1. Generalities
This document (hereinafter for brevity "GDPR Conditions") is an integral part of the Contract concluded between Openwork and the Customer in the manner prescribed in Article 4 of the General Terms and Conditions for the provision of Jamio openwork services (hereinafter for brevity Conditions, published at https://www.jamio.com/en/general-conditions-for-the-provision-of-services/).
2. Definitions
List of Definitions
DataSubject: The identified or identifiable natural person to whom the data relate.
Other Data Processor: Also referred to as Sub-Processor. The entity (the natural or legal person, public authority, service or other body) to which the Processor makes use of to perform specific Processing activities on behalf of the latter. Recourse to Other Data Processor must be authorized in advance in writing by the Data Controller.
Data Processor: The natural or legal person, public authoritỳ, service or other body other than the DataSubject, the Data Controller, the Data Processor and the persons authorized to Process under the direct authoritỳ of the Data Controller or the Data Processor, referred to in the GDPR as a "third party".
See Article 2 of the Conditions for all other definitions.
3. Subject and purpose of the document
The purpose of the GDPR Conditions is to detail the obligations undertaken by the Parties to make the provisions of the GDPR effective.
4. Roles
4.1. Customer Personal Data. The Personal Data processed through the use of the Services is also Data.
4.2 Appointment as Data Processor. The Parties agree that Customer is the Data Controller and that Openwork is the Data Processor except in cases where Customer itself acts as a Processor, i.e., is not responsible for the purpose and manner of the Processing; in this case, the Parties agree that Openwork will act as the Other Processor. In all cases where the GDPR applies and Customer is a Processor, Customer warrants to Openwork that its instructions, including the appointment of Openwork as a Processor or Other Processor, have been authorized by the Data Controller.
4.3. Other Data Processors. Customer acknowledges and agrees that, for the provision of the Services, Openwork uses the following providers: Microsoft Ireland Operations Ltd from which it acquires Azure Infrastructure, Artificial Intelligence and Machine Learning Services (for terms of supply and specific rules related to GDPR please refer to the document Terms of Use for Online Services at the link https://azure.microsoft.com/it-it/support/legal/); Aruba SpA, from which it acquires Infrastructure Cloud Services (for terms of supply and specific rules related to GDPR please refer to the document General Terms of Supply for Aruba Cloud Services at the link https://www.cloud.it/doc,uments/tc-files/1_condizionifornituraserviziarubacloud.aspx); of the supplier Openwork Lab s.r.l, a wholly owned subsidiary of Openwork, from which it acquires professional services for the maintenance of the Services delivery infrastructure, installation and set-up services for the Services, and maintenance services deli Services.Openwork has appointed such suppliers Other data processors and the Client authorizes Openwork to use them. Openwork undertakes to inform Customer of any changes regarding the addition or replacement of Other Data Processors, thereby giving Customer the opportunity to object to such changes where there is an objective and documentable lack of sufficient requirements and/or guarantees of theOther Data Processor regarding the protection and security of personal data (Article 28.2 of the GDPR). If Customer objects to the changes, the Services may no longer be provided and Customer may terminate the Contract in accordance with the Terms.
5. Processing of personal data
5.1. Characteristics. The parties acknowledge and agree to the following. a) The object of the Processing is limited to the Personal Data strictly necessary for the performance of the Services under the Contract. b) The duration of the Processing shall coincide with the duration of the Customer's right to use the Services, the Processing shall also last until all Personal Data has been deleted or returned in accordance with the Customer's instructions or the provisions contained in the Conditions. c) The nature and purpose of the Processing shall be to provide the Services under the Contract. d) The categories of data subjects are End Users.
5.2. Instructions. The Customer agrees that the Agreement together with the technical specifications of the Services and together with the configuration and use by the Customer of the functionality of the Services constitute the complete and final set of documented instructions provided to Openwork for Processing. The Customer considers such instructions to be adequate in relation to the requirements of Article 32 of the GDPR. The Customer acknowledges that the nature of the Services allows him/her to independently configure the same to process Personal Data whose nature, purpose and duration is not independently knowable by Openwork. In the event that the Customer manifests particular needs which require a different treatment to that described in the above-mentioned documentation, he/she must manifest such needs to Openwork and describe the measures which he/she requires to be implemented, which will be quoted with a specific commercial offer.
5.3. Storage of Personal Data. Personal Data, like all Data managed by the Services, is stored at the Aruba datacenter located in Arezzo, Italy and/or the Microsoft datacenter located in Dublin, Ireland.
6. Specific obligations of the GDPR
6.1. Obligations of the Data Controller
The Client warrants, with reference to third party data processed by him/her in the process of requesting activation and/or use of the Services, that he/she has previously provided them with the information referred to in the GDPR and that he/she has acquired from them the consent to the processing and holds Openwork harmless from any dispute, claim or other that may come from third parties in reference to such processing.
6.2. Obligations of the Data Processor
Openwork undertakes to (a) process Personal Data only for the provision of the Services covered by the Contract and on the documented instruction of the Customer; (b) ensure that persons authorized to process Personal Data have committed to confidentiality or have an appropriate legal obligation of confidentiality; (c) take all measures required under Article 32 of the GDPR; (d) comply with the conditions set forth in Art. 28 of the GDPR; (e) taking into account the nature of the Processing, assist the Client with appropriate technical and organizational measures, to the extent possible, in order to meet the Client 's obligation to comply with requests for the exercise of theData Subject 's rights under Chapter III of the GDPR; (f) assist the Client in ensuring compliance with the obligations under Articles. 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to Openwork; (g) at the option of the Data Controller, delete or return all Personal Data after the provision of services related to the Processing is terminated and delete existing copies, unless otherwise required by law; (h) make available to the Client all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR and allow and contribute to the audit activities, including inspections, carried out by the Client. The costs of such audits will be borne by the Client i) Openwork shall inform the Client immediately if, in its opinion, an instruction violates the GDPR or other legal provisions relating to the protection of personal data. (Art. 28.3 of the GDPR).
6.3. Obligations of Other Data Processors
When Openwork employs an Other Data Processor to perform specific Processing activities on behalf of the Client, the same data protection obligations contained in these GDPR Conditions shall be imposed on such Other Data Processor by contract or other legal act under Union or Member State law, providing in particular sufficient safeguards to put in place appropriate technical and organizational measures so that the processing meets the requirements of the GDPR. In the event that theOther Data Processor fails to fulfill its data protection obligations, Openwork will retain towards the Client the full responsibility for the fulfillment of theOther Data Processor 's obligations (Art. 28.4 GDPR).
6.4. Data Processors
The Client and Openwork shall ensure that anyone acting under their authority and having access to Personal Data shall not process such data unless instructed to do so by the Client, unless required to do so by applicable legislative provisions (Article 32.4 of the GDPR). In particular, in the event that Openwork makes use of the collaboration of Data Processors, Openwork shall provide for their specific assignment to the Processing by giving them the necessary instructions and making them aware of the agreed modalities̀ and those prescribed by the GDPR.
6.5. Information
Openwork will notify the Client without undue delay after becoming aware of the Personal Data breach (Article 33.2 of the GDPR). Such notice will include information to be provided by the Processor to the Data Controller pursuant to Article 33.3 of the GDPR to the extent that such information is reasonably available to Openwork.
6.6. Assistance to Data Subjects' Requests
Openwork will make available to Customer, in accordance with the functionality of the Services and its role as a Data Processor, the Personal Data of its Data Subjects and the ability to comply with their requests regarding the exercise of their rights under the GDPR. Openwork will comply with Customer 's reasonable requests for assistance in meeting such need of Data Subjects. If Openwork directly receives a request from the Customer 's DataSubject to exercise one or more of its rights under the GDPR in relation to the Services of which it is a Data Controller or Other Data Processor, Openwork will suggest that theData Subject submit the request directly to the Customer. The Customer will be required to respond to such requests, where necessary, using the functionality of the Services. Openwork will comply with the Client 's reasonable requests for assistance in meeting such Data Subjects' need.
6.7 Records of Processing Activities
Openwork in accordance with Article 30.2 of the GDPR shall keep one or more records on the Processing activities performed under its responsibility and to the extent applicable to the Processing of Personal Data on behalf of the Client shall make them available upon request to the Client.
Rev 1.5 dated 06/21/2021
jamio.com
