· The Retail ROIvolution. · The Retail ROIvolution.In the exercise of our duties, the team of ANALYTICALWAYS processes personal data whose controller is the agent. Our company acts in such cases as data processor. According to the provisions of the European Regulation on data protection 679/2016 of 27 April, our company assumes the following commitments with the data controller:
1.- LIST OF DATA PROCESSING ACTIVITIES.- The contract concluded between ANALYTICALWAYS and its agents requires the processing of certain personal data.
In particular, ANALYTICALWAYS can gather, record, structure, modify, preserve, extract, query, interconnect, collate, limit and retain any personal data transferred by the Agent as required for the provision of the relevant software services.
2.- PURPOSES AND USE OF THE DATA.- The personal data to which ANALYTICALWAYS has access shall not be used for purposes other than those set out in the contract and its use shall be restricted to following the instructions provided from time to time by the agent.
3.- RETENTION OF DATA.- Upon completion or termination of the contractual relation, the personal data to which ANALYTICALWAYS has had access shall be deleted, as well as any media or documents containing any processed personal data. The removal involves ANALYTICALWAYS’ obligation to electronically remove any data o metadata of the agent through a secure deletion process and, if applicable, certify the physical destruction of media and/or documents in non-automated format (i.e. paper). Without prejudice to the foregoing, the data processor can keep a copy of the data, duly blocked, for as long as any liability may arise from the provision of the services.
4.- TRANSFER OF DATA TO THIRD PARTIES.- ANALYTICALWAYS shall not transfer the personal data to third parties without the prior written consent of the Agent, not even for mere retention purposes, unless expressly authorised by the Agent or as required by the competent authority.
5.- CONFIDENTIALITY AND SECURITY MEASURES.- ANALYTICALWAYS undertakes to observe the required confidentiality of the personal data provided by the Agent and to adopt the appropriate technical and organisational measures for the category of data that are to be processed in order to guarantee the security of personal data and avoid their alteration, loss, unauthorised processing or access, taking into consideration the state of the art, the nature of the stored data and the risks to which they are exposed, whether arising from human actions or from the physical or natural environment.
ANALYTICALWAYS, in accordance with the provisions of applicable regulations, shall implement the security measures proposed by any impact assessments or by the codes of conduct, seals or certificates that it may acquire. In any case, it undertakes to implement mechanisms to:
(a) guarantee the permanent confidentiality, integrity, availability and resilience of the processing systems and services;
(b) restore availability and access to personal data promptly after any physical or technical incident;
(c) regularly verify, assess and evaluate the effectiveness of the technical and organisational measures implemented to guarantee the security of data processing; and
(d) pseudonymise and encrypt the personal data if so required by the regulations.
ANALYTICALWAYS shall always process the personal data, whose data controller is the Agent, in accordance with the requirements and conditions established by the law and the regulations as regards the integrity and security of the data and of the data processing centres, premises, equipment, systems and programmes.
6.- SECURITY BREACHES.- ANALYTICALWAYS shall promptly notify the Agent of any incident or security breach suffered by ANALYTICALWAYS or any of the subprocessors according to the applicable regulations if it affects the personal data relating to the contracted services. The notification shall be sent by email within 48 hours after it is known, together with all the relevant information available to the company. An incident shall be understood, as an example and without limitation, as:
a) unauthorised access to the system by a third party,
b) loss of information or impossibility of accessing information.
c) involuntary deletion of personal data.
d) involuntary alteration of personal data.
ANALYTICALWAYS shall provide the agent all the information it has on the incident. If not all the information can be provided simultaneously, to the extent that it cannot be, it shall be provided gradually but without undue delay.
In particular, information shall be provided about the nature of the security breach, the data that may have been compromised, approximate number or affected persons, description of the possible consequences and of the measures adopted to resolve the problem or mitigate damages.
7.- EXERCISE OF RIGHTS.- Whenever any interested person exercises any of the “habeas data” rights (i.e. access, rectification, cancellation/deletion, opposition, limitation of processing, portability) recognised by the European data protection regulation before ANALYTICALWAYS or any of its subprocessors, record shall be kept of such exercise for the Agent’s reference. Notice thereof shall be given immediately and under no circumstance later than one (1) working day after receiving the request. The agent shall also be notified of the proposed response of ANALYTICALWAYS before it sends it to the affected party.
8.- DURATION.- The obligations mentioned above shall be applicable as long as our company provides services to the Agent.
9.- OTHER OBLIGATIONS.- Our company shall support the agent in carrying out any impact assessments that affect processed data and shall provide the data controller with any information that may be relevant to prove compliance with its obligations in relation to data protection.
