The Controller and the Processor have entered into this Data Processing Agreement as follows.
The purpose of this Data Processing Agreement is to govern the processing activities that the Processor will carry out on behalf of the Controller to execute the Agreement and to establish the conditions under which the Processor may process the Personal Data relating to the Data Subjects.
The Processor undertakes to:
process the Personal Data exclusively on behalf of the Controller, only as long as necessary to execute the Agreement, and in accordance with the Data Protection Law and the instructions and conditions provided by the Controller with this Data Processing Agreement;
ensures that the persons processing the Personal Data under its authority, including its employees, interns, and consultants have committed themselves to confidentiality and have received proper instructions to process the Personal Data in accordance with the Data Protection Law and the instructions provided for by the Controller;
implement all technical and organisational measures to ensure a level of security appropriate to the risk presented by the nature, scope, context, and purposes of the processing of Personal Data;
when engaging another processor (the “Sub-processor”),
notify to the Controller any request received by Data Subjects and assist the Controller to fulfil such requests;
assist the Controller to:
upon termination of this Data Processing Agreement, at the choice of the Controller, delete or return to the Controller all Personal Data, except where retaining Personal Data is required to comply with an obligation upon the Processor, in which case it shall inform the Controller of such obligation;
upon request of the Controller, made it available all information necessary to demonstrate compliance with the instructions provided for in this Data Processing Agreement. The Processor also undertakes to allow the Controller to carry out audit activities by itself or, at its own cost, through an independent auditor to verify the compliance with the instructions set out in this Data Processing Agreement. In any case, the Controller undertakes to:
when required by the Data Protection Law, the Processor shall maintain and keep updated a record of processing activities according to the requirements set forth by the applicable Data Protection Law;
when necessary under the applicable Data Protection Law, the Processor shall appoint a Data Protection Officer and communicate its contacts to the Controller.
This Data Processing Agreement has the same duration of the Agreement signed between the Controller and the Processor and will cease should the Agreement expire or be terminated for any reason.
The Processor undertakes to indemnify and hold harmless the Controller for any damage or sanction resulting to the Controller for its failure to comply with this Data Processing Agreement or with the applicable Data Protection Law and from any damage, expense, cost or charge arising out of a violation of the data protection obligations imposed to any Sub-processor.
In the event of any change to the applicable Data Protection Law that may affect the responsibilities and obligations imposed under this Data Processing Agreement, the Controller and the Processor undertake to discuss and negotiate in good faith any possible amendment necessary to comply with the amended Data Protection Law.
Whenever a provision of this Data Processing Agreement be or becomes invalid or not applicable, such provision will be considered autonomously in respect thereto and, if possible, it will be replaced by a lawful provision which truthfully reflects the intention of the parties pursuant to this Data Processing Agreement and, if applicable, does not affect the validity and/or applicability of any further provisions thereof.
In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Agreement on data protection, the provisions of this Data Processing Agreement shall prevail.
This Data Processing Agreement is regulated by the United Kingdom Law.
Any disputes arising from or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of London.