Last update: December 9, 2022

This Data Processing Addendum (“DPA”) is incorporated into and is subject to the Contract between Nibol S.r.l., with registered office at Via Alfredo Campanini 4, Milan, 20124 Italy (“Nibol” or “Data Processor”), and the client that is a party to the Contract (“Client” or “Data Controller”). Each Data Controller and Data Processor may be referred to herein as a “Party” and jointly as the “Parties”.

Background

  A. Article 28 of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) allows a data controller responsible for the processing of personal data to appoint a natural or legal person, public administration, or any other entity or association to process personal data on the data controller’s behalf, provided that the appointed entity can suitably guarantee compliance with the applicable data protection laws, including with regard to security matters.
  B. The Data Processor will provide to the Data Controller a platform named “Nibol” offering, among other features, a service to manage workstations, office locations and activities (“Service”), pursuant to the agreement between the Parties concerning the Nibol platform (“Contract”). In order to provide the Service, Nibol will process personal data acting as a data processor on behalf of the Data Controller. In addition, Nibol will also process Personal Data for its own purposes, including ensuring the correct functioning of the Service and carrying out internal analysis to improve the Service; in these cases, Nibol acts as an autonomous data controller.
  C. The Parties agree that clauses 2 to 7 of this DPA apply to any processing of Personal Data carried out by Nibol as Data Processor. The purposes of the processing of Personal Data with reference to the Service are described in Annex 1 (Description of Processing where Nibol acts as a Data Processor).
  D. The Parties agree that clause 8 of this DPA applies where the Parties process Personal Data separately, in circumstances where each Party is considered a data controller in respect of the Personal Data.
  E. All Personal Data covered by the Contract will be processed in accordance with Article 28 of the GDPR and all applicable European Union and European Economic Area (“EEA”) laws and regulations (“Data Protection Legislation”).
  F. The Parties enter into this DPA in order to ensure that they comply with applicable Data Protection Legislation and to establish safeguards and procedures for the lawful processing of personal data.

Agreed Terms

It is understood that the above background and the Annexes of this DPA are an integral and substantive part hereof. The Parties agree as follows:

  1. Definitions
    1. Unless otherwise defined in this DPA, all capitalised terms used herein shall have the meaning given to them in the GDPR. In the event of any conflict or inconsistency in terms of data protection safeguards between this DPA and GDPR, this DPA will prevail.
      1. “Contract” has the meaning given to it in recital B.
      2. “DPA” has the meaning given to it at the beginning of this agreement.
      3. “Data Controller” has the meaning given to it at the beginning of this agreement.
      4. “Data Processor” has the meaning given to it at the beginning of this agreement.
      5. “Data Protection Legislation” has the meaning given to it in recital E.
      6. “EEA” has the meaning given to it in recital E.
      7. “GDPR” has the meaning given to it in recital A.
      8. “Party” or “Parties” has the meaning given to it at the beginning of this agreement.
      9. “Personal Data” means personal data, as defined in the GDPR, relating to Data Subjects and processed in connection with the Service provided by the Data Processor to the Data Controller.
      10. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
      11. “Service” has the meaning given to it in recital B.
      12. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries adopted by European Commission Implementing Decision (EU) 2021/914.
      13. “Sub-processor” means an entity engaged by the Data Processor to assist it in (or which undertakes any) processing of Personal Data in the performance of the Data Processor’s obligations pursuant to this DPA.
  2. Data Protection Roles
    1. The Parties agree that:
      1. The Client acts as the Data Controller regarding the Personal Data processed by Nibol in the provision of the Service;
      2. Nibol acts as the Data Processor of the Personal Data for the provision of the Service; and
      3. this DPA regulates the relationship between the Parties in terms of respective duties and obligations concerning the processing of Personal Data by the Data Processor in the provision of the Service.
  3. Obligations of the Data Processor
    1. To the extent that Nibol is acting as a data processor, the Data Processor agrees to:
      1. ensure the confidentiality of the Personal Data that it learns of or becomes aware of in the performance of the Service or the Contract, and comply with the instructions given from time to time by the Data Controller;
      2. only process the data related to the operations entrusted to it on the basis of the instructions of the Data Controller, unless required to do so by Union or Member State law to which the Data Processor is subject;
      3. process and retain Personal Data within the EEA and, in the event of transfers of Personal Data to countries outside the EEA, adopt the guarantees required by the GDPR, including the Standard Contractual Clauses of the European Commission Implementing Decision (EU) 2021/914;
      4. in accordance with article 32 of the GDPR, implement adequate operational, technical, and organizational measures to eliminate or, in any case, minimize any risk of destruction or loss of data, whether accidental or not, and of unauthorized or non-compliant access or processing, taking into account (1) the current state of the art and technical progress, (2) the risks associated with the data processed, and (3) the nature of the data. These measures include, among others: (i) pseudonymization and encryption of personal data (where possible); (ii) the ability to ensure the confidentiality, integrity, availability, and resilience of processing systems and services; (iii) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
      5. assist the Data Controller in ensuring its compliance with its obligations under articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Data Processor;
      6. identify in writing the personnel authorized to process personal data and to provide them with instructions on the operations to perform in compliance with Data Processor’s obligations under this DPA, ensuring that (i) the instructions given are duly observed, and (ii) the authorized personnel are under an appropriate obligation of confidentiality;
      7. cooperate in good faith with the Data Controller to ensure compliance with this DPA, assist the Data Controller in complying with its obligations under the Data Protection Legislation, and make available to the Data Controller all information necessary to demonstrate compliance with the Data Protection Legislation;
      8. allow for and contribute to audits conducted by the Data Controller, or by its auditors or authorized agents, of the Data Processor’s systems and locations used to process Personal Data. Audits must be preceded by reasonable prior notice to the Data Processor and, in any case, take place on a date agreed with the Data Processor. Any information gathered on the Data Processor’s activities will be subject to confidentiality, except where mandatory applicable laws (including, but not limited to, the applicable Data Protection Legislation) or binding orders from law enforcement authorities (including, but not limited to, the Supervisory Authority) require information to be disclosed. The Data Controller shall bear all the costs incurred for the audits;
      9. use the services of the Sub-processors approved by the Data Controller, for the sole and exclusive purpose of delivering the Service and subject to this DPA. The Data Controller hereby authorizes the Data Processor to engage Sub-processors, subject to the conditions that the Data Processor: (1) enters into a written agreement with the Sub-processor containing the same obligations as set out in this DPA or, in any case, ensures that the Sub-processor offers no fewer guarantees than those offered by the Data Processor in this DPA, and (2) remains fully liable for the actions or omissions of the Sub-processor. A current list of the Sub-processors involved in the provision of the Service is available within the Nibol Admin account of the Data Controller or here [www.nibol.com/sub-processors] (List of Sub-processors). Access to the above link may be password-protected; the Data Controller will receive the password from Nibol upon written request. The Data Processor will update the List of Sub-processors to reflect any addition or replacement of Sub-processors. The Data Controller will periodically check the list, in any case at least once per month, and may reasonably object to the use of a new Sub-processor on legitimate grounds, subject to the termination and liability clauses of the Contract. The Data Controller acknowledges that these Sub-processors are essential for the provision of the Service and that objecting to the use of a Sub-processor may prevent Nibol from offering the Service to the Data Controller;
      10. maintain written records of all types of processing activities carried out on behalf of the Data Controller, where applicable in relation to the organization of the Data Processor or to the nature of the processing, in accordance with article 30 of the GDPR;
      11. notify the Data Controller without undue delay, unless legally prohibited from doing so, after having become aware of any contact, communication or correspondence it receives from the relevant Supervisory Authority, courts or law enforcement authorities in relation to the processing of Personal Data;
      12. immediately inform the Data Controller when, in the Data Processor’s opinion, an instruction received from the Data Controller violates the GDPR or other applicable national or European Union laws or regulations related to data protection;
      13. assist the Data Controller with appropriate technical and organizational measures to comply with all data subjects’ requests that the Data Controller may receive. The Data Processor agrees to promptly notify the Data Controller about any request received directly from the Data Subject.
  4. Obligations of the Data Controller
    1. The Data Controller agrees that in order for the Data Processor to provide the Service, the Data Controller shall provide the Data Processor with Personal Data.
    2. The Data Controller represents and warrants that it has an appropriate legal basis (e.g., Data Subject’s consent, legitimate interest, authorization from the relevant Supervisory Authority, etc.) to process and disclose Personal Data to the Data Processor as part of the provision of the Service.
  5. Return and Deletion of Data
    1. Upon the expiration of the Contract, the Data Processor agrees to delete or anonymize all Personal Data within the following 60 days.
    2. If requested by the Data Controller within thirty (30) days prior to the expiration or termination of the Service, the Data Processor will return the Personal Data to the Data Controller in accordance with the terms of this DPA and the applicable Data Protection Legislation.
    3. Upon written request of the Data Controller, the Data Processor must provide a statement to the Data Controller certifying the return or deletion of Personal Data, or both, as applicable.
    4. The Data Processor’s obligations under clauses 5.1 and 5.2 will be subject to mandatory applicable laws (including, but not limited to, the applicable Data Protection Legislation) or binding orders from competent judicial, law enforcement, or regulatory authorities (including, but not limited to, the Supervisory Authority) that prevent the Data Processor from complying with its obligations. In such cases, the Data Processor will remain bound by this DPA (even after its expiration or earlier termination) regarding any Personal Data so retained, and the Data Processor must not process any such Personal Data for any purpose other than to comply with such legal obligations or binding orders.
    5. The Data Processor may retain Personal Data which is stored under regular computer backup operations in compliance with the Data Processor’s disaster recovery and business continuity protocols; provided, however, that the Data Processor must not process any Personal Data retained in backup storage for any purpose other than to provide the Service, and that such Personal Data will be deleted, in any case, after 90 days.
  6. Data Breach
    1. The Data Processor agrees to:
      1. notify the Data Controller of any Personal Data Breach as soon as possible, and in any event no later than 48 (forty-eight) hours after the Data Processor becomes aware of the Personal Data Breach, to enable the Data Controller to expeditiously implement its response program;
      2. cooperate with the Data Controller to investigate any Personal Data Breach and provide the Data Controller with all the information requested by it in relation to the Personal Data Breach;
      3. take appropriate actions to contain and mitigate any Personal Data Breach, fully cooperating with the Data Controller to develop and implement an action plan to address the Personal Data Breach in accordance with applicable laws and regulations; and
      4. where the Data Protection Legislation requires that the Personal Data Breach be notified to relevant Supervisory Authorities and affected Data Subjects, follow and comply with any instructions from the Data Controller.
    2. The Data Processor agrees that the Data Controller will be entitled to determine the measures to be taken to comply with the applicable Data Protection Legislation and to remediate any risk, including, without limitation: (1) whether any notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others, as may be required by the applicable Data Protection Legislation or at the Data Controller’s sole discretion; and (2) the contents of any such notice, whether any type of remediation may be offered to affected Data Subjects under the Data Controller’s responsibility, and the nature and extent of any such remediation.
  7. Transmissions
    1. Personal Data transmitted by the Data Processor in connection with the Service through the Internet shall be reasonably encrypted. The Parties acknowledge, however, that the security of transmissions over the Internet cannot be guaranteed.
    2. If any security breach or Personal Data Breach is suspected, the Data Processor may immediately suspend the Data Controller’s use of the Service via the Internet pending an investigation, provided that the Data Processor serves notice of any such suspension as soon as reasonably possible, takes all reasonable measures to promptly restore the use of the Service via the Internet, and cooperates with the Data Controller in order to continue the provision of the Service via other communication channels.
  8. Nibol’s Role as Data Controller
    1. The Parties acknowledge and agree that, to the extent Nibol processes Personal Data involved in the Service to (1) establish, exercise, or defend the rights of Nibol, including proving the correct execution of the Service, (2) comply with legal or regulatory obligations applicable to the processing and retention of data to which Nibol is subject, and (3) send communications about platform news, upgrades and support, Nibol is acting as a data controller with respect to the processing of the Personal Data it receives from or through the Data Controller.
    2. When both Parties act as autonomous controllers, each Party undertakes to process Personal Data in accordance with the Data Protection Legislation. In particular, each Party is responsible for ensuring that it has a legal basis for collecting and processing the Personal Data and will provide transparent information to data subjects about the processing.
    3. Unless prevented from doing so under applicable legislation, each Party shall provide the other Party with reasonable cooperation and assistance, as applicable from time to time, in connection with:
      1. its compliance with Data Protection Legislation in relation to the Personal Data;
      2. any request or other communication made in relation to data subject rights; and
      3. any notice or other communication received from a supervisory authority in connection with the processing of the Personal Data or the other Party’s compliance with the Data Protection Legislation provided that a Party shall not be required to incur material costs or expenses in providing such cooperation and assistance.