Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") sets forth the terms and conditions regarding the privacy, confidentiality, and security of Personal Data associated with the Services provided by Tiledesk to the User.
Recitals
- The Data Controller utilizes the collaboration of Tiledesk for certain processing activities;
- Tiledesk, within the scope of the Services offered to the Data Controller, as further detailed in the specific Terms and Conditions in force, may process personal data on behalf of the Data Controller;
- Pursuant to Article 28.1 of Regulation (EU) 2016/679, the General Data Protection Regulation (hereinafter "GDPR"), "where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject";
- The Data Controller has verified that Tiledesk, in accordance with Article 28.1 of the GDPR, provides "sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject".
Definitions
- Data Controller, Data Processor, Data Subject, Processing, and Personal Data shall have the meanings ascribed to them in the applicable data protection laws.
- Data Protection Law means all applicable laws or regulations relating to the privacy, confidentiality, and security of Personal Data.
- Data Security Breach means a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Tiledesk on behalf of the User in connection with the User’s use of the Services.
- EU Standard Contractual Clauses means the standard contractual clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council.
- Services means any service provided by Tiledesk to the User.
- Terms and Conditions means the document governing the contractual relationship between Tiledesk and the User in relation to the Services, available at the following address: [https://tiledesk.com/it/termsofservice/](https://tiledesk.com/it/termsofservice/)
DPA
1.1 In utilizing Tiledesk's Services, the User acts as the Data Controller of the personal data associated with the User's clients ("Clients"), integrating such Personal Data with the Services offered by Tiledesk.
1.2 Tiledesk processes the Clients' Personal Data on behalf of the User within the scope of the Services and, for this reason, pursuant to Article 28 of the GDPR, Tiledesk is the Data Processor.
1.3 The details of the Personal Data to be processed by Tiledesk and the processing activities to be carried out under this Agreement are as follows:
- Retention of Personal Data: The Data Processor processes the Data Controller's Clients' Personal Data as long as the Data Controller remains a user of Tiledesk;
- Purpose of Processing: The Data Processor processes the Clients' Personal Data to enable the User to utilize the Services offered by Tiledesk;
- Categories of Data: The Personal Data processed by the Data Processor are those required or integrated by the User within the scope of the Services.
Instructions and Processing
2.1 Tiledesk will process Personal Data only on documented instructions from the Host, unless otherwise required by applicable law. The Data Controller ensures that its instructions comply with all applicable laws, regulations, and standards regarding Personal Data and that Tiledesk's processing of such Personal Data will not result in a violation of any applicable law, regulation, or standard, including data protection laws. Tiledesk will inform the User if, in its opinion, an instruction violates applicable data protection laws. Under this DPA, the User instructs Tiledesk, and Tiledesk agrees to process Personal Data to the extent necessary to fulfill Tiledesk's obligations under the Terms and Conditions and for no other purpose, unless otherwise specified in this DPA or required to comply with law or other binding government orders. If this DPA or any action to be taken or contemplated under it does not meet or fails to meet the obligations of either party under applicable data protection laws, the parties will negotiate in good faith to modify this DPA accordingly.
2.2 Tiledesk complies with all applicable provisions of Data Protection Laws and provides the same level of protection for Personal Data as required of the User by Data Protection Laws. Without limiting the foregoing, Tiledesk shall not:
(i) "sell" or "share" Personal Data;
(ii) retain, use, or disclose such Personal Data outside the direct business relationship between the User and Tiledesk, unless permitted by Data Protection Laws.
The User agrees that Tiledesk may transfer the Clients' Personal Data to various locations in connection with the provision of the Services. Transfers will be carried out in accordance with legally applicable transfer mechanisms where required by applicable data protection laws.
2.3 Upon termination of the Service and the corresponding data processing provided by the Data Controller for any reason, the Data Processor undertakes to delete or return to the Data Controller all data in its possession for the execution of the relevant contract, subject to any legal retention obligations.
2.4 Given that processing operations can only be carried out by personnel operating under the direct authority of the Processor, the Processor must:
a) specifically identify the scope of permissible processing and provide instructions on processing, determine appropriate access profiles to IT systems, taking into account the functions performed by the "personnel" within the organizational structure;
b) identify and instruct the individuals authorized to perform personal data processing operations;
c) enforce a prohibition on the communication and dissemination of processed data by the authorized personnel, except in cases where communication is permitted by specific authorization from the Controller.
2.5 Tiledesk is permitted to appoint Sub-processors for specific processing activities, in compliance with the same contractual obligations binding the Controller and the primary Processor. The Processor is responsible, even before the Controller, for the actions of the Sub-processor, including for any damages caused by the processing, unless the Processor can demonstrate that the damaging event is in no way attributable to them and that they have adequately monitored the Sub-processor's actions. Tiledesk, in the context of Personal Data processing, utilizes the services of duly appointed third-party service providers as Sub-processors. Upon request by the Controller, Tiledesk will provide a detailed list of such Sub-processors.
2.6 The Processor shall, within its scope of competence, perform all activities required by law and all tasks assigned by the Controller, and in particular shall:
- adopt appropriate technical and organizational measures to ensure the security of processing;
- appoint a Data Protection Officer (DPO), in cases expressly provided for by Article 37 GDPR;
- assist the Controller in conducting the Data Protection Impact Assessment (hereinafter "DPIA") by providing all necessary information in its possession;
- inform the Controller without undue delay and in any event no later than 30 hours after becoming aware of any personal data breaches, to enable the Controller to notify the data breach to the Data Protection Authority, if the Controller considers that the breach is likely to result in a risk to the rights and freedoms of data subjects.
2.7 Tiledesk shall implement and maintain all necessary measures to ensure that the Clients' Personal Data is stored and controlled, taking into account the state of the art, the nature of the data, and the specific characteristics of the processing.
2.8 The Processor shall organize, within its area of competence, the necessary arrangements to respond to access requests from data subjects within 10 working days, and set up its internal organization to modify, rectify, supplement, or delete data, or block processing, as may be ordered by judicial authorities. It is understood that Tiledesk shall immediately inform the Data Controller of any access requests pursuant to Article 15 of the GDPR.
2.9 The Data Processor shall be liable for and indemnify the Data Controller against any damage arising from unlawful or incorrect processing of data attributable to actions or omissions of the Processor or anyone collaborating with them. The Processor is exempt from this liability if it can demonstrate that the damaging event is in no way attributable to it.
Audit
3.1 Tiledesk will allow audits, investigations, and inspections (“Audit”) regarding data protection and data security to be conducted, either by an external auditor or as otherwise required, to review Tiledesk’s and its authorized Sub-processors' data protection and security procedures in connection with the processing of personal information under this DPA. Tiledesk may provide all necessary information and grant access to its business premises, systems, and employees as an alternative to, or in addition to, conducting an on-site Audit.
3.2 Tiledesk will be informed of the Audit’s date and time at least 10 business days in advance. Audits will be conducted during Tiledesk’s regular business hours and will be carried out in a manner that avoids unnecessary disruption to its operations, unless urgency dictates otherwise, in which case proper documentation must be provided. The costs of the Audit will be borne by the requesting party, except in cases where Tiledesk is found to have breached its data protection obligations, in which case Tiledesk will reimburse the Audit expenses.