HOW4 is GDPR compliant. Below you can read the Company’s Data Processing Agreement.
Data Processing Agreement
Article 1. Definitions
“Personal Data” refers to any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Processor” refers to the entity acting on behalf of the Data Controller.
“Processing” means any operation or set of operations, whether or not performed by automated means, applied to personal data, such as collection, recording, organization, structuring, retention, adaptation or alteration, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, blocking, erasure or destruction of the personal data.
“Transfer of Personal Data” means the processing, material transfer or distant access to Personal Data from entities established out of the European Economic Area (EEA).
“Personal Data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Article 2. Processing of the Controller Personal Data
(1) People Yield shall comply with all applicable data protection laws when processing the Controller Personal Data. The Controller Personal Data includes categories of personal data of the Controller’s employees who will be provided with access to the People Yield’s services under the Principal Agreement: names, email address, IP address, phone number, position, employer, employee’s personal objectives, key results and tasks.
(2) People Yield shall process Controller Personal Data only on the Controller’s documented instructions unless the processing is required by the applicable laws to which People Yield is subject. People Yield is prohibited from using or otherwise processing Controller Personal Data for purposes different from the provision of the services under the Principal Agreement and only for the term agreed under the Principal Agreement.
(3) People Yield shall not disclose or provide the Controller Personal Data to third parties, except under the provisions of Art. 4 of this Data Processing Agreement or where there is an obligation under the applicable data protection laws.
Article 3. People Yield’s personnel
(1) People Yield shall take reasonable steps to ensure the reliability of any of its employees, agents or contractors who may have access to the Controller Personal Data.
(2) People Yield shall in each case ensure that access to the Controller Personal Data is strictly limited to those individuals who need to know and/or access the relevant Controller Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with the applicable laws in the context of that individual’s duties to People Yield, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Article 4. Security of the Controller Personal Data
(1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Controller Personal Data as well as the risks for the rights and freedoms of natural persons, in particular the risk of Controller Personal Data breach, People Yield shall implement in relation to the Controller Personal Data appropriate technical and organizational measures to ensure an appropriate level of security.
Article 5. Appointment of subprocessors
(1) The Controller authorizes People Yield to appoint subprocessors (the “Subprocessor”) in accordance with this article. Each Subprocessor shall also be entitled to appoint subprocessors to the extent the restrictions of this article are complied with.
(2) People Yield shall give the Controller prior written notice of the appointment of any new Subprocessors, including full details of the processing activities that the Subprocessor will undertake.
(3) The Controller shall have 3 business days following the receipt of the written notice on the appointment of a Subprocessor to object in writing to the proposed appointment of the Subprocessor. In such cases, if People Yield may not by itself perform the services related to the data processing under the Principal Agreement, People Yield may unilaterally and without notice terminate the Principal Agreement. If there is no objection on the side of the Controller within the set term, the Subprocessor is deemed approved by the Controller.
(4) People Yield shall not disclose Controller Personal Data to Subprocessors which have not yet been notified and approved by the Controller. People Yield shall conclude a written contract with the Subprocessor to govern their relation. The contract shall meet the requirements of Article 28, para. 3 of the GDPR and shall contain terms that offer at least the same level of protection for the Controller Personal Data as those set in this Data Processing Agreement. If the appointment of a Subprocessor involves transfers of the Controller Personal Data to third countries, People Yield shall incorporate the Standard data protection clauses adopted by the European Commission in its contract with the Subprocessor.
(5) People Yield may continue to use and provide access to the Controller Personal Data to Subprocessors which have already been engaged by People Yield at the date of conclusion of this Data Processing Agreement.
People Yield’s list of Subprocessors includes: Seeweb.
Article 6. Obligations of People Yield towards the Controller
(1) People Yield shall promptly notify the Controller if it or any of its Subprocessors have received a request from a data subject who wishes to exercise his/her rights related to the Controller Personal Data under the applicable data protection laws. People Yield shall reasonably assist the Controller to respond to such requests.
(2) People Yield shall ensure that it or any of its Subprocessors does not respond to data subject requests except on the documented instructions of the Controller or as required by the applicable laws to which People Yield or the respective Subprocessor is subject. In case the response to the request is required by the applicable laws, People Yield or the Subprocessor shall, to the extent permitted by this law, inform the Controller of this legal requirement prior to responding to the request.
(3) People Yield shall provide the Controller at the latter’s expense reasonable assistance with any data protection impact assessments and prior consultations with the competent data protection authorities, which the Controller reasonably considers necessary pursuant to Art. 35 and Art. 36 of the GDPR.
Article 7. Personal data breach
(1) People Yield shall notify the Controller without undue delay on People Yield or any of its Subprocessors becoming aware of a personal data breach affecting the Controller Personal Data. People Yield shall provide the Controller with sufficient information to allow the Controller to meet its obligations to report or inform the data subjects of the personal data breach as required by the data protection laws applicable to the Controller.
(2) People Yield shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist the Controller investigate, mitigate and remediate the personal data breach.
Article 8. Deletion of the Controller Personal Data
(1) People Yield shall promptly and in any event within 9 months of the date of cessation of any services involving the processing of the Controller Personal Data delete in a manner that the data could not be recovered and procure the deletion of all copies of Controller Personal Data processed for the services under the Principal Agreement.
(2) Notwithstanding the previous paragraph, People Yield may retain the Controller Personal Data to the extent required by the applicable data protection laws and only to the extent and for such periods as required by the applicable laws. In any such case, People Yield shall ensure the confidentiality of the Controller Personal Data and shall ensure that such Controller Personal Data is solely processed as necessary for the purpose specified in the applicable laws requiring the storage of the Controller Personal Data.
Article 9. Audit rights
(1) People Yield shall make available to the Controller on the latter’s request all information necessary to demonstrate compliance with this Data Processing Agreement. People Yield shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the processing of the Controller Personal Data by People Yield. All expenses related to the audit are to be borne by the Controller.
(2) The Controller shall give one-month notice to People Yield by submitting a detailed audit plan for any audit or inspection to be conducted. The Controller and its mandated auditors shall make reasonable efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to People Yield’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. The audits and inspections shall take place during normal business hours for People Yield.
(3) If the requested audit scope is addressed in an audit report performed by a qualified third-party auditor within twelve months of the Controller’s audit request and People Yield confirms there are no known material changes in the controls audited, the Controller agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
Article 10. International transfers
(1) People Yield is required to notify the Controller in advance about the third countries to which People Yield may transfer Controller Personal Data and undertakes to comply with all additional reasonable instructions given by the Controller in connection with such processing. As at the date of the conclusion of this Data Processing Agreement, the Controller expressly authorizes People Yield to transfer Controller Personal Data to the United States of America.
Article 11. Miscellaneous
(1) This Data Processing Agreement shall be governed by Italian law and the Italian courts shall have exclusive jurisdiction for any disputes arising out of or in connection with this Data Processing Agreement.
(2) Should any provision of this Data Processing Agreement be proclaimed invalid or unenforceable, then the remainder of this Data Processing Agreement shall remain valid and in force. The invalid or unenforceable provision shall be amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible.
People Yield srl.
Corso Europa, 15
20122 Milano (Italy)