This translation is NOT legally binding and a working translation only. Legally binding and relevant, particularly in case of any discrepancies, is solely the German text.
Data Processing Agreement (DPA) (pursuant to Art. 28 GDPR)
- customers hereinafter referred to as "Responsible Party"
- azuma healthtech GmbH hereinafter referred to as "Processor"
Preamble
There is a contractual relationship between the Responsible Party and the Processor within the meaning of Art. 28 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "GDPR").
The Processor undertakes to the Responsible Party to fulfill the main contract and this agreement in accordance with the following provisions:
§ 1 Scope of application and definitions
1. The following provisions apply to all commissioned processing services within the meaning of Art. 28 GDPR that the Processor provides to the Responsible Party on the basis of the main contract.
2. Where the term "data processing" or "processing" of data is used in this agreement, it is generally understood to mean the use of personal data. Data processing or the processing of data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. Please refer to the further definitions in Art. 4 GDPR.
§ 2 Purpose and duration of data processing
1. The Processor processes personal data on behalf of and in accordance with the instructions of the Responsible Party.
2. The subject of the order is the use of the Authorization as a Service Software (azuma mimoto) of azuma healthtech GmbH within the scope agreed with the Processor, in accordance with the user agreements.
3. The duration of this agreement corresponds to the term of the main contract.
§ 3 Nature and purpose of data processing
The nature and purpose of the processing of personal data by the Processor are set out in the main contract. This includes the following activity(ies) and purpose(s):
- Login with the healthID
- Providing the authorization server/relying party
- Token transfer/token exchange
- Integration into the Federated OIDC process specified by gematik
§ 4 Categories of affected persons
The categories of data subjects affected by the handling of personal data under this agreement include
- Data of the end user of the customer
- Digital identity/healthID according to gematik specifications
§ 5 Type of personal data
The following data types are affected by order processing:
- Personal master data (name, date of birth, age, gender)
- Contact data (e-mail address)
- Role-related identification number (health insurance number)
- Organization (identity providing health insurance company)
The scope of the data transferred in the token depends on the BfArM's approvals for the customer.
§ 6 Rights and obligations of the Responsible Party
1. The Responsible Party is solely responsible for assessing the permissibility of the data processing and for safeguarding the rights of the data subjects and is therefore the Responsible Party within the meaning of Art. 4 No. 7 GDPR.
2. The Responsible Party is entitled to issue instructions regarding the type, scope and procedure of data processing. Verbal instructions must be confirmed immediately by the Processor in writing or in text form (e.g. by email) at the request of the Responsible Party.
3. If the Responsible Party deems it necessary, persons authorized to issue instructions may be appointed. The Responsible Party shall inform the Processor of these in writing or in text form. In the event that these authorized persons change at the Responsible Party, the Processor shall be informed of this in writing or in text form, naming the new person in each case.
4. The Responsible Party shall inform the Processor immediately if errors or irregularities are detected in connection with the processing of personal data by the Processor.
§ 7 Obligations of the Processor
1. Data processing
The Processor shall process personal data exclusively in accordance with this agreement and/or the underlying main contract and in accordance with the instructions of the Responsible Party.
2. Rights of data subjects
a) The Processor shall support the Responsible Party in fulfilling the rights of the data subjects, in particular with regard to rectification, restriction of processing and erasure, notification and provision of information, within the scope of its possibilities. If the Processor processes the personal data referred to in § 5 of this Agreement on behalf of the Responsible Party and if this data is the subject of a request for data portability pursuant to Art. 20 GDPR, the Processor shall provide the Responsible Party with the relevant data set within a reasonable period of time, otherwise within seven working days, in a structured, common and machine-readable format.
b) At the instruction of the Responsible Party, the Processor shall rectify, erase or restrict the processing of the personal data referred to in § 5 of this agreement that is processed on behalf of the Responsible Party. The same shall apply if this agreement provides for the rectification, erasure or restriction of the processing of data.
c) If a data subject contacts the Processor directly for the purpose of rectification, erasure or restriction of processing of the personal data referred to in § 5 of this Agreement, the Processor shall forward this request to the Responsible Party immediately upon receipt.
3. Control obligations
a) The Processor shall ensure through appropriate controls that the personal data processed on behalf of the Responsible Party is processed exclusively in accordance with this Agreement and/or the Main Agreement and/or the corresponding instructions.
b) The Processor shall structure its company and its operating procedures in such a way that the data it processes on behalf of the Responsible Party is secured to the extent necessary and protected against unauthorized access by third parties.
c) The Processor confirms that it has appointed a data protection officer in accordance with Art. 37 GDPR and, if applicable, in accordance with § 38 BDSG and monitors compliance with data protection and data security regulations with the involvement of the data protection officer. The data protection officer of the Processor is currently
Name: Dr. Matthias Berger
Email: privacy@azuma.health
4. Information obligations
a) The Processor shall immediately inform the Responsible Party if, in its opinion, an instruction issued by the Responsible Party violates legal regulations. The Processor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Responsible Party.
b) The Processor shall support the Responsible Party in complying with the obligations set out in Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to it.
5. Place of data processing
The processing of the data generally takes place in the territory of the Federal Republic of Germany, in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any transfer to a third country may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.
6. Deletion of personal data after completion of the order
After termination of the main contract, the Processor shall either delete or return all personal data processed on behalf of the Responsible Party at the Responsible Party's discretion, provided that the deletion of this data does not conflict with any statutory retention obligations of the Processor. The data protection-compliant deletion must be documented and confirmed to the Responsible Party upon request.
§ 8 Control rights of the Responsible Party
1. The Responsible Party shall be entitled to check compliance with the provisions on data protection and the contractual agreements to the necessary extent, itself or through third parties, after timely prior notification during normal business hours, without disrupting the business operations of the Processor or jeopardizing the security measures for other Responsible Parties, and at its own expense. The checks can also be carried out by accessing existing industry-standard certifications of the Processor, current certificates or reports from an independent body (e.g. auditor, external data protection officer or external data protection auditor) or self-disclosures. The Processor shall offer the necessary support to carry out the checks.
2. The Processor shall inform the Responsible Party about the implementation of control measures by the supervisory authority, insofar as the measures may concern data processing that the Processor performs for the Responsible Party.
§ 9 Subcontracting relationships
1. The Responsible Party authorizes the Processor to make use of other processors in accordance with the following paragraphs in § 9 of this Agreement. This authorization constitutes a general written consent within the meaning of Art. 28 para. 2 GDPR.
2. The Processor currently works with the subcontractors named in Annex 2 in the performance of the contract, with whose commissioning the Responsible Party agrees.
3. The Processor is entitled to engage additional processors or to replace those already engaged. The Processor shall inform the Responsible Party in advance of any intended change with regard to the involvement or replacement of an additional processor. The Responsible Party may object to an intended change.
4. The objection to the intended change must be raised with the Processor within 2 weeks of receipt of the information about the change. In the event of an objection, the Processor may, at its own discretion, provide the service without the intended change or propose an alternative additional processor and coordinate this with the Responsible Party. If the provision of the service without the intended change is unreasonable for the Processor - for example due to the associated disproportionate expenses for the Processor - or if the coordination of an additional processor fails, the Responsible Party and the Processor may terminate this Agreement and the main contract with one month's notice to the end of the month.
5. If another processor is involved, a level of protection comparable to that of this agreement must always be guaranteed. The Processor shall be responsible to the Responsible Party for all acts and omissions of the other processors engaged by it.
§ 10 Confidentiality
1. The Processor is obliged to maintain confidentiality when processing data for the Responsible Party.
2. The Processor undertakes to use only employees or other vicarious agents who are obliged to maintain confidentiality when handling the personal data provided and who have been appropriately familiarized with the requirements of data protection. Upon request, the Processor shall provide the Responsible Party with evidence that these obligations have been fulfilled.
3. If the Responsible Party is subject to other confidentiality rules, it shall inform the Processor of this. The Processor shall oblige its employees to comply with these confidentiality rules in accordance with the requirements of the Responsible Party.
§ 11 Technical and organizational measures
1. The technical and organizational measures described in Annex 1 are agreed to be appropriate. The Processor may update and amend these measures, provided that the level of protection is not significantly reduced by such updates and/or amendments.
2. The Processor shall observe the principles of proper data processing in accordance with Art. 32 in conjunction with Art. 5 para. 1 GDPR. It shall guarantee the contractually agreed and legally prescribed data security measures. It shall take all necessary measures to secure the data or the security of the processing, in particular also taking into account the state of the art, as well as to minimize possible adverse consequences for data subjects. The measures to be taken include, in particular, measures to protect the confidentiality, integrity, availability and resilience of the systems and measures to ensure the continuity of processing after incidents. In order to ensure an appropriate level of security of processing at all times, the Processor shall regularly evaluate the measures implemented and make any necessary adjustments.
§ 12 Liability/Indemnification
1. The Processor shall be liable to the Responsible Party in accordance with the statutory provisions for all damages caused by culpable breaches of this Agreement and of the statutory data protection provisions applicable to it, which the Processor, its employees or those commissioned by it to perform the contract cause in the provision of the contractual service. The Processor shall not be obliged to provide compensation if the Processor proves that it processes the Responsible Party's data provided to it exclusively in accordance with the Responsible Party's instructions and has complied with its obligations under the GDPR specifically imposed on Processors.
2. The Responsible Party shall indemnify the Processor against all third-party claims asserted against the Processor due to a culpable breach of the obligations arising from this Agreement or applicable data protection regulations by the Responsible Party.
§ 13 Miscellaneous
1. In the event of contradictions between the provisions of this agreement and the provisions of the main contract, the provisions of this agreement shall take precedence.
2. Amendments and additions to this agreement require the mutual consent of the contracting parties with specific reference to the provision of this agreement to be amended. Verbal collateral agreements do not exist and are also excluded for future amendments to this agreement.
3. This agreement is subject to German law.
4. If access to the data that the Responsible Party has transmitted to the Processor for data processing is jeopardized by third-party measures (e.g. measures taken by an insolvency administrator, seizure by tax authorities, etc.), the Processor must notify the Responsible Party of this immediately.