Provisions of the mayor

Act appointing the Data Processor pursuant to Article 28 of EU Regulation 2016/679 of April 27, 2016 and Article 2 – quaterdecies of Legislative Decree No. 196 of June 30, 2003 as amended by Legislative Decree No. 101 of August 10, 2018.

BETWEEN

The Municipality of Grosseto (hereinafter also referred to as “Data Controller” or “Principal”) based in Grosseto, Piazza Duomo n. 1 – 58100 (GR), C.F. and P. IVA 00082520537, Tel. 0564488111, in the person of the Mayor pro tempore and legal representative, PEC comune.grosseto@postacert.toscana.it

E

The Promo PA Foundation (hereinafter also referred to as the “Manager”) with registered office in Viale Luporini 37/57 – 55100 Lucca P.IVA 01922510464 in the person of its pro tempore Legal Representative Dr./Doctor Fabiana Dardi, PEC promopa@legalmail.it

(hereinafter also jointly referred to as the “Parties”)

WHEREAS.

The Municipality of Grosseto has entrusted the Promo PA Foundation with the provision by the supplier of a specialized support service to the Administration for the activation of Grosseto enterprise through the implementation and updating of the investingrosseto.it website
To execute this project, the Supplier:
1) performs processing operations of personal data owned by the Principal and referring only to the data necessary for the provision of the services agreed upon between the parties;
2) declares and guarantees that it possesses competence and technical knowledge in relation to the purposes and methods of processing, the security measures to be taken to guarantee the confidentiality, completeness and integrity of the Personal Data processed, as well as in relation to Italian and European legislation on the protection of personal data and that it possesses the appropriate reliability requirements to ensure compliance with the relevant regulatory provisions;

ALL OF THE ABOVE

Taking into account that The General Data Protection Regulation 679/16 (referred to as GDPR) in Article 28 states that where “a processing operation is to be carried out on behalf of the controller, the latter shall use only controllers providing sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of this Regulation and ensures the protection of the rights of the data subject […]”, in observance of this requirement the Municipality

APPOINTS A PERSON RESPONSIBLE FOR THE PROCESSING ex art. 28 GDPR.

Promo PA Foundation in the person of its legal representative p.t. for the performance of activities related to the foregoing;

In the performance of the assigned tasks, the scope of the processing of personal data that the Data Processor treats must be said to be limited only to activities related to the performance of the commissioned service and depending on the relationship between the Data Controller and the Data Processor itself.

In particular, the Processor appointed herein will process the following personal data:

Navigation data, essential technical cookies.

Any additional data voluntarily provided by the user while browsing the reference site will also be processed.

The Parties undertake to base the processing of data on the principles of fairness, lawfulness and transparency in full compliance with the privacy regulations set forth in EU Regulation 2016/679 (G.D.P.R.) and Legislative Decree No. 196/2003 ss.mm.ii.

The data processing is carried out in compliance with the technical and organizational measures that the Parties have put in place to ensure an adequate level of security in the protection of personal data.

The Data Processor appointed herein undertakes to comply with the indications and instructions set forth below and, by signing this appointment, declares that the Data Controller’s data are and will be processed and stored in the territory of the European Union only. Specifically, the Data Controller undertakes to:

Observe the EU Reg. No. 679/2016 “GDPR”, the Measures of the Guarantor for the Protection of Personal Data, the Privacy Code set forth in Legislative Decree 196/03 as repealed and/or amended by Legislative Decree 101/2018;
Not to bring to the knowledge of third parties information, documents and news of a confidential nature, of which the personnel otherwise employed in the performance of the activities covered by the contract become aware by virtue of this commitment. The Manager undertakes to comply with the confidentiality obligation even after the expiration of this agreement;
Take all reasonable measures to ensure the reliability of any person who will have access to the Controller’s personal data by reason of any working relationship established with the Manager. In addition, ensure that persons authorized to process personal data have committed to confidentiality or have an appropriate legal duty of confidentiality, and continuously supervise their performance.
Identify persons authorized to process data by giving them, in writing, detailed instructions regarding permitted operations and security measures to be taken in relation to the criticality of the data being processed;
Regularly supervise the punctual implementation by the authorized persons of what is prescribed, including through periodic audits;

Ensure the adoption of the different authorization profiles of authorized persons, so as to limit access only to the data necessary for permitted processing operations with respect to the tasks performed;
Periodically verify the existence of the conditions for the preservation of the authorization profiles of all authorized persons, promptly changing said profile when necessary (e.g., change of duties);
Take care of the training and professional development of authorized persons operating under its responsibility about the legal and regulatory provisions on the protection of personal data;

In any case, data processing must be carried out by the Data Processor solely for the purpose of carrying out the services commissioned to him.

In particular, the Data Processor shall ensure that:

Data are processed in a lawful, fair and transparent manner;
Data are collected only for the specific purposes of the assigned processing (principle of purpose limitation);
Data are adequate, relevant and not excessive in relation to the purposes (principle of data minimization);
Data are accurate and if necessary updated (data accuracy principle), preparing any directives regarding their updating;

The Data Processor is required to cooperate with the Controller to ensure compliance with the obligations and requirements contained in the GDPR and, to that effect, undertakes to perform the obligations imposed therein pertaining to him/her;

By virtue of Article 28(3)(e) of the GDPR, the Controller taking into account the nature of the processing, shall assist the Data Controller with appropriate technical and organizational measures, to the extent feasible, in order to comply with the obligation of the Data Controller to follow up on requests for the exercise of the data subject’s rights under Chapter III;

Taking into account the state of the art and the costs of implementation, as well as the nature, subject matter, context and purposes of the processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, the Data Controller must take appropriate and adequate measures necessary for the security of personal data, pursuant to Article 32 of the GDPR;

The Processor must provide reasonable assistance to the Controller for the purposes of compliance with the obligations under Articles 32 to 36 of the GDPR (on personal data security, security of processing, notification of a personal data breach to the supervisory authority, etc.) taking into account the nature of the processing and the information available to the Controller;

The Processor shall implement solutions to detect to the extent of its responsibility any breaches of personal data (i.e. security breaches that accidentally or unlawfully result in the destruction, loss, modification, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed) and, upon the occurrence of such breaches, report them without undue delay and, in any event, no later than twenty-four (24) hours after the breach becomes known, to the Principal at privacy@comune.grosseto.it. The Data Processor undertakes, to the extent of its competence, to cooperate actively with the Principal for the purpose of preparing the consequent notifications to the Data Protection Authority and, if necessary, to the data subjects pursuant to Articles 33 and 34 of the GDPR;

The Processor shall make available to the Principal all information necessary to demonstrate compliance with the obligations arising from Article 28 of the GDPR and contribute to the review activities, including audits carried out by the Principal or another person appointed by the Principal.

The Data Processor acknowledges that the Controller’s audits may be carried out directly by the Municipality of Grosseto or through audits, through the DPO or through other appointed functions and/or external consultants. These audits must be carried out exclusively on weekdays, to be agreed with the Manager and with at least 15 working days’ notice except in cases of particular urgency dictated by rule of law or order of the judicial or administrative authority;

At the end of the service that is the subject of the contract or service, the Data Processor shall arrange for the destruction of the personal data in his possession, as well as any copies made. In any case, unless he/she is obliged by the regulations in force to retain the data for a fixed period of time or retain the data for the purpose of exercising the right to act and/or defend oneself in court, The Data Processor shall be obliged to delete the data in accordance with the provisions of the notice attached to this appointment.

The Data Processor must inform the Controller immediately if, in his or her opinion, he or she believes that certain actions or omissions by him or her or by third parties violate the European Regulation or other provisions, national or Union, relating to data protection. The Data Processor also has the duty to notify the Data Controller of any conduct and/or instructions and directives that appear to be improperly regulated by the Data Controller;

The Data Processor must supervise and control the data processing methods implemented by its Data Processors and sub-processors. In this regard, the Data Processor ensures, to the extent of its responsibility, constant monitoring to verify that the data are processed lawfully, in accordance with fairness and, in any case, in compliance with the laws, the provisions on processing including the profile relating to security as well as the instructions given herein;

The Processor shall, at the express request of the Principal, assist the Principal with appropriate technical and organizational measures, insofar as this is possible, in order to facilitate the conduct of personal data protection impact assessments, pursuant to Article 35 of the GDPR, for the processing in question;

The Processor may use another controller only with the specific written authorization of the Principal. If the Processor uses another processor (sub-processor) to perform specific processing activities on behalf of the Principal, it must impose on him, by means of a contract or other legal act under Union or Member State law, the same data protection obligations contained in this contract. In particular, the sub-processor must present sufficient guarantees that adequate technical and organizational measures will be put in place to meet the prescribed regulatory requirements.

The Processor is, however, always obliged to inform the Principal about the selection, addition or substitution of any sub-processor, thus giving the Principal the opportunity to evaluate it and, where appropriate, object to it;

In the event that subcontracting is allowed, the processing of data by other entities qualified as sub-processors must be carried out under the same contractual conditions provided for in these agreements and, therefore, the Processor retains, with respect to the Data Controller, the responsibility referred to in Art. 28, paragraph 4 of the EU Regulation 2016/679, and undertakes to hold the Data Controller harmless from any damage, claim, compensation, sanction that is a consequence of the failure of the Data Processor and its sub-contractors (sub-processors) to comply with the obligations established by the present covenants and more generally from the violation of the aforementioned regulations or prescriptions of the Control Authority or Judicial Authority;

It is recalled that the violation of the legal regulations on privacy (art. 83, paragraph 4, lett. a, GDPR) will result in the imposition of sanctions and possible compensation for damages and, where, the Data Processor were to carry out the processing by independently determining, purposes and means of processing would be considered as a true Data Controller (art 28 no. 10 GDPR);

The Processor must keep a register of processing activities pursuant to Art. 30, c.2, GDPR;

The Data Processor and the Sub-Processors must provide for the appointment of their own System Administrators as per the specific provision of the Guarantor “Measures and expedients prescribed for the holders of processing operations carried out by electronic means with regard to the attributions of the functions of system administrator November 27, 2008” and ss.mm.ii. In any case, the data controller undertakes to transmit to the data controller the names of its own system administrators or of any sub-processors appointed, where permitted by this agreement.

The Processor must proceed, where appropriate, to the designation of the Data Protection Officer (DPO) pursuant to Article 37 of the GDPR. If the Processor considers that it should not have such a person, it shall provide adequate and documented reasons for this to the Principal.

This appointment will lapse with effect from the date of termination of the relationship between the parties. All obligations which, by their nature, must continue to survive to ensure compliance with the regulations shall remain in place.

The Data Controller, given the above instructions and without prejudice to the tasks identified above, reserves the right, within the scope of its role, to issue in writing any further instructions that may be necessary for the correct and compliant performance of the data processing activities related to the agreement in force between the Parties, also to complete and supplement the above defined.

The Parties declare that the personal data provided herewith are accurate and correspond to the truth, exonerating each other from any liability whatsoever for material errors in compilation or for errors resulting from an inaccurate imputation of the same data in the electronic and/or paper files.

This appointment supersedes any previous agreement that may have been stipulated between the parties at an earlier date.

Signature for acknowledgement and acceptance

Lucca 04/10/2023