This Data Processing Agreement (hereinafter: “DPA”) forms an integral part of the Agreement concluded between https://digitalcardiology.net (hereinafter: “Processor”) and the Client (hereinafter: “Controller”) with respect to the use of the Services.
The Client is regarded as the controller within the meaning of Article 4(7) of the EU General Data Protection Regulation (“GDPR”) and https://digitalcardiology.net is regarded as the processor within the meaning of Article 4(8) of the GDPR. Where this DPA uses terms that are defined in the GDPR, such as “data subject” and “personal data”, those terms have the meaning given to them in the GDPR. The Parties wish to set out their rights and obligations in writing by means of this DPA, with due observance of Article 28(3) of the GDPR.
Purposes
1A: Personal data is processed by Processor on behalf of Controller in conformity with the provisions laid down in this DPA.
1B: The processing will be performed within the framework of the Agreement, in order to provide Controller with first-party website analytics (description of visitor traffic and use of the collected data). The personal data that is or will be processed by Processor within the framework of the Agreement, and the categories of data subjects from whom it originates, are listed below.
1C: Processor will process personal data of Controller’s website visitors, including browser type, IP address, cookie ID, and clicking and viewing behavior.
1D: Processor aims to anonymize the data collected from Controller’s website visitors as far as is achievable while still fulfilling the purpose of the Agreement.
Commitments
2A: With regard to the processing referred to in Article 1, Processor shall make best efforts to comply with the GDPR.
2B: At Controller’s first request and within a reasonable period of time, Processor will inform Controller of the measures it has taken with regard to its obligations under this DPA and the GDPR.
2C: Processor’s obligations arising from this DPA also apply to any parties which process personal data under Processor’s authority. Processor ensures that the correct authorizations are in place regarding access to Controller’s personal data.
2D: Upon termination of the Agreement or at the first request of Controller, Processor shall, at Controller’s discretion, either return the personal data (including all copies in its possession) to Controller or demonstrably destroy it. Upon request, Processor shall provide Controller with written confirmation of this.
Personal data exchange
3A: Processor may process the personal data in countries within and outside the European Economic Area, provided that the requirements of Chapter V of the GDPR are met.
3B: Before processing personal data outside the EEA, Processor will notify Controller of the third country or countries to which the personal data will be transferred, unless prohibited by law.
Responsibilities
4A: Processor is responsible for processing personal data under this DPA in accordance with Controller’s instructions and under the express (ultimate) responsibility of Controller. Processor is explicitly not responsible for any other processing of personal data, including but not limited to the collection of personal data by Controller, processing for purposes not notified to Processor by Controller, processing by third parties, and/or processing for other purposes.
4B: Controller warrants that the content, use and instructions for the processing of personal data are not unlawful and do not infringe any rights of third parties. In this context, the Controller indemnifies Processor of all claims of third parties related to the processing of personal data.
Subprocessors
5A: Controller hereby grants Processor permission to involve third parties that process the personal data for Controller on behalf of Processor (from now on: “Subprocessors”) for the processing of personal data, pursuant to this DPA, with due observance of the GDPR.
5B: At the request of Controller, Processor will inform Controller of the Subprocessors it has engaged. Controller has the right to object to any Subprocessor engaged by Processor. If Controller objects to a Subprocessor engaged by Processor, the Parties shall consult each other with a view to finding a solution.
5C: Processor will in any case ensure that the Subprocessors assume in writing the same obligations as agreed between Controller and Processor in this DPA regarding the processing of personal data.
Data security
6A: Processor shall endeavor to take appropriate technical and organizational measures with regard to the processing of personal data to protect it against loss and against any form of unlawful processing (such as unauthorized access, alteration, modification or disclosure of the personal data).
6B: Although Processor is required to adopt appropriate security measures in accordance with the first paragraph, Processor cannot fully guarantee that the security will be effective under all circumstances. In the event of a threatened or actual breach of these security measures, Processor shall take all reasonable steps to limit the loss of personal data as much as possible.
6C: If it appears that a necessary security measure is missing, Processor will ensure that the security is brought to a level that is not unreasonable in view of the state of the art, the sensitivity of the personal data and the costs involved in taking the security measures.
Notification of data breaches
7A: In the event of a data breach (meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, as defined in Article 4(12) GDPR), Processor will inform Controller without undue delay and, where possible, at the latest within 48 hours. On the basis of this notification, Controller will decide whether or not to inform the supervisory authorities and/or the data subjects concerned. Processor shall do its utmost to ensure that the information provided is complete, correct and accurate. Processor’s obligation to report applies regardless of the impact of the breach.
7B: In any case, Processor’s reporting obligation to Controller includes reporting the fact that a breach has occurred, as well as the following, if known to Processor:
the nature of the data breach, specifying the categories of data subjects and categories of personal data concerned;
the date on which the breach occurred (if no exact date is known: the period in which the breach took place);
the (alleged) cause of the breach;
the date and time on which the data breach became known to Processor or to a third party (Subprocessor) engaged by it;
the number of people whose data has been breached (if no exact number is known: the minimum and maximum possible number of people whose data has been breached);
a description of the group of people whose data has been breached, as well as the type or types of personal data that have been breached;
whether the data has been encrypted, hashed or otherwise made incomprehensible or inaccessible to unauthorized persons;
what the planned and/or already taken measures are to close the leak and to limit the consequences of the breach;
contact information for following up on the breach.
7C: Controller will ensure that any (statutory) reporting obligations are met. Where required by law and/or regulations, Processor will cooperate in notifying the relevant authorities and/or the data subjects concerned.
Confidentiality obligation
8A: All personal data that Processor receives from Controller and/or collects itself within the framework of this DPA is subject to a duty of confidentiality toward third parties.
8B: This confidentiality obligation does not apply to the extent that Controller has given explicit permission to provide information to third parties, where the provision of the information to third parties is reasonably necessary in view of the nature of the assignment and the performance of this DPA, or where there is a legal obligation to provide the information to a third party.
Data subject requests
9A: If a data subject wishes to exercise one of his or her legal rights (Articles 15 to 22 GDPR) and directs the request to Processor, Processor will forward the request to Controller, and Controller will handle it further. Processor may inform the data subject concerned that it has done so.
9B: If a data subject submits a request to exercise any of his or her legal rights to Controller, Processor will cooperate so that Controller can meet the request. Processor may charge Controller a reasonable fee for this.