
Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms an integral part of the contract, hereinafter referred to as the “Agreement”, which is entered into between UK Easycall Ltd and the Client, and which defines the terms and conditions applicable to the services provided by Corem.

Article 1 – Definitions

The following terms used in this Agreement shall have the meanings set out below:

PERSONAL DATA: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier and/or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

SPECIAL CATEGORIES OF PERSONAL DATA: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data concerning health or data concerning a person’s sex life or sexual orientation.

INFORMATION: any data, including non-personal data, owned by the Client.

PROCESSING: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation and/or modification, retrieval, consultation, use, disclosure by transmission, dissemination and/or otherwise making available, alignment and/or interconnection, restriction, erasure or destruction.

The purpose of this DPA, entered into between Corem and the Client, in compliance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), is to define the conditions under which Corem, acting as Data Processor and as part of the Services defined in the Agreement, is authorized to process personal data. The processing of Personal Data by Corem acting as Data Controller is not included in this DPA.

For the purposes of this DPA, UK Easycall Ltd, with registered office in 19 The Circle, Queen Elizabeth Street, London, England, SE1 2JE – VAT: 275 5885 50, represented by its legal representative pro tempore, acts as Data Processor, and the Client acts as Data Controller.

DATA CONTROLLER: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.

DATA PROCESSOR: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.

AUTHORIZED PERSONS: natural persons authorized to carry out processing operations by the Controller or the Processor.

DATA SUBJECT: the natural person to whom the personal data relates.

SUPERVISORY AUTHORITY: an independent public authority established by each Member State, responsible for monitoring the application of Regulation (EU) 2016/679 in order to protect the fundamental rights and freedoms of natural persons with regard to processing.

COMMUNICATION: the disclosure of personal data to one or more identified subjects other than the data subject, the representative of the controller within the territory of the State, the processor, and the persons authorized to process the data, in any form, including by making them available or allowing consultation.

DISSEMINATION: the disclosure of personal data to unspecified subjects, in any form, including by making them available or allowing consultation.

SECURITY MEASURES: the set of technical, IT, organizational, logical and procedural security measures aimed at ensuring an adequate level of security, taking into account the risks arising from destruction, loss, alteration, unauthorized disclosure of, or accidental or unlawful access to personal data transmitted, stored or otherwise processed.

PERSONAL DATA BREACH: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

Article 2 – Subject Matter

2.1. This Agreement governs and regulates the privacy roles of the Parties involved in the processing of personal data, as well as the terms and conditions under which Corem is authorized to process the personal data for which the Client is the Data Controller, in execution of the Agreement.

2.2. The type of personal data and the categories of data subjects are determined and controlled by the Client. Data processing activities are carried out by Corem for the period specified in the Agreement.

2.3. The processing shall be carried out solely for operations necessary for the implementation and management of the Services provided to the Client, without performing any additional processing beyond what is strictly necessary for the fulfillment of the required activities.

2.4. All information processed on behalf of the Data Controller, or otherwise acquired even incidentally, shall be considered strictly confidential and shall remain the exclusive property of the Controller. Therefore, the Provider, including through its personnel, may not freely use such confidential information, either directly or indirectly, for purposes other than those agreed upon. The use of such information is strictly limited to the proper performance of the assigned tasks or those that may be subsequently assigned.

Article 3 – Client Obligations

3.1. For the processing of Personal Data, the Client shall provide Corem in writing with (a) all necessary instructions and (b) any information required for the creation of the Processor’s records of data processing activities.

3.2. The Client remains solely responsible for the information processed and the instructions communicated to Corem. The Client is responsible for ensuring that:
(a) the processing of Personal Data has an appropriate legal basis (e.g. consent of the data subject and the Controller, legitimate interests, authorization from the relevant Supervisory Authority, etc.);
(b) all required procedures and formalities (such as data protection impact assessments, notifications and authorization requests to the data protection authority or other competent bodies, where required) have been duly completed;
(c) data subjects are informed of the processing of their Personal Data in a concise, transparent, intelligible and easily accessible manner, using clear and plain language as required by the GDPR;
(d) data subjects are informed and are able at any time to easily exercise their data rights, as provided by the GDPR, directly with the Client or with the Controller where the Client acts as Processor.

3.3. The Client is responsible for adopting appropriate technical and organizational measures to ensure the security of resources, systems, applications and operations that are not under Corem’s responsibility.

3.4. The Client/Data Controller is fully responsible for informing data subjects of their rights and ensuring their enforcement, including the rights of access, rectification, erasure, restriction and portability.

Article 4 – Client Obligations Where Acting as Data Processor

4.1. Where the Client acts as a Data Processor on behalf of third-party Controllers, the Parties hereby expressly agree to the following conditions:

The Client shall ensure that:
(i) all necessary authorizations required under this DPA, including the appointment of Corem as a sub-processor, have been obtained from the Data Controller;
(ii) an agreement fully consistent with the terms and conditions of the Agreement, including this DPA, has been executed with the Data Controller in compliance with Article 28 of the GDPR;
(iii) any instructions received by Corem from the Client for the performance of the Agreement and this DPA are fully aligned with those of the Data Controller;
(iv) all information communicated or made available by Corem in accordance with this DPA is duly communicated to the Data Controller, where applicable.

4.2. Corem shall (i) process Personal Data solely on the Client’s instructions and (ii) shall not receive any instructions directly from the Data Controller.

4.3. The Client, who shall be deemed fully responsible towards Corem for the proper fulfillment of the Data Controller’s obligations as set out in this DPA, shall indemnify and hold Corem harmless from:
(i) any failure by the Data Controller to comply with applicable laws and regulations; and
(ii) any actions, claims or demands by the Data Controller relating to provisions of this Agreement (including this DPA) or any other instruction provided by the Client to Corem.

Article 5 – Corem Obligations

5.1. In the performance of this Agreement, Corem undertakes to:
(a) process the Personal Data uploaded, stored and used by the Client solely to the extent necessary for the provision of the Service, as defined in the Agreement;
(b) not access or use the Personal Data for any purpose other than what is strictly necessary for the performance of the Services;
(c) adopt the technical and organizational measures set out below to ensure the security of Personal Data in the provision of the Service;
(d) ensure that Corem employees authorized to process Personal Data under the Agreement are bound by confidentiality obligations and receive appropriate training regarding the protection of such data;
(e) inform the Client if, in light of the information available to it, it considers that an instruction from the Client violates the GDPR or other European Union or Member State data protection provisions;
(f) in the event of receiving requests from a competent authority relating to the Personal Data processed herein, inform the Client (unless prohibited by applicable law or an order from a competent authority), and limit the disclosure of data to what has been expressly requested by the authority.

5.2. Upon written request from the Client, Corem shall provide reasonable assistance to the Client in carrying out data protection impact assessments and in consultations with competent supervisory authorities, solely where such assistance is necessary and relates to the processing of Personal Data carried out by Corem under this Agreement.

Article 6 – Personal Data Location

6.1. Corem guarantees that the processing of the Controller’s personal data will be carried out through the systematic and continuous use of IT infrastructures located within countries belonging to the European Economic Area, and that no transfers of such data abroad will take place, meaning transfers to countries outside the European Economic Area.

6.2. In any case, it is understood that the Provider undertakes to notify the Data Controller in writing and with adequate prior notice of any transfer of personal data to IT infrastructures located in countries within the European Union and/or outside the EU.

Article 7 – Security Measures

7.1. Corem undertakes to adopt the following technical and organizational security measures:

(a) physical security measures aimed at preventing unauthorized access to the infrastructures where the Client’s data is stored;
(b) identity and access controls using authentication systems, as well as password management policies;
(c) an access management system that restricts entry to facilities only to those for whom it is necessary in the performance of their duties and within the scope of their responsibilities;
(d) dedicated personnel responsible for monitoring the physical security of Corem’s facilities;
(e) authentication procedures for users and administrators, as well as measures to protect access to administrative functions;
(f) an access management system for support and maintenance activities based on the principles of least privilege and need-to-know;
(g) procedures and measures to track actions performed on its IT systems.

7.2. The security measures implemented by Corem shall, in any case, be suitable to ensure on an ongoing basis the confidentiality, integrity, availability and resilience of the systems and data subject to processing.

Article 8 – Technical Specifications for Data Processing

8.1. Corem Srl declares, for the purpose of verifying the correct application of data protection regulations and in compliance with the provisions of European Regulation 679/2016 regarding data tracking, that the server hosting the Corem service is located within the European Community, and that in the contractual agreements established with the service provider, the latter undertakes to guarantee the highest level of security for its infrastructures.

8.2. With regard to the service provided, Corem declares that once access credentials to the service have been issued, only the end Client is authorized to view the contents of the environment. The end Client may request assistance from Corem. Assistance is provided remotely through screen sharing with the Client, who monitors and shares the intervention in real time. Once the work session is completed, the Corem operator exits the system and cannot re-enter without a new authorization from the same Client. In exceptional cases, where maintenance activities cannot be carried out using the above method, the end Client may provide access credentials with temporary authorization in order to allow the intervention. Once the intervention has been completed, the end Client shall reconfigure the passwords, and Corem assumes no responsibility if the Client fails to do so.

8.3. For the security of data in transit, Corem is configured with the HTTPS protocol, which enables data encryption using some of the most secure standards available on the market. Under the HTTPS protocol, TLS 1.2 is used, with ECDHE key exchange, RSA authentication, AES 256-bit encryption in Galois/Counter mode, and SHA384 hashing.
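The following is an added example, not part of the DPA or of Corem's own software, showing how a Client could verify from its side that the transport matches what paragraph 8.3 declares: TLS 1.2 or newer, with the ECDHE/RSA/AES-256-GCM/SHA-384 suite (OpenSSL name `ECDHE-RSA-AES256-GCM-SHA384`). The hostname, port and the function names are assumptions; `negotiated_suite` performs a real network connection and is therefore not exercised offline.

```python
import socket
import ssl

# OpenSSL name of the suite described in 8.3: ECDHE key exchange, RSA
# authentication, AES-256 in Galois/Counter mode, SHA-384.
EXPECTED_SUITE = "ECDHE-RSA-AES256-GCM-SHA384"


def make_client_context() -> ssl.SSLContext:
    """Client context that negotiates TLS 1.2 or newer and, for TLS 1.2,
    offers only the suite named in the DPA, so a non-compliant server
    simply fails the handshake instead of silently downgrading."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers governs the TLS 1.2 list; TLS 1.3 suites are fixed separately.
    ctx.set_ciphers(EXPECTED_SUITE)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def enabled_tls12_cipher_names(ctx: ssl.SSLContext) -> list[str]:
    """Names of the TLS 1.2 suites the context will offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def negotiated_suite(hostname: str, port: int = 443, timeout: float = 5.0):
    """Connect to the service and return (protocol, cipher name).
    Raises ssl.SSLError when the server cannot satisfy the policy.
    Assumed hostname/port; performs a network call."""
    ctx = make_client_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            name, _protocol, _bits = tls.cipher()
            return tls.version(), name


if __name__ == "__main__":
    ctx = make_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("TLS 1.2 suites offered:", enabled_tls12_cipher_names(ctx))
    # Example (assumed host): print(negotiated_suite("corem.example"))
```

Because the context only offers the declared suite for TLS 1.2, a successful handshake is itself the evidence that the server honours 8.3; a server that only supports weaker suites or older protocol versions raises `ssl.SSLError` rather than connecting.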

8.4. The only data processing activity performed by Corem on the end Client’s database is backup. The backup activity is carried out directly on the provider’s server hosting the service referred to in point 8.1 and is fully automated. Specifically, the database containing the end Client’s data is subject to periodic backup procedures in “snapshot” mode, with a 12-hour interval. The backup is compressed and encrypted using AES encryption with a 256-bit key. The processed file is then stored offsite on the provider’s backup infrastructure. At the end of the procedure, backups ranging from 0% to 120% older than 24 hours are automatically deleted. After 48 hours, all backups are unconditionally deleted. Upon termination of the contract, all data, both backups and operational data, are deleted.

Article 9 – Security Standards for Corem Platform Authentication Credentials

9.1. In compliance with the provisions of Regulation (EU) 679/2016, access to the Corem platform is granted exclusively to individuals authorized by the end Client who are provided with authentication credentials. Authentication credentials consist of a public component and a confidential component (password). The password is chosen by the authorized users, who retain exclusive control over it.

In the “Call Center Settings” section, authentication settings can be managed through the following six options:

  1. Allow operator to change password
  2. Allow only secure passwords
  3. Force password change at first login
  4. Password expiration every 6 months
  5. Require password upon return from break
  6. User inactivity limit

If the option “Allow only secure passwords” is selected, the password system verifies that the password consists of at least eight characters and includes at least two of the following characteristics:
(i) contains at least one numeric character;
(ii) contains at least one lowercase character;
(iii) contains at least one digit;
(iv) contains at least one non-alphanumeric character.

Furthermore, the password must not contain:
(a) the user’s first name;
(b) the user’s last name;
(c) the user’s email address;
(d) the user’s identification code;
(e) sequences of 3 or more numerical characters (e.g., 123…);
(f) sequences of 3 or more alphabetical characters (e.g., abc…);
(g) sequences of 3 or more repeated characters (e.g., aaa…, 111…);
(h) sequences of 3 or more adjacent keyboard characters (e.g., qwerty…).
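As an added example, not code from Corem or from the DPA, the checks that 9.1 attaches to the "Allow only secure passwords" option can be written as a single validator that reports every rule a candidate password violates. Two assumptions are labelled in the code: the page lists "numeric character" and "digit" as separate characteristics, so the fourth class is taken to be uppercase letters, and "adjacent keyboard characters" is evaluated against a US QWERTY layout. The `User` fields and all sample values are constructed for the example.

```python
import re
import string
from dataclasses import dataclass

# Ordered alphabets used to detect runs such as "123", "abc" or "qwe".
DIGIT_ORDER = string.digits
LETTER_ORDER = string.ascii_lowercase
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumed QWERTY layout
MIN_LENGTH = 8      # "at least eight characters"
MIN_CLASSES = 2     # "at least two of the following characteristics"
RUN_LENGTH = 3      # "sequences of 3 or more"


@dataclass
class User:
    """Attributes 9.1 forbids inside the password (constructed field names)."""
    first_name: str
    last_name: str
    email: str
    identification_code: str


def has_ordered_run(password: str, ordering: str, length: int = RUN_LENGTH) -> bool:
    """True if `password` contains `length` consecutive characters of
    `ordering`, ascending or descending, ignoring case."""
    lowered = password.lower()
    for i in range(len(ordering) - length + 1):
        fragment = ordering[i:i + length]
        if fragment in lowered or fragment[::-1] in lowered:
            return True
    return False


def has_repeated_run(password: str, length: int = RUN_LENGTH) -> bool:
    """True if any single character repeats `length` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (length - 1), password) is not None


def check_password(password: str, user: User) -> list[str]:
    """Return the list of 9.1 rules the password violates (empty = accepted)."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")

    classes = {
        "digit": any(c.isdigit() for c in password),
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),   # assumed fourth class
        "non-alphanumeric": any(not c.isalnum() for c in password),
    }
    if sum(classes.values()) < MIN_CLASSES:
        problems.append("fewer than two character classes")

    lowered = password.lower()
    for label, value in (
        ("first name", user.first_name),
        ("last name", user.last_name),
        ("email address", user.email),
        ("identification code", user.identification_code),
    ):
        if value and value.lower() in lowered:
            problems.append(f"contains the user's {label}")

    if has_ordered_run(password, DIGIT_ORDER):
        problems.append("contains a numeric sequence")
    if has_ordered_run(password, LETTER_ORDER):
        problems.append("contains an alphabetical sequence")
    if has_repeated_run(password):
        problems.append("contains 3 or more repeated characters")
    if any(has_ordered_run(password, row) for row in KEYBOARD_ROWS):
        problems.append("contains adjacent keyboard characters")
    return problems


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    user = User("Jane", "Doe", "jane.doe@example.com", "OP042")
    for candidate in ("Tr4vel-Mug", "jane1234", "qwerty12", "aaaBBB!!", "Pass"):
        print(f"{candidate!r}: {check_password(candidate, user) or 'accepted'}")
```

Returning every violated rule rather than stopping at the first lets the user interface explain the rejection, and the sequence checks run on the lowercased password so that "QWErty" is caught as readily as "qwerty".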

9.2. The identification code, where used, cannot be assigned to other users, even at different times. Option number 4, “Password expiration every 6 months”, requires users to change their personal password at least once every 6 months in order to continue accessing the service.

Option number 5, “Require password upon return from break”, requires re-entry of the personal password after a break, in order to prevent unauthorized access to an unattended workstation.

Option number 6, “User inactivity limit”, automatically disables credentials that have not been used for a configurable period of time.

9.3. System users are profiled to allow access exclusively to the set of data relevant to them, according to their role within the organizational structure.

Article 10 – Personal Data Breach

10.1. In the event of incidents resulting in a personal data breach or affecting information managed by Corem, Corem shall promptly notify the Data Controller within 24 hours of becoming aware of the breach (if not simultaneous with the occurrence of the breach).

10.2. Corem undertakes to maintain strict confidentiality regarding any such breaches. In this regard, such information shall not be disclosed in any form, including by making it available and/or allowing consultation.

Article 11 – Duration of the Agreement

11.1. This Agreement shall be valid from the date of its execution and shall remain in force for the entire duration of the service provision by Corem.

Article 12 – Governing Law and Jurisdiction

12.1. It is expressly agreed between the Parties that this Agreement shall be governed exclusively by Italian law.

12.2. In the event of disputes between the Parties regarding the execution and/or interpretation of this Agreement, the Parties undertake to seek an amicable resolution of the dispute. If a resolution is not reached within three (3) working days, the Parties shall exchange observations and proposals regarding a possible solution. If no resolution is reached within a further six (6) working days, the matter shall be submitted to the attention of the legal representatives of the Parties or their delegates.

12.3. If the procedure referred to in the previous paragraph cannot be applied, any dispute relating to the validity, interpretation, execution, and termination of this Agreement shall fall under the exclusive jurisdiction of the Court of Naples North, except for contracts entered into with consumers, for which the competent court shall be that of the consumer’s place of residence in accordance with Legislative Decree 206/2005.

Article 13 – Heat Mapping and Session Recording – Smartlook

Personal Data: Cookies; Usage Data; various types of Data as specified in the service’s privacy policy.

Use of Google Data on the Corem Platform

Corem integrates with Google Calendar to synchronize Corem appointments with Google Calendar.

If the Google Calendar integration is enabled on the Corem platform, the following data will be processed:

  • Google account username
  • calendars associated with the Google Calendar account

The data is processed for the purpose of adding appointments to Google Calendar in accordance with the usage of the Corem platform.

For more information regarding the Privacy Policy of the Google Calendar service, please refer to the following link.
