PERSONAL DATA PROCESSING AGREEMENT

Whereas, pursuant to Article 28 of the GDPR, in order to protect any of the Client’s personal data that may be subject to processing during performance of the software licence agreement and to guarantee APlanet’s professional confidentiality, the Parties agree to the application of the following clauses:

  1. Purpose

The purpose of the processing is to enable APlanet to access personal data that it needs to provide the services contracted through the corresponding Purchase Order (PO) and to establish the terms and conditions applicable to such access.

  2. Type of services provided and purpose of the processing

The Parties agree that APlanet will provide the aforementioned services at its own facilities and in its own IT systems to provide technical support and maintenance for the contracted services.  

  3. Identifying information provided

To carry out the agreed services, APlanet will have access to information containing the following personal data:

  • The category of data subjects whose personal data will be processed concerns the Client’s USERS.
  • The data processed concerns the following categories of personal data:
      • Personal details (name, title, degree/academic grade, date of birth)
      • Contact details (email address, telephone number)
      • Electronic communication data (IP address, websites accessed, details about the device used, operating system and browser)
  • Special categories of data: not applicable.

  4. Data Processor’s Obligations

APlanet and all its staff must comply with the following requirements:

4.1. Duty of Confidentiality

  • Keep confidential the personal data to which it has access for as long as it is contracted to carry out the processing, including when the purpose of the processing has ended.
  • Ensure that any individuals it authorises to process personal data give their express written agreement to respect confidentiality and to comply with the relevant security measures which it must duly inform them about.
  • Keep and make available to the data controller written records to show that it is compliant with the obligation contained in the previous paragraph.
  • Ensure individuals authorised to process personal data receive the necessary training on the protection of personal data.

4.2. Only use any personal data that it processes, or collects for processing, for the purpose of the service carried out. Under no circumstances must it use the data for its own ends.

4.3. Process the data in accordance with the Client’s instructions. If APlanet considers that any of these instructions are in breach of the GDPR or any other data protection laws of the European Union or its Member States, it must notify the Client immediately.

4.4. Not disclose any personal data to third parties without the Client’s express authorisation and only if required to do so by law. 

4.5. International Data Transfers

If, under the applicable European Union or Member State law, APlanet has to transfer personal data to a third country or to an international organisation, it shall inform the Client of this legal requirement beforehand, and, in any event, it shall guarantee that such transfer is made in accordance with the obligations stipulated under applicable law.

4.6. Security Measures 

APlanet shall implement the appropriate technical and organisational measures to ensure a level of security appropriate to the risk, and to prevent alteration, loss and any unauthorised processing or access, taking into account the state of the art, implementation costs, the type, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons to which they are exposed. 

APlanet shall implement the following specific security measures:

  • Maintain a record of all the categories of processing activities it carries out on behalf of the Client, which must include:
      1. The name and contact details of the processor and of its representative and its data protection officer, if applicable.
      2. The categories of processing carried out on behalf of the Client.
      3. If applicable, transfers of any personal data to a third country or an international organisation, including the identification of that third country or international organisation.
      4. A general description of technical and organisational security measures implemented regarding:
          • Pseudonymisation and/or encryption of personal data.
          • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
          • The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident.
          • A procedure to test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the processing.
  • Reporting data security breaches:

APlanet must notify the Client via the [email protected] email address without undue delay, and in any case within 24 hours, about any security breaches it becomes aware of affecting personal data for which it is responsible, including all relevant information required to document and report the incident. 

It will not be necessary to report a security breach if it is unlikely to create a risk to the rights and freedoms of natural persons. 

If available, it must provide the following information as a minimum:

  a) A description of the nature of the personal data breach, including, if possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
  b) The name and contact details of the data protection officer or alternative contact who can provide more information.
  c) A description of the possible consequences of the personal data breach.
  d) A description of the measures taken, or proposed measures, to address the personal data breach, including, where appropriate, measures taken to mitigate any possible adverse effects. If it is not possible to provide this information at the same time, the information can be provided in phases without undue delay.

4.7. Data Subject Rights: Assist the Client when responding to a request to exercise the rights of:

  • access, rectification, deletion and objection
  • restriction of processing
  • data portability
  • not to be subject to decisions based solely on automated processing (including profiling).

The Client shall send APlanet any requests received from its users so that it may respond to the request within the established period of 3 working days. When it has replied to the request, APlanet will inform the Client using the same email address so that the Client can reply to the data subject within the statutory period of one month.

If a data subject who is affected contacts APlanet directly to exercise their rights, APlanet will redirect the user to the Client. 

4.8. Assist the Client in carrying out data protection impact assessments, if required.

4.9. Assist the Client in making prior consultations with the supervisory authority, if required.

4.10. Make available to the Client any information required to demonstrate fulfilment of its obligations, and to allow, and actively participate in, audits or inspections carried out by the Client or any of its authorised auditors, provided APlanet considers that this does not infringe any other data protection provisions.

  5. Deletion of Personal Data

APlanet shall destroy the personal data within three months from the date when provision of the services ends. However, APlanet may retain a copy, in which the personal data have been duly blocked, until the limitation period has lapsed for any liability deriving from the services provided. 

  6. Subcontracting

The Client authorises APlanet to subcontract some of its services and expressly authorises the Sub-processors listed in paragraph 1 of the attached Schedule to carry out processing activities. If APlanet intends to change any of the Sub-processors, it shall notify the Client 15 days beforehand in accordance with paragraph 2 of the attached Schedule.

The sub-processor, who also acts as data processor, shall also be bound by the same obligations as applicable to APlanet that are established in this agreement, and the Client’s instructions. 

  7. Data Processor’s Obligations

The Client must:

  1. Facilitate the right for data subjects to be informed when accessing the service.
  2. Notify APlanet of any change made to the personal data provided to enable APlanet to update the data.
  3. Security breaches: It is the Client’s responsibility to report any data security breaches to the Data Protection Authority and to data subjects.
      • The Data Protection Authority must be notified without undue delay, and in any event, within 72 hours, unless it is unlikely that the breach poses a risk to the rights and freedoms of natural persons. Any notification that is not made to the supervisory authority within 72 hours must include an indication of the reasons for the delay.
      • Data subjects must be notified as quickly as possible if it is likely that the security breach poses a high risk to the rights and freedoms of natural persons.
  4. Carry out any data protection impact assessments that are required.
  5. Provide prior consultations with the supervisory authorities if required.
  6. Monitor the processing, including carrying out inspections and audits.

  8. Applicable Jurisdiction

The Parties waive their personal jurisdiction and submit any dispute arising over the interpretation of this data processor agreement to the courts of the city where the data processor resides.

SCHEDULE 1: AUTHORISED SUB-PROCESSORS 

  1. List of Sub-processors 
  2. APlanet’s sub-processors (including the Client’s companies) that are located in a Member State of the European Union, in a country that the European Commission considers to have adequate protection or that have incorporated into their processor contracts the Standard Data Protection Clauses adopted by the Commission on 4 June 2021:

| Sub-processor Name | Sub-processor Address | Services/processing provided by Sub-processor |
|---|---|---|
| POSTMARKAPP | https://postmarkapp.com/eu-privacy | Email delivery |
| AMAZON WEB SERVICES | https://aws.amazon.com/es/compliance/data-privacy/ | Hosting |
| INTERCOM | https://www.intercom.com/legal/privacy | Chat |