DATA PROCESSING AGREEMENT

Pursuant to Article 28 of Regulation EU 2016/679 dated 27 April 2016 (hereinafter, the “Regulation”), you, as the end user of services (hereinafter referred to as “User”)

Whereas:

1. The User and LeadBI S.r.l., with registered office in Iasi, Str. Olari nr. 8, C1, Iasi, Romania, 700019 (hereinafter, the “Company” or “LeadBI”) have entered into a contract, concerning the use by the User of the marketing automation platform of LeadBI, of which this document is an integral and substantial part (hereinafter referred to as the “Contract”);
2. the User acts as Data Controller with reference to the personal data processed in order to implement the Contract and indicated more precisely in Annex 1 (hereinafter the «Personal Data«);
3. Pursuant to Article 28 of the Regulation, the Data Processor is optionally designated by the Data Controller and, if appointed, is identified among subjects who, due to experience, capacity and reliability, provide the appropriate guarantee of full compliance with the applicable provisions on processing, including the safety profile;
4. The tasks entrusted to the Data Processor must be specified in writing by the Data Controller, and the Data Processor must comply with the instructions given by the Data Controller, who, also through periodic checks, ensures that they are strictly observed;
5. The User has found that – and LeadBI guarantees that – the Company, by virtue of its experience, capacity, and reliability, can provide sufficient guarantees regarding compliance with the applicable provisions on protection of personal data, including the safety profile, as required by the Applicable Law, as defined below;
6. It is the intention of the User, as Data Controller, to appoint LeadBI, who accepts, as an external Data Processor.

Given the above, the User hereby

Nominates

The Company as the External Data Processor for the processing of Personal Data to be carried out according to the Contract and in the manner and within the limits specified below.

1. Definitions
In this letter of appointment (hereinafter, the «Appointment» or “DPA”) the terms whose first letter is written in capital letters have the same meaning as defined by the Applicable Law. The following words have the following meanings:

“Sub-supplier” (or “Sub-Processor”), natural or legal persons who carry out their business for the Company by dealing with Personal Data belonging to the User;

“Applicable Law” the Regulation, as well as any other personal data protection legislation applicable in Italy, already in force or that will enter into force after this Appointment comes into force, including the provisions of the Data Protection Authorities issued in implementation of the Regulation;

“Safety Measures” are measures intended to protect personal data from accidental or illegal destruction or loss, alteration, disclosure or unauthorized access, as provided for in art. 32 of the Regulation.

2. Obligations of the Parties
2.1 Obligations of the Company
2.1.1 Processing purposes
The Company, as Data Processor, is committed to:

• Processing the Personal Data for the exclusive purpose of executing the Contract, and within the limits what it was established by it, while strictly adhering to the instructions given by the User;
• Only processing the Personal Data that is strictly required for a correct and full implementation of the Contract, or to fulfil legal obligations;
• Making sure that its employees and Sub-Suppliers have access and only process the Personal Data that is strictly required for a full and correct implementation of the Contract, or to fulfil legal obligations;
• Processing the Personal Data in a lawful manner, according to fairness and in full compliance with the Applicable Law.

2.1.2 Safety measures
The Company undertakes to correctly implement the Security Measures and any other security measure prescribed by the Applicable Law, taking into account the state of the art and the costs of implementation.
Also based on new solutions provided by technical and technological progress, and taking into account the nature of the data and the characteristics of the processing, the Company undertakes to implement Security Measures to minimize the potential risks of destruction or voluntary or accidental loss of Personal Data, unauthorized access or processing in violation of the law.

2.1.3 Representatives
The Company agrees to:

• Instruct, according to article 29 of the Regulation, those responsible for processing operations (hereinafter “Representative”), choosing from among its employees who, by experience, capacity, and training, can ensure compliance with Applicable Law;
• Give to the Representatives detailed operational instructions in writing regarding the methods for carrying out the processing entrusted to them as well as to strictly monitor the exact fulfilment of the instructions received;
• Implement physical, technical and organizational measures to ensure that each Representative may have access only to Personal Data that may be processed based on its authorization profile;
• Draft and update a list of Representatives, and annually checking the scope of processing allowed.

2.1.4 Rights of the data subjects
The Company must ensure the effective exercise of the rights recognized by the Applicable Law to the Data Subjects, by undertaking to promptly notify the User of any request to exercise such rights presented by one of the Data Subjects and to enclose a copy of the request.
The Company undertakes to cooperate with the User to ensure that the requests for exercising the rights abovementioned, including requests for objection to processing, are met within the times and according to the law and, more generally, to ensure full compliance with the Applicable Law.

2.1.5 Data communication and transfer abroad
The Company cannot exercise independent control of the Personal Data, and refrains from disclosing or communicating this data to third parties, unless expressly authorized by the Contract, or by the User in writing, and in any case in compliance with the provisions of the information statement provided to the Data Subject and with the consents, if expressed, in relation to the different purposes of processing.

2.1.6 Sub-Suppliers
If the Company intends to entrust to a Sub-Supplier in whole or in part the execution of the Contract, and this is permitted by the Contract or authorized by the User, he must previously inform the latter if his Sub-Supplier will process Personal Data of which the User is the Data Controller.
In this case, the User may directly appoint the authorized Subcontractor as its own Data Processor, or the User may authorize the Company to appoint the Sub-Supplier with an appointment deed substantially equivalent to this DPA.
In Annex 2, the User and the Company report the Sub-Suppliers approved at the date of signing this DPA.

2.2 Obligations of the Controller
2.2.2 The Controller declares and guarantees that any form of collection of personal data processed under this DPA:
a) contains a clear privacy notice, simple to understand but at the same time complete and compliant with Applicable Law, and that:
it is easily usable by the interested parties;
identifies the methods for collecting and using the personal data obtained;
b) offers to the data subjects the opportunity to remain excluded from such collection and use of such personal data;
c) provides for the obtaining of all the consents of the data subjects, to which the personal data refer, as required by the Applicable Law.

2.2.3 Considering the previous article 2.2.2, in particular the Data Controller warrants and expressly declares that:
a) the data subjects have given the Data Controller consent to the processing of their data through a free, specific, informed and unequivocal manifestation of will, for each purpose of the processing covered by the DPA.
b) the data were collected by the Data Controller according to the principles of correctness and lawfulness and for purposes corresponding to those for which they are processed under the DPA.

3. Audit
The Company acknowledges that, in compliance with art. 28 of the Regulations, the User may periodically assess the activities carried out, in order to verify compliance with the organizational, technical and safety measures prescribed by the Applicable Law or issued by the User as Controller.

The User will also have the right to access offices, computers and other IT systems / documents of the Company and its Sub-Suppliers, where this is deemed necessary to verify that the Company or its Sub-Supplier acts in compliance with the obligations agreed in virtue of this DPA.

In the event of access to the Company’s or Sub-Supplier’s premises by the User, it will be required to give the Company written notice of at least 7 working days. The User expressly recognizes and accepts that any costs of any verification referred to in this article will be at its sole expense.

Nothing contained in this DPA presupposes Company’s consent to disclosure to the User, as well as User’s access to:

• internal accounting or financial data of the Company;
• Company’s trade secrets;
• information which, on the basis of reasonable objections raised by the Company, could: (A) compromise the security of the Company’s systems or offices; or (B) entail the violation of the obligations of the Company as per the Applicable Law or of its obligations regarding security and / or confidentiality towards the User or third parties; or
• information to which the User (or any external auditors appointed by the latter) seek to access for reasons beyond the duty of good faith in fulfilling the obligations of the User as set out in the Applicable Law.

4. Statements and guarantees of the Company
The Company states and ensures that it is aware of the obligations assumed under the Applicable Law as a result of the appointment as Data Processor, and to have the required experience, skills and professionalism to perform this function.

The Company declares that it has not identified the Data protection Officer (DPO), as it is not subject to the obligation of designation provided for by Article 37 of the Regulation, and confirms the aforementioned declaration with a letter signed by its legal representative attached to this DPA.

5. Fee
Without prejudice to what was established in the Contract, the Company will carry out its function as Data Processor without payment, unless otherwise agreed with the User.

6. Duration
This Appointment takes effect starting from the validity date of the Contract and will remain in force until the date on which the Contract is terminated, regardless of the cause for termination.
If the Contract is terminated for whatever reason, the Company will return the Personal Data in its possession to the User and will delete any copies thereof. Upon the User’s request and at its full discretion, the Company must alternatively delete the Personal Data in its possession, giving written confirmation to the User without delay, unless the retention of data is required by law.

ANNEX 1

Data Subjects

The personal data processed concern the following categories of data subjects:

• persons who navigates and use the User’s websites;
• persons whose personal data are contained in the User’s CRM or User’s databases;

Data categories
The personal data processed concern the following data categories:

• Main data, e.g. title, name, company, address; and vat n.
• Additional contact details such as telephone number, e-mail address; ip, browser,
• Online data;
• billing information

Processing operations
The personal data processed fall under the following basic processing activities:

• Purpose of the processing: The purpose of the processing is executing the Contract among the User and the Company;
• Nature and purpose of the processing: The nature and purpose of the processing is marketing activity.