DATA PROCESSING AGREEMENT – GANTUS AB
By creating a Group Account in accordance with TERMS OF SERVICE - ONLINE SERVICE AND COURSES - GANTUS AB (“TOS”), Medical Device HQ (“the Data Processor”) and the Customer (“the Data Controller”) enter into this Data Processing Agreement on the date the Group Account is created.
The Data Processor and the Data Controller are hereinafter referred to jointly as “the Parties” and/or each of them separately as “the Party”.
All capitalized terms shall have the meaning given to them in the TOS unless the Parties decide otherwise.
The Data Controller has created a Group Account which allows them to order specific online courses and/or live virtual classroom sessions (“the Services”) to be performed by the Data Processor in accordance with the description on the Product Page for as long as the Group Account is active. Once the Service is ordered the Data Controller shall entrust the Data Processor with processing activities concerning the personal data required for that Service within the scope described herein;
The purpose of this Agreement is to establish terms and conditions for processing the personal data by the Data Processor on behalf of the Data Controller;
By entering into this Agreement the Parties aim to establish such terms and conditions for processing the personal data as are fully in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
Therefore, the Parties agree as follows:
1 REPRESENTATIONS OF THE PARTIES
1.1 The Data Controller hereby acknowledges that it is a data controller, in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) (“GDPR”), of the data entrusted to the Data Processor.
1.2 The Data Processor hereby acknowledges that it may process the personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organization.
Section 1.2 shall not apply if the Data Processor is required to process the personal data by the law provisions in force. In such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2 PURPOSE AND TYPES OF PERSONAL DATA
2.1 The Data Processor may only process the personal data in order to provide the Services. For clarification, this shall include sending out information about course updates to Participants and Group Leaders, verifying the authenticity of course certificates, surveying Participants’ results and opinions on the Services delivered, and recommending future courses.
2.2 The Data Processor may only process the personal data of the following categories of persons: employees, workers and consultants whose personal data are processed by the Data Controller as a data controller.
2.3 The Data Processor may process only the following data: first name, last name, e-mail address, name of the employer and position. The data will be subject to the following processing operations: storage in data retrieval systems, communication, emailing, and statistical processing and reporting.
2.4 The Data Controller hereby acknowledges that the personal data entrusted hereunder do not include any special categories of personal data pursuant to section 9 (1) of GDPR or any data relating to criminal convictions and offences pursuant to section 10 of GDPR.
3 AUDITING RIGHTS
3.1 The Data Controller shall have the right to control the way this Agreement is performed by the Data Processor. The control may be performed on condition that the Data Processor is informed thereof at least 21 days prior to the control. The Data Processor may charge a fee (based on the Data Processor’s reasonable costs) for any such control. The Data Processor will provide the Data Controller with further details of any applicable fee and the basis for its calculations in advance of any such control. The Data Controller will be responsible for any fee charged by any auditor appointed by the Data Controller to execute such control.
3.2 The Data Processor may object in writing to an auditor appointed by the Data Controller to conduct any such audit if the auditor is, in the Data Processor’s reasonable opinion, not suitably qualified or independent, or a competitor of the Data Processor. Any such objection by the Data Processor will require the Data Controller to appoint another auditor or conduct the control on its own.
3.3 The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this Agreement.
3.4 The Data Controller shall have the above-stipulated rights also towards the Subcontractors indicated in § 7 hereof, if the Data Processor entrusts the Subcontractors with the data pursuant to § 7 hereof.
3.5 Given the above-stipulated obligations, the Data Processor shall inform the Data Controller immediately if, in its opinion, an instruction issued by the Data Controller is in breach of GDPR or other legal provisions relating to personal data protection.
4 TECHNICAL AND ORGANIZATIONAL MEASURES
4.1 The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing.
4.2 The measures stipulated hereinabove include inter alia the following:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
5 ASSISTANCE IN PERFORMING DATA CONTROLLER’S OBLIGATIONS
5.1 Taking into account the nature of the data processing, the Data Processor shall assist the Data Controller, by appropriate technical and organizational measures, in meeting its obligation to respond to requests from persons whose data are concerned, particularly when it comes to their rights stipulated in Section 3 of GDPR.
5.2 Taking into account the nature of the data processing and the information available to it, the Data Processor shall assist the Data Controller in meeting the requirements of Articles 32-34 of Section 2 and Articles 35-36 of Section 3 of Chapter 4 of GDPR, in particular when it comes to implementing appropriate technical and organizational measures and to the notification by the Data Controller of a personal data breach to the supervisory authority and to the persons whose data are concerned. This means providing the Data Controller, in due time, with all the information it may need to address its obligations under GDPR.
6 RECORD OF PROCESSING ACTIVITIES
6.1 The Data Processor shall maintain a record of processing activities performed on behalf of the Data Controller (“Record”).
6.2 That Record shall contain all of the following information:
a) the name and contact details of the Data Processor and the Data Controller and, where applicable, their representative and the data protection officer, if one has been appointed;
b) a description of the categories of data processing performed on behalf of the Data Controller;
c) a general description of the technical and organizational measures taken to ensure the security of personal data processing;
d) transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of GDPR, the documentation of suitable safeguards.
7.1 The Data Controller shall allow the Data Processor to engage other processors (“Subcontractors”) in processing the personal data (“Sub-processing”) and performing the tasks resulting herefrom, provided that:
a) The Data Processor informs the Data Controller in advance about its intention of Sub-processing, subject to section 7.3.
b) The Data Controller has the right to object to the intention of Sub-processing or to any change concerning the conditions of Sub-processing made by the Data Processor.
c) The scope and purpose of Sub-processing are not wider than the ones resulting herefrom.
d) The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the Data Controller are in line with the terms and conditions stipulated herein.
e) Sub-processing is necessary to perform the Service.
f) Sub-processing does not infringe any of the Data Controller’s interests.
g) The Sub-processing agreement is concluded in writing, pursuant to the legal provisions in force concerning data processing, and all obligations of the Data Processor resulting herefrom are applicable to the Subcontractor under the Sub-processing agreement.
h) The Subcontractor meets all requirements that the GDPR imposes directly on a data processor as defined in the GDPR, in particular the obligation to keep a record of processing activities and to implement technical and organizational measures that ensure the security of data processing, as stipulated in the GDPR.
7.2 The Data Processor shall oblige the Subcontractor in the Sub-processing agreement to meet requirements concerning data protection at least at the same level as stipulated herein and/or in the GDPR while processing the entrusted data.
7.3 As of the date this Agreement is entered into, the Data Processor shall be allowed to engage, in performing the tasks resulting herefrom, processors rendering the following categories of services:
- data storage services
- customer relationship management system services
- customer surveying services
- emailing services
- certificate issuing services
- invoicing and accounting services
- web hosting services
- learning management system services
- document sending services
- printing services.
8 PROCESSING OF PERSONAL DATA
8.1 The Data Processor acknowledges that it and every person who will process the data entrusted by the Data Controller shall be obliged to keep such data confidential. This confidentiality obligation also covers information on the measures taken to ensure the security of the entrusted data.
8.2 The Data Processor acknowledges that every person with access to the personal data shall process them only on the Data Processor’s instruction unless otherwise stipulated in the law provisions in force.
8.3 The Data Processor shall immediately after termination or expiration of this Agreement at least anonymize all the entrusted data and all existing copies thereof unless otherwise stipulated in the legal provisions in force.
8.4 The Data Processor shall process the data on behalf of the Data Controller until the obligation to remove the data stipulated hereinabove is met. The provisions shall be applicable respectively to the Subcontractors.
9 PERSONAL DATA BREACH
9.1 As soon as the Data Processor becomes aware that a personal data breach has occurred, it should notify the personal data breach to the Data Controller without undue delay and, where feasible, not later than 72 hours after having become aware of it.
9.2 The notification referred to above shall at least:
a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.3 In order to perform the obligations stipulated hereinabove, the Data Processor shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
10 FINAL PROVISIONS
10.1 This Agreement is entered into for a limited period of time and shall terminate on the day the Group Account is deleted under the TOS.
10.2 All amendments hereto shall be made in writing; otherwise they shall be null and void.