PRIVACY
Agreement for Processing of Personal Data
Farmigea, represented by its legal representative pro tempore (Data Controller, hereinafter referred to as the “Controller“) and Distributor, as identified in the LICENSE AND SUPPLY AGREEMENT signed by the Parties (Data Processor, hereinafter referred to as the “Provider” or “Processor“).
The Controller and the Provider are hereinafter individually referred to as “Party” and collectively as the “Parties“.
Background
• This Agreement aims to define the obligations of the Parties concerning the protection of personal data, in accordance with Article 28 of EU Regulation 2016/679 (hereinafter also referred to as “GDPR”).
• For the purposes of this Agreement, “Relevant Regulations” refers to the GDPR and any legislative and/or regulatory provisions adopted by national public authorities regarding the processing of personal data (including provisions issued by supervisory authorities), applicable during the validity period of this Agreement. It also serves as a reference for definitions such as “data processing” and “personal data”.
• For all matters not explicitly governed by this Agreement, reference shall be made to the License and Supply Agreement and the Relevant Regulations.
1. Subject of the Agreement and Compensation
1.1. The preamble and annexes are an integral and substantive part of the Agreement.
1.2. With this Agreement, pursuant to Article 28 of the GDPR, the Controller appoints the Provider as the Data Processor. The Provider accepts the appointment and undertakes to comply with the provisions of the Relevant Regulations and to fulfill all clauses of this Agreement, including its annexes.
1.3. The Parties acknowledge and confirm that the compensation for the services provided by the Provider as Data Processor is included in the compensation stipulated in the License and Supply Agreement and follows its terms.
2. Rights and Obligations of the Controller
2.1. The Controller determines the purposes and means of processing personal data collected or processed by the Provider in the execution of the License and Supply Agreement.
2.2. The Controller has the right to verify at any time that the Provider complies with the given instructions and adheres to the Relevant Regulations.
2.3. The Controller is required to inform the Provider of any changes in the purposes and means of processing personal data.
3. Obligations of the Provider
3.1. General Obligations
3.1.1. The Supplier shall process personal data on behalf of the Controller in execution of the License and Supply Agreement and exclusively within the framework of this Agreement, unless otherwise provided by the law of the European Union or of a Member State to which the Supplier is subject. The data provided shall not be used for any other purpose and, in particular, shall not be used by the Supplier for its own purposes. The Supplier may disclose the data to third parties that provide instrumental services, if necessary to carry out the License and Supply Agreement. The Supplier is not authorized to provide the data to any other third parties, different from those indicated above, without the prior written approval of the Controller.
3.1.2. The processing of personal data shall take place exclusively within the territory of the European Union or in third countries that satisfy the transfer requirements of Chapter V of the GDPR. The Processor and the Controller agree that the processing of personal data may not take place in any other third country without the prior approval of the Controller.
3.1.3. The Data Processor shall promptly notify the Controller of any request received from the data subject or from third parties. The Processor shall not respond to the request, unless expressly authorized to do so by the Controller.
3.1.4. The Processor shall assist the Controller in fulfilling the obligations to respond to requests from data subjects for the exercise of their rights, taking into account the nature of the processing.
3.1.5. The Supplier shall provide the Controller with all necessary assistance, as requested by the latter, to ensure compliance with the obligations referred to in Articles 32 “Security of Processing”, 33 “Notification of a personal data breach to the supervisory authority”, 34 “Communication of a personal data breach to the data subject”, 35 “Data protection impact assessment”, and 36 “Prior consultation” of the GDPR.
3.1.6. The Supplier shall make available to the Controller all necessary information to demonstrate compliance with the obligations and requirements of the Relevant Legislation, and shall cooperate with the Controller in the event of any inspection or audit by Authorities or in the event of disputes with the data subject.
3.1.7. Upon termination of the License and Supply Agreement, or in any case upon termination of the data processing agreement between the Parties, the Supplier shall deliver to the Controller all data received from the Controller and any data eventually generated during the processing operations carried out on behalf of the Controller. The Supplier shall then proceed with the prompt deletion of all personal data in its possession and any copies that may exist in its archives, except in cases where European Union law or the law of the Member State where the Supplier is established requires the retention of certain data.
3.1.8. If required by the Relevant Legislation or at the explicit request of the Controller, the Supplier shall prepare, maintain, and regularly update a record of processing activities carried out on behalf of the Controller, as governed by Article 30 of the GDPR.
3.1.9. The Supplier must designate in writing the persons authorized to process personal data, ensuring that they have the necessary skills and training related to the personal data processing activities to be carried out.
3.2. Provider Obligations – Technical and Organizational Measures
3.2.1. The Supplier is required to adopt the measures provided under Article 32 of the GDPR and, in particular, taking into account the state of the art, the cost of implementation, as well as the nature, scope, context and purposes of the processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In doing so, the Supplier must give particular consideration to the risks posed by the processing, especially those arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
3.2.2. The Supplier is required to report, upon request of the Controller, on the security measures adopted pursuant to Article 32 of the GDPR.
3.3. Provider Obligations – Relations with Third Parties
3.3.1. Should data subjects, Supervisory Authorities, or any other third party (including, by way of example but not limited to, judicial and administrative authorities other than Supervisory Authorities) submit requests to the Supplier (including requests to exercise the rights granted to data subjects, such as the right of access and other rights recognized by the GDPR), the Supplier shall immediately – and in any case no later than 24 hours from receipt of such requests – inform the Controller in writing.
3.3.2. The Supplier shall ensure, in particular, to forward to the Controller a copy of the received requests, also attaching any additional information or circumstances deemed useful.
3.3.3. It is understood that the Supplier may only respond to such requests with the express written authorization of the Controller and in accordance with the directions, instructions, and guidelines provided in writing by the latter. Therefore, the Supplier shall not act independently or as a representative/agent of the Controller (unless expressly instructed to do so by the Controller).
3.3.4. The Supplier is expressly prohibited from disclosing or communicating to third parties, including in response to requests, the personal data processed on behalf of the Controller or any additional information related to the processing of personal data without obtaining prior written authorization and instructions from the Controller.
3.3.5. Should the Supplier be required – in execution of legal obligations or by requests from judicial, administrative, or public security authorities – to disclose or communicate to third parties the data processed on behalf of the Controller or the information relating to the processing, the Supplier undertakes to:
a) immediately notify the Controller in writing of such circumstance;
b) adopt any measures aimed at limiting or restricting the scope of the disclosure/communication (for example, by omitting information not expressly requested);
c) make every reasonable effort to obtain confidentiality commitments from the recipients of such communications.
3.4. Supplier Obligations – Sub-processing Relationships
3.4.1. The Controller generally authorizes the Supplier to engage another Data Processor (hereinafter also referred to as “Sub-processor”) pursuant to and for the purposes of Article 28 of the GDPR, solely for the performance of specific personal data processing activities necessary for the execution of the License and Supply Agreement.
3.4.2. The Supplier is required to provide the Controller, upon simple request, with a complete list of the Sub-processors used to carry out necessary or instrumental activities.
3.4.3. The Supplier must promptly inform the Controller of any changes concerning the addition and/or replacement of other data processors prior to implementing such changes, thereby giving the Controller the opportunity to object. In the event of an objection, the changes and the appointment of the new data processor may not be executed.
3.4.4. If the Supplier engages, under its own responsibility, a Sub-processor, the Supplier must ensure that the contract with the new Sub-processor includes sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR. It is understood that the appointment of Sub-processors shall only occur before the commencement of any processing operations by such Sub-processors and that, pursuant to Article 28(4), the same data protection obligations set forth in this Agreement and in any future instructions from the Controller must be imposed on the Sub-processors.
3.4.5. The Supplier shall in any case remain solely responsible for all obligations assumed under this Agreement. The Supplier shall therefore be liable for the proper performance of the activities assigned to the appointed Sub-processor and for any non-fulfillment or violations committed by the latter.
3.5. Supplier Obligations – Notification of Personal Data Breaches (so-called data breach)
3.5.1. In the event of a security incident (including, but not limited to, any event involving destruction, loss, alteration, disclosure, or unexpected or unauthorized access to personal data), affecting the Supplier’s own systems or those of its Sub-processors, the Supplier shall notify the Controller in writing via certified email (PEC) of such event as soon as possible from the moment it becomes aware of it, and in any case without undue delay. The notification must contain the elements prescribed by paragraph 3 of Article 33 of the GDPR.
4. Termination
4.1. In the event of a breach by the Supplier of any of the obligations set out in this Agreement, the Controller shall have the right to terminate any agreement in force between the Parties for non-performance.
5. Confidentiality
5.1. All personal data received by the Supplier from the Controller and/or collected by the Supplier in the performance of this Agreement shall be subject to an obligation of confidentiality towards third parties.
5.2. This obligation of confidentiality shall not apply where the Controller has expressly authorized the disclosure of such information to third parties, where the disclosure to third parties is reasonably necessary in light of the provisions and performance of this Agreement, or where there is a legal obligation to make the information available to third parties.
6. Duration of the Agreement
6.1. This Agreement shall enter into force on the date of signing and shall remain valid and effective until the termination or cessation (for any reason) of the License and Supply Agreement or any subsequent agreements entered into between the same Parties and having the same purpose. Should any processing activities still be ongoing upon termination of the License and Supply Agreement, the Supplier undertakes to complete them and, with regard to such processing and activities, shall remain bound by all instructions and obligations arising from this Agreement.
7. Liability and Indemnification
7.1. The Supplier shall indemnify and hold harmless the Controller from any loss, cost, expense, monetary penalty, compensatory damage, and in general from any liability directly or indirectly arising from the execution by the Supplier (and/or its appointed Sub-processors) of the provisions of this Agreement, and from the Supplier’s (and/or its appointed Sub-processors’) compliance with and implementation of the provisions of the Relevant Legislation in relation to personal data processing activities carried out on behalf of the Controller.
8. Final Provisions
8.1. Any amendment to this Agreement shall, under penalty of nullity, be made in writing and signed by the Parties.
8.2. This Agreement cancels and replaces any previous agreement or understanding between the Parties relating to the processing of personal data carried out by the Supplier on behalf of the Controller.
8.3. The Parties declare that all the clauses contained in this Agreement have been carefully and individually reviewed and reflect the mutual intention of the Parties.
8.4. If any clause of this Agreement is declared invalid, such declaration shall not affect the validity of the remaining clauses contained herein. In such a case, and to the extent possible, the invalid clause shall be replaced by another clause whose effect is as close as possible to what the Parties intended at the time of signing this Agreement.
8.5. The failure of the Controller to exercise one or more of the rights arising from this Agreement shall not constitute, nor be construed as, a waiver of such rights.
8.6. If a Party is legally required to appoint a Data Protection Officer, it must do so and provide the relevant contact details to the other Party.