MAIN AGREEMENT FOR THE PROCESSING OF PERSONAL DATA – MASTER DATA PROCESSING AGREEMENT
(pursuant to art. 28 of EU Regulation 2016/679)
BETWEEN
This agreement for the protection of personal data is
concluded between Nutribook s.r.l.s.
with registered office in via Vittoria 23G, San Lazzaro di Savena (BO) Italy,
VAT number I03967501200 (hereinafter referred to as “Nutribook”
or the “Supplier”)
AND
the person indicated as the Customer in the contract referred to in the Terms and Conditions (hereinafter the "Customer")
jointly, the "Parties"
GIVEN THAT
a) The Customer has signed one or more contracts with
the Supplier relating to the use of services intended for the management of the
activity of Professionals who carry out activities in the nutrition sector
offered by the Supplier itself (hereinafter the "Contract");
b) For the purpose of the Customer's use of the services offered by the Supplier, the latter processes the personal data of the Interested Parties to whom the data refers, including those relating to Patients, entered into the platform and/or communicated to Nutribook by the Customer and/or by the Patient(s);
c) The Customer therefore intends to appoint Nutribook as the external Data Processor of the data processed pursuant to the previous point of the premises, and the Parties intend to regulate in this "main agreement for the processing of personal data - Master Data Processing Agreement" (hereinafter "MDPA" or "Agreement") the conditions and methods of processing of personal data carried out by the Supplier within the scope of the Contract and the provision of the Services, and the responsibilities connected to the processing itself, including the commitment undertaken by the Supplier as external data processor of personal data pursuant to art. 28 of the European General Data Protection Regulation of 27 April 2016 no. 679 (hereinafter "GDPR").
Given all of the above, the Parties agree as follows:
1. PREMISES AND ATTACHMENTS
1.1. The premises, the Attachments and the Terms and
Conditions on the website www.nutribook.app/gdpr constitute an integral part of
this Agreement.
2. DEFINITIONS
2.1. For the purposes of this Agreement:
- for "Contract": the agreement referred to in the Terms and Conditions published on the website https://www.nutribook.app/termini in relation to the use of the Services offered by the supplier Nutribook s.r.l.s.;
- for "Professional": the Nutrition
Doctor, the Nutritional Biologist, the Dietitian, the Dietitian and in any case
the Nutrition Professional authorized to carry out the relevant activity;
- for "Customer": the Professional,
the professional partnership or the professional association that accesses the
Platform and uses the services upon payment of the relevant fee and the User of
the Platform who, by accessing the same, even free of charge, through the
related registration procedure, proceeds to create the Account and uses the
services offered by Nutribook as a Professional;
- for “Patient”: the Professional's client;
- for "Personal Data": any information relating to an identified or "identifiable" natural person, the latter being one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more characteristic elements of their physical, physiological, genetic, mental or economic identity;
- for "Processing of personal data": any operation or set of operations, whether or not automated, applied to personal data or sets of personal data, such as the collection, transmission, storage, reception, processing, recording, organisation, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, erasure or destruction;
- for "Data Controller": the natural
or legal person, public authority, service or other body which, individually or
together with others, determines the purposes and means of the processing of
personal data;
- for "Data Processor": the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller;
- for "Adequacy Decision": a decision of the European Commission on the basis of Article 45 of the GDPR regarding whether the laws of a certain country guarantee an adequate level of protection, as required by the Legislation on the Protection of Personal Data;
- for "Notification email": the email address provided by the Customer, upon subscribing to the Service or provided through another official channel to the Supplier, at which the Customer intends to receive notifications from the Supplier;
- for "Instructions": the written instructions given by the Data Controller in this Agreement and, possibly, in the Contract;
- for "Legislation regarding the Protection of Personal Data": the GDPR (EU Reg. 679/2016), Legislative Decree no. 196/2003 and subsequent amendments, and any further implementing rules and/or regulations issued pursuant to the GDPR, in any case in force in Italy regarding the protection of Personal Data, as well as any binding provision issued by the competent supervisory authorities regarding the protection of Personal Data (e.g. the Garante for the protection of personal data) that retains binding effectiveness (including the requirements of the General Authorizations for the processing of sensitive and judicial data, if applicable and where they retain their binding effectiveness after 25 May 2018);
- for "Supplier Personnel": the
Supplier's employees, consultants and other personnel, with the exclusion of
the personnel of the Additional Data Processors and that relating to other
subjects who process the data as independent Data Controllers;
- for “Request”: access request of an
interested party, a request to delete or correct Personal Data, or a request to
exercise one of the other rights provided by the GDPR;
- for "Additional Data Processor":
any subcontractor to whom the Supplier has subcontracted any of the
contractually assumed obligations and who, in fulfilling such obligations, may
have to collect, access, receive, store or otherwise process Personal Data;
- for "Service(s)": the service or services which are the subject of the Contract(s) signed between the Customer and the Supplier;
- for "End User": the possible end user of the Service, acting as Data Controller;
- for "Personal Data Security Breach":
the security breach which accidentally or unlawfully leads to the destruction,
loss, modification, unauthorized disclosure or access to Personal Data
occurring on systems managed by the Supplier or in any case over which the
Supplier has control.
3. ROLE OF THE PARTIES
3.1. The Parties recognize and agree that, except in
particular cases, the Supplier acts as the external data processor in relation
to the Personal Data and the Customer/User acts as the Data Controller of the
Personal Data.
3.2. If the Customer carries out processing operations on behalf of another Data Controller, the Customer may act as Data Processor. In this case, the Customer guarantees that the instructions given and the activities undertaken in relation to the processing of Personal Data, including the appointment by the Customer of the Supplier as further Data Processor resulting from the stipulation of this Agreement, have been authorized by the relevant Data Controller, and undertakes to exhibit and provide to the Supplier, upon its simple written request, the documentation certifying the above.
3.3. Each of the Parties undertakes to comply, in the processing of Personal Data, with its respective obligations deriving from the applicable Personal Data Protection Legislation.
4. PROCESSING OF PERSONAL DATA
4.1. With the stipulation of this Agreement, the Customer appoints Nutribook s.r.l.s. as external data processor in compliance with all the rules set out in EU Reg. no. 679/2016 and subsequent amendments, and entrusts the Supplier with the task of processing the Personal Data of the Interested Parties entered by the latter or by the Customer in the Platform or otherwise communicated to the Supplier for the purpose of providing the Services, as better detailed in the Contract and in this Agreement.
4.2. The processing of data by the Supplier concerns all personal data referred to in paragraph 4.1, such as, by way of example, identification data, nutritional data, contact data, financial data, commercial data, log data in systems and applications, and data communicated spontaneously by interested parties; the processing takes place to the extent that it is necessary for the execution of the contract by the Supplier, on the basis of the Contract referred to in the Terms and Conditions relating to the Nutribook platform.
4.3. The legal bases of the processing are, depending on the purposes pursued by the Data Controller, the following:
(i) art. 6, first paragraph, letter b), EU Reg. no. 679/2016 ("processing is necessary for the execution of a contract to which the interested party is a party or for the execution of pre-contractual measures adopted at the request of the interested party");
(ii) art. 6, first paragraph, letter f) ("processing is necessary for the pursuit of the legitimate interests of the data controller or of third parties, provided that the interests or fundamental rights and freedoms of the interested party which require protection of personal data do not prevail, in particular if the interested party is a minor");
(iii) art. 6, first paragraph, letter e) (the "consent of the interested party" referred to in art. 9, second paragraph, letter a), EU Reg. no. 679/2016);
(iv) art. 6, first paragraph, letter c), EU Reg. no. 679/2016 ("the processing is necessary to fulfil a legal obligation to which the data controller is subject").
4.4. The Customer acknowledges that the service is intended for the management of patients and of the activities of professionals in the nutrition sector, and could also include data of a particular nature referred to in art. 9 GDPR, including data suitable for revealing the state of health; in this case the Customer assumes all responsibility for the processing of such data, as provided for in the following art. 13.
4.5. The Supplier undertakes to comply with the
Customer's Instructions, without prejudice to the fact that, if the latter
requests variations compared to the initial Instructions, the Supplier will
evaluate the feasibility aspects and agree with the Customer on the
aforementioned variations and related costs.
4.6. In the cases referred to in art. 3.2, and in the event of Customer requests involving the processing of Personal Data which are, in the opinion of the Supplier, in breach of the Personal Data Protection Legislation, the Supplier is authorized to refrain from carrying out such Instructions and will promptly inform the Customer. In such cases the Customer may evaluate any changes to the Instructions given or contact the Supervisory Authority to verify the lawfulness of the requests made.
5. LIMITATIONS ON THE USE OF PERSONAL DATA
5.1. When processing Personal Data for the purposes of
providing the Services, the Supplier undertakes to process Personal Data:
5.1.1. only to the extent, and in the manner, necessary to provide the Services or to appropriately fulfill its obligations under the Contract and this Agreement or imposed by law or by a competent supervisory or control body. In this last circumstance the Supplier will inform the Customer (except where this is prohibited by law for reasons of public interest) by means of a communication sent to the contact details indicated in art. 18 of this Agreement;
5.1.2. in accordance with the Customer Instructions.
5.2. The Supplier's personnel who access or otherwise process Personal Data are responsible for processing such data on the basis of appropriate authorizations and have received the necessary training, also regarding the processing of personal data. Such personnel are also bound by confidentiality obligations and must comply with the confidentiality and personal data protection policies adopted by the Supplier.
6. RELIANCE ON THIRD PARTIES
6.1. In relation to the entrustment of Personal Data
processing operations to Additional Data Processors, the Parties agree as
follows:
6.1.1. The Customer expressly agrees that some
Personal Data processing operations, related to the provision of services, are
entrusted by the Supplier to third parties, who offer guarantees of data
confidentiality.
6.1.2. The Customer expressly consents to the assignment of data center services to Google, through the Cloud SaaS service, and declares to be aware that the servers are located at the Google data center - Google Cloud Platform within the territory of the European Union, as indicated by Google (for further details the Parties refer to the following link address: https://cloud.google.com/security/compliance/).
6.2. In cases where the Supplier uses Additional Data
Processors for the execution of specific Personal Data processing activities, the Supplier:
6.2.1. undertakes to make use of Additional Data
Processors who guarantee adequate technical and organizational measures and
guarantees that access to Personal Data, and the related processing, will be
carried out exclusively within the limits of what is necessary for the
provision of subcontracted services;
6.2.2. informs the Customer, at least 15 (fifteen) days before the start date of the Personal Data processing operations by the Additional Data Processor, of the reliance on the third party (as well as the identifying data of the third party, its location and, possibly, the location of the servers on which the data will be stored, if applicable, and the entrusted activities) by sending an e-mail to the contact address referred to in art. 18 of this Agreement or by other means deemed suitable by the Supplier. The Customer may object to the processing by the Additional Data Processor by communicating this opposition to the Supplier; the Supplier will then not use the Additional Data Processor, unless it is necessary for the provision of the services. The Customer may withdraw from the Contract within 15 (fifteen) days of receiving the communication, without prejudice to the obligation to pay the Supplier any amounts due on the date of termination of the Contract.
7. SUPPLIER SECURITY MEASURES
7.1. In carrying out the processing of Personal Data for the purposes of providing the Services, the Supplier undertakes to adopt adequate technical-organizational measures to avoid illicit or unauthorized processing, accidental or illicit destruction, damage, accidental loss, alteration and unauthorized disclosure of data, or access to Personal Data, as described in Annex 1 to this Agreement ("Security Measures").
7.2. Annex 1 to the Agreement contains data store
protection measures commensurate with the level of risks present with respect
to the Personal Data to enable the confidentiality, integrity, availability and
resilience of the Supplier's systems and Services, as well as measures to
enable timely restoration of access to Personal Data in the event of a Personal
Data Security Breach, and measures to test the effectiveness of such measures
over time.
7.3. The Customer acknowledges, recognizes and accepts that, taking into account the state of the art, the implementation costs, as well as the nature, scope, context and purposes of processing of Personal Data, the procedures and security criteria implemented by the Supplier guarantee a level of protection appropriate to the risk regarding the Personal Data.
7.4. The Supplier may update and modify the Security Measures indicated above over time, without prejudice to the fact that such updates and modifications may not lead to a reduction in the overall security level of the Services. The Customer can always contact the Supplier to request a specification of the security measures adopted.
7.5. The Customer acknowledges and accepts that the Supplier, taking into account the nature of the Personal Data and the information available to the Supplier, will assist the Customer in ensuring compliance with the security obligations referred to in articles 32-34 of the GDPR in the following ways:
(i) implementing and keeping the Security Measures updated in accordance with the provisions of the previous articles 7.2, 7.3, 7.4 and 7.5, and complying with the obligations set out in Article 9;
(ii) If the product allows integration with
third-party applications, the Supplier will not be responsible for the
application of the Security Measures relating to the third-party components or
the operating methods of the product deriving from the integration carried out
by the third parties.
8. CUSTOMER SECURITY MEASURES
8.1. Without prejudice to the Supplier's obligations referred to in the previous article, the Customer acknowledges and accepts that, in the use of the Services, it remains the Customer's exclusive responsibility to adopt adequate security measures in relation to the use of the Services, and declares to be aware of the conditions of use of the Platform, as provided for in the Contract.
8.2. To this end, the Customer undertakes to use the
Services and the Personal Data processing functions in such a way as to
guarantee a level of protection adequate to the actual risk.
8.3. The Customer also undertakes to adopt all
appropriate measures to protect the authentication credentials, systems and
devices used by the Customer or by users of the End User to access the
Services.
9. SECURITY BREACHES
9.1. If the Supplier becomes aware of a Personal Data Security Breach, it:
9.1.1. will inform the Customer without undue delay by means of a communication sent to the notification email;
9.1.2. will take reasonable measures to limit possible harm and secure the Personal Data;
9.1.3. will provide the Customer, as far as possible, with a description of the Personal Data Security Breach, including the measures taken to avoid or mitigate potential risks and the activities recommended by the Supplier to the Customer for managing the Security Breach;
9.1.4. will treat as confidential information, pursuant to the provisions of the Contract, any information relating to Security Breaches, the related documents, press releases and notices, and will not communicate such information to third parties without the prior written consent of the Data Controller, except in cases strictly necessary for the fulfillment of the Customer's obligations deriving from the Legislation regarding the Protection of Personal Data.
9.2. In the cases referred to in the previous point 6.3, it is the exclusive responsibility of the Customer to fulfill, in the cases provided for by the Legislation regarding the Processing of Personal Data, the obligations of notifying the Security Breach to third parties (to the End User, if the Customer is a Data Processor) and, if the Customer is the Data Controller, to the Supervisory Authority and the interested parties.
9.3. It is understood that the notification of a Security Breach or the adoption of measures aimed at managing a Security Breach does not constitute recognition of non-compliance or liability on the part of the Supplier in relation to said Security Breach.
9.4. The Customer must promptly notify the Supplier of any improper use of accounts or authentication credentials or any Security Breaches of which it has become aware regarding the Services.
9.5. The Supplier cannot be held responsible for any delay by the Customer in communicating any data breaches or improper use of the Accounts and/or Services, and the Customer expressly undertakes to indemnify and hold the Supplier harmless from any consequent damage, direct and/or indirect, or liability arising to third parties or to the Customer itself from the violation of this clause.
10. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)
10.1. The Supplier will not transfer Personal Data outside the EEA unless agreed with the Customer.
10.2. If, for the purposes of storage or processing of Personal Data by an Additional Data Processor, it is necessary to transfer Personal Data outside the EEA to a country which does not have an adequacy decision from the European Commission pursuant to art. 45 of the GDPR, the Supplier:
10.2.1. will ensure that the Additional Data Processor stipulates the standard contractual clauses provided for in European Commission Decision 2010/87/EU of 5 February 2010 for the transfer of personal data to data processors established in third countries (the "Standard Contractual Clauses"), or their equivalent, if modified over time. Copies of the Standard Contractual Clauses signed by the Supplier on behalf of the Customer will be made available to the Customer;
10.2.2. may propose to the Customer other methods of transferring Personal Data that comply with the provisions of the Personal Data Protection Legislation (e.g. Privacy Shield in the case of Additional Data Processors located in the United States and for which compliance can be verified through the official channels and registers, or intra-group transfers to an Additional Data Processor that is part of a corporate group which has obtained BCR approval for Data Processors).
10.3. In the cases referred to in the previous article 10.2.1, with this Agreement the Customer expressly mandates the Supplier to sign the Standard Contractual Clauses with the Additional Data Processors, and it is understood that the signing of the Standard Contractual Clauses by the Supplier with an Additional Data Processor must be understood as consent to the assignment of processing operations to that third party.
10.4. If the Data Controller is the End User, the Customer undertakes to inform the End User of this transfer and declares that the authorization to make use of the Additional Data Processor located outside the EEA is equivalent to the above mandate.
11. VERIFICATIONS AND CONTROLS
11.1. The Supplier will have the right to appoint independent professionals selected by the Supplier to carry out audits according to international standards and/or best practices, the results of which will be reported in specific reports ("Reports"). These Reports, if released, constitute confidential information of the Supplier and may be made available to the Customer to allow it to verify the Supplier's compliance with the security obligations set out in this Agreement.
12. COMPLIANCE ASSISTANCE
12.1. The Supplier will provide assistance to the
Customer and will cooperate in the ways indicated below in order to allow the
Customer to comply with the obligations established by the Legislation
regarding the Protection of Personal Data.
12.2. If the Supplier receives Requests or complaints from a Data Subject in relation to Personal Data, the Supplier will advise the Data Subject to contact the Customer or the End User, in the event that the latter is the Data Controller. In such cases the Supplier will promptly inform the Customer of receipt of the Request by sending a notification email and will provide the Customer with the information available to it together with a copy of the Request or complaint. It is understood that this cooperation activity will be carried out on an exceptional basis, as the management of relationships with the interested parties remains excluded from the Services, and it is the Customer's responsibility to manage any complaints directly and to ensure that the point of contact for the exercise of rights by the interested parties is either the Customer itself or the End User, if the latter is the Data Controller. It will be the responsibility of the Customer, or of the End User if it is the Data Controller, to follow up such Requests or complaints.
12.3. The Supplier will promptly inform the Customer,
except where this is prohibited by law, with a notification email of any
inspections or requests for information presented by supervisory authorities
and police forces with respect to profiles concerning the processing of
Personal Data.
12.4. If, for the purposes of processing the Requests
referred to in the previous points, the Customer needs to receive information
from the Supplier regarding the processing of Personal Data, the Supplier will
provide the necessary assistance to the extent reasonably possible, provided
that such requests are submitted with adequate notice.
12.5. The Supplier, taking into account the nature of
the Personal Data and the information available to it, will provide reasonable
assistance to the Customer in making useful information available to allow the
Customer to carry out impact assessments on the protection of Personal Data in
the cases provided for by law. In this case, the Supplier will make general
information available based on the Service, such as the information contained
in the Contract, in this Agreement and in Annex 1. Any personalized assistance
requests may be subject to the payment of a fee by the Customer. It is
understood that it is the exclusive responsibility and burden of the Customer,
or of the End User if Data Controller, to proceed with the impact assessment
based on the characteristics of the processing of Personal Data carried out by
the same in the context of the Services.
12.6. The Supplier undertakes to provide Services
based on the principles of minimization of processing (privacy by design &
by default), without prejudice to the fact that it is the exclusive
responsibility of the Customer, or of the End User, if Data Controller, to
ensure that the processing is then carried out concretely in compliance with
said principles and verify that the technical and organizational measures of a
Service satisfy the Company's compliance requirements, including the
requirements established by the Legislation regarding the protection of
personal data.
12.7. The Customer acknowledges that, in the event of
requests for portability of Personal Data made by the respective interested
parties, and only in relation to the Services that generate Personal Data
relevant for this purpose, the Supplier will provide assistance to the Customer
by making available the information necessary to extract the requested data in
a format compliant with the provisions of the Legislation on the Protection of
Personal Data.
13. CUSTOMER OBLIGATIONS AND LIMITATIONS
13.1. The Customer undertakes to give Instructions in
compliance with the legislation and to use the Services in a manner compliant
with the provisions of the Terms and Conditions (the Contract), with the
Legislation relating to the Protection of Personal Data and only to process
Personal Data that has been collected in compliance to the Legislation on the
Protection of Personal Data.
13.2. Any processing of Personal Data referred to in articles 9 and 10 of the GDPR will be permitted only where the Customer, as Data Controller, is expressly authorized following the express consent of the interested party, or where there is another legal basis referred to in art. 6 GDPR, such as, by way of example, the execution of a contract to which the interested party is a party or the adoption of pre-contractual measures, and the rules referred to in articles 9 and 10 GDPR are respected.
13.3. The Customer undertakes to fulfill all obligations placed on the Data Controller (and, in cases where such obligations are on the End User, guarantees that similar obligations are imposed on the End User) by the Legislation regarding the Protection of Personal Data, including the information obligations towards the interested parties. The Customer also undertakes to ensure that the processing of Personal Data carried out through the use of the Services occurs only in the presence of a suitable legal basis.
13.4. If the provision of the information notice and the obtaining of consent must take place through the product covered by the Contract, the Customer declares that it has evaluated the product and that it meets the Customer's needs. It is also the Customer's responsibility to evaluate whether any forms made available by the Supplier to facilitate the fulfillment of the information and consent obligations (e.g. privacy policy model for Apps or information present in the applications), when available, comply with the Legislation regarding the Protection of Personal Data, and to adapt the same where deemed appropriate, being the only one
13.5. It is also the exclusive responsibility of the
Customer to manage the Personal Data in accordance with the Requests made by
the Interested Parties, and therefore to provide, for example, for any updates,
additions, rectifications and deletions of the Personal Data.
13.6. It is the Customer's responsibility to keep the account connected to the notification email active and updated.
13.7. The Customer therefore declares that the
Personal Data processing activities carried out by the Customer as Data
Controller, with the methods described in the Contract and in this Agreement
are lawful.
14. DURATION
14.1. This Agreement will be effective from the
effective date of the Contract referred to in the Terms and Conditions between
the Customer and the Supplier and will cease automatically on the date of
deletion of all Personal Data by the Supplier, as provided for in this
Agreement.
15. RETURN OR DELETION OF PERSONAL DATA
15.1. The Personal Data identifying the Customer will be retained by the Supplier only for the duration of the Contract and for ten years following the conclusion of the Contract, for the administrative and accounting reasons defined by law. The documentation supporting the activities managed is kept for the time necessary for the legal protection of the Supplier, until the limitation period of the related rights has expired.
15.2. Upon termination of the Contract and/or use of the Service(s), for whatever reason, the Supplier will cease all processing of Personal Data and:
15.2.1. will delete the Personal Data (including any copies) from the Supplier's systems or from those over which the Supplier has control within the term set out in the Contract, except in the case in which the retention of the data by the Supplier is necessary for the purpose of complying with a provision of Italian or European law or an order of the Authority or of the judicial authorities, or is necessary for the protection of the Supplier's rights;
15.2.2. will destroy any Personal Data stored in paper format in its possession, except in the case in which the retention of the data by the Supplier is necessary for the purposes of compliance with Italian or European laws; and
15.2.3. will keep the Personal Data available to the Customer for extraction for the period of 12 (twelve) months following the termination of the Contract. During this period, the processing will be limited only to storage aimed at keeping the Personal Data available to the Customer for the extraction referred to in point 12.2.
15.3. Without prejudice to anything else provided in this Agreement, the Customer acknowledges that it can extract the Personal Data, upon termination of the Service, in the ways agreed in the Contract, and agrees that it is its responsibility to provide for the total or partial extraction of only the Personal Data that it deems useful to keep, and that this extraction must be carried out before the expiry of the deadline referred to in point 15.2.1.
16. RESPONSIBILITY
16.1. Each Party is responsible for fulfilling its
obligations under this Agreement and the Personal Data Protection Legislation.
16.2. Without prejudice to the mandatory limits of
law, the Supplier will be required to compensate the Customer in the event of
violation of this Agreement and/or the related DPA - Special Conditions within
the maximum limits agreed in the Agreement.
17. MISCELLANEOUS PROVISIONS
17.1. This Agreement replaces any other agreement,
contract or understanding between the Parties with reference to its subject
matter, as well as any instructions provided in any form by the Customer to the
Supplier prior to the date of this Agreement regarding the Personal Data
processed in the context of the execution of the Contract.
17.2. This Agreement may be modified by the Supplier
by giving written notice (also via e-mail or with the aid of computer programs)
to the Customer. In this case, the Customer will have the right to withdraw
from the Contract by written communication sent to the Supplier by registered
mail with acknowledgment of receipt within 15 days of receipt of the Supplier's
communication. If the Customer does not exercise the right of withdrawal
within the term and in the manner indicated above, the modifications to
this Agreement will be considered definitively known and accepted by the Customer and
will become definitively effective and binding.
17.3. In the event of a conflict between the
provisions of this Agreement and the provisions of the Contract for the
provision of the Services, or in Customer documents not expressly accepted by
the Supplier in derogation of this Agreement, the provisions of this Agreement
will prevail.
18. CONTACT DETAILS
18.1. For any communication provided for by this
contract or information to be forwarded to the Supplier, the latter expressly
indicates the following contact details: privacy@nutribook.app.
ATTACHMENT 1
Technical-organizational measures
In addition to the security measures provided for in
the Contract and the Agreement, the Data Controller applies the following
organizational security measures depending on the type of Service with which
the product is provided or licensed:
CLOUD SAAS - GOOGLE
Organizational security measures
User policies and regulations - The Supplier applies
detailed policies and regulations, with which all users with access to the
information systems are obliged to comply and which are aimed at guaranteeing
suitable behavior to ensure compliance with the principles of confidentiality,
availability and integrity of data in the use of IT resources.
Logical access authorization
The Supplier defines the access profiles in compliance
with the least privilege necessary for the execution of the assigned tasks. The
authorization profiles are identified and configured before the start of
processing, so as to limit access to only the data necessary to carry out the
processing operations. These profiles are subject to periodic checks aimed at
verifying the existence of the conditions for the conservation of the assigned
profiles.
Management of assistance interventions
Assistance interventions are regulated with the aim of
guaranteeing the execution of only the contractually foreseen activities and
preventing the excessive processing of personal data whose ownership lies with
the Customer or the End User.
Data Protection Impact Assessment (DPIA)
In compliance with articles 35 and 36 of the GDPR
and on the basis of document WP248 – Guidelines on Data Protection Impact
Assessment adopted by the Article 29 Working Party, the Supplier has
prepared its own methodology for the analysis and evaluation of processing
operations which, considering the nature, object, context and purposes of the processing,
present a high risk to the rights and freedoms of natural persons, for the
purpose of carrying out the assessment of the impact on the protection of
personal data before starting the processing.
Incident Management
The Supplier has created a specific Incident Management
procedure in order to guarantee the restoration of normal service operations in
the shortest possible time, guaranteeing the maintenance of the best service
levels.
Data Breach
The Supplier has implemented a specific procedure
aimed at managing events and incidents with a potential impact on personal data
which defines roles and responsibilities, the detection process (presumed or
confirmed), the application of enforcement actions, the response and the
containment of the incident / violation as well as the methods through which to
communicate personal data violations to the Customer.
Technical security measures
Firewall, IDPS - Personal data are protected against
the risk of intrusion pursuant to art. 615-quinquies of the penal code through
Intrusion Detection & Prevention systems kept updated in relation to the
best available technologies.
Security of communication lines
Within its area of responsibility, the Supplier adopts secure communication
protocols in line with what technology makes available.
Protection from malware
Systems are protected against the risk of intrusion and against the action
of malicious programs through the activation of suitable electronic tools
updated on a periodic basis.
Authentication credentials
The systems are configured with methods suitable to
allow access only to subjects equipped with authentication credentials that
allow their unique identification. These include a code associated with a keyword
(password), confidential and known only to the user, and an authentication device in the
possession and exclusive use of the user, possibly associated with an
identification code or keyword.
Keyword
With regard to the basic characteristics, i.e.
the obligation to modify it upon first access, minimum length, absence of elements
that can easily be traced back to the subject, complexity rules, expiry,
history, contextual evaluation of robustness, visualization and archiving, the
keyword is managed in accordance with best practices. The subjects to whom
the credentials are attributed are provided with precise instructions in
relation to the methods to be adopted to ensure their secrecy.
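The keyword characteristics listed above (change on first access, minimum length, no elements traceable to the user, complexity, expiry, history) can be expressed as a checkable policy. The following is an added illustrative example and not Nutribook's code; the thresholds (12 characters, 3 of 4 character classes, 90-day expiry, 5-entry history) and the `Account` structure are assumed for the illustration only.

```python
"""Password-policy checker modelled on the keyword attributes of Attachment 1.

Added example, not part of the Agreement or of the Supplier's systems.
All thresholds below are assumed values chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional
import hashlib
import re

MIN_LENGTH = 12                  # assumed minimum length
MIN_CLASSES = 3                  # assumed: 3 of 4 character classes
MAX_AGE = timedelta(days=90)     # assumed expiry period
HISTORY_DEPTH = 5                # assumed number of remembered previous passwords


@dataclass
class Account:
    """Minimal user record (assumed shape). History holds digests of past passwords.

    NOTE: plain SHA-256 is used here only so the history comparison is easy to follow;
    a real credential store would compare against a slow, salted password hash.
    """
    username: str
    full_name: str
    birth_year: str
    history: List[str] = field(default_factory=list)
    last_changed: Optional[date] = None   # None: initial credential, never changed
    must_change: bool = True              # forces modification upon first access


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, account: Account) -> List[str]:
    """Return a list of policy violations for a proposed password (empty list = acceptable)."""
    problems = []

    # Minimum length
    if len(candidate) < MIN_LENGTH:
        problems.append(f"length: minimum {MIN_LENGTH} characters")

    # Complexity: count distinct character classes present
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    present = sum(1 for pattern in classes if re.search(pattern, candidate))
    if present < MIN_CLASSES:
        problems.append(f"complexity: at least {MIN_CLASSES} of 4 character classes")

    # Absence of elements easily traced back to the subject (name, username, birth year)
    lowered = candidate.lower()
    identifying = [account.username, account.birth_year] + account.full_name.split()
    for token in identifying:
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"identifying element: '{token}'")

    # History: reject reuse of any of the last HISTORY_DEPTH passwords
    if _digest(candidate) in account.history[-HISTORY_DEPTH:]:
        problems.append(f"history: reuses one of the last {HISTORY_DEPTH} passwords")

    return problems


def must_rotate(account: Account, today: date) -> bool:
    """True when the password must be changed: first access, never set, or expired."""
    if account.must_change or account.last_changed is None:
        return True
    return today - account.last_changed > MAX_AGE


def rotate(account: Account, new_password: str, today: date) -> None:
    """Apply a password change after enforcing the policy; raises ValueError on violation."""
    problems = check_password(new_password, account)
    if problems:
        raise ValueError("; ".join(problems))
    account.history.append(_digest(new_password))
    account.history = account.history[-HISTORY_DEPTH:]
    account.last_changed = today
    account.must_change = False


if __name__ == "__main__":
    acct = Account(username="mrossi", full_name="Mario Rossi", birth_year="1985")
    print(check_password("Rossi2024!xyzA", acct))   # flags the surname
    rotate(acct, "Tq7#vLm2pW9!kX", date(2024, 1, 1))
    print(must_rotate(acct, date(2024, 6, 1)))      # expired after 90 days
```

The checks map one-to-one onto the attributes the clause names; what the example does not cover is the "contextual evaluation of robustness" (for instance a breached-password lookup), which would sit naturally as one more entry appended to `problems`.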
Logging
The systems can be configured with methods that allow
the tracking of accesses and, where appropriate, of the activities carried out
by the different types of users, protected by adequate security measures that
guarantee the integrity of the records.
Access to the Customer's Account is
protected by two-factor authentication; the Customer can change
the settings relating to the security measures connected to the authentication
of the Account when accessing the platform, assuming all consequent
responsibility, also in relation to the obligations incumbent on the Data
Controller based on the type of data processed.
Backup & Restore
Suitable measures are adopted to guarantee the
restoration of access to the data in the event of damage to the data or
electronic instruments, within certain times compatible with the rights of the
interested parties. Where contractual agreements provide for it, an operational
continuity plan integrated, where necessary, with the disaster recovery plan is
put into use; they guarantee the availability and access to the systems even in
the event of significant negative events that persist over time.
Vulnerability Assessment & Penetration Test
The Supplier periodically carries out vulnerability
analysis activities aimed at detecting the state of exposure to known
vulnerabilities, both in relation to infrastructural and application areas,
considering the systems in operation or in the development phase.
Where deemed appropriate in relation to the potential
risks identified, these checks are periodically integrated with specific
Penetration Test techniques, through intrusion simulations that use different
attack scenarios, with the aim of verifying the security level of
applications/systems/networks through activities that aim to exploit the
vulnerabilities detected to evade physical/logical security mechanisms and gain
access to them.
The results of the checks are promptly and in detail
examined to identify and implement the improvement points necessary to
guarantee the high level of safety required.
Data Centers
Physical access to the Data Center is limited to
authorized individuals only. For details of the security measures adopted with
reference to the data center services provided by the Additional Data
Processors, such as Google, and further communicated by the Supplier, please
refer to the security measures described by the same Additional Data
Processors and made available on their institutional sites at the following
addresses (or those that will subsequently be made available by the Additional
Data Processors):
For Data Center services provided by Google Cloud
Platform: https://cloud.google.com/security/compliance/