Data Processing Agreement (DPA) (pursuant to Art. 28 GDPR)
This translation is NOT legally binding and is a working translation only. Legally binding and relevant, particularly in case of any discrepancies, is solely the German text.
- the customer, hereinafter referred to as "Controller"
- azuma healthtech GmbH, hereinafter referred to as "Processor"
Preamble
There is a contractual relationship between the Controller and the Processor within the meaning of Art. 28 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "GDPR").
The processor undertakes to the controller to fulfill the main contract and this agreement in accordance with the following provisions:
§ 1 Scope of Application and Definitions
1.
The following provisions apply to all commissioned processing services within the meaning of Art. 28 GDPR that the processor provides to the controller on the basis of the main contract.
2.
Where this agreement uses the term "data processing" or "processing" of data, it generally means the handling of personal data. Data processing or the processing of data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3.
For further definitions, see Art. 4 GDPR.
§ 2 Purpose and Duration of Data Processing
1.
The processor processes personal data on behalf of and in accordance with the instructions of the controller.
2.
The subject of the commission is the use of the Full Service Identity Software (azuma doa) of azuma healthtech GmbH within the scope agreed with the Processor, in accordance with the user agreements.
3.
The duration of this agreement corresponds to the term of the main contract.
§ 3 Nature and Purpose of Data Processing
The nature and purpose of the processing of personal data by the processor are set out in the main contract. This includes the following activity(ies) and purpose(s):
- account provision for end users and employees of the controller
- role and rights management
- tenant management (management of the controller's tenant and the tenants of the controller's end users)
- user management
- provision of functionality for the administration and configuration of tenants by employees of the Controller
§ 4 Categories of Data Subjects
The categories of data subjects affected by the processing of personal data under this agreement include:
- End users of the controller's application
- Employees of the controller
§ 5 Types of Personal Data
The following types of data are affected by the commissioned processing:
1. Data in the Web Token
For the integration of the Full Service Identity Software, the following end user data, or a subset thereof depending on the requirements of the Controller, is processed:
- Personal master data (name, in some cases profession/functional title)
- Contact data (e-mail address)
- Role-related identification numbers (e.g. lifetime doctor number)
- Organization
This data is contained in the technical token that is transferred from the processor's software to the controller's software.
2. Metadata
End user metadata is recorded in azuma doa for the token handling process. The following data is processed:
- SubjectID (pseudonymized identifier)
- Token issuer
- Time of the token handling
- Duration of the token handling
- Status of the token transfer (successful/unsuccessful)
- Number of logins
- Technical data on technical events (status transitions)
3. Access/identification data
The following data of end users and employees of the Controller is processed for administration purposes:
- Personal master data (name, in some cases profession/functional title)
- Contact data (e-mail address)
- For end users: role-related identification numbers (e.g. lifetime doctor number)
- Tenant data (technical representation of the customer)
§ 6 Rights and Obligations of the Controller
1.
The controller is solely responsible for assessing the permissibility of the data processing and for safeguarding the rights of the data subjects and is therefore the controller within the meaning of Art. 4 No. 7 GDPR.
2.
The controller is entitled to issue instructions regarding the type, scope and procedure of data processing. At the request of the Controller, verbal instructions must be confirmed immediately by the Processor in writing or in text form (e.g. by email).
3.
If the Controller deems it necessary, persons authorized to issue instructions may be appointed. The Controller shall inform the Processor of these in writing or in text form. In the event that these authorized persons change at the Controller, the Processor shall be informed of this in writing or in text form, naming the new person in each case.
4.
The Controller shall inform the Processor immediately if errors or irregularities are detected in connection with the processing of personal data by the Processor.
§ 7 Obligations of the Processor
1. Data processing
The Processor shall process personal data exclusively in accordance with this Agreement and/or the underlying main contract and in accordance with the Controller's instructions. This also applies to the transfer of personal data to a third country or an international organization, unless the Processor is obliged to do so by the law of the Union or the Member States to which the Processor is subject. In such a case, the processor shall notify the controller of these legal requirements prior to processing, unless the law in question prohibits such notification due to an important public interest.
2. Rights of data subjects
a) The Processor shall support the Controller, to the extent it is able to, in fulfilling the rights of the data subjects, in particular with regard to rectification, restriction of processing and erasure, notification and provision of information. If the Processor processes the personal data specified in § 5 of this Agreement on behalf of the Controller and this data is the subject of a request for data portability pursuant to Art. 20 GDPR, the Processor shall provide the Controller with the relevant data set within a reasonable period of time, otherwise within seven working days, in a structured, commonly used and machine-readable format.
b) The Processor shall, at the instruction of the Controller, rectify, erase or restrict the processing of the personal data referred to in § 5 of this Agreement that are processed on behalf of the Controller. The same shall apply if this Agreement provides for the rectification, erasure or restriction of processing of data.
c) If a data subject contacts the Processor directly for the purpose of rectification, erasure or restriction of processing of the personal data referred to in § 5 of this Agreement, the Processor shall forward this request to the Controller immediately upon receipt.
3. Control Obligations
a) The Processor shall ensure through appropriate controls that the personal data processed on behalf of the Controller is processed exclusively in accordance with this Agreement and/or the Main Agreement and/or the corresponding instructions.
b) The Processor shall structure its company and its operating procedures in such a way that the data it processes on behalf of the Controller is secured to the extent necessary and protected against unauthorized access by third parties.
c) The Processor confirms that it has appointed a data protection officer pursuant to Art. 37 GDPR and, if applicable, pursuant to Section 38 BDSG and monitors compliance with data protection and data security regulations with the involvement of the data protection officer. The data protection officer of the processor is currently
Name: Benjamin R. Hansen, LL.M.
4. Information Obligations
a) The Processor shall immediately inform the Controller if, in its opinion, an instruction issued by the Controller violates statutory provisions. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller.
b) The Processor shall assist the Controller in complying with the obligations set out in Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to the Processor.
c) The Processor shall notify the Controller without undue delay of any personal data breach at a subcontractor engaged by the Processor and/or at the Processor itself.
5. Place of Data Processing
The processing of data shall generally take place in the territory of the Federal Republic of Germany, in a member state of the European Union, in another state party to the Agreement on the European Economic Area or in a third country for which an adequacy decision pursuant to Art. 45 GDPR exists. Relocation to locations other than those mentioned is excluded without a mutual agreement between the Controller and the Processor.
6. Deletion of Personal Data after Termination of the Contract
After termination of the main contract, the Processor shall, at the Controller's choice, either delete or return all personal data processed on behalf of the Controller, provided that the deletion of this data does not conflict with any statutory retention obligations of the Processor. The data protection-compliant deletion must be documented and confirmed to the Controller upon request. In its erasure concept, the Processor must also record all data that was processed in the course of further commissioned processing (sub-processing).
§ 8 Control Rights of the Controller
1.
The Controller shall be entitled, after timely prior notification, during normal business hours, without disrupting the Processor's business operations or jeopardizing the security measures for other controllers, and at its own expense, to monitor compliance with the data protection regulations and the contractual agreements itself or through third parties to the extent necessary. The checks may also be carried out by reference to existing industry-standard certifications of the Processor, current certificates or reports from an independent body (e.g. an auditor, external data protection officer or external data protection auditor), or self-disclosures. The Processor shall provide the support necessary to carry out the checks.
2.
The Processor shall immediately inform the Controller of the implementation of control measures by the supervisory authority, insofar as the measures or data processing operations that the Processor performs for the Controller may be affected.
§ 9 Subcontracting Relationships
1.
The Controller authorizes the Processor to make use of other Processors in accordance with the following paragraphs in § 9 of this Agreement. This authorization constitutes a general written authorization within the meaning of Art. 28 para. 2 GDPR.
2.
The Processor currently cooperates with the subcontractors named in Annex 2 in the performance of the contract, and the Controller agrees to their engagement. The Processor engages other processors to process data only on the basis of a legally valid contract or other admissible legal instrument pursuant to Art. 28 (2) GDPR. Such a contract shall specify the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the parties. The data processing activities of the other processor are subject to the instructions of the Processor, which has established a process for documenting and monitoring all instructions issued.
3.
The Processor shall be entitled to engage additional processors or to replace processors already engaged. The Processor shall inform the Controller in advance of any intended change with regard to the involvement or replacement of an additional processor. The Controller may object to an intended change. The Processor may not enter into contracts with additional processors that carry out processing of personal data at locations other than those agreed in Section 7 (5) of this Agreement. If an additional processor is not established in the Union, the provisions of Art. 27 GDPR must be complied with and the representative designated in writing by that processor must be established in Germany.
4.
An objection to the intended change must be raised with the Processor within two weeks of receipt of the information about the change. In the event of an objection, the Processor may, at its own discretion, provide the service without the intended change or propose an alternative additional processor and coordinate this with the Controller. If providing the service without the intended change is not reasonable for the Processor, for example due to the associated disproportionate expense for the Processor, or if the coordination of an alternative additional processor fails, the Controller and the Processor may each terminate this Agreement and the main contract with one month's notice to the end of the month.
5.
The Processor shall be responsible to the Controller for all acts and omissions of the other processors engaged by the Processor.
§ 10 Third-party Providers
1.
For all third-party provider components used in the digital application, the Processor shall ensure that they do not transfer data to third countries in violation of the provisions of Section 7 (5) and Section 9 of this Agreement. This also covers data transfers for the purposes of support or error analysis (e.g. as part of third-level support).
a) The Processor shall be able to provide up-to-date documentation and/or contracts for the third-party components used in the digital application, corresponding to the version of the digital application in use, from which all occasions for data transmission and the locations of data processing are evident, or from which it is clear that no data transmission takes place.
b) The Processor must demonstrate that the processing operations at a third party following such data transfers do not constitute commissioned processing within the meaning of Art. 28 GDPR.
§ 11 Confidentiality
1.
The Processor shall be obliged to maintain confidentiality when processing data for the Controller.
2.
The Processor undertakes to use only employees or other vicarious agents who are obliged to maintain confidentiality when handling the personal data provided and who have been appropriately familiarized with the requirements of data protection. Upon request, the Processor shall provide the Controller with evidence that these obligations have been fulfilled.
3.
If the Controller is subject to other confidentiality rules, it shall inform the Processor accordingly. The Processor shall obligate its employees to comply with these confidentiality rules in accordance with the Controller's requirements.
§ 12 Technical and Organizational Measures
1.
The technical and organizational measures described in Annex 1 are agreed to be appropriate. The Processor may update and amend these measures, provided that the level of protection is not significantly reduced by such updates and/or amendments.
2.
The Processor shall observe the principles of proper data processing in accordance with Art. 32 in conjunction with Art. 5 para. 1 GDPR. It shall ensure the contractually agreed and legally prescribed data security measures. It shall take all necessary measures to secure the data and the security of the processing, in particular taking into account the state of the art, and to minimize possible adverse consequences for data subjects. The measures to be taken include, in particular, measures to protect the confidentiality, integrity, availability and resilience of the systems and measures to ensure the continuity of processing after incidents. In order to ensure an appropriate level of security of processing at all times, the Processor shall regularly evaluate the measures implemented and make any necessary adjustments.
§ 13 Liability/ Indemnification
1.
The Processor shall be liable to the Controller in accordance with the statutory provisions for all damage caused by culpable breaches of this Agreement and of the statutory data protection provisions applicable to it, which the Processor, its employees or those it has commissioned to perform the contract cause in the course of providing the contractual service. The Processor shall not be obliged to provide compensation if it proves that it has processed the Controller's data provided to it exclusively in accordance with the Controller's instructions and has complied with the obligations under the GDPR specifically imposed on processors.
2.
The Controller shall indemnify the Processor against all third-party claims asserted against the Processor due to a culpable breach of the obligations arising from this Agreement or applicable data protection regulations by the Controller.
§ 14 Miscellaneous
1.
In the event of contradictions between the provisions of this agreement and the provisions of the main contract, the provisions of this agreement shall take precedence.
2.
Amendments and supplements to this Agreement shall require the mutual consent of the contracting parties, with specific reference to the provision of this Agreement to be amended. Verbal collateral agreements do not exist and are also excluded for future amendments to this Agreement.
3.
This Agreement shall be governed by German law.
4.
If access to the data that the Controller has transferred to the Processor for data processing is jeopardized by third-party measures (e.g. measures taken by an insolvency administrator, seizure by tax authorities, etc.), the Processor must notify the Controller of this immediately.