This Personal Data Processing Addendum (hereinafter, “DPA”) supplements Tanaza Terms & Conditions, as updated from time to time between Customer and Tanaza, and any other agreement between Customer and Tanaza governing Customer’s use of Tanaza Services. This DPA is an agreement between You / the entity You represent (hereinafter, “Customer”) and Tanaza S.p.A., with registered office at Milano, via Carlo de Cristoforis, 13, VAT no.IT07081410966 (hereinafter, “Tanaza”), hereinafter referred to individually as “Party” and jointly as “Parties”.

1. Whereas

1.1. Pursuant to the service agreement executed between Tanaza and Customer (the “Service Agreement”, which includes Tanaza’s general Terms and Conditions and any Service orders subject to such Terms & Conditions), Tanaza shall provide Customer with certain data processing services (the “Services”);

1.2. Whether Customer does directly use the Services or integrates them into other services it provides to its customers and/or resells the Services to its customers:

  1. the provision of the Services may from time to time involve the access of Tanaza to ‒ or the communication to Tanaza of ‒ information concerning Third Parties which may constitute Personal Data pursuant to EU Regulation no. 2016/679 (“GDPR”) and other applicable data protection provisions and laws;
  2. Parties acknowledge that transfers of such data between them fall within the scope of Article 28 of the GDPR and that relatively to such data Customer and Tanaza qualify respectively either as Controller and Processor or as Processor and Sub-Processor pursuant to the GDPR;
  3. This DPA is entered into to regulate the transfer and the processing of Personal Data necessary to perform the Services provided for in the Service Agreement, in order to guarantee the protection of privacy, liberties, and fundamental rights of natural persons.

2. Definitions

For the purposes of this DPA, certain terms are defined herewith and shall have the meaning of the definitions laid down hereto. In addition, the Definitions used in the GDPR shall have the same meaning in this DPA.

2.1. Member State: means a member state of the European Union (“EU”) or of the European Economic Area (“EEA”).

2.2. Sub-Processor: means any other processor, established within or outside the EU/EEA, appointed by Tanaza as a subcontractor of Customer for the provision of the Services or part thereof, provided that such Sub-Processor has access to Personal Data only for the purpose of performing the subcontracted Services on Customer’s behalf.

3. General obligations of the Parties

Parties shall comply with the provisions of the GDPR and any other data protection laws that apply to Customer as Controller (or Processor) or to Tanaza as Processor (or Subprocessor).

3.1. Obligations of Data Processor 

  1. Instructions. Tanaza represents and warrants that it will process Personal Data only on behalf of Customer and in accordance with the instructions given by Customer and contained in this DPA and that it will inform Customer without undue delay if it is unable for any reason to comply with such provisions, in which case Customer may suspend the transfer of Personal Data.
  2. Technical measures. Tanaza shall implement appropriate technical and organizational measures before processing Personal Data on behalf of Customer. Tanaza can change the technical and organizational measures from time to time.
  3. Requests and Supervisory Authority opinions. Tanaza shall respond promptly and adequately to all requests from Customer relating to the processing of Personal Data subject to transfer and to comply with any possible opinion issued by the Supervisory Authority on the processing of transferred data. Customer shall reimburse reasonable costs of complying with this provision.
  4. Personnel and Sub-Processors. Tanaza shall ensure that persons authorized to process Personal Data on behalf of the Customer, in particular Tanaza’s employees and any Sub-Processor, including their employees, shall process such personal data in accordance with the instructions given by Tanaza.
  5. Information. Tanaza shall provide Customer with the relevant information on the processing activities concerning the Services covered by the DPA, to the extent necessary for Customer to fulfill its obligation to keep the Record of Processing Activities.
  6. Assistance. At the request of Customer, Tanaza shall assist Customer in carrying out the data protection impact assessment and the prior consultation with Supervisory Authorities, taking into account the nature of the processing and the information available to Tanaza. Customer shall reimburse reasonable costs of complying with this provision.
  7. DPO. If Tanaza appoints a Data Protection Officer (“DPO”) (where required by applicable data protection law), it will be required to communicate the contact details of the DPO to Customer.
  8. Termination. Upon termination of the Service Agreement, Tanaza is required ‒ at the request of Customer ‒ to cancel or return to Customer all Personal Data (and any existing copies) processed by Tanaza on behalf of Customer referred to in the DPA. The deletion of Personal Data by Tanaza must be certified to Customer, unless the European Union law or the law of a Member State requires or entitles Tanaza to retain Personal Data, by way of an autonomous Data Processing. In this case, Tanaza undertakes to guarantee the confidentiality of the Personal Data transferred and not to process such data on its own initiative.

4. Instructions

4.1. Provisions of Law. In accordance with section article 3.1 of the DPA, Tanaza shall process Personal Data exclusively on behalf of Customer and in accordance with the instructions given by Customer and the Service Agreement (including this DPA), including in the case of transfer of Personal Data to a third country or an international organization, without prejudice to the provisions of the European Union law or the law of a Member State to which Customer is subject. In such a case, if Tanaza does not merely process Personal Data in accordance with the instructions given by Customer, it shall give prior notice to Customer of the provisions of the European Union law or of a Member State law, unless such law prohibits disclosure for reasons of overriding public interest. In such a case, the information to be communicated to Customer must contain the applicable provisions of the European Union law or of a Member State.

4.2. Specifications. Customer may provide specifications for the instructions contained in the DPA and the Service Agreement as well as further instructions. Any further instructions beyond those set forth in the DPA and in the Service Agreement shall be within the scope of the instructions given in the Service Agreement and the DPA. Otherwise, the additional instructions will require an amendment of or under the Service Agreement.

4.3. Form. Instructions shall be given in writing, unless the urgency or other circumstances of the case require a different form (e.g. oral). Instructions communicated in a form other than written or electronic form must be documented in an appropriate form.

4.4. Contested Instruction. In addition to the disclosure of obligations under the DPA, Tanaza is required to immediately notify Customer of any instructions that it believes are in violation of applicable data protection laws (“Contested Instruction”). Following such communication, Tanaza will not be required to comply with the Contested Instruction. If, as a result of the information provided by Tanaza, Customer confirms the Contested Instruction and assumes responsibility for it, Tanaza shall comply with the Contested Instruction unless it is related to (i) the implementation of technical and organizational measures; (ii) the rights of data subjects; or (iii) the appointment of Sub-Processors. In cases (i) to (iii), Customer may contact the competent Supervisory Authority for a legal assessment of the Contested Instruction. If the Supervisory Authority confirms the legitimacy of the Contested Instruction, Tanaza will be obliged to comply with it.

5. Monitoring, audits and inspections by Data Controller

5.1. Self-monitoring and Audit Reports. In order to assist Customer in his legal obligation to diligently choose a service provider, Tanaza shall monitor, by appropriate means, its own compliance as well as that of his employees and Sub-Processors with data protection obligations set out in this DPA and in Article 28 of the GDPR. Tanaza shall make available to Customer any information to demonstrate compliance with such obligations according to Tanaza’s own documents and processes.

5.2. On-Site Audits. Customer may request that audits be carried out directly by a third party auditor (“On-site Audit”) that shall be approved by Processor, such approval not being unreasonably withheld, an in any case shall not be withheld in case of an official chartered auditor is appointed, unless there is a clear conflict of interest. The On-site Audit is subject to the following conditions: (i) it must only concern Tanaza’s personnel and data processing facilities involved in the processing activities referred to in this DPA and the auditor shall undertake a formal non disclosure agreement if it was not bound to professional secrecy by operation of the law; (ii) it must be carried out no more than once a year or in accordance with the provisions of applicable data protection law or of the competent Supervisory Authority or immediately following the occurrence of a Personal Data Breach affecting Personal Data processed by Tanaza referred to in this DPA; (iii) it must come with an adequate advance notice and may be carried out during normal working hours, without interrupting the continuity of Tanaza’s commercial activities and in compliance with Tanaza’s safety policies; (iv) Customer shall bear all expenses arising out of or in connection with On-Site Audits at Customer’s or Tanaza’s premises, unless such On-Site Audits reveal that Tanaza is not acting in accordance with the obligations set forth in Article 28 of the GDPR, in this DPA or in any other applicable data protection law, in which case all expenses shall be borne by Tanaza. Customer may prepare an audit report summarizing the results and observations of the On-Site Audits (“On-Site Audit Report”). On-Site Audit Reports are confidential information of Tanaza and Customer undertakes not to disclose them to third parties, with the exception of its own consultants, including legal consultants, its Data Protection Officer (DPO), its own employees and affiliated companies, and unless it is required to disclose their contents in accordance with the applicable data protection law, or at the request of the competent Supervisory Authority or if Tanaza gives its consent to disclosure.

6. Confidentiality

Tanaza shall ensure that persons authorized to process personal data on behalf of Customer, in particular its employees, any Sub-Processor and the latter’s employees, undertake to respect the confidentiality of such data or are subject to a legal obligation of confidentiality concerning Personal Data and processing operations referred to in this DPA.

7. Obligation to notify and Personal Data Breach

7.1. Obligation to notify. In addition to the notification requirements of the DPA, Tanaza is obliged to notify Customer within a reasonable term of: (i) any legally binding request of disclosure of Personal Data issued by judicial or police authorities, unless disclosure is prohibited by specific rules (e.g. criminal law rules protecting the confidentiality of investigations), or by any orders issued by law-courts and competent regulatory authorities/bodies relating to the processing of personal data referred to in this DPA; (ii) any complaints or requests from data subjects (e. g. in respect of access, rectification, erasure, restriction of processing, data portability, objection to data processing, automated decisions) without having to respond to such requests unless Tanaza has been otherwise authorized or otherwise required by applicable law; and (iii) any Breaches as defined in this DPA or by applicable data protection law relating to the Services provided by Tanaza.

7.2. Obligation to inform data subjects. Tanaza shall assist Customer in fulfilling the obligation under applicable data protection law for Customer to inform the data subjects and supervisory authorities, as the case may be, by providing disclosing information taking into account the nature of the processing and the information available to Tanaza.

7.3. Indemnification. Tanaza shall indemnify and hold harmless Customer against any claim, loss, liability, damage, cost, administrative penalty or other expenses (including legal fees) arising out of or in connection with any claim, demand, action or proceeding by any third-party entity (including Supervisory Authorities) suffered by Customer as a result of a Breach caused by Tanaza, by employees, directors, managers, agents and other collaborators of Tanaza, or by Sub-Processors where appointed. This indemnification clause is subject to the same liability caps and limits provided by the Service Agreement.

8. Requests from data subjects

8.1. Tanaza shall assist Customer, especially through the implementation of appropriate technical and organizational measures, as far as possible, in fulfilling Customer’s obligation to respond to requests from Data Subjects regarding the exercise of their rights.

8.2. In addition to what is described above, Customer may request Tanaza to assist it in order to respond to requests from Data Subjects regarding the exercise of their rights. Customer shall establish whether or not a Data Subject has the right to exercise such rights and shall give further instructions to Tanaza regarding the necessary assistance. Any denial to provide access instructed by Customer shall be confirmed in writing by Customer.

9. Sub-Processing

9.1. Customer hereby provides a general authorization to Tanaza to appoint Sub-Processors, subject to the following conditions and to any other applicable provision of the GDPR, including those in Art. 28.2:

a. Tanaza shall diligently choose Sub-Processors, paying particular attention to the reputation and experience of providing the subcontracted Services as well as the adequacy of technical and organizational measures. Tanaza shall enter into a written agreement with any Sub-Processor which shall (i) provide, for the Sub-Processor, the same obligations as the DPA for Tanaza, to the extent applicable to the sub-contracted Services, (ii) describe the sub-contracted Services, and (iii) the technical and organizational measures that the Sub-Processor shall implement, where applicable to the sub-contracted Services;

b. Tanaza, throughout the duration of the DPA, and at no charge to Customer, shall actively monitor, regularly audit and, where applicable, take measures to ensure compliance by each Sub-Processor with its obligations, and promptly report to Customer any non-compliance identified or reported by the Sub-Processor and any measures taken to remedy any non-compliance found.

c. If [Sub Processor] is established in a country outside the EU/EEA that does not provide for an adequate level of protection of personal data, the Sub-Processor shall (i) ensure that Customer and Sub-Processor enter into a data processing agreement based on the standard contractual clauses for the transfer of Personal Data to processors established in third countries pursuant to Commission Decision 2010/87/EU of 5 February 2010, or (ii) provide Customer with additional information and documents relating to the international data transfer mechanism pursuant to Article 46 of the GDPR used for the lawful disclosure of Personal Data from Customer to the Sub-Processor (even by including such information and documents within the list of approved Sub-Processors according to article 9.2).

9.2. Customer hereby pre-authorizes the appointment by Tanaza of any of the Sub-Processors listed at www.tanaza.com/Legal in order to assist Tanaza in the provision of services. Tanaza may also appoint additional Sub-Processors, if Tanaza is otherwise manifestly unable to continue to provide one or more Services in such circumstance.

10. Effectiveness, duration and termination

This DPA shall be effective from date of stated execution of the Service Agreement. Without prejudice to the provisions of this DPA, the conditions and rights of withdrawal are the same as those set forth in the Service Agreement.

11. Miscellaneous

11.1. Each Party is responsible for fulfilling its obligations under this DPA and applicable data protection law. Any liability arising out of or in connection with a breach of data protection obligations shall be governed by the liability provisions set forth in, or otherwise applicable to, the Service Agreement, subject to the provisions of this DPA.

11.2. Tanaza undertakes to defend, indemnify and hold harmless Customer, its collaborators, directors, employees, successors and agents (collectively the “Indemnified Parties”) from any action, damage, liability, loss, cost, administrative penalty and other expenses (including reasonable legal fees and expenses) arising out of any legal action, claim, order or other proceeding by any third-party entity (including Supervisory Authorities) arising out of or relating to the breach of Tanaza’s obligations under the DPA, within the limits and caps otherwise established between the parties.

Last Modified: Dec 21st, 2020