1. Generalities
This document (hereinafter for brevity "GDPR Conditions") is an integral part of the Contract concluded between Openwork and the Customer in the manner prescribed in Article 4 of the General Terms and Conditions for the provision of Jamio openwork services (hereinafter for brevity Conditions, published at https://www.jamio.com/en/general-conditions-for-the-provision-of-services/).
2. Definitions
Where mentioned, the terms below shall, for the purposes of the Contract, have the meanings set out in the Jamio openwork Glossary.
3. Subject and purpose of the document
The purpose of the GDPR Conditions is to detail the obligations assumed by the Parties to give effect to the provisions of the GDPR.
4. Roles
4.1. Customer’s Personal Data. The Personal Data processed through the use of the Services are also meant as Data
4.2. Appointment as Data Processor. . The Parties agree that the Customer is the Data Controller and that Openwork is the Data Processor except where the Customer itself acts as the Data Processor, i.e. is not responsible for the purpose and manner of the Processing; in which case the Parties agree that Openwork acts as the Other Data Controller. In all cases where the GDPR applies and the Customer is a Data Processor, the Customer warrants to Openwork that its instructions, including the appointment of Openwork as a Data Processor or Other Data Controller, have been authorized by the specific Data Controller.
4.3. Other Data Processors. The Customer acknowledges and agrees that, for the provision of the Services, Openwork makes use of the suppliers listed below:
- • Microsoft Ireland Operations Ltd, from which it acquires Azure Infrastructure, Artificial Intelligence and Machine Learning Services (for terms of supply and specific GDPR-related regulations, please refer to the document Terms of Use for Online Services at https://azure.microsoft.com/it-it/support/legal/);
- • Aruba SpA, from which it acquires infrastructural cloud services (for the conditions of supply and specific regulations relating to the GDPR please refer to the document General Conditions of Supply of Aruba Cloud Services at the link https://www.cloud.it/doc,uments/tc-files/1_condizionifornituraserviziarubacloud.aspx);
- • Openwork Lab s.r.l., a wholly-owned subsidiary of Openwork and from which it acquires professional services for the maintenance of the infrastructure for the provision of the Services, installation and set-up services for the Services, and maintenance services for the Services.
Openwork has appointed such Other Data Processors and the Customer authorises Openwork to use them. Openwork undertakes to inform the Customer of any changes regarding the addition or replacement of Other Data Processors, thus giving the Customer the opportunity to object to such changes in the event of an objective and documented lack of sufficient requirements and/or guarantees of the Other Data Processor regarding the protection and security of personal data (Article 28.2 of the GDPR). If the Customer objects to the changes, the Services may no longer be provided and the Customer may terminate the Contract in accordance with the Terms.
5. Processing of personal data
5.1. Characteristics. The parties acknowledge and agree to the following. a) The object of the Processing is limited to the Personal Data strictly necessary for the performance of the Services under the Contract. b) The duration of the Processing shall coincide with the duration of the Customer's right to use the Services, the Processing shall also last until all Personal Data has been deleted or returned in accordance with the Customer's instructions or the provisions contained in the Conditions. c) The nature and purpose of the Processing shall be to provide the Services under the Contract. d) The categories of data subjects are End Users.
5.2. Instructions. The Customer agrees that the Agreement together with the technical specifications of the Services and together with the configuration and use by the Customer of the functionality of the Services constitute the complete and final set of documented instructions provided to Openwork for Processing. The Customer considers such instructions to be adequate in relation to the requirements of Article 32 of the GDPR. The Customer acknowledges that the nature of the Services allows him/her to independently configure the same to process Personal Data whose nature, purpose and duration is not independently knowable by Openwork. In the event that the Customer manifests particular needs which require a different treatment to that described in the above-mentioned documentation, he/she must manifest such needs to Openwork and describe the measures which he/she requires to be implemented, which will be quoted with a specific commercial offer.
5.3. Storage of Personal Data. Personal Data, like all Data managed by the Services, is stored at the Aruba datacenter located in Arezzo, Italy and/or the Microsoft datacenter located in Dublin, Ireland.
6. Specific obligations of the GDPR
6.1. Data Controller’s Obligations. The Customer guarantees, with reference to the data of third parties which he/she processes during the activation request and/or use of the Services, that he/she has previously provided them with the information referred to in the GDPR and that he/she has acquired from them the consent to the processing and indemnifies Openwork from any dispute, claim or other that may arise from third parties with reference to such processing.
6.2. Data Processor’s Obligations. Openwork undertakes (a) to process Personal Data only for the provision of the Services covered by the Contract and on the documented instruction of the Customer; (b) to ensure that persons authorised to process Personal Data have committed to confidentiality or have an appropriate legal obligation of confidentiality; (c) to take all measures required under Article 32 of the GDPR; (d) to comply with the conditions set out in Art. 28 of the GDPR; (e) taking into account the nature of the Processing, assist the Customer with appropriate technical and organisational measures, to the extent possible, in order to fulfil the Customer's obligation to comply with requests for the exercise of the Data Subject's rights under Chapter III of the GDPR; (f) assist the Customer in ensuring compliance with the obligations under Articles. 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to Openwork; (g) at the option of the Data Controller, delete or return all Personal Data after the provision of services relating to the Processing has ended and delete existing copies, unless otherwise provided for by law; (h) make available to the Customer all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR and allow and contribute to the audit activities, including inspections, carried out by the Customer. The costs of such audits shall be borne by the Customer i) Openwork shall inform the Customer immediately if, in its opinion, an instruction violates the GDPR or other legislation relating to the protection of personal data. (Art. 28.3 of the GDPR).
6.3. Data Processors’ Obligations. Where Openwork employs an Other Data Processor to perform specific Processing Activities on behalf of the Customer, the same data protection obligations contained in these GDPR Conditions shall be imposed on such Other Data Processor by contract or other legal act under Union or Member State law, providing in particular sufficient safeguards to put in place appropriate technical and organisational measures so that the processing meets the requirements of the GDPR. Should the Other Data Processor fail to fulfil its data protection obligations, Openwork shall retain towards the Customer the full responsibility for the fulfilment of the Other Data Processor's obligations (Article 28.4 GDPR).
6.4. Persons in charge of processing. The Customer and Openwork shall ensure that anyone acting under their authority and having access to Personal Data shall not process such data unless instructed to do so by the Customer, unless required to do so by current legislative provisions (Art. 32.4 of the GDPR). In particular, in the event that Openwork makes use of the collaboration of Data Processors, Openwork shall provide for their specific assignment to the Processing, giving them the necessary instructions and making them aware of the agreed methods and those prescribed by the GDPR.
6.5. Informations. Openwork will inform the Customer without undue delay after becoming aware of the Personal Data breach (Article 33.2 of the GDPR). Such notice will include the information to be provided by the Processor to the Data Controller pursuant to Article 33.3 of the GDPR to the extent such information is reasonably available to Openwork.
6.6. Assistance with requests from Data Subjects. Openwork will make available to the Customer, in accordance with the functionality of the Services and its role as a Data Processor, the Personal Data of its Data Subjects and the ability to comply with their requests regarding the exercise of their rights under the GDPR. Openwork will comply with the Customer's reasonable requests for assistance in meeting such need of Data Subjects. In the event that Openwork directly receives a request from the Customer's Data Subject to exercise one or more of its rights under the GDPR in relation to the Services of which it is a Data Controller or Other Data Processor, Openwork will suggest that the Data Subject submit the request directly to the Customer. The Customer will be required to respond to such requests, where necessary, using the functionality of the Services. Openwork will comply with the Customer's reasonable requests for assistance in meeting such a Data Subject's need.
6.7. Records of Processing Activities. Openwork in accordance with Article 30.2 of the GDPR shall keep one or more registers of the Processing activities carried out under its responsibility and to the extent applicable to the Processing of Personal Data on behalf of the Customer shall make them available upon request to the Customer.
Rev 1.7 dated 23/05/2023
jamio.com
