OBLIGATIONS OF THE DATA PROCESSOR. 6.1. For the purposes of the correct processing of Personal Data, the Data Processor undertakes to:
a) carry out any Personal Data processing operation in compliance with the applicable regulations relating to the protection of personal data, including the principles referred to in chapter II of the Regulation (articles 5-11);
b) carry out the processing of Personal Data in the implementation of this Framework Agreement and for the purposes relative to the provision of the services therein referred to, for the time period strictly necessary for the performance of the above mentioned purposes as well as the purposes strictly linked and instrumental to the management of technical issues linked thereto;
c) guarantee the full compliance with the obligations imposed by the Regulation directly onto the Data Processor, including by way of example, the obligation to hold a register of the operations carried out on behalf of the Data Controller pursuant to article 30, paragraph 2 of the Regulation and, where required, the requirement to appoint a Data Protection Officer pursuant to article 37, paragraph 1 of the Regulations;
d) in compliance with article 32 of the Regulation, implement technical and organisational measures to guarantee an adequate level of security for the processing operations carried out on behalf of the Data Controller, as well as cooperate with the latter by providing the same with the information and documentation required by the same in order to assess and check from time to time that the Data Processor has adopted technical and administrative measures;
e) in the performance of the data processing operations on behalf of the Data Controller, follow the provisions and instructions included in this Data Processing Agreement;
f) in relation to the collection of Personal Data from data subjects, where required, the Data Processor ensures this is done in compliance with the specific procedures agreed with the Data Controller in order to guarantee that the collection of Personal Data and their subsequent processing comply with the law (e.g. privacy policy and requests of consent for the processing of data provided by the Data Controller; tracing and archiving of consents given by the data subjects);
g) with the exclusion of cases strictly necessary for the provision of Services, not to disclose or share Personal Data with third parties without the previous written consent of the Data Controller and to adopt the organisational and technical measures necessary to ensure the maximum confidentiality of the Personal Data acquired and used in the performance of the activities object of this designation;
h) not transfer the Personal Data outside of the European Union, directly or indirectly (possibly through third party suppliers that have been authorised in writing by the Data Controller) without the previous written consent of the Data Controller and in compliance with the general principles and conditions applicable to the transfer required by chapter V of the Regulation, notifying the Data Controller of the measures adopted in order to ensure an adequate level of protection for the transferred data and the rights of the data subjects (for example, adequacy decisions, type of clauses, binding regulations on the company, code of conduct, certification, etc.);
i) guarantee that access to Personal Data by personnel takes place only on the basis of the principle of need and that the processing operations linked to the execution of the Framework Agreement are carried out only by authorised persons acting on the authority of the Data Processor on the basis of adequate instructions;
j) adequately train authorised persons, tasked with the execution of the Framework Agreement, providing the same with precise instructions and supervising their compliance to the same. The updated list of personnel authorised to process Personal Data will be made available to the Data Controller on request from the latter;
k) guarantee that all physical persons (employees and/or collaborators) authorised to process personal data for the above stated purposes are committed to confidentiality or have a legal obligation to confidentiality;
l) regularly adopt, update and assess all the technical and organisational measures necessary to guarantee an adequate level of risk, in compliance with the provisions of article 32 of the Regulation, as well as the further measures provided for by article 10 of this Data Processing Agreement;
m) designate, where applicable, the Union Representative pursuant to article 27 of the Regulation;
n) cooperate with the Data Controller on the implementation of any further measure that becomes necessary in order to guarantee compliance of the Personal Data processing with the applicable provisions;
o) without undue delay and in any case no later than 24 hours from the time it has become aware of it, notify the Data Controller of any breach of personal data and cooperate with the Data Controller in relation to the analysis and assessments to carry out for the purposes of the notification to the supervisory authority pursuant to article 33 of the Regulation and of the communication to data subjects pursuant to article 34 of the Regulation, as well as for the preparation of the relative documentation, including the notification pursuant to article 35, paragraph 3;
p) keep the Data Controller informed in writing, on written request from the latter, of details relative to compliance with the applicable provisions and this Data Processing Agreement;
q) the Data Processor notifies, without delay, the Data Controller of any issue relevant for the purposes of this Data Processing Agreement, such as, simply by way of example:
- Requests from the Authority;
- Outcomes of inspections;
- Request of access to data by public authorities.
Appears in 2 contracts
Samples: Framework Agreement, Framework Agreement
OBLIGATIONS OF THE DATA PROCESSOR. 6.1. For the purposes of the correct processing of Personal Data, the Data Processor undertakes to:
a) carry out any Personal Data processing operation in compliance with the applicable regulations relating to the protection of personal data, including the principles referred to in chapter II of the Regulation (articles 5-11);
b) carry out the processing of Personal Data in the implementation of this Framework Agreement and for the purposes relative to the provision of the services therein referred to, for the time period strictly necessary for the performance of the above mentioned purposes as well as the purposes strictly linked and instrumental to the management of technical issues linked thereto;
c) guarantee the full compliance with the obligations imposed by the Regulation directly onto the Data Processor, including by way of example, the obligation to hold a register of the operations carried out on behalf of the Data Controller pursuant to article 30, paragraph 2 of the Regulation and, where required, the obligation to appoint a Data Protection Officer pursuant to article 37, paragraph 1 of the Regulation;
d) in compliance with article 32 of the Regulation, implement technical and organisational measures to guarantee an adequate level of security for the processing operations carried out on behalf of the Data Controller, as well as cooperate with the latter by providing the same with the information and documentation required by the same in order to assess and check from time to time that the Data Processor has adopted technical and administrative measures;
e) in the performance of the data processing operations on behalf of the Data Controller, follow the provisions and instructions included in this Data Processing Agreement;
f) in relation to the collection of Personal Data from data subjects, where required, the Data Processor ensures this is done in compliance with the specific procedures agreed with the Data Controller in order to guarantee that the collection of Personal Data and their subsequent processing comply with the law (e.g. privacy policy and requests of consent for the processing of data provided by the Data Controller; tracing and archiving of consents given by the data subjects);
g) with the exclusion of cases strictly necessary for the provision of Services, not to disclose or share Personal Data with third parties without the previous written consent of the Data Controller and to adopt the organisational and technical measures necessary to ensure the maximum confidentiality of the Personal Data acquired and used in the performance of the activities object of this designation;
h) not transfer the Personal Data outside of the European Union, directly or indirectly (possibly through third party suppliers that have been authorised in writing by the Data Controller) without the previous written consent of the Data Controller and in compliance with the general principles and conditions applicable to the transfer required by chapter V of the Regulation, notifying the Data Controller of the measures adopted in order to ensure an adequate level of protection for the transferred data and the rights of the data subjects (for example, adequacy decisions, type of clauses, binding regulations on the company, code of conduct, certification, etc.);
i) guarantee that access to Personal Data by personnel takes place only on the basis of the principle of need and that the processing operations linked to the execution of the Framework Agreement are carried out only by authorised persons acting on the authority of the Data Processor on the basis of adequate instructions;
j) adequately train authorised persons, tasked with the execution of the Framework Agreement, providing the same with precise instructions and supervising their compliance to the same. The updated list of personnel authorised to process Personal Data will be made available to the Data Controller on request from the latter;
k) guarantee that all physical persons (employees and/or collaborators) authorised to process personal data for the above stated purposes are committed to confidentiality or have a legal obligation to confidentiality;
l) regularly adopt, update and assess all the technical and organisational measures necessary to guarantee an adequate level of risk, in compliance with the provisions of article 32 of the Regulation, as well as the further measures provided for by article 10 of this Data Processing Agreement;
m) designate, where applicable, the Union Representative pursuant to article 27 of the Regulation;
n) cooperate with the Data Controller on the implementation of any further measure that becomes necessary in order to guarantee compliance of the Personal Data processing with the applicable provisions;
o) without undue delay and in any case no later than 24 hours from the time it has become aware of it, notify the Data Controller of any breach of personal data and cooperate with the Data Controller in relation to the analysis and assessments to carry out for the purposes of the notification to the supervisory authority pursuant to article 33 of the Regulation and of the communication to data subjects pursuant to article 34 of the Regulation, as well as for the preparation of the relative documentation, including the notification pursuant to article 35, paragraph 3;
p) keep the Data Controller informed in writing, on written request from the latter, of details relative to compliance with the applicable provisions and this Data Processing Agreement;
q) the Data Processor notifies, without delay, the Data Controller of any issue relevant for the purposes of this Data Processing Agreement, such as, simply by way of example:
- Requests from the Authority;
- Outcomes of inspections;
- Request of access to data by public authorities.
Appears in 2 contracts
Samples: Framework Agreement, Framework Agreement
OBLIGATIONS OF THE DATA PROCESSOR. 4.1. The Parties agree that the subject-matter of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement.
4.2. As part of providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as follows:
4.2.1. to process Personal Data in accordance with Data Controller's documented instructions as set out in the Agreement and this DP Agreement or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
4.2.2. to ensure that all staff and management are fully aware of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.2.3. to implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected;
4.2.4. to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller's Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;
4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor;
4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing, the complexity and frequency of the request(s), and the information available to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense, address the Data Subject Request, as required under the Data Protection Law;
4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law;
4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data);
4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and
4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreement, including the Security Measures.
4.3. Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
Appears in 1 contract