Aesys Cloud Services

INFORMATION FOR THE PROCESSING OF CUSTOMER DATA - CLOUD AESYS USERS

Last update: April 2021

APPOINTMENT of AESYS as EXTERNAL DATA PROCESSOR

In the context of the provision of the cloud service described in the contract, the Customer (hereinafter also "the Data Controller") appoints AESYS SPA as Data Processor pursuant to Article 28, EU Reg. 2016/679 of 27 April 2016, "on the protection of individuals with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation - GDPR)".

The Data Controller has assessed that AESYS S.P.A. in terms of structure, organisation of means and men, knowledge, skills and know-how available possesses the requirements of reliability, capacity and experience such as to provide the appropriate guarantee of full compliance with the provisions in force regarding processing, including the security profile.

The Processing is entrusted exclusively for the purposes of the Data Controller, in order to allow the execution of the activities entrusted to AESYS S.P.A.

AESYS S.P.A. carries out the processing of personal data belonging to the Customer exclusively as an implicit and indirect consequence of the activities and purposes strictly inherent to the execution of the activities entrusted to AESYS S.P.A. referred to in the Subject of this contract.

Aesys will only process the following personal data:

Authentication credentials of the users for technical purposes of the functioning of the service
Any geolocation information of subjects indirectly identifiable through database correlation processed solely for technical reasons and at the request of the Data Controller.

In the performance of the assignment, the External Data Processor shall comply with the applicable provisions of the relevant legislation and, specifically, the processing shall be carried out in compliance with the provisions of the European Privacy Regulation (GDPR) 679/2016 and of the specific provisions that shall be issued by the Data Controller. The processing is entrusted exclusively for the purposes of the Data Controller, namely to enable the performance of the activities of the service provider listed above.

Both the Data Controller and the Data Processor, are required to implement technical and organisational measures taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons as set out in Articles 32 -33 and 35-36 of the GDPR. They must comply with specific requirements set out in the GDPR to reduce the risks of processing and ensure the continued confidentiality, integrity, availability and resilience of the systems and services that process personal data; ensure the ability to promptly restore data availability and access in the event of a physical or technical incident; a procedure to regularly test, verify and evaluate the effectiveness of technical and organisational measures to ensure the security of processing. In particular, the security measures applied by Aesys S.p.A and described in Attachment B are considered appropriate by the Data Controller.

OBLIGATIONS OF THE MANAGER

The Data Processor also has other specific obligations:

• the personal data of which the Data Processor will have knowledge are the property of the Data Controller and therefore the Data Processor may keep copies of them only for the performance of the tasks entrusted and only for the time strictly necessary to carry out the permitted operations. The Data Processor also guarantees the deletion of temporary files or backup files.

• the Data Processor is under a specific obligation to comply with the prohibition of unauthorised communication and dissemination of personal data for any reason whatsoever, as well as the prohibition of independent use for purposes (e.g., commercial use) other than those specified herein unless specifically authorised by the Data Controller. Furthermore, personal data shall be processed by personnel duly informed and authorised by the Data Processor.

• The Data Processor shall prepare and keep constantly updated, in electronic or paper format, a register of all processing operations carried out for the purposes of the performance of the Contract, containing in particular:

their own contact details and those of the Data Controller;
the categories of processing operations carried out on behalf of the Data Controller;
the details of any transfers of the shared data outside the European Economic Area, indicating the third country or organisation to which the data are transmitted and, if the transfer is not based on an adequacy decision of the EU Commission or other guarantee mechanisms, such as standard contractual clauses or Binding Corporate Rules, and none of the exemptions provided for by the applicable legislation is applicable, the measures implemented to protect the data;
a general description of the technical and organisational security measures taken in accordance with this Agreement and, more generally, with the applicable legislation.

• the Data Processor shall assess the appropriate level of security, taking particular account of the risks presented by the processing, resulting in particular from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

• the Data Processor declares that it has and adopts the minimum-security measures dictated by Articles 32-33 of GDPR 679/2016, and appropriate organisational and technical measures suitable to prevent unauthorised access and non-compliant processing of data as described in Attachment B. The Data Processor also declares that it adopts an Information Security Management System compliant with ISO 27001, ISO 27017 and 27018.

• the Data Processor shall ensure compliance with the provisions of the general provision - 27 November 2008 "Measures and arrangements applying to the data controllers of processing operations performed with the help of electronic tools in view of assigning System Administrator tasks" (Official Journal no. 300 of 24/12/2008) and subsequent amendments, issued by the Italian Data Protection Authority.

• the Data Processor shall adopt the technical and organisational measures of the aforementioned provision, with reference to the storage in its organisation of the identification details of the persons appointed and authorised as system administrators, the appointments of the same as system administrators in accordance with the provisions of the aforementioned provision and the diligent application thereof;

• the Data Processor, in accordance with the provision on System Administrators, shall inform the Data Controller of the names of the persons appointed as system administrators within its structure who shall act as system administrators at the Data Controller's structure for the activities limited to the appointment as Data Processor, the filing of logs in accordance with the provision of 27 November 2008 in terms of system administrators shall be the responsibility of the Data Controller.

• Within the organisation of the Data Processor, data may only be processed by persons who shall use them for the performance of the services entrusted by the Data Controller.

• the Data Processor shall, therefore, provide the above-mentioned data processors with all necessary instructions (also in writing) on the correct use of all system and IT equipment involved in personal data processing operations and keep the list of data processors updated.

• the employees and/or collaborators who will be authorised to carry out the services will ensure reliability and trustworthiness and will be duly trained and informed on the methods of processing, on the risks affecting the data and on the profiles of the current legislation.

• the Data Processor must comply with the provisions of Article 28 of EU Regulation 679/2016 paragraphs 2,3,4, unless otherwise prescribed in writing by the Data Controller. In particular, with reference to the provisions of paragraph 3 letters a, b, c, d, e, f, g, h.

• it shall be the responsibility of the Data Processor to ensure that the instructions given to his/her data processors are complied with.

• the Data Processor shall ensure that the processing of personal data is carried out within the EU and, should he/she need to transfer the data outside the EU, he/she is obliged to request formal prior authorisation from the Data Controller.

• if the Data Processor uses or wishes to use another Data Processor, he/she must notify the Data Controller in writing, specifying the purposes, methods, nature and location of the processing, in accordance with the provisions of Article 28 paragraph of the GDPR, and shall retain full responsibility towards the Data Controller for fulfilling the obligations of the other Data Processor

• if the other Data Processor fails to fulfil his/her data protection obligations, the initial Data Processor retains full responsibility towards the Data Controller for the fulfilment of the other Data Processor's obligations.

• The Data Processor shall assist the Data Controller with appropriate technical and organisational measures, insofar as this is possible, in order to comply with the Data Controller's obligation to follow up on requests to exercise the data subject's rights, with particular reference to requests for portability, restriction of processing and erasure of data (right to be forgotten).He/she shall also inform the Data Controller, upon receipt, of any requests for information or communications from the data subjects, from the Italian Data Protection Authority or any other Authority, from Public Administrations and third parties, collaborating, as far as it is competent, with the Data Controller in the preparation of feedback.

• The Data Processor shall inform the Data Controller without undue delay of a personal data breach, and, in any event, of any event which, in his/her opinion, may compromise the security of the data processed. The Data Processor keeps a register of all personal data breaches that contains information on: the data subject of the breach, the persons to whom it was disclosed and the date of the breach.

• Within this overall framework, it shall be the duty of the Data Processor, to the extent of his/her competence and within his/her objective possibilities, to ensure that personal data undergoing processing are processed lawfully and fairly, and are:

collected and recorded for specified, explicit and legitimate purposes, and used in other processing operations in ways compatible with those purposes. In this respect, the use of personal data and identification data must be kept to a minimum, so as to rule out their processing if the purposes pursued in individual cases may be achieved by means of anonymous data, or by adopting methods whereby the data subjects can be identified only when necessary;
accurate and, where necessary, kept up to date;
relevant, complete and not excessive in relation to the purposes for which they are collected and subsequently processed;
kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they were collected and subsequently processed.

TERMINATION OF PROCESSING

In the event that the termination of processing operations by the Data Processor constitutes a termination of the processing, the Data Processor shall notify the Data Controller in writing well in advance for the adoption of the appropriate legal measures. Upon termination, for any reason whatsoever, of the Processing operations by the Data Processor, the latter shall, within the timeframe agreed with the Data Controller, arrange for the complete destruction of the data relating to privacy, except for the administrative documentation, the keeping of which is managed in compliance with the storage obligations established by law.

VERIFICATIONS BY THE DATA CONTROLLER

The Data Processor interacts with the persons authorised by the Data Controller to carry out checks, controls, audits, inspections, on the compliance with the provisions adopted and indicated in this appointment and relating to the legislation on the protection of personal data, guaranteeing these persons, subject to 15 days' notice, access for control purposes to premises, machinery and equipment used directly and indirectly in the processing of personal data. The Data Controller shall not hold AESYS S.P.A. liable for any liability connected with the processing of personal data and for processing operations for which it is not expressly appointed as Data Processor. For all matters not expressly specified in this document, the Data Controller and the Data Processor shall generally comply with the provisions of the current legislation on personal data, EU Regulation 679/2016.