Emotion AI For Zoom – Appointment as Data Processor (DPA)

 


Effective 22nd January, 2023

Appointment as Data Processor pursuant to Article 28 of Regulation (EU) 2016/679 of 27 April 2016 (hereinafter the “GDPR”)

This deed of appointment (hereinafter, the Appointment) is stipulated by and between Cynny S.p.A. (“Cynny”), enrolled at the Business Registry of Florence, VAT number No. IT06340560488, D-U-N-S® number 434193325 (hereinafter, the “Data Processor”) and the business user that is interested in the activation of the service MorphCast Emotion AI for Zoom (hereinafter, the “Data Controller”). The Data Processor and Data Controller are hereinafter referred to as the “Parties”. 

Whereas

  1. the Data Controller uses the “MorphCast Emotion AI for Zoom”, based on the terms and conditions available here (hereinafter, the “Agreement”);
  2. for the execution of the Agreement, the Data Processor must process on behalf of the Data Controller the personal data indicated under Annex A to this Appointment (the “Personal Data”);
  3. the Data Controller has ascertained that the Data Processor provides sufficient guarantees as to the fact that the data processing carried out by the latter meets the requirements of the GDPR and guarantees the protection of the rights of the data subjects.

In view of the foregoing, the Whereas and Annexes being an integral and substantial part of this Appointment, the Parties hereby agree and stipulate as follows.

1. Appointment

During the execution of the assignment covered by the Appointment, the Data Processor shall Process the Personal Data as provided for in the Appointment and/or in accordance with the instructions relating to the Processing of Personal Data that the Data Controller shall supply from time to time. 

The Processing covered by the Appointment will be carried out exclusively by electronic means. 

The Data Processor undertakes for itself, for its employees, as well as for any other parties that cooperate and/or are part of its organization, to Process the Personal Data exclusively for the purposes of fulfilling and executing its obligations under the Agreement, in full compliance with the provisions of the Appointment, as well as the provisions of the GDPR and any other legislation concerning the protection of personal data applicable in Italy, including the provisions of any Supervising Authority (hereinafter, “Privacy Law”). 

For the purposes of this Appointment, the terms used in capitalized letters shall have the meaning ascribed in this Appointment or under the GDPR.

2. Obligations of the Data Processor

2.1 Security Measures

The Data Processor declares to have adopted the security measures listed under Annex B. The Data Processor also undertakes (i) to adopt appropriate technical and organizational measures in order to safeguard the security of the Personal Data and (ii) to assist the Data Controller, based on the nature of the Processing of the Personal Data and the information available to the Data Processor, in ensuring compliance with its obligations, reporting any data breach, assessing the impact on data protection and preventive consultations pursuant to Articles 32-36 of the GDPR.

2.2 Data protection impact assessment

Upon request of the Data Controller, the Data Processor undertakes to provide the Data Controller with the collaboration requested by the latter in carrying out any data protection impact assessment, as required under Article 35 of the GDPR.

2.3 Data breach

Pursuant to Article 33 of the GDPR, the Data Processor must notify the Data Controller, without undue delay and in any case within 24 hours of becoming aware of it, of any security breach that involves the destruction, loss, modification, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise Processed under this Appointment.

2.4 Possible extra-EU transfers

The Personal Data governed by this Appointment will be Processed in the Italian territory, in another member state of the European Union or in the European economic area. If Personal Data are transferred to subjects outside the territory of the EU member states, the Data Processor ensures that the Processing of Personal Data by these subjects takes place in compliance with the Privacy Law. In particular, in the absence of a prior written consent from the Data Controller, it is guaranteed that the transfer will take place, alternatively, on the basis of: 

  1. an adequacy decision of the Commission pursuant to Article 45 GDPR;
  2. standard contractual clauses referred to in Article 46, paragraph 2, GDPR;
  3. binding corporate rules governing the transfer of personal data to a third country in accordance with the provisions of Article 47 GDPR; 
  4. other guarantees or specific circumstances for the transfer of personal data recognized by the GDPR, for example pursuant to Article 46, paragraph 3, and Article 49 of the GDPR.

2.5 Record of Processing activities

The Data Processor undertakes to draw up and keep up to date the Record of Processing activities in accordance with the provisions of Article 30 of the GDPR. 

2.6 Requests of the Data Subjects and of the authorities

In the event that the Data Processor receives any request from the Data Subject concerning the exercise of the rights indicated pursuant to Articles 15-22 GDPR (including the right of access, rectification/integration, deletion, limitation or portability), the Data Processor undertakes to inform, without undue delay, the Data Controller in writing by enclosing a copy of the request received and provide the Data Controller with all information necessary to satisfy the request of the Data Subject. Only when requested by the Data Controller, the Data Processor shall promptly provide the Data Subjects with a reply, according to the terms indicated by the Data Controller. 

The Data Processor must notify the Data Controller in writing, without undue delay, of every request, order or control activity performed by any Supervising Authority or Court in relation to the Personal Data.

Should any judicial or administrative proceedings be initiated in relation to the Processing of Personal Data, the Data Processor undertakes to provide the Data Controller with the reasonable assistance necessary.

2.7 System administrators

The Data Processor appoints one or more system administrators ("System Administrators") for the Processing of the Personal Data carried out with electronic tools, in compliance with the provisions contained in the provision dated 27.11.2008 of the Italian Supervisory Authority. To this end, the Data Processor will:

  • assess in advance the subjective features of the persons to whom it intends to assign the function of System Administrator, appointing as System Administrators only people with proven ability, experience and reliability in relation to the protection of Personal Data, in particular with reference to security measures; 
  • specifically list the scope of operations assigned;
  • provide, upon request, the identification details of the System Administrators and the functions assigned to them individually, maintaining an updated document list for this purpose;
  • record the logical accesses of the System Administrators through records that are complete (including time references and a description of the event that generated them), unalterable (with the possibility of verifying their integrity) and kept for at least six months;
  • verify the work of the System Administrators through internal audits carried out at least annually.

2.8 Person in charge of the Processing

The Data Processor undertakes to: 

  • identify in writing the persons authorized to Process Personal Data and provide them with instructions relating to the operations to be carried out, ensuring correct compliance with the instructions given;
  • ensure that the persons authorized to Process Personal Data are committed to confidentiality and that they Process such Personal Data by observing these instructions provided by the Data Controller and the Privacy Law. 

3. Inspections and controls

3.1 In order to verify compliance with the Appointment’s provisions, the Data Controller may organize visits and inspections, on a reasonable basis, at the Data Processor’s premises, where the Personal Data are stored under Annex A, or through documentary audits. In the latter case, the Data Processor will send the required documentation, where reasonable, to the Data Controller, via e-mail, it being understood that the shipping costs by other means shall be borne by the Data Controller.

3.2 The visits and inspections can be carried out by the Data Controller only upon prior written notice to be received by the Data Processor with a minimum notice of 15 (fifteen) working days. The Data Controller is aware that any such visits and inspections can significantly disrupt the Data Processor's business activities. The Data Controller warrants that its auditors will endeavour to avoid causing any interruptions, interference, disservices and/or damage to the Data Processor's equipment, personnel and/or business activities during or as a result of the control or inspection. Each control request must in any case meet the following requirements:

  1. it must be conducted by an internationally recognized independent auditing firm;
  2. it must take place during Data Processor's normal business hours, subject to a mutually agreed scope of control;  
  3. the duration of the inspection must be reasonable and, in any case, shall not last more than eight hours within one business day; 
  4. the scope of the inspections will in any case be strictly limited to the Processing of the Personal Data, access to any other information being expressly prohibited; controls will not be authorized if they interfere with the Data Processor's ability to provide its services;
  5. the inspections must be carried out in full compliance with the Data Processor's obligations of confidentiality and/or other contractual and/or legal obligations;
  6. the costs and expenses of the audits shall be fully borne by the Data Controller. 

4. Use of sub-processors 

The Data Processor currently uses another data processor for the execution of specific Processing activities under this Appointment (hereinafter “Sub-Processor”), as mentioned under Annex C. 

In addition to the above, by signing this Appointment, the Data Controller grants to the Data Processor a general written authorization to the appointment of new and/or further Sub-Processors. 

The Data Processor undertakes to make available to the Data Controller the list of its Sub-Processors, upon its written request. Should the Data Processor appoint new or additional Sub-Processors, the Data Controller will inform the Data Processor by e-mail (referring to the contact details provided in the registration to the service under the Agreement).

If the Data Controller has reasonable grounds to object to the appointment of new and/or further Sub-Processors and is able to prove that this would cause a significant risk to the protection of Personal Data, the Data Controller shall send a written notice to the Data Processor detailing the reasons for its position. If the above conditions are met, the Data Processor will collaborate with the Data Controller in order to agree on a commercially reasonable alternative solution which might be acceptable to both Parties. If an agreement cannot be found and/or in the event of partial impossibility of providing the services in the absence of such agreement, the Parties will define in good faith, on a case-by-case basis, how to continue to provide the services in compliance with the terms of the Agreement.

The Data Processor will engage the Sub-Processors through written agreements asking them to provide at least the level of protection of Personal Data required by this Appointment.

5. Term and termination of the Appointment

5.1 The Appointment produces its effects starting from the date of entry into force of the Agreement and shall remain in force until its termination, regardless of the cause of the aforesaid termination.

5.2 In the event of termination of the Agreement or of this Appointment for any reason or title, the Data Processor, in accordance with the instructions given in writing by the Data Controller, undertakes: (i) to return the Personal Data; or alternatively (ii) to completely destroy the aforementioned Personal Data by final cancellation of the latter from its systems.  

6. Final provisions

6.1 The Parties acknowledge and agree that, to the maximum extent permitted under applicable law, the limitation of liabilities provided by the Agreement shall apply also to the present Appointment. 

6.2 If you have any questions about this document, please contact [email protected] or mail your request to the following postal address: Cynny S.p.a., Via Delle Mantellate n. 8, 50129 Firenze (Italy). Cynny has also appointed a Data Protection Officer, who may be reached at the email address [email protected].

6.3 This Appointment is governed by Italian law. Any dispute related to this Appointment shall be decided exclusively by the Court of Florence (Italy).

Accepted electronically by the Data Controller

[x] The Data Processor declares to have carefully examined and specifically approved the following articles of this Appointment for the purposes of Articles 1341 and 1342 of the Italian Civil Code: 6.1 (limitation of liability), 6.3 (jurisdiction).

 

Annex A

Categories of Personal Data  

name entered by the guest before joining the video conference/webinar; with a certain degree of accuracy, the dominant emotions according to the model of Paul Ekman; mood, level of attention and involvement (Russell's circumplex model of affect based on arousal and valence).

Purpose of the data Processing performed by the Data Processor in favour of the Data Controller 

Live data view during video conference/webinar and dashboard view of data after video conference/webinar

Activities allowed on the Personal Data

Display reserved for the Data Controller

Place of storage of the Personal Data 

European Union

Annex B

 


Annex C

AWS (Amazon Web Services) – Amazon Virtual Private Cloud