AGREEMENT OF APPOINTMENT OF DATA PROCESSOR

The legal entity or the self-employed professional identified as client in the Order Form (the “Data Controller” or the “Client”),

WHEREAS

  1. Artshell is a company operating in the sector of management of works of art and, more specifically, in the development of IT systems to facilitate and streamline the activities relating to the management, classification and share of works of art and artistic collections, as well as availability of online spaces for the organization of trade show-exhibition events. In this context, Artshell developed a software – called “Artshell” and accessible through an online platform at https://www.artshell.eu/ – capable to provide galleries, art collectors, artists and museums and event organizers with a full and integrated management of works of art, through a simple and intuitive web or mobile-based interface;
  2. The Client operates in the arts and/or event organization (e.g. exhibition events) sector and intends to use the services provided by Artshell (the SaaS Services, as defined under the Agreement) for the purpose of improving the management, presentation and communication to the public of the works of art and, in general, the performance of its initiatives and activities in the sector;
  3. The Client entered into a SaaS license agreement (the “Agreement”) – of which this agreement of appointment of Data Processor (“Deed”) is integral and substantial part as Annex 4 – pursuant to which Artshell will deliver, through the software as per the foregoing recital A (the Software, as defined under the Agreement), of some SaaS Services (as defined in the Agreement) involving the Processing by Artshell of the Personal Data owned by the Client, namely the Saas Services (as better defined individually in the Agreement) relating to: (i) the management, archiving, classification, retention, share, tagging, presentation, integration with documentation and certification of the images of the works of art (the Photos of the Works, as defined under the Agreement) and, in general, what is contained in the database loaded by the Client in the Software (the Client Database, as defined under the Agreement); (ii) Newslettering, Chatting, the creation, promotion and registration at Events, as well as the Website Integration service (when selected) and (iii) Network within which the Following and Visitors Book functions are operational; and
  4. The Client believes that Artshell has sufficient guarantees to adopt appropriate technical and organizational measures in order that the Processing of Personal Data (as defined hereinafter) meets the requirements established by the legislation on personal data protection and guarantees the protection of the rights of the data subjects (as defined hereinafter);

ALL THAT BEING SAID, THE DATA CONTROLLER APPOINTS

ARTSHELL S.R.L., with registered office in Milan, 20123, Via Carducci n. 8, Tax Code and VAT Number 10440980968, as data processor pursuant to article 28 of the GDPR (as defined hereinafter) in accordance with the Agreement, according to the restrictions and terms specified hereinafter (“Artshell” o il “Data Processor”).

  1. Definitions

    1. In addition to what is otherwise expressly defined herein, the following terms, with capital letter, shall have the meaning attributed thereto in this Article:
      • “Personal Data” means any information concerning the data subject (as defined hereinafter).
      • “Special Categories of Data” means Personal Data revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, as well as genetic data, biometric data having the purpose to uniquely identify an individual, data concerning health or sex life of the data subjects (as defined hereinafter).
      • “Personal Data Protection Authority” means the Italian Personal Data Protection Authority.
      • GDPR” means the Regulation (EU) 2016/679 (“GDPR”)
      • Designated Persons” means any individual authorised and instructed to perform Personal Data processing activities under the authority of the Data Processor and/or its Data Subprocessors, if any (as defined hereinafter).
      • Data Subjects” means the individuals identified or that can be identified to whom Personal Data refer (an individual who can be identified, directly or indirectly, with particular reference to any identification data like name, ID number, data relating to the place, an online ID or to any or more elements typical of the individual’s physical, physiologic, genetic, psychic, economic, cultural or social is considered identifiable);
      • Processing” means any operation or set of operations, made with or without the assistance of automated processes and applied to Personal Data or sets of Personal Data, as collection, registration, organization, structuring, use, communication through transmission, dissemination or any other form of disclosure, comparison or interconnection, restriction, erasure or destruction;
      • Subprocessor” means a legal person, sole proprietorship or self-employed professional appointed by the Data Processor to carry out Personal Data Processing activities on behalf of the Data Controller; and
      • Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise processed.
    2. The singular terms used herein shall refer also to the plural and vice versa.
  2. Purpose of the appointment as data processor

    1. Artshell undertakes to act as Data Processor for the purposes specified in the following Article 9, in accordance with the personal data protection legislation applicable from time to time as well as with the terms and instructions established hereunder.
  3. Categories of Personal Data being Processed

    1. For the performance of the Agreement and for the purposes of this Deed, the Data Processor shall solely process the following categories of Personal Data:
      • the Personal Data contained and/or retrievable from the Photos of the Works, including: images shot from the works possibly referable to identifiable subjects, personal data contained in all the documents inherent to the Photos of the Works and to the works of art represented therein (data relating to the current controllers and previous changes of ownership, etc.) as well as certifications relating to the same and all the additional data and/or information and/or contents loaded, entered, stored, managed, processed and prepared by the Client on the Platform and through the Software, including the results of the activities relating to the management, archiving, classification, tagging, presentation and share (Network) of the Photos of the Works relating to the SaaS Services
      • all Personal Data contained in the Client Database, including: any photographic and/or video images acquired during the “Events”; personal and contact data of the names included in the Client’s mailing list that are required for the use, subject to a prior selection, of the Newslettering service in order to allow the forwarding to such contacts/names of information and/or marketing communications relating to the Client’s activity through the Platform and the Software;
      • all Personal Data related to the use of the share service called “Network”, that enables the Client to share specific elements of its Database and/or account with other users or contacts, including: the recipient’s name; the contents of the shared elements; the sharing date; the number of times the sharing recipient has displayed, forwarded or acquired the shared “card” according to the received share permit;
      • the Personal Data, images, information and documentation shared by and with the Client through the Following function integrated in the “Network” service including: the name and user ID of the Data Subject included in the list of the followers of the Client’s account followed in order to fulfil the purposes specified more in detail in section 9 below; the data, images and information shared among the users through the Chatting and/or Newslettering services; any photographic and video images acquired during the performance of the “Events”; as well as statistical data inherent to display, opening and forwarding of the emails sent to the accounts followed;
      • the Personal Data associated with the messaging activity and with the use of the “Chatting” service, including: the name of sender and of recipient; date and time of forwarding and reception of the communication; and the statistical data related to the analysis and understanding of the results of the messaging activity;
      • the Personal Data intentionally shared and notified to Users for the registration in the “contact lists” of other Users by using the Visitors Book function integrated in the “Network” service including, among other things: the account name and email address of the data subject;
      • the Personal Data and information associated with the registration and attendance of the Data Subject at an event organized, promoted and shared by the Client through the Artshell “Events” service, including: name (and/or User ID) and email address; date and time at which the data subject made its registration at the event or refused the invitation or cancelled the event; date and time of the data subject’s entrance at the event through the scan of the passbook generated by the Software or by ticking the specific section of the Arthsell app, as well as the statistical data generated by the analysis of the results of the event management SaaS Service.
    2. Without prejudice to the provisions of Article 11 below, as well as to sections 9.3(x) and 13.4(ii) of the Agreement, subject to a prior written request by the Data Controller, the Data Processor undertakes to update, change, correct or erase the processed Personal Data in the shortest time possible and, in any case, within 15 (fifteen) days
  4. Categories of Data Subjects

    1. The Personal Data processed by the Data Processor specified in the foregoing Article 3 is exclusively referable to the following categories of Data Subjects:
      • all Artshell users and the personal contacts (even not registered at Artshell) to whom the Client targets its share (“Network”), Following, messaging (“Chatting”), forwarding of newsletters and event management activities;
      • any identifiable subjects possibly portrayed in the Photos of the Works;
      • any subjects holding rights to works of art retrievable from the documentation inherent to the Photos of the Works and to the works of art represented therein, as well as from the certifications relating thereto;
      • any additional third party subjects whose data and/or information can be related for various reasons to the Photos of the Works and to the works of art represented therein due to the management, classification and certification activities performed by the same relatively to the same works.
  5. Data Processor’s Obligations

    1. The Data Processor shall perform the obligations envisaged under the Agreement and hereunder. More specifically, the Data Processor shall:
      • accurately follow the Data Controller’s instructions and make exclusively the Personal Data Processing operations agreed with the Data Controller and indicated by the latter, and strictly necessary to perform the contract;
      • taking into account the nature, object, context, purposes of the Processing, as well as any risk to the rights and freedom of the Data Subjects, adopt the appropriate technical and organizational measures to guarantee a level of security adequate to the risk and, in any case, the integrity, the exactness of the Personal Data processed and the lawfulness of the Processing. In particular, in order to guarantee:
        1. the encryption of Personal Data;
        2. the capability to permanently ensure the confidentiality, integrity, availability and resilience of Processing systems and services;
        3. the capability to promptly restore the availability of Personal Data as well as the access to the same, in case of any physical or technical incident;
        4. a procedure to regularly test, verify and assess the effectiveness of the technical and organizational measures adopted in order to guarantee the Processing security; and
        5. other technical and organizational measures aimed at preventing any risk of destruction, loss or alteration of Personal Data, access to Personal Data by unauthorised subjects, use of Personal Data not compliant with the declared purposes of collection and/or any unauthorised use of the Data Used.
      • guarantee to the Data Controller the possibility to follow up the requests for the exercise of the rights of data subjects, including, by way of example without limitation, the right to access the Personal Data concerning them, the right to rectification, the right to erasure (or right to be forgotten), the right to restriction of processing, the right to portability, the right to opposition, the right not be subject to decisions based on an automated decision-making process;
      • identify on a name basis in writing the Designated Persons, procure that the same adhere to the instructions provided by the Data Controller and also guarantee that – with reference to Personal Data processed by the Data Processor on behalf of the Data Controller – the Designated Persons are bound by the confidentiality obligations established under the Agreement, with regard to Confidential Information (as defined under the Agreement);
      • based on the information available to it and following reception of a written request by the Data Controller, assist the latter in performing the obligations envisaged by the applicable personal data protection legislation, with special reference to the implementation of technical and organizational measures, to the performance of the activities required as a result of a Personal Data Breach, as well as to the execution of an impact valuation on Personal Data protection;
      • make available to the Data Controller all the information requested by the same to prove the fulfilment of the obligations envisaged by the personal data protection legislation applicable from time to time;
      • contribute to the review activities, including any inspections, made by the Data Controller and/or by any other subject authorised by the same.
  6. Record of processing activities

    1. The Data Processor shall create and prepare a record of processing activities carried out on behalf of the Data Controller pursuant to Article 30, Par. 2, of the GDPR (the “Record”).
    2. The Data Processor undertakes to maintain the Record separate from any other registers kept or, alternatively, to report in its record of Processing activities any Processing made on behalf of the Data Controller separately from any other Processing made as data controller or data processor.
    3. Upon request by the Personal Data Protection Authority, the Data Processor shall promptly provide copy of such Record.
  7. Processing of Personal Data to Third Countries

    1. Without prejudice to what is provided for under the following article 8.1, the Data Processor shall carry out the data Processing by using servers located within the European Union, avoiding any transfer to Non-EU third countries.
    2. Subject to the above, the transfer of Personal Data processed by the Data Processor on behalf o the Data Controller is allowed in case of a European Commission adequacy decision.
  8. Appointment of Data Subprocessors

    1. The Data Controller hereby authorises the Data Processor to use the subjects specified in the table below as Data Subprocessors:
      • Provider: Stripe, Inc.
      • Processing: Online payment services
      • Place of Processing: US: CALIFORNA, San Francisco

      Stripe Inc, will process Personal Data, as Artshell Data Subprocessor, in compliance with the European legislation on the matter in order to guarantee an adequate level of protection for the transfer of Personal Data to the United States. In this respect, Stripe Inc. adopted compliance measures for the international transfer of data – applicable to all Stripe companies worldwide dealing with the processing of personal data of EU data subjects – based on the EU typical contractual provisions (SCC, Standard Contractual Clauses), continuing in any case to adhere to the principles of the so-called Privacy Shield framework previously in force (in relation to which it had been EU-US and EU-Swiss Privacy Shield certified); more information is available at General Data Protection Regulation

    2. Subject to the above, the Data Processor may appoint further data subprocessors subject to prior notice to the Data Controller thereof. In such cases, the Data Processor shall select subprocessors among subjects who, due to their expertise, capacity and reliability, provide enough guarantees to implement adequate technical and organizational security measures, in order that the Processing meets the requirements of the legislation applicable from time to time and guarantees protection of the rights of data subjects also pursuant hereto. In addition, all subprocessors shall respect the same obligations contained herein by virtue of an appointment agreement substantially in line herewith.
    3. In the event that any Subprocessor fails to perform its obligations envisaged in the appointment agreement as per the foregoing Paragraph 8.2, the Data Processor shall continue to be entirely responsible to the Data Controller for the performance of the Subprocessor’s obligations.
  9. Purposes of Processing by Data Processor

    1. The Data Processor, within the limits envisaged under the Agreement and hereunder, shall process Personal Data on behalf of the Data Controller for the following purposes:
      • performance of the SaaS Services that involve the Processing of the Client’s Personal Data by Artshell , i.e. management, archiving, classification, share, tagging, presentation, integration with documentation and certification, and share of the Photos of the Works and, in general, all that is contained in the Client Database (through the “Network” SaaS Service); and
      • performance of SaaS Services mainly aimed at allowing interaction between the Client and the Data Subjects registered on the Artshell platform through the Following (i.e. entry and consequently giving visibility of the name and user ID of the Data Subject in the list of the followers of the Client account); share of the account data through the Visitors Book function (i.e. entry in the “contact list” of other users); sending and reception of the elements of the Client Database that the Client intends to share with the Data Subject; forwarding and reception of instant messages between Client and Data Subjects through the “Chatting” function; sending and reception of the Client’s newsletter and any email communications containing marketing or information offers; any WebSite Integration service (when selected);
      • creation, organization, customization, generation of VIP passbook, promotion, scheduling and share of the Client’s events with the Data Subjects being members of its Network, as well as allowing the following activities relating to registration and attendance at the events (i.e. entry of name and email contact of the Data Subject in the Client’s “guest” list, registration of date and time at which the Data Subject made a given action – opening, removal, RSVP or other –; registration of the physical presence of the Data Subject at the event through the scan of the passbook or by ticking the list on the Artshell app and processing of statistical data relating to the analysis of the event management SaaS Service results);
      • retention and storage of Client Database;
      • forwarding to the Client any communications, even customized and made ad hoc, without using computerized profiling tools, concerning updates on the world of art, new digital solutions to facilitate and streamline the activities relating to the management, classification and share of works of art and artistic collections, as well as on Artshell activities.
    2. It is hereby agreed that personal data associated with the purposes as per the foregoing Paragraph 9.1 shall be visible exclusively to the Client that processes it as data controller; Artshell shall process such data exclusively on behalf of the Client and only storing and recording it to allow the full use of the SaaS Services by the Client.
  10. Term of the Deed

    1. This Deed shall be effective starting from the date of its stipulation and for the entire Term of the Agreement (as defined thereunder), subject to revocation by the Data Controller pursuant to Article 11 below.
    2. Upon expiration, termination of or withdrawal from the Agreement for any reason whatsoever, the Deed shall automatically terminate its effects, without any notice.
    3. Upon expiration of the Agreement or in case of revocation as per Article 11 below, the Data Processor shall return to the Data Controller all the materials – of any kind whatsoever and in any form – containing Personal Data to which it may have had access and that have been delivered to the same in performing the Agreement. Without prejudice to the provisions of sections 9.3(x) and 13.4(ii) of the Agreement, the Data Processor shall also erase any Personal Data processed on behalf of the Data Controller from its files and/or folders, and the relevant copies in digital and/or paper format, except for all Personal Data the retention of which is requested by the law applicable from time to time.
  11. Data Controller’s rights and obligations

    1. The Data Controller may request information from the Data Processor and make reviews for the purpose of assessing the technical, organizational and security measures adopted by the Data Processor, in order to verify that the Data Processor acts in compliance with the obligations envisaged hereunder and under the personal data protection legislation applicable from time to time.
    2. If, following the audit activities as per the foregoing Paragraph 11.1, the Data Controller believes on the basis of founded written reasons previously notified to the Data Processor that the warranties mentioned in Recital C hereof are no longer applicable, and/or ascertains a breach by the Data Processor of the obligations envisaged hereunder, the Data Controller may revoke the Data Processor mandate with immediate effect.
  12. Fee

    1. The Fee (as defined and agreed under the Agreement) includes the services inherent to the Data Processor qualification; therefore the Data Processor shall have nothing to claim in this respect.
  13. Personal Data Breach

    1. In the event of a Breach of the Personal Data processed by the Data Processor on behalf of the Data Controller, also as a consequence of the conduct of any Subprocessors, the Data Processor undertakes to:
      • inform the Data Controller without any unjustified delay; and
      • prepare and update a record describing the type of any Personal Data Breach occurred, the Data Subjects involved, the possible consequences as well as the security measures implemented, also in agreement with the Data Controller, in order to limit the negative effects of the event and restore the situation existing before any such breach.
  14. 14. Liability

    1. The Data Processor shall be liable to the Data Controller – also for any fact related to its Designated Persons – for any delay and/or inexact or failed performance of the obligations hereof.
    2. The Data Processor shall also be exclusively liable for any breach of the personal data protection legislation applicable from time to time, that may occur for any reason attributable to the same and as a consequence of the non-compliance with the instructions provided by the Data Controller in this Deed and in the Agreement, pursuant to and within the limits envisaged by the applicable law.
    3. In the event that the Data Processor determines the purposes and means of Personal Data Processing, in breach of the obligations envisaged hereunder, the same will be considered a data controller.
  15. Communications

    1. The mutual communications contemplated or requested hereunder, as well as all communications between Data Controller and Data Processor in relation hereto, shall be made in writing and addressed to the addresses specified below or to any different address that Data Controller and Data Processor reserve the right to provide to each other.

      As to Data Processor

      Address:

      Via Giosuè Carducci 8, 20123 Milano

      Email:

      admin@artshell.eu

      Certified email:

      artshell@legalmail.it

      Attn:

      Artshell S.r.l

      Per le comunicazioni al Cliente:

      Address:

      Registered Office of the Client specified in the Order Form

      Email:

      Email address of the User Admin provided upon registration

      Certified email:

      Certified email address specified in the Order Form

      Attn:

      Person indicated as legal representative in the Order Form

  16. Applicable law and competent court

    1. This Deed is governed by the Italian laws.
    2. Any dispute arising in relation to the performance, interpretation and/or application hereof shall be submitted to the court of Milan, having exclusive jurisdiction.
  17. Miscellaneous

    1. Any amendment hereto shall not be valid unless it is made in writing and signed by the authorised representatives of Data Controller and Data Processor.
    2. In case of conflict between this Deed and the Agreement, this Deed shall prevail over the provisions relating to Personal Data Processing contained in the Agreement.

* * *      *      * * *

L
o
a
d
i
n
g