the Data Controller, except when this is strictly necessary for the performance of the obligations undertaken;
- in the event of receipt of specific requests made by the Italian Data Protection Authority or other authorities, assist the Data Controller to the extent of its competence;
- report any critical issues to the Data Controller that may jeopardise the security of the data, in order to allow appropriate interventions by the same;
- assist, upon request, the Data Controller and the subjects indicated by the latter in the drafting of the documentation necessary to comply with the sector regulations, with reference to the data processing carried out by the Data Processor in execution of the assigned activities;
- immediately inform the Data Controller if, in its opinion, an instruction provided by the same determines the violation of the Regulation or other applicable legislation on the protection of personal data and to refrain from any further processing activity. Any processing based on an instruction from the Data Controller shall in no case result in the liability of the Supplier
If the European Commission establishes, or a supervisory authority adopts, standard contractual clauses for the matters referred to in Article 28(3) and Article 28(4) of the Regulation pursuant to Article 28(7) or Article 28(8) of the Regulation (if applicable), and the Data Controller informs the Data Processor of its intention to include any element of these standard contractual clauses in this Agreement, the Data Processor will accept the changes requested by the Data Controller in order to include these elements in writing, where commercially reasonable.
ART. 14 - DATA BREACH
The Data Processor undertakes to notify the Data Controller, without undue delay from the time of knowledge, and in any case within 72 hours, with a communication to be sent to the Data Controller’s certified email address, of any personal data breach and/or security incidents relating to the processing entrusted to it, also providing:
- a description of the nature of the breach and an indication of the categories of personal data and the approximate number of data subjects involved;
- the name and contact details of the DPO or other point of contact able to provide further information;
- a description of the likely consequences;
- a description of the measures taken or available to remedy the breach or, at least, to mitigate its possible negative effects.
Without prejudice to the foregoing, the Data Processor undertakes to provide the Data Controller with all possible assistance in order to enable it to fulfil its obligations under Articles 33 - 34 of the GDPR.
Once the reasons for the breach have been defined, the Data Processor, in agreement with the Data Controller/or other person indicated by the latter, upon request, will take action to implement as soon as possible all the physical and/or logical and/or organisational security measures aimed at stemming the occurrence of a new breach of the same kind as the one that occurred, in this regard also making use of the work of sub-suppliers.
ART. 15 - IMPACT ASSESSMENT AND PRIOR CONSULTATION
With reference to Articles 35 and 36 of the GDPR, the Data Processor undertakes, upon request, to assist the Data Controller in the activities necessary to fulfil the obligations set out in the aforementioned articles, on the basis of the information in its possession, by reason of the processing carried out as Data Processor, including information relating to any processing carried out by the Sub-Processors.
ART. 16 - TRANSFER OF PERSONAL DATA
The Data Processor undertakes to limit the areas of circulation and processing of personal data (e.g., storage, archiving, storage of data on its servers) to countries belonging to the European Union, with the express prohibition of transferring them to non-EU countries that do not guarantee (or in the absence of) an adequate level of protection, or, in the absence of protection tools provided for by EU Regulation 2016/679 – CHAPTER V.
ART. 17 - AUDIT ACTIVITIES
The Data Processor undertakes to make available to the Data Controller all the information necessary to demonstrate compliance with the security obligations described in this document and, in general, compliance with the obligations assumed under this deed and the GDPR, allowing and, upon request, contributing to the audit activities, including inspections, carried out by the Data Controller by another person appointed by it.
If the Data Controller detects conduct that differs from the provisions of the relevant legislation as well as the provisions contained in the provisions of the Italian Data Protection Authority, it will notify the Data Processor, without this affecting the autonomy of the Data Processor’s business activity or being qualified as interference in its activity.
The checks and any inspections referred to in the previous paragraphs of this article must be agreed between the Company and the Supplier with a notice of at least 15 working days before the date of verification/inspection by means of communications to the notification emails.
Prior to the audit/inspection, the Parties shall agree on the subject matter, timing and duration of the audit/inspection, it being understood that the audit/inspection shall have a maximum duration of 2 consecutive working days and may be performed only once per year of the duration of the Agreement. If, at the request of the Company, the audit/inspection lasts for a period exceeding 2 consecutive working days or the Company requests more than 1 audit/inspection for each contractual year, the Company undertakes to reimburse the Supplier for all excess costs/expenses.
The Company shall promptly provide the Supplier with a written report of a confidential nature containing a summary of the subject matter and results of the audit/inspection. The Supplier has the right to use this report and the information contained therein at its own discretion.
In the event of an audit/inspection, whether the Company carries out this activity directly or entrusts it to auditors or consultants, the Company undertakes to keep all information acquired during the inspection or found in the documentation confidential and not to communicate and/or disseminate such information/documents to third parties.
ART. 18 - ADDITIONAL INSTRUCTIONS
The Data Processor shall promptly notify the Data Controller of any change in the organisational or ownership structure that may occur after the assignment of the task, so that the Data Controller can ascertain the possible lack of the requirements provided for by current legislation or the lack of sufficient guarantees to implement adequate technical and organisational measures to ensure the correct processing of the data covered by this appointment.
The Data Processor shall inform the Data Controller of any deficiencies, anomalous or emergency situations detected in the context of the service provided – in particular where this may concern the processing of personal data and the security measures adopted by the Data Processor – and of any other relevant episode or fact that occurs and that in any case concerns the application of the GDPR (e.g. requests from the Italian Data Protection Authority, the outcome of inspections carried out by the Authorities, etc.) or of national legislation, even if applicable.
ART. 19 - CODES OF CONDUCT AND CERTIFICATIONS
The Data Processor undertakes to notify the Data Controller of adherence to codes of conduct approved pursuant to Article 40 of the GDPR and/or the obtaining of certifications that impact on the services offered to the Data Controller, including those governed by Article 42 of the GDPR.
ART. 20 - PROCESSOR LIABILITY AND RESPONSIBILITIES
The Data Controller, having given the aforementioned instructions and without prejudice to the tasks identified above, reserves the right, within the scope of its role, to give in writing any further instructions that may be necessary for the correct and compliant performance of the data processing activities related to the agreement in force between the Parties, also to complete and supplement what has been defined above.
The Data Processor hereby declares that it shall indemnify and hold harmless the Data Controller from any damage, burden, expense and consequence that may arise to the Data Controller as a result of the breach, by the Data Processor or its Sub-Processors, of the commitments relating to compliance with the rules on the protection of personal data or the instructions contained in the relevant deeds of appointment, also as a result of conduct attributable to their employees, representatives, collaborators in any capacity.
ART. 21 - RESPONSIBILITIES OF THE DATA CONTROLLER
The Data Controller hereby declares that it shall indemnify and hold harmless the Data Processor from any damage, burden, expense and consequence that may arise to the Data Processor as a result of instructions, indications and/or requests by the Data Controller that violate the regulatory provisions and/or practices in force regarding the protection of personal data.
Automatic Translation Notice
This DPA is drafted in Italian and in English. Both versions are considered official and have equal legal value. Any versions in languages other than Italian and English, made available through automatic translation tools (including those integrated in digital platforms), are not considered official versions and have no legal value. Such translations are provided for informational purposes only.