Logo

Subscribe to our social networks

map

Data Processing Agreement

Find here all the informations about our DPA

DPA

Publytics SRL, registered office at Via Giosué Carducci, 8 - 20123 Milan (MI), VAT number IT13079420967 (hereinafter also referred to as "Processor" or "Provider").

In this act of appointment the user will also be referred to as the "Controller" or "Client"

In this appointment, the processor and the controller may also be referred to as "party" or "parties".

The present appointment constitutes the entire agreement between the parties regarding the processing of personal data by the Processor on behalf of the Controller in relation to the provision of services.

1.

Introduction

  1. 1.1

    These terms (hereinafter also "appointment" or simply "agreement") establish the rights and obligations of the data controller and the data processor in the context of processing operations carried out by the Processor on behalf of the Data Controller.

  2. 1.2

    Users affected by the processing of their data under this appointment include visitors to the Controller's websites. For further information on the processing of data belonging to visitors and the categories of data that the Processor collects and processes on behalf of the Controller, please refer to the privacy policy, available here: Data policy

  3. 1.3

    The parties have entered into a contract for an analytics service that allows the Controller to monitor the number of views and actions of users on its website (hereinafter the "Contract"). The performance of the services under the Contract involves the processing of personal data by the Data Processor, for the purposes and with the tools determined by the Controller and indicated in the Contract itself and in this appointment.

  4. 1.4

    This agreement has been drafted to ensure compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR").

  5. 1.5

    Within the scope of the services provided under the Contract, the Data Processor shall process personal data on behalf of the Controller in accordance with this appointment.

  6. 1.6

    The three annexes to this appointment form an integral part of the appointment.

  7. 1.7

    Annex A contains details on the processing of personal data, including the purposes and types of processing, the nature of the personal data, and the categories of data subjects.

  8. 1.8

    Annex B contains the conditions for the use by the Data Processor of sub-processors and a list of sub-processors authorized by the Controller.

  9. 1.9

    Annex C contains the Controller's instructions regarding the processing of personal data and the security measures to be implemented by the Data Processor.

  10. 1.10

    The clauses and annexes shall be retained by both parties, in electronic or paper form.

  11. 1.11

    The clauses of this agreement do not exempt the Data Controller from the obligations to which it is subject under the General Data Protection Regulation (GDPR) or other regulations.

2.

Rights and obligations of the data controller

  1. 2.1

    The Data Processor must ensure that the processing of personal data complies with the GDPR (see Article 24 GDPR), the applicable data protection provisions of the EU or the EEA (European Economic Area) Member States, and the clauses set forth herein.

  2. 2.2

    The Data Controller is responsible for deciding on the purposes and means of the processing of personal data.

  3. 2.3

    Among other things, the Data Controller must ensure that the processing of personal data assigned to the Processor has a legal basis and that users have been adequately informed about the use of the services offered by the Processor.

  4. 2.4

    The Controller undertakes never to insert unique identifiers of its users that may allow the re-identification of a specific user through the Processor's script, as this would also constitute a violation of the settings implemented to protect users' privacy by the Processor. In case of violations due to unauthorized use of the script, the responsibility for the breach of privacy rules shall rest solely with the Controller, who shall also indemnify and hold harmless the Processor from any claims for damages or penalties.

3.

Rights and obligations of the data processor

  1. 3.1

    The Data Processor shall process personal data only following documented instructions from the Data Controller, unless required to process it by a provision of EU law or the law of the Member State in which it is located. Such instructions shall be specified in Annexes A and C. Any further instructions may be issued by the Data Controller and evaluated by the Processor, and must always be documented and retained in writing, including electronically.

  2. 3.2

    The Data Processor shall promptly inform the Data Controller if the instructions provided by the latter, in the Processor's opinion, violate the GDPR or the applicable data protection provisions of the EU or the Member States.

4.

Confidentiality

The Processor shall grant access to the personal data processed on behalf of the Controller only to persons acting under its authority and who are committed to maintaining confidentiality or are required to do so by law, to the extent that they need access to it. The list of persons granted access to personal data shall be subject to periodic review. Based on this review, access to personal data may be revoked if it is no longer necessary.

5.

Security measures

  1. 5.1

    Pursuant to Article 32 of the GDPR, taking into account the state of the art and the costs of implementation, as well as the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where appropriate:

    1. a)

      Pseudonymization and encryption of personal data;

    2. b)

      The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

    3. c)

      The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

    4. d)

      A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

  2. 5.2

    The Data Processor shall assist the Data Controller in ensuring compliance with the Controller's obligations under Article 32 of the GDPR, providing, among other things, information to the Controller regarding the technical and organizational measures already implemented, along with any other information necessary for the Controller to fulfill its obligations under Article 32 GDPR.

  3. 5.3

    The parties have assessed the adequacy of the security measures implemented by the Processor to address the risks inherent in the processing required by the provision of the Services as identified in Annex C.

6.

Use of subprocessors

  1. 6.1

    In order to engage another subprocessor for processing activities on behalf of the Controller, the Processor must meet the requirements of Article 28(2) and (4) of the GDPR.

  2. 6.2

    The Data Processor shall not appoint another data processor (subprocessor) for the performance of the obligations set out in this appointment without the prior general written authorization of the Data Controller, which shall not be refused except for reasons related to the protection of personal data, such as a clear risk to the data protection of data subjects, violation of GDPR principles, or the subprocessor's failure to implement adequate security measures to ensure the privacy and security of data subjects in accordance with GDPR.

  3. 6.3

    The Data Processor has the general authorization of the Data Controller to use subprocessorss

  4. 6.4

    The Data Processor shall provide written notice to the data controller at least 15 days in advance if it intends to make changes to the list of subprocessors by adding new ones or replacing them, thereby giving the Controller the opportunity to object to such changes before engaging other subprocessors. In the absence of reasoned objection, the appointment shall be deemed automatically accepted. Longer notice periods for specific processing operations may be indicated in Annex B. The list of subprocessors authorized by the Data Controller is available in Annex B.

  5. 6.5

    If the Data Processor engages a subprocessor to perform specific processing activities on behalf of the Controller, data protection obligations equivalent to those set out in these clauses are imposed on such subprocessor through a contract or other legal act under EU law or the laws of the Member States, so that the subprocessor provides sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of this appointment and the GDPR.

  6. 6.6

    It is the responsibility of the Data Processor to ensure that the subprocessor complies with at least the obligations to which the Data Processor is subject under these clauses and the GDPR.

  7. 6.7

    A copy of such subprocessor appointment agreement and any subsequent amendments must, upon request of the Controller, be shown to the Controller, to verify that equivalent data protection obligations to those provided in this agreement have been imposed on the subprocessor.

  8. 6.8

    If the subprocessor fails to fulfill its data protection obligations, the Data Processor remains liable to the Controller for the fulfillment of the subprocessor's obligations. This does not affect the rights of data subjects under the GDPR - in particular those provided for in Articles 79 and 82 of the GDPR - against the Controller, the Data Processor, including the subprocessor.

7.

Transfer of data to third countries and international organizations

  1. 7.1

    Any transfer of personal data to third countries or international organizations by the Data Processor shall be carried out only on the basis of documented instructions from the Controller and always in compliance with Chapter V of the GDPR and Annex C3.

  2. 7.2

    In case of transfers not authorized by the Controller but required by law under EU law or the law of the Member State in which the Processor is located, the Processor shall inform the Controller of the legal requirement that requires the transfer before proceeding with the transfer, unless prohibited by law for important reasons of public interest.

  3. 7.3

    Without documented instructions from the Controller, the Data Processor shall not:

    1. a)

      Transfer personal data to a different controller or processor located in a third country or international organization;

    2. b)

      Assign the processing of personal data to a subprocessor located in a third country;

    3. c)

      Have personal data processed by another data processor located in a third country.

  4. 7.4

    The clauses of this agreement should not be confused with the standard data protection clauses pursuant to Article 46(2)(c) and (d) of the GDPR and cannot be invoked by the parties as a transfer tool under Chapter V of the GDPR.

8.

Data Controller Assistance

  1. 8.1

    Considering the nature of the processing, the Processor assists the Data Controller with appropriate technical and organizational measures, to the extent possible, in fulfilling the obligation of the Data Controller to respond to requests to exercise data subject rights. This implies that the Processor, as much as possible, assists the Data Controller in fulfilling the following:

    1. a)

      The data subject's right to be informed when their personal data is collected;

    2. b)

      The data subject's right to be informed when personal data has not been obtained from them;

    3. c)

      The data subject's right to access;

    4. d)

      The right to rectification;

    5. e)

      The right to erasure ("right to be forgotten");

    6. f)

      The right to restriction of processing;

    7. g)

      The obligation to notify in the event of rectification, erasure of personal data, or restriction of processing;

    8. h)

      The right to data portability;

    9. i)

      The right to object;

    10. j)

      The right not to be subject to a decision based solely on automated processing, including profiling.

  2. 8.2

    In addition to the obligation to assist the Controller under clause 8.1, the Processor must also, taking into account the nature of the processing and the information available to it, assist the Data Controller in ensuring compliance with:

    1. a)

      The obligation of the Data Controller to notify the personal data breach to the competent supervisory authority, without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

    2. b)

      The obligation of the Data Controller to communicate without undue delay the personal data breach to the data subject when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

    3. c)

      The obligation of the Data Controller to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment).

    4. d)

      The obligation of the Data Controller to consult the competent supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk.

9.

Notification in Case of Personal Data Breach

  1. 9.1

    In the event of a personal data breach, the Processor shall, without undue delay after becoming aware of it, notify the Data Controller of the personal data breach.

  2. 9.2

    The notification by the Processor to the Controller shall, if possible, be made within 48 hours from the moment the Processor becomes aware of it to enable the Controller to meet the obligation to notify the personal data breach to the competent supervisory authority (Article 33 GDPR).

  3. 9.3

    As provided for in clause 8, paragraph 2, letter a), the Processor shall assist the Data Controller in the notification to the competent supervisory authority, which means that the Processor shall provide assistance to obtain the information listed below that, pursuant to Article 33, paragraph 3, of the GDPR, must be included in the notification by the Controller to the competent supervisory authority:

    1. a)

      The nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

    2. b)

      The likely consequences of the personal data breach;

    3. c)

      The measures taken or proposed to be taken to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects.

10.

Erasure and Return of Personal Data

Upon completion of the processing operations of personal data, the Processor is obliged to erase all personal data processed on behalf of the Data Controller and certify to the Data Controller that it has done so, unless Union or Member State law requires storage of the personal data for longer periods. The Controller may choose to delete their account and the statistics of the monitored website at any time. The Processor provides a link for simple and question-free deletion. All statistics will be permanently and immediately deleted when the Processor receives a data deletion request. Once the data has been permanently deleted, it cannot be recovered.

11.

Audit

The Processor provides the Data Controller with all necessary information to demonstrate compliance with the obligations under Article 28 of the GDPR and the clauses of this appointment agreement and agrees to a potential annual audit at the Processor's premises, to be notified at least 3 months in advance of the planned inspection date. The costs of the audits are borne by the Data Controller.

12.

Additional Clauses

The parties may agree on additional clauses applicable to the processing of personal data further specifying certain aspects of the processing, provided that they do not directly or indirectly contradict the provisions of this appointment agreement nor prejudice the fundamental rights and freedoms of the data subject and the protection afforded by the GDPR.

13.

Effectiveness and Term of the Appointment Agreement

  1. 13.1

    This appointment agreement shall enter into force on the date of acceptance by the Data Controller.

  2. 13.2

    Both parties shall have the right to request renegotiation of the clauses in the event of changes to the applicable law or if the clauses are deemed inadequate by the parties.

  3. 13.3

    These provisions apply for the duration of the processing activities envisaged under the Contract.

  4. 13.4

    If the processing of personal data is terminated and the personal data is deleted or returned to the Data Controller pursuant to clause 10, this appointment agreement may be considered terminated following written notification by one of the parties.

Attachment A: Treatment Information

A.1. Purpose of the Treatment Carried out by the Processor on Behalf of the Controller.

The purpose of the personal data processing carried out by the processor on behalf of the controller is to provide the analytics services described on the Documentation.

A.2. Nature of the Processing Carried out by the Processor on Behalf of the Controller.

The nature of the processing involves the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, transmission, provision, alignment, combination, limitation, deletion, or destruction of data from visitors to the Controller's website using automated and manual processing tools.

Although the purpose of the Publytics platform is to track website usage, the Processor does not track, collect, or store personally identifiable information. No cookies are used. All website measurements are made anonymously, and the Processor only collects data strictly necessary for processing.

A.3. Categories of Personal Data Processed.

IP Address, User-Agent.

A.4. Duration of the Processing by the Processor.

The duration of the processing is equal to that of the Contract, subject to any legal retention obligations or requests for deletion from the Controller or the data subject.

The Controller may choose to delete their account and the statistics of the monitored site at any time. The Processor will provide a link for simple and question-free deletion. All statistics will be permanently deleted immediately upon the request for data deletion. Once the request is made, the data will be permanently deleted and cannot be recovered.

Type of personal data processed Categories of interested parties Type of processing Purpose of the processing Storage times
Common, non-sensitive/particular data: visitor's anonymized IP address, location Users who visit the Owner's website. Analysis and monitoring of the number of visitors and navigation on the site in statistical and aggregate form. Contractual purpose. Fino al termine del contratto o fino a quando il contratto lo prevede oppure fino a quando il Titolare non decida di cancellare i dati o cancellare il proprio account, a seconda di quale evento si verifichi prima.
User ID assigned on the Customer's platform by the Customer Final users who visit the Customer's website The customer can use it for customized reports that allow the identification of actions carried out by the aforementioned ID Only upon customer need, not mandatory Until the customer requests its cancellation

Attachment B: List of Authorized Sub-Processors

B.1. Pre-approved Sub-Processors List

  • Hosting - Hetzner
    • Hetzner Online GmbH
    • Industriestr. 25
    • 91710 Gunzenhausen, Deutschland
  • Certifications: Hetzner Certifications

If the Controller refuses to appoint additional sub-processors, and if such non-appointment could jeopardize the performance of the services, the Processor shall have the right to terminate the service contract, without the Processor having anything to claim as a result of the termination.

Attachment C - Data Processing Instructions, Security Measures

C.1.

The Data Controller instructs the Data Processor to process personal data in accordance with the Contract, this Data Processing Agreement, and to adhere to other reasonable instructions from the Controller (e.g., via email) where such instructions are consistent and in line with the Contract and the services provided. Any additional security measures required by the Controller or additional instructions beyond those listed in this Agreement shall be borne by the Controller, including their implementation. The Processor shall:

  1. (1)

    Process personal data solely on behalf of the Data Controller and in accordance with the Data Controller's documented legitimate instructions within this appointment

  2. (2)

    Immediately notify in writing if, in its judgment, it believes that any instruction provided by the Data Controller violates the GDPR.

  3. (3)

    Perform the services and process personal data in compliance with the GDPR and the Contract.

  4. (4)

    Promptly communicate to the Data Controller any non-compliance with this agreement.

The parties agree that this agreement and the Contract establish the complete and final instructions from the Data Controller to the Data Processor regarding the processing of personal data, and processing beyond the scope of these instructions (if any) shall require a written agreement.

The Processor shall not collect or analyze personal information of users of monitored websites for the purpose of selling advertisements to third parties and shall ensure the privacy compliance of visitors.

C.2. Data Processing Security

  • Firewall
  • Private encrypted networks
  • Antivirus
  • Encryption of transit HTTPS
  • Capability to restore data availability within 24 hours
  • Confidentiality agreement: all persons authorized by the Processor to process personal data have committed to maintaining data confidentiality through a specific agreement.

The Processor shall refrain from generating a persistent device identifier for the website visitor, as it would be considered personal data under the GDPR. The data processed by the Processor cannot be used to identify an individual. Each HTTP request sends the IP address and User-Agent to the server, which the Processor uses to generate an identifier that changes daily using a hash function with a salt that changes daily to anonymize the data. The IP address and User-Agent are never stored in our logs, databases, or servers. Previous salts are deleted every 24 hours, making the IP address and User-Agent completely inaccessible to anyone, including the Processor. The formula used by the Processor generates a random alphanumeric string used only for calculating the number of unique visitors in a single day. After a day, it becomes impossible to trace back to the user, as the salts change, and the hash produces a different ID for the same combination of IP, Domain, and User Agent.

  1. Salt: It varies daily to ensure that the hash is different each day for the same combination of IP, User-Agent, and Hostname.
  2. IP Address (e.g., 1.1.1.1): This is typically a unique identifier for the network, but sometimes, if using a VPN or proxy, it may be the same as other users.
  3. User-Agent (e.g., Mozilla/5.0 (Linux; Android 12; SM-S906N Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36): This provides greater uniqueness than using only the IP address and indicates the browser and operating system used by the user.
  4. Hostname (e.g., example.com): It identifies the second-level domain where a specific event occurs; adding it to the hash allows differentiation of a user's identifier performing browsing activities across different websites.

C.3. Instructions on Transfer of Personal Data to Third Countries

Data is not transferred outside the European Union. Personal data is stored in Italy, Germany, and Finland.