1. The object of the following conditions is to define the operating modalities by which the Data Processor (Expandi Ltd and all its subsidiaries) undertakes to carry out, on behalf of the Data Controller (Customer), the processing of personal data that uploads or otherwise provides Expandi Ltd in connection with the services and the processing of any personal data that Expandi Ltd provides to Customer in connection with the service. Where Expandi Ltd, (38 Craven Street, London WC2N 5NG, UK): the holding company represents the companies within the group. You can see the full list of the companies here.
The parties agree, in relation to the data processing activities, the following:
2.1 That the data of the data subjects will be processed exclusively for the purposes inherent in the execution of the service.
2.2 That the type of personal data and the categories of data subjects to the processing will be limited only to those provided for in the service.
2.3 Expandi LTD shall process personal data only on documented instruction of the Data Controller.
3.1 Expandi LTD shall ensure that persons entitled to the processing of personal data have previously signed a confidentiality agreement (Non-disclosure agreement NDA).
3.2 Expandi LTD shall appoint, within the meaning of article 28, par. 2 of Regulation (EU 2016/679), another Data Processor, exclusively after explicit approval by the Data Controller.
3.3 Expandi LTD shall maintain the technical and organizational measures in order to ensure a level of security appropriate to the risk.
3.4 Customers reserve the right to verify and monitor the compliance status of the Data Processor with the information provided in the field of data protection, including through periodic audits by its personnel or external appointed personnel.
4.1 Expandi LTD shall assist the Data Controller using appropriate technical and organizational measures, in order to comply with the obligations of the Data Controller to respond the requests for the exercise of the rights of the data subjects under Article 15 of the EU regulation 2016/679.
4.2 In the event that Expandi LTD has advanced requests from the data subject about the exercise of his or her rights relating to the personal data owned by Data Controller, for example and not exhaustively: rectification, cancellation and limitation, data portability, Expandi LTD will have to inform Data Controller, without delay, and in any case not beyond the terms of the law.
4.3 In the event that Data Controller is obligated to provide information on personal data to other Data Controllers or third parties, Expandi LTD shall be obliged to cooperate by providing all necessary information.
5.1 Expandi LTD shall not disclose the data to third parties, to the public administration or to the judicial authority, without the prior authorization of Data Controller. In the event that European Union law or national law requires data communication and access to them, Expandi LTD shall communicate the data to the applicant and, subsequently, notify the event to the Data Controller, also communicating this legal obligation, unless the right prohibits such information for relevant reasons of public interest.
6.1 Unless different dispositions of law, Expandi LTD , depending on the choice of Data Controller, shall delete or return the personal data upon the due date or suspension of the services. Expandi LTD undertakes to delete existing copies, at the request of the Data Controller, unless the law of the European Union or Member States provides for the retention of data beyond the limit set by the Data Controller.
7.1 Expandi LTD must maintain, and from time to time update, the register containing the names and contact details of Expandi LTD’s sub- suppliers.
7.2 Expandi LTD shall maintain a log of access to personal data by a public administration, judicial authority or third part audit.
7.3 Expandi LTD shall maintain a record of the violations involving personal data of the data subjects.
7.4 In addition, Expandi LTD shall fill in the register of processing activities, pursuant to article 24, taking care to inform, when requested, the Data Controller of the categories of processing activities carried out on behalf of the Data Controller, and of any subcontractors involved.
8.1 Expandi LTD will inform Data Controller of further notice and documents relating to the international transfer data mechanism in accordance with article 46 of GDPR.
8.2 If Expandi LTD transfers some data to one Expandi LTD’s sub - supplier who is established in the United States of America will inform Controller about Expandi LTD’s sub - supplier Privacy Shield certification and regularly, once a year, will confirm that the certification is valid.
9.1 The engagement of Expandi LTD’s sub - supplier, requires Data Controller’s explicit prior written approval by using Certified Mail, if possible, otherwise, by e-mail. Expandi LTD will notify Data Controller in advance and without undue delay of any changes to Expandi LTD’s sub - supplier in accordance with the previous and explicitly approved list.
9.2 Expandi LTD shall impose the same data protection obligations as set out in this DPA on any approved Expandi LTD’s sub - supplier.
9.3 In case of Expandi LTD, in accordance with art. 28, par. 4 European Regulation 679/2016, appoint a Expandi LTD’s sub - supplier, to the latter are imposed the same obligations in force between the controller and Expandi LTD.
9.4 Expandi LTD remains responsible for its sub - processors and liable for their acts and omissions as for its own acts and omissions and any references to Expandi LTD ’s obligations, acts and omissions in this DPA shall be construed as referring also to Expandi LTD ’s sub - processors.
10.1 Expandi LTD will inform Data Controller without undue delay of any suspected non-compliance with applicable Data Protection Laws or relevant contractual terms of this DPA or in case of serious disruptions to operations or any other irregularities in the processing of the Data Controller Personal Data. Expandi LTD will promptly investigate and rectify any non-compliance as soon as possible and upon Data Controller’s request, provide Data Controller with all information requested with regard to the suspected non-compliance.
10.2 Expandi LTD will notify Data Controller without undue delay (and in no event later than 24 hours) after becoming aware of a Personal Data Breach in respect of the Services. Expandi LTD will promptly investigate the Personal Data Breach and will provide Data Controller with reasonable assistance to satisfy any legal obligations (including obligations to notify Supervisory Authorities or Data Subjects).
10.3 To clarify, Expandi LTD will inform, at first Data Controller of any data breach, secondly Expandi LTD will inform Data Controller of any sub - Expandi LTD s’ data breach within 24 hours from the incident detection.
11.1 This DPA will remain valid until the discontinuance of the Services. Expandi LTD will maintain maximum confidentiality on data and information concerning the Controller of which it became aware of the fulfilment of its obligations.
11.2 Expandi LTD, at the expiration of the Services, must interrupt each operation of Data processing or it must provide for their complete cancellation, in both cases it must release a written statement stating that at Expandi LTD does not own any copy. In the case of request of the Data Controller, Expandi LTD must indicate the technical methods and procedures used for the cancellation and destruction.
12.1 Contentious, enquire and litigations between Parties concerning the DPA must be established forward the Court of Milan.
12.2 Italian Law governs this DPA.
Expandi LTD will maintain all technical and organizational security measures in accordance with GDPR Data Security Principles, for protecting Data Controller Personal Data against accidental loss, destruction, alteration, unauthorized disclosure or access, or unlawful destruction.
In the field of processing activities, which are the object of this DPA, Controller provides that Expandi LTD observes these security measures during processing activities: