1. General information
This document (hereinafter for brevity “GDPR Conditions”) is an integral part of the Contract finalized between Openwork and the Customer in accordance with the procedures set out in Article 4 of the General Conditions for the provision of Jamio openwork services (hereinafter for brevity Conditions” , published at http://www.jamio.com/condizioni-generali-fornitura-servizi ).
2. Definitions
List of definitions
: Data Subject: The identified or identifiable natural person to whom the data refers.
Another data controller: Also called a sub-processor. The entity (the natural or legal person, public authority, agency or other body) used by the Data Controller to carry out specific processing on its behalf. The use of another data processor must be previously authorized in writing by the Data Controller .
Processor: The natural or legal person, public authority, agency or other body other than the Data Subject , the Data Controller , the Data Processor and the persons authorized to process data under the direct authority of the Data Controller or the Data Processor , referred to in the GDPR as a “third party”.
For all other definitions, please refer to Article 2 of the Conditions.
3. Object and purpose of the document
The purpose of the GDPR Terms is to detail the obligations assumed by the Parties to implement the provisions of the GDPR.
4. Roles
4.1. Customer Personal Data . The Personal Data processed through the use of the Services are also Data .
4.2 Appointment of Data Processor. The Parties agree that the Customer is the Data Controller and that Openwork is the Data Processor, except where the Customer itself acts as a Data Processor , i.e. is not responsible for the purpose and methods of the Processing ; in this case, the Parties agree that Openwork acts as an Other Data Processor . In all cases where the GDPR and the Customer is a Data Processor , the Customer guarantees to Openwork that its instructions, including the appointment of Openwork as a Data Processor or Other Data Processor , have been authorised by the Data Controller.
4.3. Other Data Processors. The Customer acknowledges and agrees that, for the provision of the Services , Openwork uses the suppliers listed below: Microsoft Ireland Operations Ltd from which it acquires Azure infrastructure, Artificial Intelligence and Machine Learning Services (for the supply conditions and specific rules relating to the GDPR, refer to the document Conditions for the use of online services at the link https://azure.microsoft.com/it-it/support/legal/ ); Aruba SpA, from which it acquires cloud infrastructure services (for the supply conditions and specific rules relating to the GDPR, refer to the document General Conditions of Supply of Aruba Cloud Services at the link https://www.cloud.it/doc,uments/tc-files/1_condizionifornituraserviziarubacloud.aspx ); the supplier Openwork Lab srl , a company 100% controlled by Openwork , from which it acquires professional services for the maintenance of the infrastructure for the provision of the Services , installation and set-up services of the Services , maintenance services of the Services . Openwork has appointed these providers as Data Processors , and the Customer authorizes Openwork to use them. Openwork undertakes to inform the Customer of any changes regarding the addition or replacement of Data Processors , thereby giving the Customer the opportunity to object to such changes in the event of an objective and demonstrable lack of sufficient requirements and/or guarantees from the Data Processors regarding the protection and security of personal data (Article 28.2 of the GDPR ). If the Customer objects to the changes, the Services can no longer be provided and the Customer may withdraw from the Contract in accordance with the provisions of the Conditions .
5. Processing of personal data
5.1 Characteristics. The parties acknowledge and accept the following: a) The scope of the Processing is limited to the Personal Data strictly necessary for the performance of the Services covered by the Contract . b) The duration of the Processing will coincide with that of the Customer to use the Services , and the Processing will continue until all Personal Data Customer 's instructions or the provisions contained in the Conditions . c) The nature and purpose of the Processing will consist in providing the Services pursuant to the Contract . d) The categories of data subjects are End Users .
5.2 Instructions. The Customer agrees that the Agreement , together with the technical specifications of the Services and the configuration and use of the Services , constitute the complete and final set of documented instructions provided to Openwork for the Processing . The Customer deems these instructions adequate in relation to the provisions of Article 32 of the GDPR . The Customer acknowledges that the nature of the Services allows it to independently configure them to process Personal Data whose nature, purpose, and duration cannot be independently determined by Openwork . If the Customer has specific needs that require processing other than that described in the documentation referred to above, it must express these needs to Openwork and describe the measures it requests be implemented, which will be quoted in a specific commercial offer.
5.3 Storage of Personal Data. Personal Data , like all Data managed by the Services , is stored at the Aruba data center located in Arezzo, Italy and/or the Microsoft data center located in Dublin, Ireland.
6. Specific GDPR obligations
6.1. Obligations of the Data Controller
The Customer guarantees, with reference to the data of third parties processed by him/her during the activation request and/or use of the Services , that he/she has previously provided them with the information referred to in the GDPR and that he/she has acquired their consent to the processing and indemnifies Openwork from any dispute, claim or other that may arise from third parties in reference to such processing.
6.2. Obligations of the Data Processor
Openwork undertakes to: (a) process Personal Data only for the provision of the Services covered by the Contract and upon documented instructions from the Customer; (b) ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate legal obligation of confidentiality; (c) adopt all measures required pursuant to Article 32 of the GDPR ; (d) comply with the conditions set out in Article 28 of the GDPR; (e) taking into account the nature of the Processing , assist the Customer with appropriate technical and organisational measures, to the extent possible, in order to fulfil the Customer to respond to requests for the exercise of the rights of the Data Subject under Chapter III of the GDPR ; (f) assist the Customer in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR , taking into account the nature of the Processing and the information available to Openwork ; (g) at the Data Controller , delete or return all Personal Data after the provision of the services related to the Processing and delete existing copies, unless otherwise provided by law; (h) make available to the Customer all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR and enable and contribute to audit activities, including inspections, carried out by the Customer . The costs of such audits will be borne by the Customer i) Openwork shall immediately inform the Customer if, in its opinion, an instruction violates the GDPR or other legislative provisions relating to the protection of personal data. (Article 28.3 of the GDPR ).
6.3. Obligations of Other Processors
When Openwork uses another processor to perform specific Processing on behalf of the Customer , such other processor shall be subject, by contract or other legal act under Union or Member State law, to the same personal data protection obligations as those contained in these GDPR Terms , in particular by providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR . If the other processor fails to fulfill its personal data protection obligations, Openwork will remain fully liable to the Customer other processor 's obligations (Article 28.4 of the GDPR ).
6.4. Data Processors
The Customer and Openwork shall ensure that anyone acting under their authority and having access to Personal Data does not process such data unless instructed to do so by the Customer , unless required by applicable legislation (Article 32.4 of the GDPR ). In particular, if Openwork avails itself of the collaboration of Data Processors , Openwork shall ensure their specific assignment to the Processing , providing them with the necessary instructions and making them aware of the agreed methods and those prescribed by the GDPR .
6.5. Information
Openwork will inform the Customer without undue delay after becoming aware of a Personal Data (Article 33.2 of the GDPR ). This notification will include the information that the Data Processor is required to provide to the Data Controller pursuant to Article 33.3 of the GDPR , to the extent that such information is reasonably available to Openwork .
6.6. Assistance with Data Subject Requests
Openwork will make available to the Customer , in accordance with the functionality of the Services and its role as Data Processor , the Personal Data of its Data Subjects and the ability to fulfill their requests regarding the exercise of their rights under the GDPR . Openwork will comply with the Customer in meeting such Data Subject . If Openwork receives a request directly from the Customer 's Data Subject to exercise one or more of their rights under the GDPR in relation to the Services for which it is a Data Processor or Another Controller , Openwork will suggest that the Data Subject submit the request directly to the Customer . The Customer will be required to respond to such requests, where necessary, using the functionality of the Services . Openwork Customer 's reasonable requests for assistance in meeting such Data Subject .
6.7. Records of Processing Activities.
Openwork, in accordance with Article 30.2 of the GDPR, Processing activities carried out under its responsibility and, to the extent applicable to the Processing of Personal Data on behalf of the Client , must make them available upon request to the Client.
Rev 1.5 dated 06.21.2021
jamio.com
