vintogroup.com is committed to the correct processing of data and has created the following Data Processing Agreement in accordance with the applicable Data Protection Laws. Please be aware of the following agreement.

(1) DEFINITIONS

“Data Controller” Has the meaning given to ‘Data Controller’, or ‘Controller’ as appropriate, in the Data Protection Laws;

“Data Breach” Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

“Data Processor” Has the meaning given to ‘Data Processor’, or ‘Processor’ as appropriate, in the Data Protection Laws;

“Data Protection Laws” Means any and all laws, statutes, enactments, orders or regulations or other similar instruments of general application and any other rules, instruments or provisions in force from time to time relating to the processing of personal data and privacy applicable to the performance of this Agreement, including where applicable the Data Protection Act 1998, the Data Protection Bill, the Regulation of Investigatory Powers Act 2000, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and the GDPR (Regulation (EU) 2016/679), as amended or superseded;

“GDPR” Means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as updated, superseded or repealed from time to time;

“Personal Data” Has the meaning given in the Data Protection Laws.

(2) DATA PROCESSING

2.1 Each Party shall comply with its obligations as a Data Controller or Processor under the applicable Data Protection Laws.

2.2 If it is found that the Publisher, pursuant to this Agreement, processes Personal Data on behalf of vintogroup.com, the Publisher acknowledges that vintogroup.com is the Data Processor, and that the Publisher is the Data Controller.

2.3 In the event that clause 2.2 applies, the Data Processor shall comply with its obligations under applicable Data Protection laws and as set out in this Schedule I.

(3) COMPLIANCE WITH DATA PROTECTION LAWS

3.1 The Data Processor warrants that it has complied, and shall continue to comply, with the requirements of the applicable Data Protection Laws and all other data protection legislation in any jurisdiction relevant to the exercise of its rights or the performance of its obligations under this Agreement.

(4) DATA CONTROLLER OBLIGATIONS

4.1 In respect of any Personal Data to be processed by the Data Controller pursuant to this Agreement, the Data Controller shall:

4.1.1 have in place and at all times maintain appropriate technical and organizational measures in such a manner as is designed to ensure the protection of the rights of the data subject and to ensure a level of security appropriate to the risk and shall implement any reasonable security measures as requested by vintogroup.com from time to time;

4.1.2 not engage any sub-controllers without the prior specific or general written authorization of vintogroup.com (and in the case of general written authorization, the Data Controller shall inform vintogroup.com of any intended changes concerning the addition or replacement of other controllers and vintogroup.com shall have the right to object to such changes);

4.1.3 ensure that each of the Data Controller’s employees, agents, consultants, subcontractors and sub-controllers are made aware of the Data Processor’s obligations under this Schedule I and enter into binding obligations with the Data Processor to maintain the levels of security and protection required under this Schedule I. The Data Controller shall ensure that the terms of this Schedule I are incorporated into each agreement with any sub-controller, subcontractor, agent or consultant to the effect that the sub-controller, subcontractor, agent or consultant shall be obligated to act at all times in accordance with duties and obligations of the Data Controller under this Schedule I. The Data Controller shall at all times be and remain liable to vintogroup.com for any failure of any employee, agent, consultant, subcontractor or sub-controller to act in accordance with the duties and obligations of the Data Processor under this Schedule I;

4.1.4 process that Personal Data only on behalf of vintogroup.com in accordance with vintogroup.com’s instructions and to perform its obligations under this Agreement or other documented instructions from vintogroup.com and for no other purpose save to the limited extent required by law;

4.1.5 ensure that all persons authorized to access the Personal Data are subject to obligations of confidentiality and receive training to ensure compliance with this Agreement and the Data Protection Laws;

4.1.6 make available to vintogroup.com all information necessary to demonstrate compliance with the obligations laid out in Article 28 of GDPR and this Schedule I and allow for and contribute to audits, including inspections, conducted by vintogroup.com or another auditor mandated by vintogroup.com, of the Data Controller’s data processing facilities, procedures and documentation (and the facilities, procedures and documentation of any sub-Controller) in order to ascertain compliance with Article 28 GDPR and this Schedule I, within 5 working days of request by vintogroup.com, and, following any such audit, without prejudice to any other rights of vintogroup.com, the Data Controller shall implement such measures which vintogroup.com considers reasonably necessary to achieve compliance with the Data Controller’s obligations under this Schedule I; provided that, in respect of this provision the Data Controller shall inform vintogroup.com if, in its opinion, an instruction infringes Data Protection Laws;

4.1.7 taking into account the nature of the processing, provide assistance to vintogroup.com within such timescales as vintogroup.com may require from time to time, at no charge to vintogroup.com, in connection with the fulfilment of the vintogroup.com obligation as Data Processor to respond to requests for the exercise of data subjects’ rights pursuant to Chapter III of the GDPR to the extent applicable;

4.1.8 provide vintogroup.com with assistance in ensuring compliance with articles 32 to 36 (inclusive) of the GDPR (concerning security of processing, data breach notification, communication of a personal data breach to the data subject, data protection impact assessments, and prior consultation with supervisory authorities) to the extent applicable to vintogroup.com, taking into account the nature of the processing and the information available to the Data Controller;

4.1.9 (at no additional cost to vintogroup.com) deal promptly and properly with all enquiries or requests from vintogroup.com relating to the Personal Data and the data processing activities, promptly provide to vintogroup.com in such form as vintogroup.com may request, a copy of any Personal Data requested by vintogroup.com;

4.1.10 (at no additional cost to vintogroup.com) assist vintogroup.com (where requested by vintogroup.com) in connection with any regulatory or law enforcement authority audit, investigation or enforcement action in respect of the Personal Data;

4.1.11 timely notify vintogroup.com in writing about:

(a) any Data Breach or any accidental loss, disclosure or unauthorized access of which the Data Controller becomes aware in respect of Personal Data that it Controlled on behalf of vintogroup.com;

(b) any request for disclosure of the Personal Data by a law enforcement authority (unless otherwise prohibited);

(c) any access request or complaint received directly from a data subject.

It being accepted by the Data Processor that:

(d) the Data Controller remains responsible for any complaints or claims made by Data Subjects, third parties or any regulatory or law enforcement authority to the extent such complaints or claims are the result of an infringement of Data Protection Laws by the Data Controller.

4.1.12 maintain a record of its processing activities in accordance with Article 30 of the GDPR.

4.1.13 indemnify vintogroup.com against all liabilities, claims, costs, expenses, damages and losses (including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal and other professional costs and expenses) suffered or incurred by vintogroup.com or for which it may become liable as a result of or in connection with any failure of the Data Controller, its employees, agents, consultants, subcontractors or sub-controllers to comply with this Schedule I.

4.2 vintogroup.com reserves the right to take legal action for any damages (financial or reputational) and the Data Controller shall indemnify vintogroup.com and its clients in respect of any fines, damages or complaints made to us as a result of the Data Controller’s use of personal data.

4.3 Notwithstanding anything to the contrary set out in this Agreement, to the extent that there is any duplication or conflict between definitions or clauses used in the Agreement and this Schedule I, the definitions and clauses set out in this Schedule I will apply and take precedence. In all other respects the Agreement shall continue to be in effect.

(5) INTERNATIONAL DATA TRANSFERS

5.1 In respect of any Personal Data to be processed by a party acting as Data Controller pursuant to this Agreement for which the other party is Data Processor, the Data Controller shall not transfer the Personal Data outside the EEA or to an international organisation without:

5.1.1 obtaining the written permission of the Data Processor;

5.1.2 ensuring appropriate levels of protection, including any appropriate safeguards if required, are in place for the Personal Data in accordance with the Data Protection Laws;

5.1.3 notifying the Data Processor of the protections and appropriate safeguards in paragraph 5.1.2 above;

5.1.4 documenting and evidencing the protections and appropriate safeguards in paragraph 5.1.2 above and allowing the Data Processor access to any relevant documents and evidence.

(6) DETAILS OF PROCESSING ACTIVITIES

6.1 As required by Article 28 of the GDPR, if at any point you will be processing data on behalf of the Data Processor, please specify this to the Data Processor and they will pass you the relevant pre due diligence questions before moving forward with this activity.

This document was last updated in February, 2021