Conditions for commissioned processing of data
In the context of commissioned data processing, the following definitions are used:
- “Principal” means any person who entrusts EGS with the task of processing personal data.
- “Interested” (data subject) means a natural person to whom personal data refers and who is identified or identifiable by such personal data. A person is identifiable when given an identifier such as a name, an identification number, location data, an online identifier, or one or more characteristic elements of that person. The data subjects under the framework agreement for the provision of services (Master Service Agreement, MSA) are listed in Annex 1.
- “Data protection rules” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, referred to in this document as the RGPD), any other law based on that Directive or Regulation, and all other applicable laws in force in any other country concerning the protection of personal data or data protection, in the latest version in force, as amended or replaced.
- “MSA” means one or more agreements on the provision of certain services for the Principal in relation to the manufacture of dental prostheses and related services by EGS for the Principal.
- “Parties” means the contracting parties of the MSA.
- “Personal data” means data that can be used to identify a natural person. The respective categories of personal data are defined in Annex 1.
- “Standard contractual clauses” means the standard contractual clauses which, according to a decision of the European Commission based on Article 26 paragraph 4 of Directive 95/46/EC, offer sufficient guarantees for the transfer of personal data to a third country, or the data protection clauses adopted by the European Commission or by a supervisory authority and approved by the European Commission according to the procedure referred to in Article 93 paragraph 2 of Regulation (EU) 2016/679. Data protection clauses adopted under the General Data Protection Regulation supersede and take priority over any standard contractual clauses adopted under Directive 95/46/EC where they cover the same type of data transfer.
- “Sub-processor” means any subcontractor appointed by EGS to process personal data in whole or in part.
- “Data Controller” means the person referred to in Article 4 paragraph 7 of the RGPD.
- “Processing” (rendered elsewhere in this document as “treatment”) means any operation or set of operations performed on personal data, with or without the aid of automated processes, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Object, duration, type and purpose of the processing of data on behalf
For the purpose of managing the personal data of the data subjects during the validity period and execution of the MSA, this agreement on commissioned data processing together with its annexes (hereinafter the “agreement on commissioned processing of data”) is binding, in particular the provisions concerning the management of personal data and the technical and organizational measures. Within the MSA, EGS assumes, among other things, the task of providing, on behalf of the Customer, solutions aimed at realizing the identified solution. EGS also guarantees customer assistance services. In this context, EGS may come into contact with the personal data listed in Annex 1 and process them. EGS processes personal data only after a written assignment has been conferred, only within the scope defined in the contract, for the agreed purpose and according to the Customer's instructions. The personal data processed by EGS are used exclusively for the following purposes:
- Execution of the contract, including support services
- Research and development
- Statistical purposes
Personal data will not be used in any other way for EGS's own or third-party purposes. EGS always complies with the relevant data protection provisions. In providing the services, EGS undertakes in particular to respect the principles of data avoidance and data minimisation (data economy).
3. Scope and responsibilities
EGS processes personal data on behalf of the Customer. This processing includes the activities specified in more detail in the MSA and in the related description of the services. Under this agreement on commissioned processing of data, the Principal has exclusive responsibility, towards the Data Controller and EGS, for ensuring compliance with the provisions of data protection law, in particular as regards the lawfulness of the transfer of data to EGS and the lawfulness of the data processing. The instructions initially defined in the MSA may be modified, supplemented or replaced by the Customer in writing or in electronic (text) form through individual instructions (single instructions). Instructions not included in the MSA will be handled as a request to change the service. Any verbal instructions must be confirmed in writing immediately.
4. Obligations of the Principal
The Customer is responsible for assessing the admissibility of the data processing and for protecting the rights of the data subjects. The exclusive right to dispose of the personal data remains with the Principal. In particular, the Customer is responsible for the transfer of the data to EGS and for protecting the rights of the data subjects. Furthermore, the Principal undertakes to comply with all relevant data protection provisions in the execution of the MSA. The Customer is responsible for the completeness and accuracy of the data to be processed and guarantees that the data are correct and complete with regard to the purpose of use. Before the start of processing and, subsequently, at regular intervals, the Principal has the obligation and the right to verify compliance with the technical and organizational measures adopted by EGS according to Annex 2 and to confirm this compliance in writing. For more details, please refer to Article 9 of this agreement on commissioned processing of data. The Principal will immediately inform EGS of any errors or irregularities detected during this verification. With regard to the protection of the rights of data subjects under current data protection legislation, the Principal will allow data subjects to exercise their rights and will ensure that the data subjects described herein receive unambiguous, transparent, understandable and easily accessible information, in clear language, on the processing described in this document. The Principal is obliged to maintain the confidentiality of all trade secrets of which it becomes aware in the context of the MSA and of the agreement on commissioned processing of data, as well as of the measures adopted by EGS to guarantee data security. This obligation persists even after the termination of these agreements.
5. Technical and organizational measures according to article 32 of the RGPD
EGS has implemented and will maintain technical and organizational measures to protect personal data from unauthorized access, communication, modification, loss or destruction, accidental or illegal. These measures include, for example:
- Prevent access to systems for the processing of personal data by unauthorized persons (physical access control).
- Prevent the use of personal data processing systems without specific authorization (logical access control).
- Ensure that persons authorized to use a personal data processing system can access only the personal data covered by their respective access rights, and that, without specific authorization, personal data cannot be read, copied, modified or deleted during processing (data access control).
- Ensure that personal data cannot be read, copied, modified or deleted during electronic transfer, transport or recording on storage media, and that it is possible to determine and verify the target devices for each type of transmission of personal data by means of data transfer devices (data transmission control).
- Guarantee an audit trail documenting whether and by whom personal data have been entered into, modified in or removed from the personal data processing system (input control).
- Ensure that personal data is processed solely according to instructions (check of instructions).
- Ensure that personal data is protected from accidental deletion or loss (availability check).
The technical and organizational measures are described in Annex 2 of this agreement on commissioned processing of data. EGS has the right to adapt these measures systematically in line with the evolution of regulations, technology and other aspects; it also guarantees that it will bind any sub-processors to appropriate technical and organizational measures. In any case, the technical and organizational measures implemented must guarantee a level of protection appropriate to the risks arising from the processing and from the type of personal data to be protected, taking into account the state of the art and the cost of implementation. During the period of validity of the MSA and of this agreement on commissioned processing of data, the Customer may request that EGS send it, within a reasonable time, a description of the technical and organizational measures.
6. Place of processing
Without prejudice to Article 7 of this agreement on commissioned processing of data, the personal data that EGS handles on behalf of the Principal may be processed in all countries in which EGS, its affiliated companies and the authorized sub-processors have facilities for the provision of the services. In relation to the provision of services concerning personal data, the Customer authorizes EGS to transfer and process data in each of these countries. Each transfer from one jurisdiction to another (for the purposes of this article, the EU represents a single jurisdiction) takes place only in compliance with the current data protection provisions, for example by drawing up an additional data processing contract based on the standard contractual clauses (depending on the circumstances). EGS will not control or limit the geographical area from which the Customer or its customers may process personal data.
7. Sub-processors
The Customer acknowledges and expressly agrees that Kulzer may transfer personal data to third-party sub-processors in order to provide the services, provided that the transfer complies with the conditions of this paragraph. Between EGS and these sub-processors there are written contracts containing obligations whose level of protection is not inferior to that guaranteed by this agreement on commissioned processing of data, including the obligations under the standard contractual clauses where applicable. The Principal expressly authorizes EGS to conclude and apply, on its behalf, the standard contractual clauses governed by this agreement on commissioned processing of data with the sub-processors. With this agreement on commissioned processing of data, EGS informs the Principal of all categories of sub-processors that process personal data in relation to the MSA (see Annex 1). In the start-up phase of each individual assignment, the Principal is informed of the actual sub-processor and gives, as a preliminary step and at the latest upon conferral of the single assignment within the MSA, its consent to the use of that sub-processor by EGS. With respect to the sub-processor, EGS has the right and the obligation to verify the implementation of data protection and, in particular, the technical and organizational measures adopted by the sub-supplier, to the extent necessary.
8. Rectification, limitation and deletion of data
For the erasure of data or the restriction of processing, the written instructions of the Customer must be followed, subject to any grounds on which EGS may refuse. EGS reserves the right to erase data on its own initiative, or to restrict their processing, if the data are no longer necessary for the execution of the MSA or a consent is no longer valid. If a data subject asks EGS to erase, rectify or access their data, EGS will forward the data subject's request to the Customer where this is possible. On the instructions of the Principal, and within the limits of its possibilities, EGS will support the implementation of the request.
9. Right of the Principal and the Data Controller to control and audit
The Customer has exclusive responsibility for assessing the lawfulness of the processing of personal data and for implementing the rights of the data subjects, and bears this responsibility also on behalf of the Data Controller. Upon request, EGS makes the necessary information available to the Principal or the Data Controller in accordance with Article 28 of the RGPD. The Principal and the Data Controller may verify, exclusively at their own expense, through an independent audit body qualified under data protection law (TÜV, Dekra or others) (hereinafter the “Auditor”), before and after the start of data processing, during usual working hours, within the necessary time frame and with prior notice, compliance with data protection regulations and the contractual agreements, in particular the technical and organizational measures adopted by EGS. All information provided by EGS, with the exception of the personal data of the data subjects, is confidential information that may be disclosed only to the Auditor. The Data Controller (the Owner) and/or the Principal and their Auditor are authorized to request written information and the presentation of evidence on the data protection measures introduced and on the type and method of their technical and organizational implementation. The Auditor is also authorized to enter the building and premises of EGS to carry out inspections and checks at its own discretion, and to view the documentation necessary for the purposes of the processing, the processing and performance reports, the systems and stored data, and the regulations, directives and manuals governing the processing of the commissioned data. The audit covers the documentation concerning the appointment of a data protection officer, the confidentiality obligation of the employees, and the technical and organizational concepts, for example relevant operating procedures, as well as the contracts with the sub-processors.
The aforementioned rights of the Principal or the Data Controller exist for the entire period of validity of this agreement and beyond it, until the rights under the MSA lapse, or at least for as long as EGS retains personal data from the processing entrusted to it. In special cases the Auditor may carry out an unannounced audit, in particular if there are problems in the processing, if there are cases subject to mandatory reporting, or if the supervisory authority is about to introduce or has introduced new measures.
10. Behavior in the event of malfunctions and data breaches
EGS supports the Customer in complying with the obligations set out in Articles 32 to 36 of the RGPD regarding the security of personal data, the obligation to notify data breaches, data protection impact assessments and prior consultations. In the event of a processing malfunction or a data breach, the data controller must immediately take all appropriate and necessary measures for data security and to reduce any damage to the data subjects, the Customer and the Data Controller. EGS undertakes to notify the Principal immediately of any violation of the rules on the protection of personal data or of the provisions of this agreement. This also applies in the event of serious disruptions in operations, other suspected violations of the rules for the protection of personal data, or other irregularities in the handling of the Customer's personal data that could have consequences for the data subjects or the Principal or could cause damage, for example cases of attachment, seizure, insolvency proceedings, receivership or other measures taken by third parties. Data breaches include, in particular, the loss of confidentiality and the loss, destruction or violation of the integrity of the Customer's data or other confidential information under the MSA or this agreement on commissioned processing of data. The Principal must immediately inform EGS of any possible misuse of its accounts or authentication data, or of any security problem in relation to the use of the services. The Party responsible for the personal data breach must immediately investigate it and keep the other Party informed of the progress of the investigation, also taking measures to minimize its consequences. Both Parties agree to cooperate with each other unconditionally in this investigation and to assist each other in complying with any notification requirements and procedures.
A Party's obligation to notify a personal data breach, or to react to such a breach, cannot and shall not be interpreted as an admission of fault or liability by that Party in relation to the personal data breach.
11. Right of the Principal to issue instructions
EGS processes personal data only in accordance with the instructions of the Customer. The Customer can establish at any time the type, scope and procedure of data processing. These instructions must always be provided in writing. Any modification concerning the object or the general procedure of the processing must be decided by agreement between the parties. EGS will immediately inform the Principal if it deems that an instruction violates the data protection regulations. Until confirmation or modification of the disputed instruction by the Principal, EGS is authorized to suspend the application of this instruction.
12. Cancellation and return of personal data
Once all the conditions referred to in Article 6 of the RGPD have lapsed, EGS will first anonymize the data transmitted and, within six (6) months of the lapse of the grounds set out in Article 6 of the RGPD and subject to any backup archives, will delete them or, at the Customer's request, return them to the Customer; under no circumstances will it continue to use them. EGS will confirm the deletion in writing upon the written request of the Principal.
In accordance with the provisions of Article 82 of the RGPD, the parties have a responsibility towards the interested parties and a mutual responsibility.
14. Data Protection Officer
In accordance with Article 37 of the RGPD, EGS has appointed a data protection officer who coordinates the monitoring of compliance with the requirements of data protection legislation and collaboration with control authorities. The contact details of the data protection officer are as follows:
Data Privacy Officer
Leipziger Straße 2 63450 Hanau, Germany
The Parties agree that all commercial data of which the other Party becomes aware within the framework of the contract will be considered “confidential” and that the obligation of secrecy with regard to these data will remain in force even after the end of the validity period of the Contract. EGS maintains the obligation of secrecy towards the Principal or the Data Controller as a professional.
This Agreement replaces all existing agreements on data protection. The place of jurisdiction for all disputes arising from this Agreement is Bologna, Italy.
Annex 1: Details regarding the processing of personal data
I. Interested (data subjects)
In the execution of the MSA, EGS will process personal data of the following categories of data subjects:
- Customer (where necessary) / Data Controller
- Employees of the Customer / Contractual Partner / Data Controller
- Patients of the Customer / Contract Partner / Data Controller
II. Categories of personal data
The execution of the contract may include the processing of the following categories of personal data: names, addresses, contact details (e-mail, telephone numbers), contractual data, health data
III. Purpose of the processing
The personal data transmitted concern all the information necessary for the provision of the services, including the following categories of data:
- Execution of the contract, including assistance and information services
- Research and development
- Statistical purposes
IV. Sub-suppliers
For the purposes of the execution of the contract, EGS uses the following categories of companies:
- Hardware / software support
- IT services
Annex 2: Technical and organizational measures according to Article 32 of the RGPD
The following technical and organizational measures are established and considered to be agreed:
Individual user accounts and passwords are created. The password must be changed by the authorized person after the first login, and in any case no later than 90 days. Passwords are subject to the following rules:
- An initial password is assigned when a user is created.
- It must be changed on first access.
- The password must consist of at least 8 characters and must meet at least three of the following four complexity criteria: uppercase letters, lowercase letters, numbers and special characters.
- The password expires after 90 days and must be changed.
- After 10 failed login attempts, the user account is locked and can be unlocked only by the IT support service (IT Service Desk) or via EGS Self Service Password.
- After 15 minutes of inactivity, the screen is locked and a password is required to unlock it.
Physical access control
Access to company premises and servers is permitted only to EGS employees and to the service providers that EGS uses to fulfill its corporate purpose. Access to company premises is controlled by an electronic system. Employees receive an access card that is blocked in the event of loss. Access cards are withdrawn immediately upon termination of the employment relationship. A video access monitoring system is in operation in the offices. Entry to the plant and offices is supervised by personnel. The building is protected by an alarm system. Access to the server room is protected by technical and organizational physical access control measures, including in particular verification of the identity of authorized persons. Furthermore, technical and organizational measures have been taken to identify and authenticate users.
Control of telematic accesses
Authentication takes place via username and password. Each employee has access only to the data needed to perform their function. The user account is blocked immediately when the authorization expires, for example upon dismissal of an employee or termination of the authorization. All Internet access is protected by a firewall. Default outbound ports: http, https, ftp, smtp, dns. Default inbound ports: smtp, dns. Default ports for the DMZ: http, https, ftp, smtp, dns. Access to internal services takes place exclusively through appropriate security devices such as reverse proxy solutions, in line with the state of the art. Other ports are opened only upon request and subject to security analysis and authorization by the IT department of EGS.
Separate systems are used for different tasks, with a separate database for each application, accessible with different permissions.
All data connections on the Kulzer network are encrypted over the Internet. This applies both to network connections (Kulzer VPN) and to mobile devices (NetScaler, O365). The encryption level is set according to the state of the art for each IT medium. For sending and receiving confidential e-mail, the IT department of EGS provides a centralized solution based on the S/MIME encryption standard. Storage media that are no longer needed and misprinted documents are disposed of in compliance with data protection rules. Storage media are wiped before being disposed of by the service provider. The storage media of mobile devices (mobile phones, laptops, portable disk drives) are encrypted.
Control of telematic inputs
Changes to data, applications and systems are recorded together with the date, time, user and data involved. Registration also includes the administrator’s activities. The recorded data is stored and protected from loss or modification.
To protect data against accidental or intentional destruction, Kulzer adopts the following solutions:
- Backup: a backup and recovery system is in place. In the event of a failure, the last backup can be restored.
- Uninterruptible power supplies (UPS) with controlled shutdown when the residual battery charge is low
- Antivirus protection (centrally administered)
- Air conditioning system
- Fire prevention system
- Alarm system
Control of assignments
Through written contracts on commissioned data processing, all service providers that EGS uses for the execution of the MSA are bound to respect the principles defined in this agreement. All employees authorized to access the data are required to respect the confidentiality of the data. Training days on data protection legislation and the handling of confidential information are organized periodically. A data security concept is therefore in place with reference to the technical and organizational measures adopted for data protection.
Data protection management
Internal directives are in force covering, among other things, the handling of personal data and confidential information and corporate security in general. A register of processing activities is kept for all relevant operations.
Computer security management in the event of an accident (Incident Response Management)
All employees are trained in handling data breaches and malfunctions, in particular on the obligation of immediate notification.
Computer system monitoring
An internal IT security organization has been created and is entrusted, among other things, with the assessment of security incidents, security gaps and risks, and new IT security requirements.