Header-Hp

INTERNAL AGREEMENT OF CO-OWNERSHIP OF THE TREATMENT PURSUANT TO ART. 26 PARAGRAPHS 1) AND 2) OF THE EU REGULATION N. 2016/679

                                                                                                                                  Between
B810 Srl
, (Tax code and VAT number: 03378920361) (infra “B810”), in the person of its pro tempore legal representative, with registered office in Reggio Emilia, via E. Lazzaretti, 2/1; DIGICOM Srl , (Tax code and VAT number: 03488160122) (hereinafter “DIGICOM”), in the person of its pro tempore legal representative, with registered office in Legnano (MI), viale Cadorna, 95; And MC REGEM Srl , (Tax code and VAT number: 02891380350) (hereinafter “MC REGEM”), in the person of its pro tempore legal representative, with registered office in Reggio Emilia, via G. Gutenberg, 3.

B810, DIGICOM and MC REGEM can be referred to jointly as “co-data controllers” and / or “Parties”, and they are part of the same business group pursuant to art. 4 n. 19) of the GDPR, where B810 holds the status of parent company pursuant to Recital no. 37) of the GDPR.

 

  1. Premises.

1.1. The Parties have mutually agreed, pursuant to art. 26 paragraphs 1) and 2) of the GDPR, the following contractual clauses (hereinafter “Clauses”) aimed at regulating, in a formal and transparent manner, the respective responsibilities regarding compliance with the obligations, as co-Data controllers, deriving from the Community and national legislation on the protection of personal data – with particular (but not exclusive) regarding the exercise of the rights of the interested party pursuant to art. 4 n. 1) of the GDPR and the communication burden of the information document pursuant to art. 13 of the GDPR – in relation to the processing operations better described in attachment 1), a document that forms an integral and substantial part of this agreement.

1.2. The Parties agree that the Clauses (and any subsequent amendments thereto) are known, by the interested party, only in their essential content, thanks to the use of effective tools, consisting, for example, in the inclusion of such content in the ‘inside the information pursuant to art. 13 of the GDPR or through the request, by the interested party, of this content through the contact details indicated in art. 7 of the related information pursuant to art. 13 of the GDPR. 

  1. Obligations.

2.1. Without prejudice to the other obligations established by the applicable legal provisions, including the so-called deeds. soft law or the Provisions made by the competent Control Authorities or of a judicial nature, we proceed to illustrate, below, the main obligations to be performed by the co-Controllers of the treatment jointly with each other or, in specific cases indicated, by the specific co-Data Controller identified, by reason of a specific (and explicit) allotment agreement agreed between the Parties:

  1. The co-controllers of the treatment undertake to collaborate, in a reciprocal and proactive way, in order to define the content of each information document pursuant to art. 13 of the GDPR relating to the processing operations referred to in Annex 1).
  2. The Parties expressly agree to jointly provide the interested party with the appropriate and specific information pursuant to art. 13 of the GDPR, through the use of the methods expressly agreed between the Parties.
  3. The co-controllers of the treatment undertake to assist each other, with adequate technical and organizational measures in compliance with the provisions of article 32 of the GDPR, in order to satisfy the obligation to follow up on requests for the exercise of the rights of the subject. interested party referred to in Chapter III) of the GDPR: to this end, the co-Controllers expressly agree to assign solely and exclusively to B810, as a reference point, the task of sending, in the name and on behalf of of the co-data controllers, the formal reply to the interested party, in compliance with the deadline provided for by art. 12 paragraphs 3) (or 4), where the circumstances indicated therein of the GDPR apply. In this regard, the co-controllers of the processing specify that, despite what has just been agreed upon, the interested party has the right to exercise their rights referred to in chapter III) of the GDPR towards (and against) each co- Holder of the treatment, as sanctioned by art. 26 paragraph 3) of the GDPR.
  4. The co-controllers of the processing respectively guarantee that their persons authorized to process the processing pursuant to art. 4 n. 10), 29 and 32 no. 4) of the GDPR – previously designated in writing, and adequately instructed on the scope of the authorized processing activity – are committed to confidentiality or have an adequate legal obligation of confidentiality.
  5. The co-Data Controllers respectively guarantee to undertake to adopt the technical and organizational security measures required by art. 32 of the GDPR, taking into account the state of the art, the implementation costs, as well as the nature, object, context and purpose of the processing, as well as the risk of (varying) probability and severity for the rights and freedom of natural persons, in order to thus ensure a level of security appropriate to the risk associated with the processing operations better described in Annex 1).
  6. The co-controllers of the treatment respectively guarantee to respect the conditions set forth in art. 28 of the GDPR, where there is a need to appoint a (sub) Data Processor, promptly informing the other Party (or the remaining Parties).
  7. The co-controllers of the treatment respectively guarantee to respect, inter alia, the principles ex art. 5 of the GDPR, the conditions of lawfulness of the processing pursuant to art. 6, 9 and 10 of the GDPR, the conditions of consent (where appropriate, also of minors) pursuant to art. 7 and 8 of the GDPR, and, finally, the information requirements pursuant to art. 12, 13 (and 14) of the GDPR.
  8. The co-Data Controllers undertake to assist each other in fulfilling the notification and / or communication burden pursuant to art. 33 and 34 of the GDPR of a breach of personal data (data breach) pursuant to art. 4 n. 12) of the GDPR concerning, even indirectly, the processing operations better described in Annex 1): for this purpose, the co-Data Controllers undertake to inform themselves, in a reciprocal manner, of this event immediately or , however, within the (mandatory) term of no. 24 (twenty-four) hours from the moment in which each co-Data Controller became aware of it, by sending, for this purpose, a communication to one of the following and alternative e-mail addresses (privacydpo810@baldiandpartners.it ;privacydpodigicom@baldiandpartners.it ; dpomcregem@baldiandpartners.it ), and cooperating, in a reciprocal way, in order to adopt immediately or, in any case, without any undue (and unjustified) delay all the necessary measures in order to minimize the risks deriving from the violation for the subjects concerned, remedy the data breach and mitigate it any further negative effects. In this regard, the co-Data Controllers undertake, without prejudice to the mutual obligation of information and cooperation, also, to fulfill, separately, the notification and / or communication burden pursuant to art. 33 and 34 of the GDPR, in compliance with the terms provided therein.
  9. The co-controllers undertake to assist each other in the execution, where necessary, of the impact assessment on data protection (DPIA) pursuant to art. 35 of the GDPR and, if necessary, they undertake to mutually cooperate in the execution of the obligations provided for by art. 36 of the GDPR: in this regard, the co-Data Controllers undertake, then, to fulfill, separately, the aforementioned obligations, where necessary.
  10. The co-controllers of the processing undertake, each for themselves, to draw up and keep updated, on a constant basis, the register of processing activities pursuant to art. 30 of the GDPR concerning the processing operations better described in attachment 1).
  11. The co-Data Controllers undertake, where required, to assist each other in handling any relationship with the competent Supervisory Authority or judicial body, even in the event of any administrative, civil and / or criminal proceedings.
  12. The co-controllers of the treatment undertake to respect the retention terms (data retention) described in the specific information pursuant to art. 13 of the GDPR relating to the processing operations referred to in Annex 1).
  13. The co-Data Controllers undertake, each for themselves, to comply with the provisions referred to in Chapter V) of the GDPR (and related jurisprudential rulings, doctrine and soft law acts), in case of transfer of personal data outside the European Economic Area (EEA) or to international organizations.
  14. The co-controllers of the treatment undertake, each for himself, to respect, where necessary, the conditions prescribed by art. 27 of the GDPR, subject to the exceptions indicated therein.
  15. The co-controllers of the treatment undertake, each for himself, to designate, where necessary, a person in charge of the protection of personal data pursuant to art. 37 of the GDPR.
  1. Responsibility.

4.1. In the event that the co-Data Controllers are considered responsible for any damage deriving, even indirectly, from the processing operations better described in Annex 1), each co-Data Controller will be jointly liable, pursuant to art. 82 paragraph 4) of the GDPR, for the entire amount of the damage, in order to guarantee effective relief in favor of the related injured party. However, in compliance with art. 82 paragraph 5) of the GDPR if one of the co-data controllers has paid, pursuant to art. 82 paragraph 4) of the GDPR, the entire compensation for damage, it has the right to claim, against the residual co-Data Controller involved in the processing operations described in Annex 1), the compensation amount corresponding to the respective part of responsibility .

  1. Final provisions.

5.1. The possible invalidity, inapplicability or ineffectiveness of some of the clauses that make up this agreement does not consequently determine the invalidity, inapplicability or full ineffectiveness of the agreement itself.

Reggio Emilia / Legnano, 20.10.2021

B810 Srl , as co-Data Controller

(in the person of its pro tempore legal representative)

………………………………………………………. ……

DIGICOM Srl , as co-owner of the treatment

(in the person of its pro tempore legal representative)

…………………………………………………………… ..  

MC REGEM Srl , as co-Data Controller

(in the person of its pro tempore legal representative)

……………………………………………………………… ..

Annex 1) – Information on processing activities

1.1. Object of the processing activity.

The processing operations that the co-Controllers can carry out on the types of personal data illustrated in the following point 1.4.) May consist, in general (but not exhaustive), in the following activities: collection; registration; organization; structuring; storage; adaptation or modification; extraction; consultation; use; communication by transmission; limitation; cancellation, destruction or anonymization.

These processing operations concern the website www.shop.tippyonboard.com (hereinafter “Site”).

1.2. Duration of treatment.

The retention term has been better illustrated in art. 3.1. of both disclosures pursuant to art. 13 of the GDPR present and published, by the co-Data Controllers, within the Site.

1.3. Nature of the processing and purpose of the processing.

The processing purposes for which there is co-ownership of the processing pursuant to art. 26 of the GDPR between the Parties have been better illustrated in art. 2 of both disclosures pursuant to art. 13 of the GDPR present and published, by the co-Data Controllers, within the Site.

Specifically, in the first of the two disclosures pursuant to art. 13 of the GDPR, there is a co-ownership of the processing in relation to the following purposes of the processing: 2.1. letter a): “complete and effective execution of a pre-contractual measure and / or a purchase order (and consequent conclusion of the related purchase contract better described in the GCS), including the execution of preliminary obligations (eg registration on the site internet in question, and consequent creation of your personal account) and the execution of the consequent legal (e.g. legal guarantee; fraud), fiscal, administrative, logistical and customer care (e.g. complaint management or return procedure) obligations connected to the completed completion of the related purchase contract “; 2.2. letter b: “sending commercial / promotional / advertising / marketing communications, regarding a product or service similar to that purchased by the consumer user through the website in question, to be carried out by email or by paper mail”; 2.3. letter c): “sending commercial / promotional / advertising / marketing communications (including market research), to be carried out using automated / electronic / telematic methods (eg. email; mobile app; social page; newsletter) or by non-automated / traditional methods (eg paper mail) “.

Conversely, in the second disclosure pursuant to art. 13 of the GDPR, there is a co-ownership of the treatment in relation to the following purpose of the treatment: art. 2.1. letter a): “sending commercial / promotional / advertising / marketing communications (including market research), to be carried out using automated / electronic / telematic methods (eg. email; mobile app; social page; newsletter) or by non-automated / traditional methods (eg paper mail) “.

1.4. Type of personal data.

With regard to the purposes of processing the first of the two disclosures pursuant to art. 13 of the GDPR better illustrated in the previous point 1.3.), The co-Data Controllers collect and process the following categories of information: personal data pursuant to art. 4 n. 1) of the so-called GDPR. identifiers (e.g. name; surname; tax code; address of residence / domicile / abode), cd. financial / banking (eg. credit / debit card number) where necessary and appropriate and navigation data (eg IP address), in the event that the interested party is a “consumer user” as described in the GCS of the Site; on the other hand, in the event that the user of the Site holds the qualification of “professional user” as described in the GCS of the Site, the co-Data Controllers collect and process non-personal data pursuant to art. 3 n. 1) of the EU Regulation no. 1807/2018 (e.g. company name; VAT number; registered office), as well as, where necessary and appropriate, personal data.

Instead, as regards the purpose of processing the second information pursuant to art. 13 of the GDPR better illustrated in the previous point 1.3.), The co-Data Controllers collect and process the following category of information: personal data pursuant to art. 4 n. 1) of the so-called GDPR. identifiers (eg. email address) in the case of a “consumer user” or non-personal data pursuant to art. 3 n. 1) of the EU Regulation no. 1807/2018 (eg so-called corporate email address) in the hypothesis of a “professional user”.

1.5. Category of interested parties.

The interested parties pursuant to art. 4 n. 1) of the GDPR are represented by the visitor of the Site or by the “consumer user” or by the “professional user” of the Site (definition better described in the relative GCS of the Site).