🔥 Lite Plan for just €19.00/month! 🔥

SupportFast

Data Processing Agreement (DPA)

This Data Processing Agreement (“ DPA ”), attached to the General Conditions of Use of the “Supportfast” Software and Services, regulates the processing of Personal Data connected to the execution of the Contract stipulated between the Customer (hereinafter “ Data Controller ”) and Supportfast di Elia Semprebon , with registered office in Via 8 Marzo n. 2, CAP: 37012, Bussolengo (VR), VAT number 04921160232 (hereinafter “ Data Processor ”).

The Owner and the Manager will be referred to hereinafter jointly as the “ Parties ” and individually as the “ Party ”.

Premises

  1. By purchasing a subscription to the “Supportfast” Software and Services, the Owner has accepted the relevant General Conditions (hereinafter “ Contract ”), of which this DPA is an integral part.
  2. The Data Controller declares to be aware that the processing of Personal Data carried out in the context of the execution of the Contract will take place exclusively on the instructions of the Data Controller, in compliance with Regulation (EU) 2016/679 (“ GDPR ”) and national legislation on the protection of personal data (“ Privacy Legislation ”).
  3. The Data Processor has been identified by the Data Controller as having the experience, reliability and capacity necessary to carry out the processing of Personal Data pursuant to art. 28 GDPR.
  4. The execution of the Contract involves the processing, by the Processor, of Personal Data owned by the Data Controller.

Given the above, the Data Controller hereby appoints Supportfast di Elia Semprebon as the controller of Personal Data pursuant to and for the purposes of art. 28 of the GDPR, with the limits and in accordance with the methods indicated below.

1. Definitions

  1. In addition to the terms already defined in the Agreement or this DPA, the capitalized terms listed below have the meanings set forth herein:
    • “Personal Data” : any information relating to a Data Subject, as defined in point 5.
    • “Special Categories of Data” : Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data (intended to uniquely identify a natural person), data concerning health or data concerning the data subject’s sex life or sexual orientation.
    • “Garante Privacy” : the Italian Data Protection Authority.
    • “GDPR” : Regulation (EU) 2016/679.
    • “Data Subjects” : the identified or identifiable natural persons to whom the Personal Data refers (an identifiable person is one who can be recognised, directly or indirectly, through an identifier such as a name, a number, location data, online identifiers or one or more elements of his or her physical, physiological, genetic, mental, economic, cultural or social identity).
    • “Processing” : any operation or set of operations performed on Personal Data, with or without the aid of automated tools (e.g. collection, recording, organization, storage, consultation, use, communication, cancellation, destruction).
    • “Sub-processor” : the legal person, sole proprietorship or freelancer appointed by the Processor to carry out Processing operations on behalf of the Data Controller.
    • “Personal Data Breach” : a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed.

2. Object of the assignment to Manager

2.1 Supportfast undertakes to carry out, as Data Processor pursuant to art. 28 GDPR, the activities referred to in article 4 of this DPA, in compliance with the Privacy Law and based on the instructions received from the Data Controller.

3. Categories of Personal Data and Interested Parties

3.1 In the execution of the Contract, the Processor may process, on behalf of the Data Controller, the following categories of Personal Data :

  1. Identifying data (e.g. name, surname, date of birth, age, gender).
  2. Contact details (e.g. email, telephone, residence, domicile).
  3. Bank details.
  4. Data relating to the purchase of products and services.
  5. Data relating to requests for information or assistance.
  6. Special Categories of Data (e.g. health data, ethnic origin, disability).

3.2 The Controller will periodically verify that the Personal Data is accurate, complete and relevant to the purposes indicated in Article 4, informing the Controller in writing if he/she deems it necessary to modify, update, correct or delete it.

3.3 Upon written request from the Data Controller, the Data Processor will, within and no later than 15 (fifteen) days from receipt of the request, update, modify, correct or delete the Personal Data processed.

3.4 Personal Data may belong to natural persons who request assistance through the “Supportfast” Software and who have a direct or potential relationship with the Data Controller (e.g. customers, potential customers, users, suppliers).

4. Purpose of the Processing

4.1 To the extent permitted by the Agreement and this DPA, the Data Controller will process the Personal Data exclusively for:

  1. Execute the Contract.
  2. Manage contractual and commercial relationships with the Owner.
  3. Improve our products and services, as well as train the Software.
  4. Comply with any legal obligations to which the Controller is subject.

4.2 The Data Controller acknowledges that the Company may process Personal Data on an aggregate basis, for statistical research purposes or to improve the Services provided and the performance of the Software in the context of the execution of the Contract.

5. Obligations of the Data Controller

5.1 The Manager undertakes to:

  1. Comply with the provisions contained in the Privacy Policy.
  2. Comply fully with the instructions given by the Data Controller.
  3. Adopt appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, in accordance with the instructions provided by the Data Controller.
  4. Implement measures to ensure the confidentiality, availability and integrity of the systems used for the Processing of Personal Data.
  5. Maintain a record of the processing activities under its responsibility.
  6. Promptly inform the Data Controller of any disputes, investigations or proceedings initiated by Data Subjects or Supervisory Authorities, whether judicial or administrative, concerning the processing activities envisaged by this DPA.
  7. Report to the Data Controller, without delay, any request from the Interested Parties to exercise the rights provided for by the GDPR, so that the Data Controller can comply with them within the terms of the law.
  8. Ensure that personnel in charge of Processing operations receive adequate training in Personal Data protection and are bound by confidentiality obligations.

6. Processing of Personal Data towards third countries

6.1 The Controller will carry out the Processing using, as a rule, servers located within the European Union, avoiding, unless strictly necessary, the transfer to third countries outside the EU.

6.2 In any case, the transfer of Personal Data to third countries is permitted only if:

  • It occurs towards a country for which the European Commission has issued an adequacy decision, or
  • Adequate guarantees are adopted pursuant to Articles 46 et seq. of the GDPR (e.g. standard contractual clauses).

7. Sub-processors

7.1 By signing this DPA, the Data Controller authorizes the Processor to use external parties to perform certain Processing operations necessary for the execution of the Contract, assigning them the role of sub-processors. The Processor undertakes to impose on the sub-processors the same obligations assumed with this DPA.

7.2 The Controller will choose sub-controllers from among individuals with adequate skills, capabilities and reliability, capable of guaranteeing compliance with the Privacy Law and the adoption of technical and organisational measures suitable for protecting the rights of the Interested Parties.

8. Duration

8.1 This DPA shall be effective upon acceptance of the Agreement, of which it is an integral part, and shall remain in effect for the duration of the Agreement. In the event of termination, resolution or withdrawal from the Agreement, the DPA shall automatically cease to be effective, without the need for further notice.

8.2 Unless there are legal or regulatory obligations that require their conservation, upon expiry of the Contract the Processor will stop Processing the Personal Data of the Owner and will return to the latter any material (in any format) containing Personal Data.

9. Personal Data Breach

9.1 In the event of a Breach of Personal Data processed by the Processor on behalf of the Controller (even if caused by sub-processors), the Processor undertakes to:

  1. Inform the Owner without unjustified delay and in any case within 36 (thirty-six) hours from the moment in which he becomes aware of it.
  2. Maintain an up-to-date register describing the nature of the breach, the Data Subjects involved, the possible consequences and the security measures taken (in collaboration with the Data Controller) to mitigate the impact of the breach and restore the previous situation.

9.2 The obligation to notify the Privacy Guarantor or the Interested Parties, if due, remains the responsibility of the Owner. The Processor hereby undertakes to provide the necessary support to the Owner to comply with this obligation.

10. Communications

10.1 Any communication between the Parties relating to this DPA, including any communication necessary or required for the purposes thereof, shall be in writing and transmitted in the manner and to the addresses indicated in the Agreement.

11. Applicable law and competent court

11.1 This DPA is governed by Italian law.

11.2 Any dispute relating to the validity, effectiveness, interpretation or execution of this DPA shall be referred exclusively and without derogation to the jurisdiction of the Court of Verona .