Data Processing Agreement (DPA) (pursuant to Art. 28 GDPR)

Working Translation

This translation is NOT legally binding and a working translation only. Legally binding and relevant, particularly in case of any discrepancies, is solely the German text.

Explanation of terms
  • customers hereinafter referred to as "Controller" or "Responsible Party"
  • azuma healthtech GmbH hereinafter referred to as "Processor"

Preamble

There is a contractual relationship between the Controller and the Processor within the meaning of Art. 28 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "GDPR").

The Processor undertakes to the Controller to fulfill the main contract and this agreement in accordance with the following provisions:

§ 1 Scope of Application and Definitions

1.

The following provisions apply to all commissioned processing services within the meaning of Art. 28 GDPR that the Processor provides to the Responsible Party on the basis of the main contract.

2.

Where the term "data processing" or "processing" of data is used in this agreement, it is generally understood to mean the use of personal data. Data processing or the processing of data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.

Please refer to the further definitions in Art. 4 GDPR.

§ 2 Purpose and Duration of Data Processing

1.

The Processor processes personal data on behalf of and in accordance with the instructions of the Responsible Party.

2.

The subject of the order is the use of the Authorization as a Service Software (azuma mimoto) of azuma healthtech GmbH within the scope agreed with the Processor, in accordance with the user agreements.

3.

The duration of this agreement corresponds to the term of the main contract.

§ 3 Type and Purpose of Data Processing

The nature and purpose of the processing of personal data by the processor are set out in the main contract. This includes the following activity(ies) and purpose(s):

  1. Registration with the health ID for end users of the controller

  2. Token transfer/token exchange

  3. Integration in Federated OIDC process specified by gematik

  4. Providing functionality for administration and configuration of the Relying Party by employees of the responsible party

§ 4 Categories of Affected Persons

The categories of data subjects affected by the handling of personal data under this agreement include:

  • End users of the controller's application

  • Employees of the controller

§ 5 Type of Personal Data

The following types of data are affected by order processing:

(1) Data in the web token

For the integration of the HealthID, the following end user data or, depending on the controller's requirements, a subset thereof is processed:

  • Personal master data (name, date of birth, age, gender, profession)
  • Contact details (e-mail address)
  • Role-related identification number (health insurance number)
  • Organization (identity of issuing health insurance company)

This data is only contained in the technical token that is transferred from the processor's software to the controller's software. This data is not stored. The authentication and creation of the tokens with the above-mentioned data takes place in the sectoral identity providers of the health insurance companies. The scope of the data transferred in the token is based on the BfArM's approvals for the customer. The processor only passes on to the controller the data that has been approved by BfArM and gematik in the approval and confirmation process.

(2) Metadata

End user metadata is recorded in azuma mimoto for the token handling process. The following data is processed:

  • SubjectID (pseudonymized identifier)
  • Token issuer
  • Time of the token handling
  • Duration of the token handling
  • Status of the token transfer (successful/unsuccessful)
  • Number of logins via the health ID
  • Technical data on the technical events (status transitions)

(3) Access data

The following data of the controller's employees are processed for the administration of the relying party:

  • Personal master data (name)
  • Contact data (e-mail address)
  • Tenant data (technical representation of the customer)

This data does not relate to the end user of the controller, but only to the controller's employees and has no connection to the controller's software. The data is required to log in to the Administration Frontend/Developer Portal of azuma mimoto.

§ 6 Rights and Obligations of the Controller

(1)

The controller is solely responsible for assessing the permissibility of the data processing and for safeguarding the rights of the data subjects and is therefore the controller within the meaning of Art. 4 No. 7 GDPR.

(2)

The controller is entitled to issue instructions regarding the type, scope and procedure of data processing. At the request of the Controller, verbal instructions must be confirmed immediately by the Processor in writing or in text form (e.g. by email).

(3)

If the Controller deems it necessary, persons authorized to issue instructions may be appointed. The Controller shall inform the Processor of these in writing or in text form. In the event that these authorized persons change at the Controller, the Processor shall be informed of this in writing or in text form, naming the new person in each case.

(4)

The Controller shall inform the Processor immediately if errors or irregularities are discovered in connection with the processing of personal data by the Processor.

§ 7 Obligations of the Processor

(1) Data processing

The Processor shall process personal data exclusively in accordance with this Agreement and/or the underlying main contract and in accordance with the Controller's instructions. This also applies to the transfer of personal data to a third country or an international organization, unless the Processor is obliged to do so by the law of the Union or the Member States to which the Processor is subject. In such a case, the processor shall notify the controller of these legal requirements prior to processing, unless the law in question prohibits such notification due to an important public interest.

(2) Rights of data subjects

(a) The Processor shall assist the Controller in fulfilling the rights of the Data Subjects, in particular with regard to rectification, restriction of processing and erasure, notification and access, to the extent possible. If the Processor processes the personal data specified in § 5 of this Agreement on behalf of the Controller and if this data is the subject of a request for data portability pursuant to Art. 20 GDPR, the Processor shall provide the Controller with the relevant data set within a reasonable period of time, otherwise within seven working days, in a structured, commonly used and machine-readable format.

(b) The Processor shall, at the instruction of the Controller, rectify, erase or restrict the processing of the personal data referred to in § 5 of this Agreement that are processed on behalf of the Controller. The same shall apply if this Agreement provides for the rectification, erasure or restriction of processing of data.

(c) If a data subject contacts the Processor directly for the purpose of rectification, erasure or restriction of processing of the personal data referred to in § 5 of this Agreement, the Processor shall forward this request to the Controller immediately upon receipt.

(3) Control obligations

(a) The Processor shall ensure through appropriate controls that the personal data processed on behalf of the Controller is processed exclusively in accordance with this Agreement and/or the Main Agreement and/or the corresponding instructions.

(b) The Processor shall structure its company and its operating procedures in such a way that the data it processes on behalf of the Controller is secured to the extent necessary and protected against unauthorized access by third parties.

(c) The processor confirms that it has appointed a data protection officer in accordance with Art. 37 GDPR and, if applicable, in accordance with Section 38 BDSG and monitors compliance with data protection and data security regulations with the involvement of the data protection officer. The data protection officer of the processor is currently

Data Protection Officer Info

(4) Duty to provide information

(a) The Processor shall immediately inform the Controller if, in its opinion, an instruction issued by the Controller violates statutory provisions. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller.

(b) The Processor shall assist the Controller in complying with the obligations referred to in Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to the Processor.

(c) The Processor shall inform the Controller without undue delay of any personal data breach by the Subprocessor and/or the Processor itself.

(5) Place of data processing

The processing of the data shall generally take place in the territory of the Federal Republic of Germany, in a member state of the European Union, in another state party to the Agreement on the European Economic Area or in a third country for which an adequacy decision pursuant to Art. 45 GDPR exists. Relocation to locations other than those mentioned is excluded without a mutual agreement between the controller and the contractor.

(6) Deletion of personal data after completion of the order

After termination of the main contract, the Processor shall either delete or return all personal data processed on behalf of the Controller at the Controller's discretion, provided that the deletion of this data does not conflict with any statutory retention obligations of the Processor. The data protection-compliant deletion must be documented and confirmed to the controller upon request. In the erasure concept, the processor must also record all data that was processed in the course of further commissioned processing.

§ 8 Control Rights of the Controller

(1)

The controller shall be entitled, after timely prior notification during normal business hours and without disrupting the business operations of the processor or jeopardizing the security measures for other controllers and at its own expense, to monitor compliance with the data protection regulations and the contractual agreements itself or through third parties to the extent necessary. The checks can also be carried out by accessing existing industry-standard certifications of the processor, current certificates or reports from an independent body (e.g. auditor, external data protection officer, auditor or external data protection auditor) or self-disclosures. The processor shall offer the necessary support to carry out the checks.

(2)

The Processor shall immediately inform the Controller of the implementation of control measures by the supervisory authority, insofar as the measures or data processing operations that the Processor performs for the Controller may be affected.

§ 9 Subcontracting Relationships

(1)

The Controller authorizes the Processor to make use of other Processors in accordance with the following paragraphs in § 9 of this Agreement. This authorization constitutes a general written authorization within the meaning of Art. 28 para. 2 GDPR.

(2)

The Processor currently works together with the subcontractors named in Annex 2 in the performance of the order, with whose commissioning the Controller agrees. The Processor has authorized other processors to process data on the basis of a legally valid contract or other admissible legal instrument pursuant to Art. 28 (2) GDPR. The aforementioned contract must specify the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the parties. The data processing activities of the other processor are subject to the instructions of the processor, who has established a process for documenting and monitoring all instructions issued.

(3)

The Processor shall require an assurance from the other Processors that all persons involved in the processing are subject to confidentiality or have committed themselves to confidentiality, as well as guarantee and ensure the security of the processing through appropriate technical and organizational measures. Furthermore, the processor shall require the other processors to provide a transparent explanation of which other processors they use and what safeguards and guarantees are in place to ensure the specified level of data protection throughout the entire chain of processors. Before concluding the contract, the processor must check the technical and organizational measures of the additional processor, which contain information on which processing activities carried out on behalf of the processor and on which categories of personal data these measures apply, and ensure that the processor offers sufficient guarantees for the security of the processing through its expertise, reliability and the resources provided. The processor must request evidence of certifications from the other processor.

(4)

The Processor shall ensure that the Sub-Processor fulfills the following criteria or contractually agrees the following obligations with the Sub-Processor:

  • Appointment of a data protection officer,
  • A duty to cooperate in the implementation of the rights of data subjects,
  • An obligation to notify the client in the event of a breach of personal data protection,
  • An obligation to notify the data protection supervisory authority in the event of reportable incidents under the GDPR,
  • Involvement or replacement of downstream processors takes place only after informing the processor,
  • Right of control of the processor,
  • Traceability of the transmitted data (incl. which data of which data subjects was transmitted to the other processor at what time).

(5)

The processor must explain the data transfer to all other processors, such as which data of which data subjects were transferred to which processors at what time. The Processor shall provide information in its privacy policy about the existence of data processing, the purposes of processing, the identity of the Processor and the categories of data transferred. The processor must prove for each order processing that it is not a joint responsibility pursuant to Art. 26 GDPR.

(6)

The Processor shall be entitled to commission additional Processors or replace those already commissioned. The Processor shall inform the Controller in advance of any intended change with regard to the involvement or replacement of an additional Processor. The controller may object to an intended change. The Processor may not enter into contracts with additional Processors that carry out processing of personal data at locations other than those agreed in Section 7 (5) of this Agreement. If the Processor is not established in the Union, the provisions of Art. 27 GDPR must be complied with and the representative designated in writing by the Processor must be established in Germany.

(7)

The objection to the intended change must be raised with the processor within 2 weeks of receipt of the information about the change. In the event of an objection, the Processor may, at its own discretion, provide the service without the intended change or propose an alternative additional Processor and coordinate this with the Controller. If the provision of the service without the intended change is unreasonable for the Processor - for example due to the associated disproportionate expenses for the Processor - or the coordination of an additional Processor fails, the Controller and the Processor may terminate this agreement and the main contract with one month's notice to the end of the month.

(8)

The Processor shall be responsible to the Controller for all acts and omissions of the other Processors engaged by the Processor.

(9)

When using additional Processors that process personal data and whose parent company is located in a location other than the locations agreed in Section 7 (5) of this Agreement, the Processor shall take the following additional technical and organizational measures:

(a) Personal data processed in background systems shall be stored and exchanged in encrypted form and the keys to decrypt the data shall be managed or stored by the Processor in the EU itself. The key management can also be carried out by a trustee if it is located in a country as defined in Section 7 (5) of this Agreement.
(b) The Processor and the Further Processor agree that in the event of requests for disclosure by authorities of a third country, no data shall initially be made available and shall not be disclosed to the parent company of the Further Processor.
(c) The additional processor assures the processor that it will take and exhaust legal action in the event of a request for disclosure.

§ 10 Third-party Providers

(1)

For all third-party provider components used in the digital application, the Processor shall ensure that they do not transfer data to third countries in violation of the provisions of Section 7 (5), Section 9 (6) and Section 9 of this Agreement. Data transfers for the purposes of support or error analysis (e.g. as part of 3rd level support) are also taken into account here.

(a) The Processor can provide up-to-date documentation and/or contracts for the third-party components used for the digital application in accordance with the version of the digital application used, from which all occasions for data transmission and the locations of data processing can be seen or from which it can be seen that no data transmission takes place.

(b) The processor must prove that the processing operations at a third party following such data transfers do not constitute commissioned processing within the meaning of Art. 28 GDPR.

§ 11 Confidentiality

(1)

The processor is obliged to maintain confidentiality when processing data for the controller.

(2)

The Processor undertakes to use only employees or other vicarious agents who are obliged to maintain confidentiality when handling the personal data provided and who have been appropriately familiarized with the requirements of data protection. Upon request, the processor shall provide the controller with evidence that these obligations have been fulfilled.

(3)

If the Controller is subject to other confidentiality rules, it shall inform the Processor of this. The Processor shall obligate its employees to comply with these confidentiality rules in accordance with the Controller's requirements.

§ 12 Technical and organizational measures

(1)

The technical and organizational measures described in Annex 1 are agreed to be appropriate. The Processor may update and amend these measures, provided that the level of protection is not significantly reduced by such updates and/or amendments.

(2)

The Processor shall observe the principles of proper data processing in accordance with Art. 32 in conjunction with Art. 5 para. 1 GDPR. It shall ensure the contractually agreed and legally prescribed data security measures. It shall take all necessary measures to secure the data or the security of the processing, in particular also taking into account the state of the art, as well as to minimize possible adverse consequences for data subjects. The measures to be taken include, in particular, measures to protect the confidentiality, integrity, availability and resilience of the systems and measures to ensure the continuity of processing after incidents. In order to ensure an appropriate level of security of processing at all times, the Processor shall regularly evaluate the measures implemented and make any necessary adjustments.

§ 13 Liability and indemnification

(1)

The Processor shall be liable to the Controller in accordance with the statutory provisions for all damage caused by culpable breaches of this Agreement and of the statutory data protection provisions applicable to it, which the Processor, its employees or those commissioned by it to perform the contract cause in the course of providing the contractual service. The processor shall not be liable for compensation if the processor proves that it processes the data provided to it by the controller exclusively in accordance with the instructions of the controller and has complied with its obligations under the GDPR specifically imposed on processors.

(2)

The Controller shall indemnify the Processor against all third-party claims asserted against the Processor due to a culpable breach of the obligations arising from this Agreement or applicable data protection regulations by the Controller.

§ 14 Miscellaneous

(1)

In the event of contradictions between the provisions of this agreement and the provisions of the main contract, the provisions of this agreement shall take precedence.

(2)

Amendments and supplements to this Agreement shall require the mutual consent of the contracting parties, with specific reference to the provision of this Agreement to be amended. Verbal collateral agreements do not exist and are also excluded for future amendments to this Agreement.

(3)

This agreement is subject to German law.

(4)

If access to the data that the Controller has transmitted to the Processor for data processing is jeopardized by third-party measures (e.g. measures taken by an insolvency administrator, seizure by tax authorities, etc.), the Processor shall notify the Controller of this immediately.

List of Appendices

Annex 1 azuma mimoto Technical and organizational measures (TOMs) for azuma mimoto in accordance with Art. 32 GDPR

Annex 2 azuma subcontracting relationships in accordance with § 9 of the agreement on order processing