Data Processing Agreement
Pursuant to Article 28 of Regulation EU 2016/679 dated 27 April 2016 (hereinafter, the “Regulation”), the Client, as identified in the Order Form (hereinafter, the “Client”),
Whereas:
- The Client and Audioboost S.r.l., with registered office in Maglie (LE), via Scorrano 57, Tax Code/VAT No. IT05170040751 (hereinafter, the “Supplier”) have entered into a contract concerning the provision of the Speakup-Article™ Suite for the purpose of the automatic generation of Spoken Articles on the online properties of (i) the Client or (ii) the third party represented by the Client (the “Controller”), of which this document is an integral and substantial part (hereinafter referred to as the “Contract”).
- The Client acts as Data (i) Controller or (ii) Processor with reference to the personal data processed in order to implement (i) the Contract and/or (ii) the related Data Processing Agreement(s) with the Data Controller (hereinafter, the “Data Processing Agreement”) and indicated more precisely in Annex 1 (hereinafter the “Personal Data”);
- Pursuant to Article 28 of the Regulation, the Data (i) Processor or (ii) Sub-Processor is optionally designated by the Data (i) Controller or (ii) Processor and, if appointed, is identified among subjects who, due to experience, capacity and reliability, provide the appropriate guarantee of full compliance with the applicable provisions on processing, including the safety profile;
- The tasks entrusted to the Data (i) Processor or (ii) Sub-Processor must be specified in writing by the Data (i) Controller or (ii) Processor, and the Data (i) Processor or (ii) Sub-Processor must comply with the instructions given by the Data (i) Controller or (ii) Processor, who, also through periodic checks, ensures that they are strictly observed;
- The Client has found that – and the Supplier guarantees that – the Supplier, by virtue of its experience, capacity, and reliability, can provide sufficient guarantees regarding compliance with the applicable provisions on protection of personal data, including the safety profile, as required by the Applicable Law, as defined below;
- It is the intention of the Client, as Data (i) Controller or (ii) Processor, to appoint the Supplier, who accepts, as Data (i) Processor or (ii) Sub-Processor.
Given the above, the Client hereby
Appoints
the Supplier as Data (i) Processor or (ii) Sub-processor for the processing of Personal Data to be carried out according to the Contract and in the manner and within the limits specified below.
- Definitions
In this letter of appointment (hereinafter, the “Appointment” or “DPA”) the terms whose first letter is written in capital letters have the same meaning as defined by the Applicable Law. The following words have the following meanings:
“Applicable Law” the Regulation, as well as any other personal data protection legislation applicable in Italy, already in force or that will enter into force after this Appointment comes into force, including the provisions of the Italian Data Protection Authority (i.e. Garante per la Protezione dei Dati Personali) issued in implementation of the privacy regulations;
“Security Measures” are measures intended to protect personal data from accidental or illegal destruction or loss, alteration, disclosure or unauthorized access, as provided for in art. 32 of the Regulation;
“Sub-Suppliers” (or “Sub-Processors”), natural or legal persons who carry out their business for the Supplier by dealing with Personal Data belonging to the Client.
- Obligations of the Parties
2.1 Obligations of the Supplier
2.1.1 Processing purposes
The Supplier, as Data (i) Processor or (ii) Sub-Processor, is committed to:
- Processing the Personal Data for the exclusive purpose of executing the Contract, and within the limits established by it, while strictly adhering to the instructions given by (i) the Client or (ii) the Client and the Controller;
- Only processing the Personal Data that is strictly required for a correct and full implementation of the Contract, or to fulfil legal obligations;
- Making sure that its employees and Sub-Suppliers have access to and only process the Personal Data that is strictly required for a full and correct implementation of the Contract, or to fulfil legal obligations;
- Processing the Personal Data in a lawful manner, according to fairness and in full compliance with the Applicable Law.
2.1.2 Security measures
The Supplier undertakes to correctly implement the Security Measures and any other security measure prescribed by the Applicable Law, taking into account the state of the art and the costs of implementation.
Also based on new solutions provided by technical and technological progress and, taking into account the nature of the data and the characteristics of the processing, the Supplier undertakes to implement Security Measures to minimize the potential risks of destruction or voluntary or accidental loss of Personal Data, unauthorized access or processing in violation of the law.
2.1.3 Authorized persons
The Supplier agrees to:
- Instruct, according to article 29 of the Regulation, those responsible for processing operations (hereinafter “Authorized Persons”), choosing from among its employees those who, by experience, capacity, and training, can ensure compliance with Applicable Law;
- Give to the Authorized Persons detailed operational instructions in writing regarding the methods for carrying out the processing entrusted to them as well as to strictly monitor the exact fulfilment of the instructions received;
- Implement physical, technical and organizational measures to ensure that each Authorized Person may have access only to Personal Data that may be processed based on its authorization profile;
- Draft and update a list of Authorized Persons, and annually check the scope of processing allowed.
2.1.4 Rights of the data subjects
The Supplier must ensure the effective exercise of the rights recognized by the Applicable Law to the Data Subjects, by undertaking to promptly notify (i) the Client or (ii) the Client and the Controller of any request to exercise such rights presented by one of the Data Subjects and to enclose a copy of the request.
The Supplier also undertakes to cooperate with (i) the Client or (ii) the Client and the Controller to ensure that the requests for exercising the rights abovementioned, including requests for objection to processing, are met within the times and according to the law and, more generally, to ensure full compliance with the Applicable Law.
2.1.5 Data communication and transfer abroad
The Supplier will not be able to exercise autonomous control over the Personal Data and undertakes to refrain from disseminating or communicating said data to third parties, unless expressly provided for in the Contract or authorized by (i) the Client or (ii) the Client and the Controller in writing, and in any case in compliance with the provisions of the information given to the data subjects and any consents they may have given in relation to the different processing purposes.
In the event of transfer of Personal Data outside the territory of the European Economic Area (EEA), the Supplier undertakes to ensure that such transfer takes place in compliance with the guarantees set forth in Chapter V of the Regulation.
2.1.6 Sub-Suppliers
If the Supplier intends to entrust a Sub-Supplier with all or part of the performance of the Contract, and this is permitted by the Contract or authorized by (i) the Client or (ii) the Client and the Controller, the Supplier shall first notify (i) the Client or (ii) the Client and the Controller whether its Sub-Supplier shall process Personal Data of which (i) the Client or (ii) the Client and the Controller is/are the Data Controller(s).
If so, the Client may directly appoint the authorized Sub-Supplier as its Data Processor, or the Client may authorize the Supplier to appoint the Sub-Supplier by a deed of appointment substantially equivalent to (i) this DPA and/or (ii) the Data Processing Agreement, it being understood that, in the event under (ii), the Controller may exercise its right to object to the appointment of the Sub-Supplier pursuant to Article 28 of the Regulation.
Verification activities involving any Sub-Supplier shall be conducted in accordance with the Sub-Supplier’s access rules and security policies.
In Annex 2 of this DPA, the Client and the Supplier list the approved Sub-Suppliers as of the date of the signing of this DPA.
2.2 Obligations of (i) the Client and/or (ii) the Controller
2.2.1 The Client declares and warrants that (in the case under (ii), the Controller has guaranteed that) any mode of collection of personal data processed under this DPA:
- will take place following the presentation to the data subjects of a privacy policy that is clear, simple to understand but at the same time complete and compliant with the Regulation, (i) is easily usable by the data subjects and (ii) identifies how the information obtained will be collected and used;
- offers data subjects the opportunity to remain excluded from such collection and processing of such information;
- provides, when necessary, for obtaining all the consents of the data subjects, to whom the personal information relates, as required by the Regulation.
2.2.2 Given what is stated in Article 2.2.1 above in particular, the Client guarantees and expressly declares that (in the case under (ii), the Controller has guaranteed that):
- those affected by the processing give consent to the Client, where applicable, to the processing of their data through a free, specific, informed and unambiguous manifestation of will, for each purpose referred to in the processing operations covered by this DPA;
- the data shall be collected in each case pursuant to an appropriate legal basis, as well as in accordance with fairness and lawfulness and for purposes corresponding to those for which they are processed under this DPA.
- Audit
The Supplier acknowledges that, in compliance with art. 28 of the Regulation, the Client may periodically assess the activities carried out, in order to verify compliance with the organizational, technical and safety measures prescribed by the Applicable Law or issued by the Client as Controller.
The Client will also have the right to access offices, computers and other IT systems / documents of the Supplier and its Sub-Suppliers, where this is deemed necessary to verify that the Supplier or its Sub-Supplier acts in compliance with the obligations agreed in virtue of this DPA. In the event of access to the Supplier’s or Sub-Supplier’s premises by the Client, the latter will be required to give the Supplier written notice of at least 7 working days.
The Client expressly recognizes and accepts that any costs of any verification referred to in this article will be at its sole expense.
Nothing contained in this DPA presupposes Supplier’s consent to disclosure to the Client, as well as Client’s access to:
- internal accounting or financial data of the Supplier;
- Supplier’s trade secrets;
- information which, on the basis of reasonable objections raised by the Supplier, could: (A) compromise the security of the Supplier’s systems or offices; or (B) entail the violation of the obligations of the Supplier as per the Applicable Law or of its obligations regarding security and / or confidentiality towards the Client or third parties; or
- information to which the Client (or any external auditors appointed by the latter) seeks access for reasons beyond the duty of good faith in fulfilling the obligations of the Client as set out in the Applicable Law.
- Statements and guarantees of the Supplier
The Supplier declares and ensures that it is aware of the obligations assumed under the Applicable Law as a result of the appointment as Data Processor, and that it has the required experience, skills and professionalism to perform this function.
The Supplier declares that it has not identified the Data Protection Officer (DPO), as it is not subject to the obligation of designation provided for by Article 37 of the Regulation.
- Fee
Without prejudice to what was established in the Contract, the Supplier will carry out its function as Data (i) Processor or (ii) Sub-Processor without payment, unless otherwise agreed with the Client.
- Duration
This Appointment takes effect starting from the validity date of the Contract and will remain in force until the date on which the Contract is terminated, regardless of the cause for termination.
If the Contract is terminated for whatever reason, the Supplier will return the Personal Data in its possession to the Client and will delete any copies thereof. Upon the Client’s request and at its full discretion, the Supplier must alternatively delete the Personal Data in its possession, giving written confirmation to the Client without delay, unless the retention of data is required by law.
ANNEX 1
Description of the processing
Data Subjects
The personal data processed concern the following categories of data subjects:
- natural persons whose data are contained in the text articles published on the online properties of (i) the Client or (ii) the Controller and used for generating Spoken Articles through the Speakup-Article™
Data categories
The personal data processed concern the following data categories:
- Main data, e.g. title, name, surname, Company, address.
Special categories of personal data (if applicable)
There is no processing of special categories of data.
Processing operations
The personal data processed fall under the following basic processing activities:
- Purpose of the processing: The purpose of the processing is related to executing the Contract between the Parties.
- Nature and purpose of the processing: The nature and purpose of the processing is generating Spoken Articles through the Speakup-Article™ Suite.
In the event that the activities established by the Controller involve the processing of additional or different information or data than those indicated in this Annex, the Controller undertakes to promptly send the Supplier an updated Annex containing all new information and data subject to processing.
ANNEX 2
Approved Sub-Processors
The following are the name, address and services provided by the Sub-Processors authorized by the Data Controller at the date of signature of this DPA. The updated list of Sub-Processors authorized by the Data Controller should be maintained by the Data Processor for internal registration purposes and any changes notified to the Data Controller.
Sub-Processor | Location and contact details / Place of processing | Processing activities | Direct appointment of the Processor / Sub-appointment |
Google Cloud Italy S.r.l. | Via Federico Confalonieri 4 Milan, 20124, Italy | API “Cloud Speech-to-Text”, as detailed in the following URLs: https://cloud.google.com/speech-to-text/docs/data-logging-terms | Sub-appointment, as detailed in the following URL: https://cloud.google.com/terms/data-processing-addendum?hl=it |
Microsoft Srl | Microsoft House, Viale Pasubio 21, 20154, Milan, Italy | API “Cloud Speech-to-Text”, as detailed in the following links: Data, privacy, and security for text to speech – Azure AI services (Microsoft Learn) | Sub-supplier, as detailed in the following link: |