Data Processing Agreement
This Data Processing Agreement (“Agreement”) is entered into by and between
you, as the Controller and
Twproject s.r.l.
Via Don Giulio Facibeni, 8A
50141, Florence
Italy
as the Processor.
1. Definitions
1.1. In addition to what is otherwise expressly defined herein, the following terms, with capital letter, shall have the meaning attributed thereto in this article:
- “Personal Data” means any information concerning the Data Subject (as defined hereinafter).
- “Personal Data Protection Authority” means the Italian Personal Data Protection Authority.
- “GDPR” means the Regulation (EU) 2016/679 (“GDPR”).
- “Designated Persons” means any individual authorized and instructed to perform Personal Data processing activities under the authority of the Data Processor and/or its Data Subprocessors, if any (as defined hereinafter).
- “Special Categories of Data” means Personal Data revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, as well as genetic data, biometric data having the purpose to uniquely identify an individual, data concerning health or sex life of the Data Subjects (as defined hereinafter).
- “Data Subjects” means the individuals identified or identifiable to whom Personal Data is referred (an individual who can be identified, directly or indirectly, with particular reference to any identification data like name, ID number);
- “Processing” means any operation or set of operations, made with or without the assistance of automated processes and applied to Personal Data or sets of Personal Data, such as collection, registration, organization, retention, adaptation or modification, retrieval, consultation, use, communication through transmission, dissemination or any other form of disclosure, comparison or interconnection, restriction, erasure or destruction;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise processed.
- “Sub-processor” means a legal person, sole proprietorship or self-employed professional appointed by the Data Processor to carry out Personal Data Processing activities on behalf of the Data Controller;
1.2. The singular terms used herein shall refer also to the plural and vice versa.
2. Purpose of the appointment as data processor
2.1. Twproject undertakes to act as Data Processor for the purposes specified in the following Articles in accordance with the personal data protection legislation applicable from time to time as well as with the terms and instructions established hereunder.
3. Categories of Personal Data being Processed
3.1. For the performance of the Agreement and for the purposes of this Deed, the Data Processor shall solely process the following categories of Personal Data:
- The Personal Data entered by the User with defined permission, i.e. name, last name, personal and/or company email, where applicable;
- All the Personal Data contained and/or retrievable from the User Database, including: the personal and contact data of the resources allocated to single projects/activities, names and contact data of the clients of the Data Controller, names and contact data of the clients of the suppliers of the Data Controller and all other contents, of any kind and format, uploaded, entered, saved, managed, processed, stored, developed by the Client on the Platform and through the Software.
3.2. Without prejudice to the provisions of the following Article 11, subject to a prior written request by the Data Controller, the Data Processor undertakes to update, change, correct or erase the processed Personal Data in the shortest time possible and, in any case, within 15 (fifteen) days.
4. Categories of Data Subjects
4.1. The Personal Data processed by the Data Processor specified in the foregoing Article 3 is exclusively referable to the following categories of Data Subjects:
- Twproject users (as better identified and defined in the Agreement);
- any other third party subjects the data and/or information of which are contained in and/or retrievable from the User Database.
5. Data Processor’s Obligations
5.1. The Data Processor shall perform the obligations envisaged under the Agreement and hereunder. More specifically, the Data Processor shall:
- Accurately follow the Data Controller’s instructions and make solely the Personal Data Processing operations agreed with the Data Controller and indicated by the latter, and strictly necessary to perform the contract;
- Taking into account the nature, object, context, purposes of the Processing, as well as any risk to the rights and freedom of the Data Subjects, adopt the appropriate technical and organizational measures to guarantee a level of security adequate to the risk and, in any case, the integrity, the exactness of the Personal Data processed and the lawfulness of the Processing. In particular, in order to guarantee:
  - the capability to promptly restore the availability of Personal Data as well as the access to the same, in case of any physical or technical incident;
  - the capability to permanently ensure the confidentiality, integrity, availability and resilience of Processing systems and services;
  - a procedure to regularly test, verify and assess the effectiveness of the technical and organizational measures adopted in order to guarantee the Processing security; and
  - other technical and organizational measures aimed at preventing any risk of destruction, loss or alteration of Personal Data, access to Personal Data by unauthorized subjects, use of Personal Data not compliant with the declared purposes of collection and/or any unauthorized use of the Data Used.
- Guarantee to the Data Controller the possibility to follow up the requests for the exercise of the rights of Data Subjects, including, by way of example without limitation, the right to access the Personal Data concerning them, the right to rectification, the right to erasure (or right to be forgotten), the right to restriction of processing, the right to portability, the right to opposition, the right not to be subject to decisions based on an automated decision-making process;
- Identify on a name basis in writing the Designated Persons, procure that the same adhere to the instructions provided by the Data Controller and also guarantee that – with reference to Personal Data processed by the Data Processor on behalf of the Data Controller – the Designated Persons are bound by the confidentiality obligations established under the Agreement, with regard to Confidential Information (as defined under the Agreement);
- Make available to the Data Controller all the information requested by the same to prove the fulfillment of the obligations envisaged by the personal data protection legislation applicable from time to time;
- Based on the information available to it and following reception of a written request by the Data Controller, assist the latter in performing the obligations envisaged by the applicable personal data protection legislation, with special reference to the implementation of technical and organizational measures, to the performance of the activities required as a result of a Personal Data Breach, as well as to the execution of an impact valuation on Personal Data protection;
- Contribute to the review activities, including any inspections, made by the Data Controller and/or by any other subject authorized by the same.
6. Record of processing activities
6.1. The Data Processor shall create and prepare a record of processing activities carried out on behalf of the Data Controller pursuant to Article 30, Paragraph 2, of the GDPR (the “Record”).
6.2. The Data Processor undertakes to maintain the Record separate from any other registers kept or, alternatively, to report in its record of Processing activities any Processing made on behalf of the Data Controller separately from any other Processing made as data controller or data processor.
6.3. Upon request by the Personal Data Protection Authority, the Data Processor shall promptly provide a copy of such Record.
7. Processing of Personal Data to Third Countries
7.1. The Data Processor shall carry out the data Processing by using servers located within the European Union, avoiding any transfer to Non-EU third countries.
7.2. Subject to the above, the transfer of Personal Data processed by the Data Processor on behalf of the Data Controller is allowed in case of a European Commission adequacy decision.
8. Subprocessors
The Controller acknowledges and accepts that the Processor may engage Subprocessors to carry out processing activities under this Agreement. The currently engaged Subprocessors are hereby deemed as accepted by the Controller.
A list of Subprocessors can be requested by using the ticketing system or the email address support@twproject.com.
The Processor commits to notify the Controller in advance about any planned change of Subprocessors and to collect the Controller’s approval before performing such change. The Processor shall in any case impose on Subprocessors the same data protection obligations as set out in this Agreement.
9. Purposes of Processing by Data Processor
9.1. The Data Processor, within the limits envisaged under the Agreement and hereunder, shall process Personal Data on behalf of the Data Controller for the following purposes:
- Performance of SaaS Services, i.e. upload, download, organization, management, classification, creation, modification, saving data, contents and attachments of files; share of such data and, generally, of all that is contained in the User Database with other Users based on their Authorisation Levels; and
- Retention and storage of the Client Database;
- Sending to the Client technical-operational and service communications, regarding updates, changes or technical adjustments of the Software.
9.2. It is hereby agreed that personal data associated with the purposes as per the foregoing Paragraph 9.1 shall be visible exclusively to the Client that processes it as data controller; Twproject shall process such data exclusively on behalf of the Client and only storing and recording it to allow the full use of the SaaS Services by the Client.
10. Term of the Deed
10.1. This Deed shall be effective starting from the date of its stipulation (service activation) and for the entire Term of the Agreement (as defined thereunder), subject to revocation by the Data Controller pursuant to Article 11 below.
10.2. Upon expiration, termination of or withdrawal from the Agreement for any reason whatsoever, the Deed shall automatically terminate its effects, without any notice.
10.3. Upon expiration of the Agreement or in case of revocation as per Article 11 below, the Data Processor shall return to the Data Controller all the materials – of any kind whatsoever and in any form – containing Personal Data to which it may have had access and that have been delivered to the same in performing the Agreement. The Data Processor shall also erase any Personal Data processed on behalf of the Data Controller from its files and/or folders, and the relevant copies in digital and/or paper format, except for all Personal Data the retention of which is requested by the law applicable from time to time.
11. Data Controller’s rights and obligations
11.1. The Data Controller may request information from the Data Processor and make reviews for the purpose of assessing the technical, organizational and security measures adopted by the Data Processor, in order to verify that the Data Processor acts in compliance with the obligations envisaged hereunder and under the personal data protection legislation applicable from time to time.
11.2. If, following the audit activities as per the foregoing Paragraph 11.1, the Data Controller believes on the basis of founded written reasons previously notified to the Data Processor that the warranties mentioned in are no longer applicable, and/or ascertains any breach by the Data Processor of the obligations envisaged hereunder, the Data Controller may revoke the Data Processor mandate with immediate effect.
12. Personal Data Breach
12.1. In the event of a Breach of the Personal Data processed by the Data Processor on behalf of the Data Controller, also as a consequence of the conduct of any Sub-processors, the Data Processor undertakes to:
- Inform the Data Controller without any unjustified delay; and
- Prepare and update a record describing the type of any Personal Data Breach occurred, the Data Subjects involved, the possible consequences as well as the security measures implemented, also in agreement with the Data Controller, in order to limit the negative effects of the event and restore the situation existing before any such breach.
13. Liability
13.1. The Data Processor shall be liable to the Data Controller – also for any fact related to its Designated Persons – for any delay and/or inexact or failed performance of the obligations hereof.
13.2. The Data Processor shall also be exclusively liable for any breach of the personal data protection legislation applicable from time to time, that may occur for any reason attributable to the same and as a consequence of the non-compliance with the instructions provided by the Data Controller in this Deed and in the Agreement, pursuant to and within the limits envisaged by the applicable law.
13.3. In the event that the Data Processor determines the purposes and means of Personal Data Processing, in breach of the obligations envisaged hereunder, the same will be considered a data controller.
14. Applicable law and competent court
14.1 This Deed is governed by the Italian laws.
14.2 Any dispute arising in relation to the performance, interpretation and/or application hereof shall be submitted to the court of Florence, having exclusive jurisdiction.
Latest update: November 25, 2024