APPOINTMENT OF THE PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA CARRIED OUT FOR THE PURPOSE OF FULFILLING THE LEGAL OBLIGATIONS PROVIDED FOR BY THE ANTI-MONEY LAUNDERING LEGISLATION IN FORCE
Between: YoUnique Business Srl (Supplier) and The Client (Customer)
DEFINITIONS
“Current anti-money laundering legislation”: European Directives concerning the fight against Money Laundering and the Financing of Terrorism, as well as the legislative implementations of their own country;
“Legal obligations under the applicable anti-money laundering legislation”: This refers to the set of obligations prescribed by the current anti-money laundering regulations applicable to the obligated parties, with specific reference to customer due diligence, risk analysis, and record-keeping obligations.
“Obligated”: the persons required by the legislation in force to implement procedures for verifying the identity of the customer and the transactions carried out by him.
“Customer”: the person who purchases access to the Service Delivery Environment from the Supplier.
“Supplier”: YoUnique Business Srl, the private party that provides the Principal with access to the Service Delivery Environment.
“Service Delivery Environment”: a software platform, for the exclusive use of the obligors, to satisfy the legal obligations provided for by the current anti-money laundering legislation. The software is provided in SaaS mode.
“SaaS”: an abbreviation of software as a service; a software distribution model in which the application and any related services run in a centralized environment and users access them via a network, almost always via the Internet and using a browser as an interface.
“Contract”: the agreement signed between the Parties, involving the provision of access to the Service Delivery Environment.
“GDPR”: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as well as the legislative implementations of their own country.
“Personal Data Legislation” means the applicable provisions on the protection of personal data set out in the GDPR, the Privacy Code and any other regulatory provisions in force and/or that may be subsequently issued, as well as the measures issued by the Privacy Guarantor, the Article 29 Working Party and the European Data Protection Board (EDPB);
“Personal Data”: any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more features of his physical, physiological, genetic, mental, economic, cultural or social identity;
“Processor”: the natural person identified, authorized and instructed to carry out processing operations by the Controller or the Processor
“Processor”: the Processor is the Supplier, who processes Personal Data, in a subcontracting relationship, on behalf of and in accordance with the instructions of the Controller;
“Service”: the Service that the Supplier offers to the Principal in the Contract.
“Data Controller”: the Principal, i.e. the legal entity that determines the purposes and means of the processing of Personal Data for the purposes of commercial information;
“Processing”: any operation or set of operations, carried out even without the aid of electronic instruments, concerning the collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure and destruction of data, even if not registered in a database; in relation to commercial information purposes.
1. OBJECT
◦ With the present addendum, the Customer intends to appoint the Supplier as external Data Processor.
◦ This Addendum deals exclusively with the appointment of the External Data Processor and does not imply any right to renegotiate other terms agreed upon in the Contract.
◦ In the event of changes in the Personal Data Protection Law that may affect the content of this Addendum, the Customer shall make the necessary amendments to the Addendum and send the same to the Supplier.
2. PREMISES
– The Customer, through the signed contract of which this addendum is a part, has entrusted the Supplier with the Service Delivery Environment.
– Current legislation on the protection of personal data identifies the methods to be adopted for the processing of personal data and identifies the subjects who, in relation to the activity carried out, are required to comply with the requirements of the same law.
– The Supplier, under the contract of which this addendum forms part, shall provide the Customer with the service of supplying the Service Delivery Environment, which also entails the necessary assistance in the use of the product (help desk).
– The Customer is the data controller;
– The Customer, in its capacity as Data Controller, may appoint a Data Processor which:
– shall be selected from among persons who, on account of their experience, capacity and reliability, provide an adequate guarantee of full compliance with the provisions in force concerning the processing of information, including the security profile;
– will perform the tasks entrusted to him in writing by the Controller;
– will carry out the processing in accordance with the instructions given by the Controller;
3. APPOINTMENT
In regard to the premises referred to in point 2 above, the Customer hereby appoints the Supplier as the person responsible for the processing of personal data relating to the services carried out in implementation of the contract signed, of which this addendum forms part.
The Supplier is appointed as the Responsible Party since it is currently considered to possess the requisites of experience, capacity and reliability such as to provide an adequate guarantee of full compliance with the provisions in force concerning the processing of personal data, including the capacity to implement adequate technical and organizational measures. The Data Processor is therefore required to promptly inform the Data Controller of any situation that may arise that, due to changes in the knowledge acquired as a result of technical progress or for any other reason, may affect his suitability to carry out the assignment.
The Supplier, in his capacity as Data Processor, shall comply with the instructions given to him by the Controller in this deed of appointment. The Data Processor may use another Data Processor without the need for further specific authorizations from the Controller, informing the new Data Processor of the instructions received from the Controller and committing the latter to comply with them.
In particular, the Data Processor shall:
– ensure that the personal data being processed are processed lawfully and fairly, and in any case always in full compliance with the current legislation in force
– adopt preventive security measures which, also in relation to the knowledge acquired on the basis of technical progress, the nature of the data and the specific characteristics of the processing, are suitable for reducing to a minimum the risks of destruction or loss, even accidental, of the data, unauthorized access, processing not allowed or not in compliance with the purposes of collection;
– with regard to the processing of entrusted data, provide the Data Controller with all the information necessary in the event of the exercise of the right of access by the data subject, as provided for by the legislation on the protection of personal data, in order to allow for a timely response;
– adopt all the necessary security measures and precautions to ensure timely implementation and, in particular:
– provide for the written appointment of the persons in charge of the processing, giving them the necessary and appropriate instructions in order to guarantee the confidentiality of the data and, in general, compliance with the legislation in force;
– provide that the persons in charge of processing, where technically possible on the basis of the characteristics of the systems used, are in possession of authentication credentials enabling them to perform, depending on the tasks assigned to each of them, only the operations falling within their competence
– implement controls on the activities carried out by the Processors in order to verify their actual compliance with the security measures adopted and, in any event, with the instructions given;
– designate the natural persons who are assigned the functions of system administrators on which the data processing of which the Principal is the owner takes place, ensuring compliance with the applicable legislation. More specifically, it shall:
– assess the subjective characteristics necessary for the designation, provide for individual designations in writing, maintain the list of system administrators, record the accesses carried out and check the activity carried out;
– inform the Data Controller, upon request, of the security measures and precautions adopted to ensure compliance with the legislation in force and, in particular, with the instructions given by the Data Controller in this deed of appointment;
– provide the Data Controller, upon simple request and according to the modalities indicated by the latter, with the data and information necessary to allow the latter to carry out a timely defence in any proceedings instituted before the Guarantor or the Judicial Authority and relating to the processing of personal data;
– promptly take all steps necessary to provide the Controller with the information required to respond to any requests for access to personal data made by the data subject;
– promptly take all steps necessary to provide the Controller with the information required to respond to any requests received from the Guarantor or the Judicial Authority or, in any case, from the Police Forces;
– comply with all the prescriptions contained in the provisions of the supervisory authorities that are applicable for the proper performance of the assignment, in compliance with the applicable legislation;
– take care of the drafting and maintenance of a register of processing operations, which includes all the information relating to the processing operations necessary for the proper performance of the assignment, in compliance with the applicable legislation;
– in general, provide the fullest and most complete cooperation to the Data Controller in order to carry out all that is necessary and appropriate for the proper performance of the assignment, in compliance with the applicable legislation.
With regard to the processing of data, it is specifically stated that:
– the categories of interested parties to whom the data refer are: customers of the Customer, who carry out transactions with the same
– the Supplier is authorized to operate for the project and service delivery periods, in accordance with the time limits laid down by the anti-money laundering legislation in force, after which it shall be obliged to return/delete all data attributable to this assignment, both online and in the backup copies;
– it is understood that the same obligation of deletion shall also apply in the event that the Customer terminates the contract with the Supplier.
– Please note that the following data may be present: personal data, judicial data and sensitive data, while the presence of biometric data is excluded.
This appointment shall be effective until the conclusion of the activities described in the Contract of which this addendum is a part.
The Supplier, having acknowledged the provisions of this deed of appointment and of the regulations in force, declares that it accepts the appointment as Data Processor.
YoUnique Business Srl