Data Processing Addendum
ADDENDUM ON THE PROCESSING OF PERSONAL DATA
THIS ADDENDUM is made and entered into by and between INFERENDO S.R.L., having legal seat in Via Firenze 37, 15121 Alessandria, Italy, (fiscal code and VAT no. 02622540066), in the person of its CEO Alessandro Rolando (hereinafter referred to as “Inferendo”) as the Data Processor, and THE CLIENT, i.e. the person who, by approving the present terms and conditions through the website www.visidea.ai has requested the services of Inferendo itself (hereinafter referred to as “Client”; where jointly mentioned the contracting parties will be referred to as “the Parties”), as the Data Controller.
To supplement the Agreement for the provision of services and licensing of IT products (hereinafter referred to as “Agreement”) made and entered into by the Parties,
WHEREAS, the Parties hereby agree to comply with the current sources of law and, in particular, with the Regulation 2016/679 issued by the European Parliament and Council on the 27th April 2016 (hereinafter referred to as “General Data Protection Regulation” or GDPR).
I. Subject matter
The aim of this Addendum is to define the means through which the Data Processor agrees to fulfil on behalf of the Data Controller the processing operations of the personal data required by the Agreement and hereinafter better explained.
II. Description of Data Processor’s services
The Data Processor shall be entitled to process on behalf of the Data Controller all the personal data belonging to third parties and necessary to carry out the services defined in the Agreement and better specified in the following table.
Nature of the data operations
Data collection, data saving, data processing with statistical purposes, data filing, communication to third parties, user profiling.
Aim of the processing
The given personal data will be used with the aim of building the relationship between the Parties, performing the Agreement, and allowing the supply of the agreed services.
Personal data processed
IP address, email, name, surname, telephone number, title (e.g., Dr, Engr., CA), gender, date of birth, browser and O/S used, device’s ID n., language preferences, referring site, date and time of the access to the website, mobile network’s information, location (in terms strictly proportionate to the previously mentioned purposes), shipping address, billing address, fiscal code, VAT n., company name, order history, cart history, invoice history, pageview history, researches made, images uploaded via visual search system, recommendations viewed and clicked.
Types of data subjects (clients, website users, etc.)
1) Website subscribers 2) People doing online shopping
The term of this Addendum is linked and equal to that of the Agreement.
IV. Data Processor’s obligations
The Data Processor hereby agrees to fulfil the following obligations.
The Data Processor hereby agrees to process the data solely for the abovementioned purposes and in order to perform the contractual services.
The Data Processor hereby agrees to process the data in compliance with the documented instructions provided by the Data Controller. If one, or more, of the instructions provided will infringe the GDPR or any other source of law of the EU or of the Member States related to the protection of data, the Data Processor shall immediately inform the Data Controller.
3. Data transfer
The Data Processor shall inform the Data Controller, who acknowledges and agrees that, as part of the processing, it will be necessary to transfer the data to a third country belonging to the EU in order to supply the services.
The Data Processor hereby agrees to ensure the confidentiality and security of the processed personal data subject to the Agreement.
5. Authorized people
The Data Processor hereby agrees to check that the people authorized to process the personal data under the terms of this Addendum:
Agree to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
Receive the necessary training in data protection.
The Data Controller hereby authorizes the Data Processor to engage other processors (hereinafter referred to as “Sub-Processors”) in order to organize specific processing activities aimed at installing, managing, performing, supplying and/or concluding the products and services specified in the Agreement. In this regard, “SoftLayer Dutch Holdings B.V.” and “Google LLC” are hereby appointed as Sub-Processors; the Data Controller hereby acknowledges and approves them and accepts that the engagement of these entities entails the transfer of the data abroad.
The Data Processor shall give written notice to the Data Controller every time a Sub-Processor is replaced, or new ones are appointed. The Data Controller shall have a maximum of 2 days from the date of receipt of the notice to present any objection; after the said time, if the Data Controller has not objected, the Data Processor can proceed with what has been agreed.
The Sub-Processors shall comply with the obligations of this Addendum on behalf of and according to the instructions given by the Data Controller.
At the moment of the data collection (if carried out by the processor), the Data Processor shall provide all the necessary information to the data subjects. The wording and content of the notice have already been communicated to the Data Controller, who has accepted them.
Where possible, the Data Processor shall assist the Data Controller in the performance of the obligations regarding the requests for the exercise of the rights of data subjects (and thus regarding: right of access, right to rectification, right to erasure or object, right to restriction of processing, right to data portability, right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her).
In particular, if the data subjects exercise this right with the Data Processor by presenting the related request, the Data Processor shall promptly forward these requests to the Data Controller and follow any operational instructions.
In general, the Data Processor shall assist the Data Controller in the performance of the obligations and in particular in the data protection impact assessment (if necessary) and any prior consultation by the supervisory authority (art. 36 of the GDPR).
The Data Processor shall notify in writing the Data Controller of any personal data breach within a maximum of 24 hours after having become aware of it. This notice shall be accompanied by the necessary documentation that allows the Data Controller, if necessary, to notify this breach to the supervisory authority competent and data subjects.
10. Security measures
The Data Processor hereby agrees to implement the following security measures:
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
A prompt process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
11. Data availability after termination of contractual services.
The Data Processor hereby agrees to transfer all the personal data to the Data Controller after the termination of the Agreement. This transfer shall be made together with the destruction of all the copies available in the systems and archives of the Data Processor. Once completed, the Data Processor shall provide written documentary evidence of the data destruction.
12. Records of the types of processing activities
The Data Processor hereby agrees to keep record of all the types of processing activities carried out on behalf of the Data Controller, which include:
The name and details of the Data Controller, any Data Processor and, if appointed, the Data Protection Officer;
The types of processing operations carried out on behalf of the Data Controller;
If any, the transfers of personal data to third countries;
Where possible, a general description of the technical and organizational security measures.
Pursuant to a written request, the Data Processor shall put at the Data Controller’s disposal all the necessary documentation in order to prove compliance of all the obligations, and to allow audits, inspections and any analysis by the Data Controller.
V. Data Controller’s obligations
The Data Controller hereby agrees to:
Provide to the Data Processor all the data referred to in point II of this Addendum;
Document in writing all the instructions related to the data processing carried out by the Data Processor;
Ensure compliance of the Data Processor’s obligations provided for by the GDPR, before and during the processing;
Supervise the processing, including audits and inspections carried out by the Data Processor;
Provide to the data subjects all the necessary information related to the data processing and transfer to the Data Processor (if the data are directly collected by the Data Controller).
The Data Controller is only liable for any infringement of the GDPR falling within the sphere of responsibility of the Data Controller. In particular – even when the IT products subject to the licence include Programmes or Applications dedicated to the processing and/or managing of personal data and/or production of documents related to these operations – the Data Controller expressly accepts and acknowledges that the licensing of the Products and the fulfillment of the Data Processor’s obligations neither represent nor replace the legal advice related to the processing of these data.
VI. Amendments to this Addendum.
Inferendo shall have the right to modify the terms and conditions of this Addendum according to any change in the case law, regulations and their interpretation related to the protection of personal data. These amendments shall be communicated to the Client via email and shall be considered accepted if not rejected within 30 days.
The Parties hereby declare that they wish to receive any communication related to the performance of this Addendum by means of the email address defined at the moment of the conclusion of the Agreement.