The Client, as identified in detail at the end of this Agreement, as the data controller (hereinafter, “Data Controller” or “Controller”),
AND
Blastness S.r.l., with registered office in Milan, Piazza Castello n. 26 - 20121, Fiscal Code and VAT no. 01195440118, in the person of its legal representative pro tempore, in its capacity as External Data Processor (hereinafter, “Blastness”)
A. An agreement exists between the Data Controller and Blastness for the provision by Blastness in favour of the Data Controller of the services set out in greater detail in the agreement (hereinafter, the “Services”) and of which this agreement forms an integral and substantial part.
B. Within the scope of the aforementioned Services, Blastness may carry out the personal data processing activities described in detail in Annex A (“Processing Activities”).
C. The provision of the Services by Blastness involves the performance of activities that may be relevant to the protection of personal data.
D. Blastness declares that it possesses the experience, technical competences and resources that enable it to implement the Security Measures set out in https://media.blastness.info/796/documents/security-measures.pdf (“Security Measures”), as appropriate to ensure compliance with data protection legislation and the protection of data subjects;
E. The aforementioned cases are relevant cases pursuant to EU Regulation 2016/679 (hereinafter, “GDPR”) and to the legislation, including national legislation, on the protection of personal data applicable at the time (hereinafter, “Data Protection Regulation”) and, therefore, it is necessary to regulate the relationship between the parties by providing for the specific duties and instructions to the party in charge;
F. With this agreement, pursuant to article 28 GDPR and the Data Protection Regulation and in consideration of its experience, capacity and reliability, the Data Controller intends to appoint Blastness S.r.l. as data processor with reference to the Data to which it has access in the performance of the Services and to regulate the specific obligations to be borne by it (hereinafter, “Agreement”).
1. Recitals and Annexes
1.1. The Recitals and Annexes form an integral and substantial part of this Agreement.
2. Obligations of Blastness
2.1.1. carry out only those Personal Data processing activities that are strictly necessary for the provision of the Services, by using the authorised, trained and appointed personnel;
2.1.2. carry out such Personal Data processing activities in compliance with the requirements of the Data Protection Regulation, the general instructions contained in this Agreement and any instructions communicated by the Controller. Should the instructions communicated by the Controller and/or their supplement, amendment or reduction entail additional costs to be borne by Blastness, the Controller acknowledges and accepts that all costs arising, directly or indirectly, from Blastness' compliance with said instructions shall be borne exclusively by the Controller.
3. Authorization of personnel in charge of the processing activities
3.1. Blastness undertakes to identify and instruct the persons authorised and charged with the processing, giving them instructions on how to comply with the security measures adopted and allowing them access only to the Personal Data whose knowledge is strictly necessary to perform the tasks assigned to them in connection with the Services.
3.2. Blastness also undertakes to identify the system administrators, where necessary, and to appoint them in writing, complying with all the requirements provided for by the Decision adopted by the Italian Supervisory Authority on 27 November 2008.
4. Adoption of security measures
4.1. Blastness undertakes, pursuant to Article 28(3)(f) of the GDPR, to assist the Data Controller, taking into account the nature of the processing and the information available to Blastness, in ensuring compliance with the obligation set out in Article 32 of the GDPR consisting in the adoption of appropriate technical and organisational security measures to guarantee a level of security appropriate to the risk.
4.2. In particular, Blastness, limited to the perimeter of its own competence and relevance, undertakes to implement and maintain at its own expense the Security Measures set out in Annex B.
4.3. Any changes to the Security Measures set out in Annex B required due to variations and updates of the Data Protection Regulation and/or due to changes in the type and nature of the personal data being processed, must be adopted and implemented by Blastness and/or its Sub-Processors, if any, without any charge or expense to the Data Controller. In all other cases, whenever the Data Controller requests Blastness to adopt security measures that are additional and surplus to the provisions of Annex B, the Data Controller undertakes to support Blastness also financially in the operations necessary for the development, implementation and maintenance, also assuming the percentage of the costs that will be negotiated with Blastness from time to time.
5. Notification of a Personal Data Breach
5.1. Blastness shall notify the Controller of any breach of the security measures adopted for the protection of data and information that results in the destruction, loss, modification, unauthorised disclosure of or access to the Personal Data and the information transmitted, stored or otherwise processed, without undue delay and in any event not later than 48 hours after the event or the discovery of the event.
6. Support in carrying out Data Protection Impact Assessment and/or prior consultation
6.1. In the case of processing operations referred to in Article 35 of the GDPR, Blastness must support, to the extent of its competence, the Data Controller in carrying out a specific Data Protection Impact Assessment, taking into account the known or evident risks and the technical and organisational measures (including security measures) to be adopted to mitigate such risks.
6.2. Where necessary, as a result of such impact assessment, Blastness must also support the Controller in the activities of consultation of the supervisory authority pursuant to Article 36 of the GDPR.
7. Designation of Sub-processors
7.1. The Controller grants Blastness general authorisation to involve external parties, as Sub-Processors, for the performance of the processing activities related to the Services.
7.2. In such case, Blastness undertakes to inform the Controller of any addition or replacement of the Sub-Processors and to allow the Controller to object to such addition or replacement. In particular, Blastness shall:
a) select such parties from among those having the necessary technical competence and experience;
b) inform the Controller of its intention to use a Sub-Processor to perform part of the Services;
c) in the event that the Controller does not object within 2 (two) business days following the communication to the Controller under point b) above, appoint the party indicated as Sub-Processor by giving written instructions for the processing of Personal Data equivalent to those given by the Controller to Blastness.
The updated list of Sub-Processors is available at https://media.blastness.info/796/documents/sub-processors-2023--.pdf.
7.3. If any Sub-Processors are located in a country outside the European Economic Area, Blastness undertakes to carry out the transfer only after signing with the Sub-Processors the Standard Contractual Clauses adopted by the European Commission and after verifying that the party importing the Personal Data is in a legal position to ensure compliance with such Standard Contractual Clauses and is not subject to any provisions and/or practices of law which conflict with them. It is understood that, where Blastness is required by the Controller to implement cookies or other tracking systems that result in a transfer of Personal Data outside the European Economic Area, Blastness shall not be liable for any subsequent transfer of Personal Data.
8. Exercise of the rights of the data subject
8.1. Blastness undertakes to cooperate with the Data Controller in responding to the requests of exercise of rights by the data subjects within the terms and in the manner provided by the Privacy Law. In this regard, Blastness hereby ensures that it shall comply with the requests of the data subjects to exercise their rights, by amending, rectifying, erasing or limiting the Personal Data, as the case may be.
8.2. Where, however, requests to exercise rights are exercised by the data subjects directly against Blastness, Blastness shall inform the data subjects of the need to address their request directly to the Data Controller. In any event, the Data Controller shall be solely responsible for responding to the data subject's request.
9. Requests from the Supervisory Authority
9.1. Blastness undertakes to cooperate with the Controller in responding to requests from the Supervisory Authority and any other authority competent in the matter in the event of controls and assessments by the Authority.
9.2. The Parties undertake to cooperate fully and promptly with each other in order to promptly and fully respond to any requests for information and documents from the Supervisory Authority.
10. Controller's power of control and right of audit
10.1. The Controller shall periodically supervise the strict compliance with the instructions given herein to Blastness and verify the continuation of the requirements of experience, capacity and reliability which have influenced the appointment of Blastness.
10.2. Blastness shall enable the Controller to exercise the power of control: in this context, Blastness shall, upon written request of the Controller and at least 15 (fifteen) days’ notice, make available to the Controller all the information necessary to prove compliance with the obligations under this Agreement. It is specified that the verifications by the Controller shall be carried out beforehand on the documents and remotely by means of the encrypted transmission by Blastness of all the required documentation.
10.3. If, as a result of the documentary controls carried out, on-site inspection and audit activities become necessary, Blastness shall also contribute to the inspection and audit activities that the Data Controller decides to carry out, either directly or through another party commissioned by the Data Controller – whose costs shall be borne entirely by the Data Controller – it being understood that (i) the Data Controller cannot carry out such activities more frequently than once a year and in any event not before 12 (twelve) months have elapsed since the last audit activity carried out or commissioned by the Data Controller; (ii) the scope of such activities shall be agreed with Blastness at least 15 (fifteen) working days in advance; (iii) such activities shall be carried out safeguarding the normal operations of Blastness and may not exceed 3 working hours, without prejudice to the possibility of agreeing visits outside working hours; (iv) the use of the information which the Data Controller and any third party commissioned by the Data Controller may become aware of during the audit shall be regulated in advance by an appropriate confidentiality/non-disclosure agreement.
11. Termination of processing and deletion or anonymisation of Personal Data
11.1. Blastness undertakes, as of now, to terminate, in the event of revocation or termination for any reason of this Agreement, the Processing Activities.
11.2. In the event of termination of the processing, Blastness, upon instruction of the Data Controller, shall return the Personal Data to the Data Controller and/or permanently erase the same within 90 days from the request of the Data Controller or, in any case, from the revocation or termination of this Agreement. This is without prejudice to the right of Blastness to retain the Personal Data necessary for the purpose of demonstrating the Services provided and for the possible legal protection of Blastness’ rights.
11.3. The Data Controller authorises Blastness to proceed, for the entire duration of this Agreement in compliance with the retention periods of the Personal Data indicated by the Data Controller or upon termination of the same and of the processing activities in compliance with the preceding paragraphs, where technically possible, to delete the Personal Data by anonymising these Data in such a way that the information that remains is not, to the best of its knowledge, referable in any way to the data subjects.
12. Duration
12.1. This Agreement enters into force upon its signature and shall remain in force until terminated or otherwise until the termination for any reason of the Services and/or the agreement between the parties in relation to the provision of the Services and/or the Processing Activities.
13. Indemnification
13.1. Blastness shall indemnify and hold the Controller harmless from any damage, prejudice, cost, expense (including legal fees) and/or penalty arising from:
i) judicial, arbitral or administrative claims or actions by any third party;
ii) unlawful or non-diligent conduct by itself or its staff in charge.
These cases shall apply where they are the result of wilful and negligent breaches of this Agreement, of any other instructions given by the Controller regarding the processing of personal data and of the Data Protection Regulation.
13.2. The liability referred to in the above paragraph shall be expressly excluded where it is attributable, even partially, to a failure by the Controller to disclose relevant information or documents or processes and, in general, where the breach is due to circumstances for which Blastness, its staff in charge and/or Sub-Processors are not responsible. The liability of Blastness arising out of any breach in the performance of this Agreement shall be limited to an amount equal to 100% of the amount invoiced in respect of the work performed. The limitations of liability set forth herein shall be ineffective in the event of wilful misconduct or gross negligence.
13.3. The Controller undertakes to indemnify and hold Blastness harmless from any tangible or intangible damage, prejudice, costs, expenses (including legal fees), sanctions or any other charges deriving from claims or judicial, arbitral or administrative actions by third parties, including public administrations, national or international, and data subjects, as a result of the non-performance, unlawful and/or non-diligent conduct by the Data Controller and its staff in charge of the processing and/or data processors other than Blastness for breach of the obligations set forth by the Data Protection Regulation specifically addressed to the Data Controller or in this Agreement, or resulting from the implementation by Blastness of the instructions given by the Data Controller for the processing of Personal Data in relation to the provision of the Services.
14. Contacts
14.1. All communications that Blastness is required to make to the Controller under this Agreement shall be made to the contacts specified at the end of this Agreement.
15. Final provisions
15.1. This Agreement supersedes and replaces any previous agreement between the Controller and Blastness regarding the protection of Personal Data.
15.2. The Agreement does not provide for any additional compensation to Blastness over and above the compensation already agreed between the Parties with respect to the provision of the Services.
15.3. In the event of any conflict between the provisions of this Agreement and any provisions of the agreement relating to the provision of the Services, the provisions of this Agreement shall prevail.
15.4. For anything not expressly provided for herein, reference is made to the general provisions in force regarding the protection of personal data.
Last update: Milan, 1 December 2022
ANNEX A: PROCESSING ACTIVITIES

Activity | Personal Data | Data Subjects | Duration
Website Management | IP address and browsing data | Web users | 30 days (maximum cookie duration)
Booking Management | Personal and contact details; booking data; any particular (sensitive) data | Guests; possible Guests | 10 years from the booking
Collecting and managing consent to use cookies | IP address | Web users | 30 days (maximum cookie duration)
Pay-Per-Click and digital campaign management | Browsing data | Web users; Guests | 30 days (maximum cookie duration)
Newsletter | Contact details | Newsletter subscribers | Withdrawal of consent or blacklisting
Business Intelligence | Personal and contact details; booking data; IP address and browsing data | Web users; Guests | Immediate anonymisation