Data processing addendum
This data processing addendum (“DPA”) has the purpose of regulating the data protection relationship in which Exporium acts as Data Processor.
Any entity or person who uses the services provided by Exporium S.r.l. in its capacity as Data Controller (hereinafter also "Controller"), and for whom Exporium S.r.l. acts as Data Processor (hereinafter also "Processor"), must consider that:
- Article 28 of the EU Regulation n. 2016/679, also known as GDPR, allows data controllers to appoint a natural or legal person, public administration or any other entity or association to act as data processor in order to process personal data on the data controller’s behalf for several purposes;
- Exporium is a platform that allows the creation of buyer and seller profiles for companies active in the food chain; for this purpose, companies register and operate on the platform for commercial exchanges;
- all Personal Data processed by Exporium will be processed in accordance with Article 28 GDPR and all applicable European Union and European Economic Area (“EEA”) laws and regulations (“Data Protection Legislation”);
- the Parties, by this document, intend to regulate the conditions and methods of processing of personal data for the processing purposes for which the data are transferred;
- Exporium, in its capacity as Data Processor, by this document declares and guarantees that it possesses the appropriate skills and technical knowledge in relation to the processing activities delegated to it by the Data Controller;
- this DPA shall be in force for the duration of the contract and, in any case, during the execution of the service offered by Exporium, and it will expire upon completion of the service, subject to the provisions at paragraph 8 on the data return and deletion.
Terms and Conditions
1. Obligations of the Data Controller
The Controller undertakes to give instructions in accordance with the Data Protection Legislation (GDPR and the Personal Data Protection Code), to use the services provided by the Processor in a manner that complies with the same legislation, and to transfer to the Processor only personal data that have been collected in accordance with the Data Protection Legislation.
2. Obligations of the Data Processor
The Processor agrees to:
- ensure the confidentiality of any personal data which comes to its knowledge during the performance of the service;
- process personal data only for the purposes described in the working agreements, unless required to do so by Union or Member State law to which the Processor is subject (in this last case, the Processor will inform the Controller in a timely manner of the existence of this obligation, unless prohibited by that law on important grounds of public interest);
- adopt preventive security measures aimed at eliminating or at least reducing to a minimum any risk of destruction or loss, even accidental, of processed personal data, unauthorized access or unauthorized or non-compliant processing and adopt security procedures that guarantee the confidentiality and integrity of personal data, in accordance with article 32 of the GDPR. These measures include, among others: (i) pseudonymisation and encryption of personal data; (ii) the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access of personal data in a timely manner in the event of a physical or technical incident; (iv) a procedure to regularly test, verify and assess the effectiveness of the technical and organisational measures to ensure the security of the processing;
- assist the Controller in ensuring its compliance with its obligations under articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Processor;
- properly train its personnel on current legislation regarding the processing of personal data. The Processor must ensure that (i) the instructions given are duly observed, (ii) the authorised personnel receive adequate training in data protection matters, and (iii) the authorised personnel are under an appropriate obligation of confidentiality;
- allow for and contribute to audits of the Processor’s systems and locations used to process Personal Data, conducted by the Controller, its auditors or authorised agents. The Controller shall inform the Processor in advance. Any information gathered on the Processor’s activities will be subject to confidentiality, except where mandatory applicable laws or binding orders from law enforcement authorities require information to be disclosed. The costs incurred for the audit shall be equally shared;
- maintain written records of all types of processing activities carried out on behalf of the Controller in accordance with article 30 of the GDPR;
- notify the Controller, unless legally prohibited from doing so, without undue delay and in any case no later than 48 hours after having become aware of any contact, communication or correspondence it may receive from the relevant Supervisory Authority, courts or law enforcement authorities, in relation to the processing of Personal Data;
- immediately inform the Controller when, in the Processor’s opinion, an instruction received from the Data Controller violates the GDPR or other applicable national or European Union laws or regulations related to data protection;
- promptly communicate to and assist the Controller with any request for access, rectification, integration or deletion of personal data submitted by the Data Subject. The Data Processor shall not respond to that request itself, unless and until it has been authorised to do so by the Controller;
- ensure the ability to promptly restore availability and access to personal data in the event of a physical or technical incident through disaster recovery and business continuity plans, a summary of which will be made available to the Data Controller upon request.
3. Sub-processors
The Controller authorises Exporium to use sub-processors, including all the Exporium Affiliates from time to time involved in the processing; the Controller always retains the right to object as provided below.
In using any Sub-Processor, Exporium will ensure through a written agreement that:
- the Sub-processor accesses and uses data only to the extent necessary to perform the obligations subcontracted to it, in accordance with the agreement (including this DPA) and the provisions of Section 5 Transfers;
- if the GDPR applies to the processing of personal data, the data protection obligations set forth in Article 28(3) GDPR, as described in this DPA, are imposed on Sub-processors;
- Exporium shall remain fully responsible for all subcontracted obligations and for the Sub-processors' actions and omissions.
The Controller may always object to changes and to the appointment of new third parties as Sub-processors. Exporium will, at least 30 days before the new Sub-processor starts to process any data, notify the Controller of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform).
The Controller may, within 90 days of such notification, object by terminating the agreement with immediate effect by notice to Exporium.
4. Privacy by Design and Privacy by Default
In the event that new products, services or software solutions are developed by the Processor in order to process data for the Data Controller, the Processor commits to adopt appropriate technical and organisational measures. These measures are aimed at ensuring that, from the very beginning of the process, the GDPR principles are taken into account and implemented effectively (in accordance with Article 25 of the GDPR). The development process must, by default, be set to ensure that only the personal data needed for each purpose are processed.
5. Transfers
Exporium processes and retains personal data within the EEA. In the event of transfers of personal data to countries outside the EEA, the Processor shall:
- adopt the guarantees required by the GDPR,
- provide information about the destination country and the legal basis that allows such transfer,
- notify the Controller of the intended transfer in order to give the Controller the opportunity to object to the transfer.
Exporium agrees to maintain sufficient financial and personnel resources to fulfil the obligations agreed in this DPA and to indemnify and hold the Controller harmless from costs, damages, expenses, financial losses and third party claims resulting from the violation of the data protection legislation or of this DPA by the Processor, by a Sub-processor or by a person or entity on which the Processor relies to conduct its activities.
The Controller will be entitled to withdraw from the contract at no cost and without penalties if the Processor breaches this DPA, except when the latter adopts the corrective measures required by the Controller within 15 (fifteen) days from receipt of the request.
7. Return and Deletion of Data
The Processor agrees to return or delete any copy of personal data in its possession or in that of sub-processors:
- without undue delay and no later than five (5) business days at the Controller’s request, at no cost to the Controller;
- no later than ten (10) business days from the expiration or earlier termination of this DPA, unless otherwise requested by Controller in writing.
In each of the cases the Processor must provide a statement to Controller certifying the return or deletion of personal data, or both, as applicable.
In the event that the obligations referred to above are subject to mandatory laws or binding orders from competent judicial, law enforcement or regulatory authorities that prevent compliance with these obligations, the Processor must notify the Controller, providing adequate information regarding any legal obligation to retain personal data, without undue delay and no later than five (5) days from receipt of the Controller’s request or from the expiration or earlier termination of this DPA.
If the Processor retains personal data in order to comply with mandatory laws or binding orders, or to keep regular computer back-up operations in compliance with the recovery and business continuity protocols, the Processor must not process any personal data for any purpose other than to provide the service. Moreover, in the cases mentioned above, the Processor will remain bound to this DPA (even after its expiration or earlier termination) regarding any personal data so retained.
8. In case of Data Breach
The Processor agrees to:
- notify the Controller of any Data Breach as soon as possible, and in any event no later than 36 (thirty-six) hours after the Data Processor becomes aware of the Data Breach, at the following address: and provide the Controller with all the information requested;
- cooperate with the Controller to investigate any Data Breach;
- take appropriate actions to contain and mitigate any Data Breach, and fully cooperate with the Controller in order to develop and implement a plan to address the personal Data Breach;
- where the data protection legislation requires that the personal Data Breach be notified to the relevant Supervisory Authorities and to the parties involved, follow and comply with any instructions from the Controller;
- refrain from issuing any notice and/or announcement on the Data Breach unless instructed to do so by the Controller;
- accept that the Controller will determine the measures to be taken to comply with applicable data protection legislation and to address any risk.
9. Cloud Computing
If the Processor or any Sub-processor uses cloud platforms, the Processor agrees to:
- comply with the EDPB or Article 29 WP guidelines;
- ensure the isolation of the personal data from those processed on behalf of other customers of the Processor.
10. System Administrators
If applicable, in order to provide the Service, the Data Processor is required to ensure the timely adoption of the measures referred to in the decision of the Italian Data Protection Authority “Measures and arrangements applying to the controllers of processing operations performed with the help of electronic tools in view of committing the task of system administrator”, of 27 November 2008 (as amended). Specifically, the Processor shall (i) appoint system administrators in written form on an individual basis, listing in detail the scope of the activities the given administrator is allowed to carry out based on the relevant authorisation profile, (ii) prepare and keep the list of system administrators updated, and (iii) provide the list of system administrators to the Controller in a timely manner where requested.