Working Translation

This translation is NOT legally binding and a working translation only. Legally binding and relevant, particularly in case of any discrepancies, is solely the German text.

Data Processing Agreement (DPA) (pursuant to Art. 28 GDPR)

Explanation of terms
  • customers hereinafter referred to as "Responsible Party"
  • azuma healthtech GmbH hereinafter referred to as "Processor"

Preamble

A contractual relationship exists between the Responsible Party and the Processor within the meaning of Art. 28 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "GDPR").

The Processor undertakes to the Responsible Party to fulfill the main contract and this Agreement in accordance with the following provisions:

§ 1 Scope and definitions

1. The following provisions shall apply to all commissioned processing services within the meaning of Art. 28 GDPR which the Processor provides to the Responsible Party on the basis of the main contract.

2. Insofar as the term "data processing" or "processing" of data is used in this agreement, this is generally understood to mean the use of personal data. Data processing or the processing of data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. Reference is made to the further definitions in Art. 4 GDPR.

§ 2 Subject and duration of data processing

1. The Processor shall process personal data on behalf of and in accordance with the instructions of the Responsible Party.

2. The object of the order is the use of the Full Service Identity Software of azuma healthtech GmbH within the scope agreed with the Processor, in accordance with the user agreements.

3. The duration of this agreement corresponds to the term of the main contract.

§ 3 Type and purpose of data processing

The nature and purpose of the processing of personal data by the processor are set out in the main contract. This includes the following activity(ies) and purpose(s):

  • Account provision
  • Role and rights management
  • Tenant management
  • User management

§ 4 Categories of data subjects

The categories of data subjects affected by the handling of personal data under this agreement include:

  • End user data
  • Employees of the end user

§ 5 Type of personal data

The following types of data are affected by order processing:

  • Personal master data (name, salutation, title/academic degree)
  • Contact data (e-mail address, telephone number, address)
  • Role-related identification number (e.g. doctor number (LAN))
  • Employee data of the end user
  • Organizational hierarchies of the end user
  • Function designations
  • Electronic communication data (IP address, websites accessed, details of the end device used, operating system and browser)

§ 6 Rights and obligations of the Responsible Party

1. The Responsible Party is solely responsible for assessing the permissibility of the data processing and for safeguarding the rights of the data subjects and is therefore the Responsible Party within the meaning of Art. 4 No. 7 GDPR.

2. The Responsible Party is entitled to issue instructions regarding the type, scope and procedure of data processing. Verbal instructions must be confirmed immediately by the Processor in writing or in text form (e.g. by email) at the request of the Responsible Party.

3. Insofar as the Responsible Party deems it necessary, persons authorized to issue instructions may be appointed. The Responsible Party shall inform the Processor of these in writing or in text form. In the event that these authorized persons change at the Responsible Party, the Processor shall be informed of this in writing or in text form, naming the new person in each case.

4. The Responsible Party shall inform the Processor immediately if errors or irregularities are discovered in connection with the processing of personal data by the Processor.

§ 7 Obligations of the processor

1. Data processing

The Processor shall process personal data exclusively in accordance with this Agreement and/or the underlying main contract and in accordance with the instructions of the Responsible Party.

2. Rights of data subjects

a) The Processor shall support the Responsible Party in fulfilling the rights of the data subjects, in particular with regard to rectification, restriction of processing and erasure, notification and provision of information, within the scope of its possibilities. If the Processor processes the personal data referred to in § 5 of this Agreement on behalf of the Responsible Party and if this data is the subject of a request for data portability pursuant to Art. 20 GDPR, the Processor shall provide the Responsible Party with the relevant data set within a reasonable period of time, otherwise within seven working days, in a structured, common and machine-readable format.

b) The Processor shall, at the instruction of the Responsible Party, rectify, erase or restrict the processing of the personal data referred to in § 5 of this Agreement that are processed on behalf of the Responsible Party. The same shall apply if this Agreement provides for the rectification, erasure or restriction of processing of data.

c) Insofar as a data subject contacts the Processor directly for the purpose of rectification, erasure or restriction of processing of the personal data referred to in § 5 of this Agreement, the Processor shall forward this request to the Responsible Party immediately upon receipt.

3. Control obligations

a) The Processor shall ensure through appropriate controls that the personal data processed on behalf of the Responsible Party is processed exclusively in accordance with this Agreement and/or the main contract and/or the corresponding instructions.

b) The Processor shall structure its company and its operating procedures in such a way that the data it processes on behalf of the Responsible Party is secured to the extent necessary and protected against unauthorized access by third parties.

c) The Processor confirms that it has appointed a data protection officer pursuant to Art. 37 GDPR and, if applicable, pursuant to Section 38 BDSG and monitors compliance with data protection and data security regulations with the involvement of the data protection officer. The data protection officer of the Processor is currently:

Data Protection Officer

Name: Dr. Matthias Berger

Email: privacy@azuma.health

4. Information obligations

a) The Processor shall immediately inform the Responsible Party if, in its opinion, an instruction issued by the Responsible Party violates statutory provisions. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Responsible Party.

b) The Processor shall assist the Responsible Party in complying with the obligations set out in Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to it.

5. Place of data processing

The processing of the data shall generally take place in the territory of the Federal Republic of Germany, in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any transfer to a third country may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.

6. Deletion of personal data after termination of the contract

After termination of the main contract, the Processor shall either delete or return all personal data processed on behalf of the Responsible Party, at the Responsible Party's discretion, provided that the deletion of this data does not conflict with any statutory retention obligations of the Processor. The data protection-compliant deletion must be documented and confirmed to the Responsible Party upon request.

§ 8 Control rights of the Responsible Party

1. The Responsible Party shall be entitled, after timely prior notification, during normal business hours, without disrupting the business operations of the Processor or jeopardizing the security measures for other Responsible Parties, and at its own expense, to check compliance with the data protection regulations and the contractual agreements itself or through third parties to the extent necessary. The checks can also be carried out by accessing existing industry-standard certifications of the Processor, current certificates or reports from an independent body (e.g. an auditor, external data protection officer or external data protection auditor) or self-disclosures. The Processor shall provide the necessary support to carry out the checks.

2. The Processor shall inform the Responsible Party about the implementation of control measures by the supervisory authority, insofar as the measures may concern data processing that the Processor performs for the Responsible Party.

§ 9 Subcontracting relationships

1. The Responsible Party authorizes the Processor to make use of other Processors in accordance with the following paragraphs in § 9 of this Agreement. This authorization constitutes a general written authorization within the meaning of Art. 28 para. 2 GDPR.

2. The Processor currently cooperates with the subcontractors named in Annex 2 in the performance of the contract, with whose commissioning the Responsible Party agrees.

3. The Processor shall be entitled to commission further Processors or to replace those already commissioned. The Processor shall inform the Responsible Party in advance of any intended change with regard to the involvement or replacement of another Processor. The Responsible Party may object to an intended change.

4. The objection to the intended change must be raised with the Processor within 2 weeks of receipt of the information about the change. In the event of an objection, the Processor may, at its own discretion, provide the service without the intended change or propose an alternative additional Processor and coordinate this with the Responsible Party. If the provision of the service without the intended change is unreasonable for the Processor (for example due to the associated disproportionate expenses for the Processor), or if the coordination of an additional Processor fails, the Responsible Party and the Processor may terminate this Agreement and the main contract with one month's notice to the end of the month.

5. If another Processor is engaged, a level of protection comparable to that of this Agreement must always be guaranteed. The Processor shall be responsible to the Responsible Party for all acts and omissions of the other Processors engaged by it.

§ 10 Confidentiality

1. The Processor shall be obliged to maintain confidentiality when processing data for the Responsible Party.

2. The Processor undertakes to use only employees or other vicarious agents who are obliged to maintain confidentiality when handling the personal data provided and who have been appropriately familiarized with the requirements of data protection. Upon request, the Processor shall provide the Responsible Party with evidence that these obligations have been fulfilled.

3. If the Responsible Party is subject to other confidentiality rules, it shall inform the Processor of this. The Processor shall obligate its employees to comply with these confidentiality rules in accordance with the requirements of the Responsible Party.

§ 11 Technical and organizational measures

1. The technical and organizational measures described in Annex 1 are agreed to be appropriate. The Processor may update and amend these measures, provided that the level of protection is not significantly reduced by such updates and/or amendments.

2. The Processor shall observe the principles of proper data processing in accordance with Art. 32 in conjunction with Art. 5 para. 1 GDPR. It shall ensure the contractually agreed and legally prescribed data security measures. It shall take all necessary measures to secure the data or the security of the processing, in particular also taking into account the state of the art, as well as to minimize possible adverse consequences for data subjects. The measures to be taken include, in particular, measures to protect the confidentiality, integrity, availability and resilience of the systems and measures to ensure the continuity of processing after incidents. In order to ensure an appropriate level of security of processing at all times, the Processor shall regularly evaluate the measures implemented and make any necessary adjustments.

§ 12 Liability / Indemnification

1. The Processor shall be liable to the Responsible Party in accordance with the statutory provisions for all damages caused by culpable violations of this Agreement and of the statutory data protection provisions applicable to it, which the Processor, its employees or those commissioned by it to perform the contract cause in the course of providing the contractual service. The Processor shall not be obliged to provide compensation if the Processor proves that it processes the Responsible Party's data provided to it exclusively in accordance with the Responsible Party's instructions and has complied with its obligations under the GDPR specifically imposed on Processors.

2. The Responsible Party shall indemnify the Processor against all third-party claims asserted against the Processor due to a culpable breach of the obligations arising from this Agreement or applicable data protection regulations by the Responsible Party.

§ 13 Miscellaneous

1. In the event of contradictions between the provisions of this Agreement and the provisions of the main contract, the provisions of this Agreement shall take precedence.

2. Amendments and supplements to this Agreement shall require the mutual consent of the contracting parties with specific reference to the provision of this Agreement to be amended. Verbal collateral agreements do not exist and are also excluded for future amendments to this Agreement.

3. This Agreement shall be governed by German law.

4. If access to the data that the Responsible Party has transferred to the Processor for data processing is jeopardized by third-party measures (e.g. measures taken by an insolvency administrator, seizure by tax authorities, etc.), the Processor must notify the Responsible Party of this immediately.

List of attachments

Annex 1 Technical and organizational measures to ensure the security of data processing

Annex 2 Subcontracting relationships pursuant to § 9 of the agreement on order processing