Appointment of External Data Processor pursuant to Art. 28 EU Regulation 676/2016   To the company People Lab srl Via Oldofredi, 45 MILAN   Tax code and VAT no. 0421284096   Subject: Appointment of External Data Controller   The Client, in its capacity as Personal Data Controller, in the person of its legal representative pro tempore, hereinafter referred to as Data Controller or Client WHEREAS

• People Lab srl, by virtue of the supply contract and the consequent licence agreement, provides the Client with the Adiuvet software;
• by reason of the aforementioned contractual relationship, People Lab srl carries out a processing of personal data, in respect of which the Customer is the Data Controller;
• it is therefore necessary to proceed with the appointment of People Lab srl as Data Processor, as provided for by Article 28 of Regulation 679/2016 (GDPR);
• People Lab possesses adequate requirements of experience, capacity and reliability sufficient to put in place appropriate technical and organisational measures and to perform the role of external Data Processor, as referred to in the aforementioned Article 28 GDPR

NOMINATION External Data Processor People Lab srl, with registered office in Milan, Via Oldofredi 45. People Lab srl, in its capacity as External Data Processor, is required to process personal data in compliance with the GDPR principles and following the instructions of the Data Controller.   Object of the processing The activities carried out by Peole Lab srl on behalf of the Data Controller involve the processing of the following personal data:

• common data/contact details (such as, by way of example but not limited to, name, surname, residence, email address, telephone number).

  Duties of the External Manager People Lab srl is required to:

1. process the data in compliance with the principles of data processing set out in the Regulation, only for the purposes indicated in the contract, and for the duration of the contract;
2. process the data in accordance with the documented instructions of the data controller;
3. to ensure that the persons authorised to process personal data have formally committed themselves to confidentiality or have an appropriate legal duty of confidentiality and have received the necessary training on data protection;
4. drawing up, pursuant to Art. 30, p. 2 GDPR, where applicable, a register of processing activities;
5. taking into account the state of the art and the costs of implementation, as well as the nature, subject matter, context and purposes of the processing, as well as the risk of varying degrees of likelihood and severity to the rights and freedoms of natural persons, to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which include, among others, where appropriate:
6. the pseudo-anonymisation and encryption of personal data;
7. the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services on an ongoing basis;
8. the ability to restore timely availability and access to personal data in the event of a physical or technical incident;
9. procedure to regularly test, verify and evaluate the effectiveness of the technical and organisational measures to ensure the security of the processing.
10. make available to the data controller all the information necessary to demonstrate compliance with the obligations of this agreement or contract and allow and contribute to the audit activities, including inspections, carried out by the data controller or another person mandated by the latter;
11. informing and involving the Controller in a timely manner in all matters concerning the processing of personal data and in particular in the event of requests for information, audits, inspections and access by the Privacy Guarantor or the Authorities in charge;
12. taking into account the nature of the processing, to assist the Data Controller with appropriate technical and organisational measures, insofar as this is possible, in order to comply with the obligation of the Data Controller to comply with requests to exercise the data subject’s rights;
13. to assist the Data Controller in ensuring compliance with the obligations set out in Articles 32 to 36, GDPR, taking into account the nature of the processing and the information available to the Data Controller, and in particular to cooperate in personal data breach notifications, impact assessment and prior consultation;
14. immediately inform the Data Controller if, in its opinion, an instruction violates the Regulation or other provisions, national or Union, relating to data protection;
15. comply with the conditions set out in paragraphs 2 and 4 of Article 28, GDPR, for recourse to another Data Controller;
16. at the option of the Data Controller, erase or return all personal data after the provision of services relating to the processing has ended and delete existing copies (unless Union or Member State law provides for retention of data).

  Codes of conduct and certification mechanisms Adherence by the data controller to a code of conduct or certification mechanisms may be used as an element to demonstrate the sufficient safeguards referred to in paragraphs 1 and 4 of Article 28 GDPR.   People Lab srl   [Document version 1.0]