
Agreement for the appointment of the data processor

AGREEMENT FOR THE APPOINTMENT OF THE DATA PROCESSOR PURSUANT TO ARTICLE 28 OF REGULATION (EU) 2016/679 BETWEEN

Ambimed S.r.l. (P.IVA 11500980963), Corso Italia, 1 - 20122 Milano (MI), PEC: ambimed@legalmail.it, in the person of the legal representative pro tempore, designated DPO reachable at the e-mail dpo@ambimed-group.com, (hereinafter "Ambimed" or "Data Controller")

AND

The Travel Agency accepting this agreement (hereinafter referred to as "Agency" or "Responsible Party")

WHEREAS:

  1. Ambimed is a service company that specializes in brokering health care services, with an emphasis on travel medicine services;
  2. The Agency operates in the travel industry and is affiliated with Ambimed's partner travel/tour operator group or otherwise has ongoing business arrangements with one of these entities;
  3. The Agency wants to integrate its services by allowing the booking of travel-focused health services through Ambimed's platform (e.g., swabs, vaccines, prophylaxis, or simple consultations);
  4. Said service will be offered by Ambimed and its partners as data controller/controllers; the Agency will only assume the role of data processor according to Art. 28 of the General Data Protection Regulation No. 2016/679;
  5. In detail, the Agency's activity/processing will be limited to the simple data entry related to the traveler's personal data and the indication of the processing aimed at the trip requested by the traveler indicated above (e.g. request: swabs, vaccines, prophylaxis or simple consultations);
  6. by virtue of the acceptance of the general conditions of use of the platform, the Data Controller avails itself of the support of the aforementioned Data Processor for the processing referred to in points 3) and 5);
  7. the performance of such Services entails the processing of personal data, as defined in Article 4, 1) of Regulation (EU) 2016/679, including the special data referred to in Article 9 indicated above;
  8. the applicable data protection legislation imposes a number of obligations and constraints on the processing of Personal Data by the Data Controller that affect the Processing in question, through which the Data Processor will in principle be able to access, albeit only for contractual purposes and for the benefit of the Data Controller as well as in strict compliance with applicable regulations (including the applicable data protection legislation), the Personal Data;
  9. on the basis of the references and skills boasted by the Data Processor in its field of activity, including Data Processing in general and the management of situations similar to those of the Processing, the Data Controller has conducted a positive assessment of the suitability and qualification of the Data Processor to meet, including in terms of the security of the Processing, the necessary requirements of experience, capacity and reliability required by the applicable legislation on the protection of Personal Data in order to ensure the required legal guarantees for the purposes of the Processing of Data as a Data Processor on behalf of the Data Controller pursuant to the applicable legislation on the protection of Personal Data in connection with the Processing of Personal Data necessitated by the Agreement;
  10. The Data Controller therefore intends by this Agreement (hereinafter the "Agreement") to proceed with the appointment of the aforesaid company/professional as the Data Processor and to issue detailed instructions to it.
  11. This Agreement, as to duration and termination and for all that is not expressly stipulated herein and to the extent compatible follows as annexed the principal consulting agreement in existence between the parties.

All the foregoing having been stated and forming an integral and substantial part of this Agreement, the following is hereby agreed and entered into between the Parties, as represented above.

The Data Controller hereby appoints with immediate effect the aforementioned company/Agency, as Data Processor - as defined in Article 4, no. 8) of the Regulations - of the processing of personal data carried out within the scope of its tasks referred to in the premises and better described in the main agreement in existence between the Parties and necessary for the performance of all the tasks related to the activity of competence indicated below.

The appointed Data Processor provides suitable guarantees, by preparation and experience, of full compliance with the current provisions on the processing of personal data, including the profile relating to the security of the processing.

He/she is authorized to proceed with the organization of any personal data processing operation, carried out by him/her, with or without the aid of electronic or otherwise automated tools, in full compliance with the rules provided for by the Regulations, as well as with the provisions of the operating instructions given by the Data Controller, also through his/her own collaborators adequately trained and bound to the secrecy of the processed data in the sense indicated by the GDPR (Reg. EU 679/2016).

In particular, by way of example and without limitation, the processing carried out by the appointed Data Processor is necessary for the pursuit of the following purposes:

Booking on behalf of clients of the services usable through Ambimed.

The Data Processor verifies that the processing of personal data of the Data Controller carried out within the scope of its task, does not deviate from the purposes for which the data are collected, in accordance with the notices issued to the data subjects pursuant to Article 13 of the Regulations. To this end, the appointed Data Processor must therefore maintain active monitoring of the processing operations under his/her responsibility, availing himself/herself, if necessary, of the collaboration of the structures and resources of other internal services of the Data Controller, also verifying the purposes and methods by which the processing of personal data takes place and their consistency with what is indicated in the information given to the data subjects.

The appointed Data Processor has the power to carry out all that is necessary for compliance with the current legal provisions on the processing of personal data in the activities carried out within its area of responsibility. In particular, he/she shall:

  1. Provide, if requested, Ambimed's privacy policy to its client as well as acquire their consent to the processing of personal data;
  2. except as already provided by the Data Controller, if necessary, appoint and identify within its own organization the persons authorized to process, with reference to the assignment of one or more subjects to activities involving the processing of personal data;
  3. comply with and enforce compliance by those authorized to process and other persons who for whatever reason will come into contact with the processing of personal data with the security measures already implemented or that will be prepared in the future in accordance with the applicable legislation on the protection of personal data;
  4. verify at least annually that the access profiles assigned to those authorized to process are adequate and do not exceed the needs of the task or the Organizational/Operational Unit to which they have been assigned;
  5. assist if requested the Data Controller in the Data Protection Impact Assessment (DPIA) process referred to in Article 35 of the Regulation, as well as in any prior consultation phase with the Supervisory Authority pursuant to Article 36 of the Regulation, if the DPIA indicates that the processing would present a high risk in the absence of measures taken by the Data Controller to mitigate the risk;
  6. delete or return all personal data once processing has ceased and delete existing copies in accordance with the instructions received from the Controller, unless data retention is required by Union or domestic law;
  7. cooperate with the Data Controller in order to meet the latter's obligation to follow up on requests for the exercise of the data subject's rights under Chapter III of the Regulations and provide all necessary support in order to enable a response within a period of one month, from the request, which may be extended by two months in cases of particular complexity, pursuant to Article 12(3) of the Regulations;
  8. promptly inform the Data Controller of any new processing and any issue relevant to the personal data protection legislation, including any complaints made by data subjects and any petitions submitted to the Guarantor;
  9. in the event that the Data Processor employs other data processors (sub-processors) to perform specific processing activities on behalf of the Data Controller, the sub-processors will be obliged to comply with the obligations under this agreement;
  10. within the scope of the responsibilities thus entrusted to him/her, and in compliance with the relevant instructions, it will be incumbent on the Processor, if necessary, to keep a register of all categories of processing-related activities carried out on behalf of the Controller, pursuant to Article 30 Reg. (EU) 2016/679, constantly updated at its premises, and available at all times to the Data Controller, in written or electronic form. The same Data Processor will be exclusively responsible for preparing and carrying out a periodic internal verification activity on the work of its sub-processors and processors;
  11. within the scope of the responsibilities thus entrusted to him/her, and within the limits of the relevant instructions, the Data Processor, in his/her capacity as Data Processor, shall also be vested with the related power to issue in writing the necessary instructions and binding provisions to the subjects authorized by him/her for processing;
  12. the Data Processor shall comply - in proceeding with the necessary processing operations and in the termination of the same Processing - with the regulations applicable from time to time and with the instructions given by the Data Controller. In addition, the Processor undertakes to maintain in place and apply appropriate security measures in accordance with applicable data protection regulations;
  13. it shall be the care and responsibility of the Data Processor to provide in writing to the authorized processors operating under its direct authority the necessary instructions and binding provisions for the processing with respect to compliance with the applicable provisions on processing and to also bind them to confidentiality, providing a copy thereof to the Data Controller.

Any changes to this Agreement must be made in writing, and may be made only through a written statement agreed between the Parties or through a communication from the Data Controller 30 days prior to the change of conditions; the failure of the Data Processor to withdraw will count as an implied agreement. In any case, this Agreement follows the general conditions of use of the platform.

The invalidity, even partial, of one or more of the clauses of this Agreement shall not affect the validity of the remaining clauses.

The Parties hereby expressly intend to revoke and replace any other existing contract or agreement between them relating to the processing of personal data.

The Agency has read and understood the contents of this Agreement and by signing it expresses its full consent.

Our Travel Medicine Services

Thanks to the experience gained in the Travel Medicine sector, Ambimed has applied the issues of prevention and medical safety while traveling within the scope of the obligations of Model 231, Legislative Decree 81/08 and ISO 31030 directives by structuring a proposal of services to protect the health of employees before, during and after the work trip and/or period of stay abroad. With the correct prevention and adequate preparation, transfer staff are able to safely face business travel.