Recitals: Whereas REGULATION (EU) 2016/679 of 27 April 2016 (GDPR, General Data Protection Regulation), which repealed Directive 95/46/EC when it came into force in Italy on 25.05.18, provides for all the rules relating to the protection of individuals with regard to the processing of their personal data, as well as the free circulation of such data.
Whereas art. 26 GDPR expressly provides for the possibility that, where two or more controllers jointly determine the purposes and means of processing, they shall be Joint Controllers. They shall, in a transparent manner, determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercise of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an internal agreement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject.
The arrangement may designate a contact point for data subjects. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers with the data subjects. The extract of the arrangement shall be made available to the data subject. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation with reference to and against each of the controllers.
Whereas all companies included in PA Group [Partners Associates SpA (Holding company), PA Abs Srl, PA Expertise Srl, PA Evolution Srl, Inasset Srl, Up Solutions Srl, EasyConn Srl (joint controllers)] share the aims, methods and purposes of the processing of personal data.
Whereas it is the request of the individual Companies to define a joint controllership agreement pursuant to and for the purposes of art. 26 of the GDPR. The companies mentioned in the recitals approve the specification and division of obligations and responsibilities regarding the processing of data as outlined by the GDPR and as reported below:
The recitals are an integral part of this agreement.
In this agreement, the following terms shall be interpreted as indicated below:
a. “Group”, the group of companies controlled by Partners Associates SpA (hereinafter PA SpA), in addition to Partners Associates SpA itself;
b. “Joint Controllers”, the companies which belong to PA Group or are in any case controlled by PA SpA, in addition to PA SpA itself, namely the companies listed below: PA SpA, PA Abs Srl, PA Expertise Srl, PA Evolution Srl, Inasset Srl, Up Solutions Srl, EasyConn Srl;
c. “Parent Company”, the company PA SpA;
d. “GDPR”, the EU Privacy Regulation 2016/679, to which reference is expressly made for any further definition.
Personal data processing – disclosure
This agreement stipulates that, in compliance with PA Group internal organizational system, the joint controllers may share the processing of the following data:
All personal, administrative or business data (of candidates, employees and/or self-employed persons and/or collaborators) and all data related to customers and/or suppliers may be shared between the joint controllers and PA SpA for the purposes strictly necessary for the Parent Company itself to propose/provide specific and customized professional services, in response to business requests made individually by a company of PA Group, or to set up common databases in the interest of the efficiency and effectiveness of the Group itself.
All the aforementioned data may be processed by PA Evolution Srl and Inasset Srl for the purposes strictly necessary for the management and organization of the Group’s servers or otherwise named telematic platforms.
4. Definition of the Policies pursuant to art. 13 and 14 GDPR
PA SpA, for the purposes of this agreement, undertakes towards each of the joint controllers to carry out the following interventions in relation to information about, and access to, the personal data subject to processing:
As regards information, communications and transparent methods for the exercise of the rights of the data subject, PA SpA shall take appropriate measures to provide the data subject with all the information referred to in articles 13 and 14 of the GDPR, and with the communications referred to in articles 15 to 22 and article 34 concerning the processing, in a concise, transparent, intelligible and easily accessible form, using simple and clear language; the information shall be provided in writing or by electronic means.
Regarding the information to be provided, should personal data be collected from the data subject, upon obtaining the personal data, PA SpA shall provide the data subject with the following information:
a. the identity and contact details of the data controller and, where applicable, of the controller’s representative;
b. the contact details of the data protection officer;
c. the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
d. if the processing is based on Article 6 GDPR, paragraph 1, letter f), the legitimate interests pursued by the data controller or by a third party;
e. the recipients and the categories of recipients of personal data;
f. the period for which the personal data shall be stored or, if that is not possible, the criteria used to determine that period;
g. the existence of the data subject’s right to request from the data controller access to and correction or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability;
h. where the processing is based on Article 6 GDPR, paragraph 1, letter a), or on Article 9 GDPR, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on the consent given before its withdrawal; the right to lodge a complaint with a supervisory authority;
i. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
j. the existence of a joint controllership agreement, whose extract is made available to the data subjects at the headquarters of PA SpA, identified as a point of contact for the data subjects in the context of the joint controllership agreement;
k. the sharing of data processing between joint controllers in compliance with the agreement referred to in point j.
5. Consent collection and log, pursuant to art. 6 GDPR
For the purposes of this agreement, PA SpA agrees with the other joint controllers to record consent to the processing of data according to the lawfulness criteria set out in art. 6 GDPR; PA SpA shall be able to demonstrate that the data subject has provided, preferably in written form, his or her consent to the processing of his or her personal data.
7. Data processors pursuant to art. 28 GDPR
The companies of PA Group, for the purposes of this agreement shall autonomously designate their data processor (internal data processor, who shall assist the data controller in all privacy obligations) by stipulating a contract which shall be binding on the processor with regard to the controller and that shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller, with the established methods pursuant to art. 28 paragraph 3 GDPR. PA SpA, without prejudice to the decision-making autonomy of each of the joint controllers, shall coordinate these designations, and prepare the basic and common rules for all the contracts of each of the joint controllers, in compliance with the principles of the GDPR.
The companies of PA Group, for the purposes of this agreement, shall autonomously designate their data processor (external data processor, who shall process data on behalf of the controller) by stipulating a contract which shall be binding on the processor with regard to the controller and that shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller, with the established methods pursuant to art. 28 paragraph 3 GDPR. PA SpA, without prejudice to the decision-making autonomy of each of the joint controllers, shall coordinate these designations, and prepare the basic and common rules for all the contracts of each of the joint controllers, in compliance with the principles of the GDPR.
8. Processing under the authority of the controller or processor pursuant to art. 29 GDPR
The companies of PA Group, for the purposes of this agreement, shall independently appoint their “data handler” pursuant to art. 29 (person in charge who, under the privacy regulation, has access to personal data and acts under the direct authority of the controller or processor) by means of a specific letter of appointment, which shall bind this subject as provided for by art. 29 GDPR. PA SpA, without prejudice to the decision-making autonomy of each joint controller, shall coordinate this task by preparing the basic and common rules for all the letters of appointment of each of the joint controllers, in compliance with the principles of the GDPR.
9. System administrator
Each company of PA Group shall independently prepare the appointment of its system administrator (an internal or external subject whose task is both to supervise the resources of the IT system, at the operating-system or database-system level, and to facilitate their use). The companies PA Evolution Srl and Inasset Srl, without prejudice to the decision-making autonomy of each joint controller, shall coordinate this task by preparing the basic and common rules for all the appointments of each of the joint controllers.
10. Security of processing pursuant to art. 32 GDPR
A. Security of personal data processed with computer or electronic support
PA Evolution Srl and Inasset Srl for the purposes of this agreement undertake towards the other joint controllers to verify and implement the security measures of the processing of personal data (taking into account the state of the art and the costs of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of the risks for the rights and freedoms of natural persons) by implementing appropriate technical and organizational measures to guarantee a level of IT security appropriate to the risk, including inter alia as appropriate:
a. the pseudonymisation and encryption of personal data (data masking);
b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (Sys & NTW Protection – High Availability System, Back Up System);
c. the ability to promptly restore the availability and access to personal data in the event of a physical or technical incident;
d. the preparation of a procedure aimed at regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures in order to guarantee the security of the processing (definition of internal audits, tests and simulations).
In assessing the appropriate level of security, PA Evolution Srl and Inasset Srl shall take particular account of the risks presented by the processing, in particular those deriving from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. PA SpA shall take steps to ensure that anyone who has computer access to personal data does not process such data unless he or she has been trained to that end by PA Evolution Srl and Inasset Srl. PA SpA shall coordinate the activities of PA Evolution Srl and Inasset Srl in order to ensure consistent processing security within the corporate group.
B. Security measures for personal data not processed by computer or electronic media
Each joint controller, for the purposes of this agreement, shall autonomously prepare and carry out the additional security measures, different from those mentioned above, for the storage and processing of data in compliance with the GDPR, including, but not limited to, paper and digital record keeping. For this purpose, PA SpA shall prepare specific rules of conduct with which each joint controller must comply.
13. Data breach pursuant to art. 33 GDPR
Upon becoming aware, directly or through a joint controller, of a breach of the personal data processed, PA SpA shall, without undue delay and, where feasible, no later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority. This notification must in any case be preceded by a risk assessment for the persons concerned. The risk assessment must be carried out by PA SpA itself, possibly using the expertise of PA Evolution Srl and Inasset Srl. PA SpA shall provide the notifications pursuant to art. 33 paragraph 2 GDPR. Each joint controller shall provide PA SpA with the documentation referred to in the third paragraph of art. 33 GDPR.
14. Right to erasure, right to restriction of processing, notification obligation regarding rectification or erasure, right to data portability, pursuant to art. 17, art. 18, art. 19 and art. 20 GDPR
PA SpA shall guarantee the data subject the exercise of the rights referred to in this article; to this end, each joint controller shall comply with the instructions that will be given by the same PA SpA for the actual implementation of the rights of the data subject.
Upon receiving due notice from the respective joint controllers, PA SpA shall guarantee the data subject the exercise of the rights referred to in this article; to this end, each joint controller, in addition to making this aforementioned communication, shall comply with the instructions given by the same PA SpA, for the actual implementation of the rights of the data subject.
16. Responsibility and right to compensation pursuant to art. 82 GDPR
With reference to the possibility of each data subject to exercise his/her rights against each data controller, without prejudice to the provisions of art. 26 paragraph 3, art. 28 and art. 82 paragraph 4 GDPR, the parties intend to define, with this agreement, their respective individual contractual responsibilities pursuant to art. 1218 of the Civil Code, resulting from the possible non-fulfilment of an obligation, in relation to the processing of personal data outlined here.
PA SpA, in its capacity as Holding, shall assume a contractual responsibility, towards the other joint controllers, solely and exclusively for the obligations which are attributable to PA SpA and are defined in this agreement, regarding any possible violation of the GDPR which has caused indemnifiable damages for the data subject pursuant to art. 82 paragraph 1 GDPR.
PA Evolution Srl and Inasset Srl, being the entities responsible for implementing the IT security measures for all the companies of the Group, shall assume a contractual responsibility, towards the other joint controllers, solely and exclusively for the obligations which are attributable to them under art. 32 GDPR as defined in this agreement, regarding any possible violation of the GDPR which has caused indemnifiable damages for the data subject pursuant to art. 82 paragraph 1 GDPR.
Each joint controller of PA Group shall in any case assume a contractual responsibility in relation to any obligations attributable to the same, which may arise from the appointment and work of the internal handlers and from the appointment and the work of the external handlers pursuant to art. 28 GDPR, as well as the appointment and work of the appointees pursuant to art. 29 GDPR.
In the same way, each joint controller of PA Group shall assume a contractual responsibility in relation to any obligations attributable to them, pursuant to this agreement.
Without prejudice to the possibility of each data subject to exercise his/her rights against each joint controller, each company of the Group may exercise the right of recourse against other companies that have taken upon themselves a specific responsibility as outlined in this agreement.
The joint controller of the processing that has paid full compensation for the damage may subsequently bring an action for recourse against the other joint controllers (Article 82 paragraph 5 GDPR).
The indemnifiable damage (if the conditions exist) is both the material and immaterial damage, caused by a violation of the GDPR (Article 82 paragraph 1 GDPR).
17. Final provisions
For any other aspect not explicitly covered in this agreement, the parties expressly refer to the GDPR text and any subsequent amendments.
18. Effective date
This agreement shall be effective as of 22.02.19.