MEETALPHA INC 1643 Powell St, San Francisco, CA 94133
in the person of its legal representative pro tempore
the Company MEETALPHA SRL, with registered office in Florence, Via del Tiratoio 1 - 50124, VAT No.: 07205120483 and registered at the Florence Register of Companies No. REA FI-687032, in the person of its legal representative pro tempore
Hereinafter referred to as “Parties” or “Autonomous Owners” or “Co-Owners”.
- MEETALPHA SRL is a subsidiary of MEETALPHA INC under US law.
- MEETALPHA INC is a company under US law that has a partnership agreement with MEETALPHA SRL for the development and implementation of the 'ALPHA' application and the subsequent marketing and commercialization of the same SW.
- As legal entities belonging to the same corporate group, but subject to Italian and US law, the companies jointly decided to regulate the processing of data via the ALPHA application and the web domain https://www.meetalpha.it/ as follows.
- In Article 4(1)(7) of the GDPR, the Data Controller is 'the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data'.
- In Art. 24(1), the data controller 'shall implement appropriate technical and organizational measures to ensure, and be able to demonstrate, that processing is carried out in accordance with this Regulation'.
- The Parties mutually acknowledge that they are aware of and apply all applicable rules on the processing of personal data, both primary and secondary, relevant for the proper management of the Processing.
- Article 26(1) of EU Regulation 679/2016 ('the Regulation') provides that 'where two or more data controllers jointly determine the purposes and means of the processing, they shall be joint controllers. They shall determine in a transparent manner, by means of an internal agreement, their respective responsibilities as regards compliance with their obligations under the Regulation, in particular with regard to the exercise of the rights of the data subject and their respective functions for communicating the information referred to in Articles 13 and 14.'
- Article 26(2) of the Regulation provides that, 'The co-ownership agreement shall adequately reflect the roles and relationships of the co-owners with the persons concerned. The essential content of the agreement shall be made available to the interested parties'.
- The Parties shall jointly determine the purposes and means of the processing of personal data consisting in carrying out statistical surveys for scientific research purposes.
- The performance of the aforementioned activities in fact entails the processing of personal data, as defined in Article 4, point 1) of the Regulation, also of particular categories as defined in Article 9 of the GDPR.
- The Parties hereby undertake to process data in accordance with the principles of lawfulness, correctness, transparency, minimization, accuracy, limitation, integrity, confidentiality and exclusively for the purposes set out in this agreement.
- The parties enter into this DPA (Data Protection Agreement) in order to limit the scope of circulation and processing of personal data (e.g., storage, archiving and retention of data on their own servers or in the cloud) to countries within the European Union.
THE FOLLOWING IS AGREED
Art. 1 - Premises
The premises form an integral and substantial part of this document henceforth referred to alternatively as "Agreement" and/or "DPA".
Art. 2 - Subject
- By this Agreement, the Parties determine the purposes and means of the processing, as well as their respective responsibilities regarding the compliance with the obligations arising from the current legal framework with particular regard to the exercise of the rights of the data subject, and their respective functions in communicating the information referred to in Articles 13 and 14 of the GDPR.
- The Parties have ownership of the software (moral rights and economic exploitation rights), in a proportion of 50% each, but MEETALPHA INC undertakes to process the data in full compliance with the GDPR.
- This Agreement also sets out the obligations of the Parties regarding the exercise of the rights of data subjects.
Art. 3 - Data processed, purpose and legal basis for processing
In connection with the exchange of information, understood as both data transmission and file sharing, and with their role as source or receiver of the information exchanged, the Contractors report the data being processed as follows:
- DATA CONTROLLER 1 - MEETALPHA SRL: processes all data collected via the "ALPHA" application. Please refer to the company's processing register for a detailed list of data, purposes, legal basis, data retention and indication of security measures.
- DATA CONTROLLER 2 - MEETALPHA INC: owner of the web domain https://www.meetalpha.it/, does not process any type of data via the website. It then processes part of the data collected via the "ALPHA" application with respect to licenses provided to American companies. Please also refer to the company's processing register for MEETALPHA INC for a detailed list of data, purpose, legal basis, data retention and indication of security measures.
Art. 4 - Data security obligations
- The Co-owners assume the charge of processing personal data in accordance with the regulations in force, the storage methods and the provisions concerning IT security incidents and through the use of IT tools complying with the technical and organizational requirements in force, as well as through their own staff, duly informed and trained pursuant to art. 32 of the Regulation, sharing common training paths or extending guidelines, internal disciplinary rules and conduct policies.
- The Co-owners identify the personnel authorized to process personal data and give the necessary instructions for the correct fulfilment of the provisions in the light of the applicable legislation.
- Each Holder has full knowledge of the organizational arrangements, operating procedures, paper documentation management, the use of IT tools and the functionality of information systems.
- Both companies also undertake to:
b) To make the content of this Agreement available to interested parties, pursuant to Article 26(2) of the Regulation, also by means of publication on the website.
c) Inform the other party without delay of any notices, inspections and/or objections by the Guarantor with reference to the processing operations covered by the Agreement, as well as in the event of a complaint or exercise of rights pursuant to Article 15 et seq. of the GDPR.
d) Share mutually and without delay any breach of data processed under the Agreement, including any relevant security incidents, agreeing as soon as possible, and in any case within the time limits and in the manner provided for by the legislation, the contents of the possible notification to the Guarantor and to the data subjects pursuant to Articles 33 and 34 of the Regulation; notification to the data subject in the event of a personal data breach will be made by the party that has materially suffered the data breach.
Art. 5 - Relationship between Co-owners
The Parties mutually guarantee each other that the data processed by each of them in the execution of this DPA shall be subject to timely verification of compliance with the relevant regulations on the processing of personal data - including the GDPR - and also undertake to cooperate with each other in the best possible way in the event that one of them is the recipient of requests for the exercise of data subjects' rights provided for in Article 12 et seq. of the GDPR or of requests by the Supervisory Authorities concerning processing areas falling within the competence of the other Party.
Art. 6 - Liability
- The Parties are jointly responsible for complying with each other's measures to ensure the effective redress of the person concerned in accordance with the provisions of the Applicable Rules, Articles 26 and 82 of the Rules, and in particular in accordance with Articles 3 and 4 of this Agreement.
- Regarding the processing of personal data as provided for in the Agreement, the Parties shall be held jointly and severally liable towards the data subjects, who may act indiscriminately against each Data Controller for the protection of their rights.
Art. 7 - Data processor
- In relation to data processing carried out within the framework of the Agreement, the Parties may designate one or more data controllers (pursuant to Article 28 of the Regulation), chosen from among the entities presenting sufficient guarantees to implement appropriate technical and organizational measures, so that the processing complies with the provisions of the law and guarantees the protection of the rights of the data subjects, carrying out appropriate checks and investigations.
- The designation of the Data Processor may be made by a joint legal act of the Parties or by a legal act of only one of them, which shall communicate the details to the other for information purposes. In the event of non-joint appointment, the Party appointing the Processor shall have the duty and responsibility of verifying the adequacy of the technical and organizational measures adopted by the Processor, assuming sole responsibility for any prejudicial consequences arising from the conduct of the Processor.
- The Contractors agree to limit the areas of circulation and processing of personal data (e.g. storage, archiving and preservation of data on their own servers or in the cloud) to countries that are part of the European Union, with the express prohibition of transferring them to non-EU countries that do not guarantee (or in the absence of) an adequate level of protection, or in the absence of the protection tools provided for by the GDPR (third country judged adequate by the European Commission, group BCR, model contractual clauses, etc.).
Art. 8 - Rights of data subjects
- Interested parties may at any time request access to their personal data and obtain a copy of them, their rectification or supplementation if they consider them to be inaccurate or incomplete, as well as their deletion, if the latter does not conflict with current legislation on the storage of data and with the possible need to enable the ascertainment, exercise, or defense of a right in court.
- Data subjects, as provided for in Article 77 of the Regulation, also have the right to lodge a complaint with the national supervisory authority in the event of unlawful processing or delay in the data controller's reply to a request falling within the data subject's rights.
- To exercise these rights, interested parties should always refer to the following contacts of MEETALPHA SRL: firstname.lastname@example.org
Art. 9 - Duration
- The commencement and term of this Agreement are of indefinite duration since the companies are part of the same corporate group and it is therefore in force for as long as the existing legal link exists.
Art. 10 - Final Provisions
- Any amendments to this Agreement shall be made by written agreement between the Parties.
- The Parties have read and understood the content of this Agreement and by formally acceding to it, they fully express their consent.