pursuant to art. 28 General Data Protection Regulation (GDPR)
between you, as a user of the iubenda service
and
iubenda s.r.l.
Via San Raffaele, 1
20121 Milan
Italy
legal representative, Andrea Giannangelo
The subject matter of the DPA results from the main contract signed by the parties for the provision of the iubenda service (“Contract”). The Processor shall carry out the processing activities described therein
with respect to the following categories of personal data:
referring to the following categories of data subjects:
The term of this DPA corresponds to the term of the main contract.
Processing activities shall take place only on documented instructions by the Controller. Such instructions are included in the Contract and in this Agreement. Data processing activities under this DPA shall be performed within the European Union (EU) or the European Economic Area (EEA). In case any transfer of data outside of the EU or EEA should take place, it shall be performed in accordance with the conditions set forth in art. 44 et seq. GDPR.
The Processor has adopted technical and organizational measures in order to ensure that processing activities under this DPA are carried out in compliance with applicable data protection provisions.
The Processor has in particular adopted security measures to guarantee protection standards adequate to the risks to confidentiality, integrity, availability, and resilience of the systems, taking into account the likelihood of data breaches and the severity of risk to the rights and freedoms of natural persons possibly resulting therefrom.
Technical and organizational measures shall always be monitored and updated according to the technical progress and development in order to maintain or increase the data protection standards.
The Processor shall not rectify or erase data or restrict the processing of data covered by this agreement unless instructed to do so by the Controller. Should a data subject contact the Processor concerning a data processing activity under this agreement, the Processor shall forward such inquiry directly to the Controller.
The Processor shall comply with the provisions of this DPA and with all applicable statutory requirements, in particular those resulting from art. 28-33 GDPR. In particular, the Processor guarantees that
The Processor has subcontracted part of its services to third parties that, as far as required by statutory law, have been subjected to the same obligations and guarantees provided by this DPA and by applicable data protection law. The Controller may request the list of the current sub-processors employed by the Processor. Any change in such list shall be notified to the Controller without undue delay, giving the Controller the option to object. In case of objection, the Processor retains the right to terminate the Contract with the Controller without notice.
If there is a compelling reason, the Controller may request that an inspection or audit of the data processing activities performed by the Processor under this agreement be carried out by an independent and recognized third party. Inspections and audits shall be agreed upon in advance with the Processor and take place without impairing the Processor's regular business operations. The Processor may charge the costs of such audits or inspections to the Controller.
Compliance with the obligations pursuant to art. 32-36 GDPR may also be proven through evidence of
The Processor shall assist the Controller in complying with the obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR, including
In case the Controller should require any change in the processing of personal data set forth by the documented instructions mentioned at no. 2, the Processor shall immediately inform the Controller if it considers such changes to result in infringements of data protection provisions. The Processor may refrain from carrying out any activity that may result in any such infringement.
After the end of the provision of services, the Processor shall, at the choice of the Controller, delete or return to the Controller all the personal data collected and processed under this agreement, unless any applicable legal provision to which the Processor is subject requires storage of the personal data.
In any case, the Processor may retain all information necessary to demonstrate orderly and compliant processing activities beyond termination of the Contract, in accordance with the statutory retention periods.