Data controller

APPOINTMENT OF EXTERNAL DATA PROCESSOR IN ACCORDANCE WITH ART. 28 OF REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27.4.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GENERAL DATA PROTECTION REGULATION - “GDPR”)

Between

Placenti Nicolò Data Controller (as below defined), in the person of its legal representative pro tempore.

And

ProjectXsport by Placenti Nicolò. Data Controller (as below defined), in the person of its legal representative pro tempore.

Art. 1 Object

1.1 The purpose of these clauses is to define the conditions under which the Data Processor undertakes to carry out the Personal Data Processing operations defined below on behalf of the Data Controller.

1.2 In the context of their contractual relations, the Parties undertake to comply with the Personal Data Protection Legislation applicable from time to time and, in particular, the GDPR.

Art. 2 Definitions

  1. “Agreement”: the contract signed between the Data Controller and the Data Processor and of which this document constitutes an addendum.
  2. “Addendum”: this document, including any attachments thereto.
  3. “Personal Data”: personal data, as defined in art. 4.1 of the GDPR, which is the subject of this Addendum.
  4. “GDPR”: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  5. “Data Subject”: has the meaning given to it in art. 4.1 of the GDPR.
  6. “Data Protection Law” means any law or regulation, including European Union, Member State and UK laws and regulations, applicable to the processing of Personal Data, including the GDPR.
  7. “Data Controller”: has the meaning given in art. 4.8 of the GDPR.
  8. “Data Controller”: has the meaning given in art. 4.7 of the GDPR.
  9. “Processing”: has the meaning given to it in art. 4.2 of the GDPR.
  10. “Personal Data Breach”: has the meaning given in Art. 4.12 of the GDPR.

Art. 3 Description of the Processing entrusted to the Data Controller

3.1 The Data Processor is authorized to process on behalf of the Data Controller the Personal Data necessary to fulfill the Agreement (“Services”).

3.2 The Processing operations delegated to the Data Controller are the following:

  • Collection of personal data.
  • Data collection.
  • Retention of personal data.
  • Use.
  • Deletion of personal data.

3.3 The purpose of the Processing entrusted to the Data Controller is solely to execute the Agreement, providing the Services.

3.4 The categories of Personal Data whose Processing is delegated to the Data Controller are the following:

  • E-mail.

3.5 The categories of Interested Parties to whom the Personal Data whose processing is delegated to the Data Controller refer are the users or potential users of the Data Controller.

Art. 4 Duration of the Appointment as Data Controller

This Addendum takes effect from the moment of its signature and for the entire duration of the Agreement. Upon termination of the Agreement, for any reason, the effects of this Addendum will also immediately cease. The obligations relating to confidentiality and the prohibitions on dissemination and/or communication must be observed by the Data Controller even after the termination of the Agreement and this Addendum.

Art. 5 Obligations of the Data Processor towards the Data Controller

5.1 The Data Controller undertakes:

  1. to process the Personal Data solely for the purposes set out in this Addendum and, in particular, as indicated in point III above, solely and exclusively for the purposes of the correct execution of the Agreement and the correct provision of the Services, consequently;
  2. not to communicate, disseminate, reveal, in any way, the Personal Data to third parties, with the exception of additional data controllers, if designated by the Data Controller in accordance with art. 28 GDPR and art. VI below, and of the persons authorized to process personal data under the authority of the Data Controller (“Data Processors”), if they are instructed to do so by the Data Controller, in accordance with art. 29 GDPR, and are formally designated by the same, pursuant to this article;
  3. process Personal Data in accordance with any instructions provided by the Controller (“ Instructions ”), including in the event of transfer of Personal Data to a third country or an international organisation, unless required to do so by Union law or by national law to which the Processor is subject; in such case, the Processor shall inform the Controller of this legal obligation prior to the Processing, unless Union or Member State law in question prohibits such information for important reasons of public interest. If the Processor considers that an instruction constitutes a violation of the GDPR and/or another provision of Union law or the law of a Member State relating to the protection of personal data, the Processor shall immediately inform the Controller.

Art. 6 Further Data Controllers

General authorization

The Data Controller authorizes the Data Processor, in general, to use another data processor (“Additional Data Processor” or “Sub-Processor”) for the performance of specific processing activities, pursuant to art. 28.2 of the GDPR.

Art. 7 Information to be provided to the interested party

7.1 The Data Controller is responsible for providing the Data Subjects with the information referred to in Articles 13 and 14 of the GDPR, in the cases, in the manner and within the timeframes referred to in such Articles and in Article 12 of the GDPR.

Art. 8 Retention of Personal Data during the term of the Addendum and their deletion or return after its termination

8.1 During the validity of the Addendum, the Data Controller undertakes to retain the Personal Data only and exclusively for the time strictly necessary to achieve the purposes of the Processing and for the correct fulfillment of the obligations set out in the Addendum, as indicated by the Data Controller in the Instructions, without prejudice to the need to retain the Personal Data by reason of obligations imposed on the Data Controller by Union law or by the Member State to which it is subject.

8.2 In the event of termination, for any reason, of the Addendum, the Data Controller undertakes to:

a) cease the Processing; and

b) without prejudice to the obligations to retain Personal Data imposed on the Data Controller by Union or Member State law to which it is subject, at the Data Controller's discretion, within 10 working days:

  • destroy and/or delete all Personal Data possibly stored by the Data Controller, irreversibly and permanently and, in any case, on the basis of the Instructions; or
  • return all Personal Data; or
  • send the Personal Data to a data controller indicated by the Data Controller.

8.3 The return or sending must be accompanied by the deletion and/or destruction of all copies existing in the information systems of the Data Controller, unless Union or Member State law requires the retention of such data. Once destroyed, the Data Controller must justify the destruction in writing to the Data Controller.

Art. 9 Data Protection Officer (or Data Protection Officer - “DPO”)

9.1 The Data Processor undertakes to communicate to the Data Controller the name and contact details of the DPO, if designated, in accordance with the provisions of art. 37 GDPR.

Art. 10 Register of Treatments

The Data Processor shall communicate whether it keeps a register of the processing carried out on behalf of the Data Controller, pursuant to and with the content referred to in art. 30.2 of the GDPR, and the methods of keeping such register, undertaking to make it available to the Data Controller, upon request. In the event that the Data Processor does not keep the register referred to in art. 30.2, the Data Processor undertakes to provide the Data Controller with documentation of the assessment carried out to exclude the applicability of the obligation in question. The Parties acknowledge that the Data Processor may draw up the register of processing based on the indications provided in this regard by the Italian Data Protection Authority.

Art. 11 Documentation

11.1 The Data Processor shall make available to the Data Controller all information and documentation necessary to demonstrate compliance with the obligations set forth in the GDPR, including art. 28 thereof, and in this Addendum, enabling and contributing to audit activities, including inspections, carried out by the Data Controller or another person appointed by the same.

Art. 12. Obligations of the Data Controller towards the Data Processor

12.1 The Data Controller undertakes to provide the Data Processor with Personal Data in the event that, by virtue of the Agreement and/or the Services, they are not collected and/or acquired directly by the Data Processor, on behalf of the Data Controller.

12.2 The Data Controller will monitor, for the entire duration of the Addendum, compliance with the obligations imposed on the Data Processor by the Instructions, the Addendum and the Personal Data Protection Regulations, including the GDPR, and will supervise the Processing carried out by the Data Processor, including by carrying out audits and/or inspections at the Data Processor. Such inspections and/or audits will be preceded by advance notice. The Data Controller reserves the right to ask the Data Processor, with the same methods and within the same timeframe, to carry out audits and/or inspections at the Sub-Processors, jointly with the Data Processor, the latter undertaking to provide evidence of this right in the contract or other related legal act with the Sub-Processor.

12.3 The notice period indicated in the preceding article is equal to 2.

Art. 13 Communications

All communications provided for in this Addendum must be made to the following contacts: for the Data Controller, email info@projectxpadel.com; for the Data Processor, email info@projectxpadel.com.

Art. 14 Applicable law and competent court

14.1 This Addendum is subject to Italian law.

14.2 For any dispute regarding the application and/or interpretation of this document, the Court where the Data Controller is based shall have exclusive and mandatory jurisdiction.

Art. 15 Miscellaneous

The Parties acknowledge that this Addendum does not limit or reduce the commitments that the Data Processor has undertaken towards the Data Controller in the Agreement, provided that in the event of a conflict between the provisions of the Agreement and those of the Addendum regarding the processing of personal data and/or the protection of personal data, the provisions of the Addendum shall prevail.

Place and date: _______________________

The Data Controller: _______________________

The Data Controller:_______________________