Data Processing Agreement
a) Healthlink Europe B.V., established in 's-Hertogenbosch, The Netherlands, hereinafter referred to as “Processor” and
b) [Controller], hereinafter referred to as “Controller”, each also collectively referred to as “Parties” and separately as “Party”.
Agree as follows:
The Parties entered into a [Please fill in the current agreement] Agreement (“the Agreement”) which requires that the Processor accesses and Processes Personal Data. This agreement (“the Data Processing Agreement”) specifies the obligations of the Parties when Processing Personal Data.
Where the Parties conclude agreements in the future which require that Processor accesses and Processes Personal Data, the Parties may refer to this Data Processing Agreement by concluding an “Individual Agreement on Data Processing” which is attached as another Appendix.
In this Data Processing Agreement, the following terms shall have the following meanings:
“Data Protection Laws” shall mean the data protection laws of the country in which Controller is established (including the GDPR) and any data protection laws applicable to Controller in connection with the Service Agreement.
“GDPR” shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” shall mean any information relating to an identified or identifiable natural person as defined in the GDPR that is Processed by Processor as part of providing the services to Controller.
“Standard Contractual Clauses” mean the standard contractual clauses for the transfer of Personal Data from a Data Controller in the European Economic Area to Processors established in third countries in the form set out in the Annex of European Commission Decision 2010/87/EU, as amended by incorporating the description of the Personal Data to be transferred and the technical and organisational measures to be implemented as set out in the Appendix.
“Controller“, “Data Subject“, “Personal Data Breach“, “Processor” and “Process” shall have the meaning given to them in the GDPR.
“Subcontractors” shall mean any subcontractor engaged by Processor that fulfils obligations and exercises rights under this Data Processing Agreement.
Scope of contract and Distribution of Responsibilities
1.1 The Parties agree that, for Processing Personal Data, the Parties shall be Controller and Processor as defined in the GDPR.
1.2 Processor shall Process Personal Data only on behalf of Controller and at all times only in accordance with this Data Processing Agreement.
1.3 Within the scope of the Service Agreement, each Party shall be responsible for complying with its respective obligations as Controller and Processor under Data Protection Laws.
1.4 The Processor shall refrain from making use of the personal data for any purpose other than as specified by the Controller. The Controller will inform the Processor of any such purposes which are not contemplated in this Data Processing Agreement.
1.5 All personal data processed on behalf of the Controller shall remain the property of the Controller and/or the relevant Data subjects.
1.6 Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party.
2.1 The Processor shall warrant compliance with the applicable laws and regulations, including laws and regulations governing the protection of personal data, such as the GDPR.
2.2 The Processor shall furnish the Controller promptly on request with details regarding the measures it has adopted to comply with its obligations under this Data Processing Agreement and the GDPR.
2.3 The Processor’s obligations arising under the terms of this Data Processing Agreement apply also to anyone who processes personal data under the Processor’s instructions. Processor will restrict its personnel from Processing Personal Data without authorization.
2.4 Processor will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security. Processor shall ensure that any personnel who have access to Personal Data have undergone appropriate training to ensure that they understand their data protection responsibilities with respect to Personal Data that they Process.
Disclosure to Third Parties
3.1 Processor will not disclose Personal Data to any third party (including any government agency, court, or law enforcement) except with written consent from Controller or as necessary to comply with applicable mandatory laws. If Processor is obliged to disclose Personal Data to a law enforcement agency or third party, Processor agrees to give Controller reasonable notice of the access request prior to granting such access, to allow Controller to seek a protective order or other appropriate remedy. If such notice is legally prohibited, Processor will take reasonable measures to protect the Personal Data from undue disclosure and shall inform Controller promptly as soon as possible if and when such legal prohibition ceases to apply.
3.2 In case Controller receives any request or communication from Data Subjects which relates to the processing of Personal Data (“Request“), Processor shall provide the Controller with cooperation, information and assistance (“Assistance“) in relation to any such Request where requested by Controller.
3.3 Where Processor receives a Request, Processor shall (i) not directly respond to such Request, (ii) notify the Controller and (iii) provide Assistance according to further instructions from Controller unless those instructions are contrary to the applicable laws.
Technical and Organizational Measures
4.1 The Processor will endeavor to take adequate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized access, disclosure, deterioration or alteration of personal data) in connection with the performance of processing personal data under this Data Processing Agreement.
4.2 The Processor does not guarantee that the security measures are effective under all circumstances. The Processor will endeavor to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs related to the security measures.
4.3 Processor shall assess and evaluate the effectiveness of technical and organizational measures on an ongoing basis. Processor shall continuously enhance and improve the measures where reasonably required.
Assistance with Data Protection Impact Assessment
5 Where a Data Protection Impact Assessment (“DPIA“) is required under Data Protection Laws for the Processing of Personal Data, Processor shall provide upon request to Controller any information and assistance reasonably required for the DPIA and assistance for any communication with data protection authorities, where required, unless the requested information or assistance does not pertain to Processor’s obligations under this Data Processing Agreement.
6.1 Processor makes available to Controller upon Controller’s request all information reasonably required to demonstrate compliance with the obligations laid down in this Data Processing Agreement.
6.2 Processor shall, upon reasonable notice given no later than two weeks before the audit, allow for and contribute to on-site inspections of the Processor’s Processing of Personal Data, as well as of the technical and organizational measures (including data processing systems, policies, procedures and records), during regular business hours and without interrupting Processor’s business operations. Such on-site inspections are conducted by the Controller, its affiliates or an independent third party on Controller’s behalf (which will not be a competitor of the Processor) that is subject to reasonable confidentiality obligations.
6.3 The audit may only be undertaken when there are specific grounds for suspecting the misuse of personal data, and no earlier than two weeks after the Controller has provided written notice to the Processor.
6.4 The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.
6.5 The costs of the audit will be borne by the Controller.
6.6 The Processor has appointed Ms. Debbie Kamsteeg, QA Department, +31-(0)73-3030500, firstname.lastname@example.org, as Data Protection Officer, who performs his/her duties in compliance with articles 38 and 39 GDPR. The Controller shall be informed immediately of any change of Data Protection Officer.
Duty to report
In respect of any Personal Data Breach (actual or reasonably suspected), Processor shall:
7.1 notify Controller of a Personal Data Breach involving Processor or a subcontractor without undue delay (but in no event later than 36 hours after becoming aware of the Personal Data Breach);
7.2 provide reasonable information, cooperation and assistance to Controller in relation to any action to be taken in response to a Personal Data Breach under Data Protection Laws, including regarding any communication of the Personal Data Breach to Data Subjects and national data protection authorities.
8.1 The Processor is authorised within the framework of the Agreement to engage third parties as Subcontractors, without the prior approval of the Controller being required. Upon request of the Controller, the Processor shall inform the Controller about the third party/parties engaged. Processor shall regularly check and document that the Subcontractor is fulfilling its obligations.
8.2 The Processor shall in any event ensure that such third parties will be obliged to agree in writing to the same duties that are agreed between the Controller and the Processor.
8.3 Where the Subcontractor fails to fulfil its data protection obligations under any subcontracting agreement, Processor shall remain fully liable to Controller for the fulfilment of its obligations under this Data Processing Agreement and for the performance of the Subcontractor’s obligations.
International Data Transfers
9.1 The Processor may process the personal data in countries outside the European Union insofar as needed for the provision of the services. In addition, the Processor may also transfer the personal data to a country outside the European Union provided that such country guarantees an adequate level of protection and the Processor satisfies the other obligations applicable to it pursuant to this Data Processing Agreement and the GDPR.
9.2 Upon request, the Processor shall notify the Controller as to which country or countries the personal data will be processed in.
Term and Termination
10.1 This Data Processing Agreement becomes effective upon signature. It shall continue to be in full force and effect as long as Processor is Processing Personal Data and shall cease automatically thereafter or after termination of the Agreement, whichever comes sooner.
10.2 Where amendments are required to ensure compliance of this Data Processing Agreement with Data Protection Laws, the Parties shall agree on such amendments upon request of Controller and, for the avoidance of doubt, with no additional costs to Controller.
10.3 Processor shall without undue delay, at the written request of the Controller, securely delete or return all the Personal Data to the Controller in hardcopy or electronic form after the end of the provision of the relevant services related to the processing, and securely delete existing copies (unless storage of any data is required by applicable law, in which case Processor shall inform the Controller of any such requirement prior to processing).
Liability and Indemnity
11.1 The liability of the Parties shall be subject to liability provisions applying to the Agreement.
11.2 Where Controller receives a compensation claim from a Data Subject or is (potentially) subject to a fine issued by a national data protection authority relating to Processing of Personal Data, Processor shall provide such cooperation and assistance to the Controller as the Controller requires in relation to any such action, and the terms of any settlement or compromise shall be the Controller’s decision. All costs related to such cooperation and assistance shall be borne by the Controller, except to the extent that the compensation claim or (potential) fine is issued because of a breach of this Data Processing Agreement by the Processor.
12.1 In the case of any inconsistency between the documents and the appendices thereto, the following order of priority will apply:
- the Agreement;
- this Data Processing Agreement;
- additional conditions such as the FENEX conditions, where applicable.
12.2 Where this Data Processing Agreement requires a “written notice”, such notice can also be communicated by email to the other Party. Notices shall be sent to the Data Protection Officer.
12.3 Logs and measurements taken by the Processor shall be deemed to be authentic, unless the Controller supplies convincing proof to the contrary.
12.4 Any supplementary agreements or amendments to this Data Processing Agreement must be made in writing and signed by both Parties.
12.5 Should individual provisions of this Data Processing Agreement become void, invalid or unenforceable, this shall not affect the validity of the remaining provisions of this Data Processing Agreement.
12.6 This Data Processing Agreement shall be governed by Dutch law. The sole place of jurisdiction shall be Breda, the Netherlands.