DATA PROCESSING AGREEMENT – GANTUS AB

By creating a Group Account in accordance with TERMS OF SERVICE – ONLINE SERVICE AND COURSES – GANTUS AB (“TOS”), Medical Device HQ (“the Data Processor”) and the Customer (“the Data Controller”) enter into this Data Processing Agreement on the date the Group Account is created.

The Data Processor and the Data Controller are hereinafter referred to jointly as “the Parties” and/or each of them separately as “the Party”.

All capitalized terms shall have the meaning given in the TOS unless the Parties decide otherwise.

WHEREAS:

The Data Controller has created a Group Account that allows them to order specific online courses and/or live virtual classroom sessions (“the Services”) to be performed by the Data Processor in accordance with the description on the Product Page for as long as the Group Account is active. Once the Service is ordered, the Data Controller shall entrust the Data Processor with processing activities concerning the personal data required for that Service within the scope described herein;

The purpose of this Agreement is to establish terms and conditions for processing the personal data by the Data Processor on behalf of the Data Controller;

By entering into this Agreement, the Parties aim to establish terms and conditions for processing the personal data that are fully in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).

Therefore, the Parties agree as follows:

1 REPRESENTATIONS OF THE PARTIES

1.1    The Data Controller hereby acknowledges that it is a data controller in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) (“GDPR”) of the data entrusted to the Data Processor.

1.2    The Data Processor hereby acknowledges that it may process the personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organisation.

1.3    Section 1.2 shall not apply if the Data Processor is required to process the personal data without such instructions by the law provisions in force. In such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

1.4    The Data Controller’s contact person’s name, position, and contact details have been provided to the Data Processor in accordance with the TOS.

1.5    The Data Processor’s contact person’s name, position, and contact details have been provided to the Data Controller in accordance with the TOS.

2 DESCRIPTION OF THE PROCESSING

2.1    The Data Processor may only process the personal data to provide the Services. For clarification, this shall include being able to send out information about course updates to Participants and Group Leaders, verifying course certificates’ authenticity, surveying Participants’ results and opinions on the Services delivered, and recommending future courses.

2.2    The Data Processor may only process the personal data of the following categories of persons: employees, workers, and consultants whose personal data are processed by the Data Controller as data controller.

2.3    The Data Processor may process only the personal data required to perform the Services properly: first name, last name, email, phone number, IP address, signature, title, username, nickname, password, image and any other data resulting from the usage of the Services. The data will be subject to the following processing operations: storage in data retrieval systems, communication, emailing, and statistical processing and reporting.

2.4    The Data Controller hereby acknowledges the personal data entrusted hereunder do not include any special categories of personal data pursuant to section 9 (1) of GDPR or any data relating to criminal convictions and offences pursuant to section 10 of GDPR.

2.5    Subject to section 11.3, the Data Processor will process the personal data until the Group Account is deleted unless otherwise agreed upon in writing.

3 DOCUMENTATION, COMPLIANCE, AND AUDITING RIGHTS

3.1   The Parties shall be able to demonstrate compliance with this Agreement.

3.2   The Data Processor shall deal promptly and adequately with inquiries from the Data Controller about the data processing in accordance with this Agreement.

3.3   The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations that are set out in this Agreement and stem directly from GDPR.

3.4   Should the information provided under section 3.3 be insufficient to confirm the compliance with the obligations that are set out in this Agreement and stem directly from GDPR, at the Data Controller’s request, the Data Processor shall also permit and contribute to audits of the processing activities covered by this Agreement, at reasonable intervals or if there are indications of non-compliance. The audit may be conducted on the condition that a relevant non-disclosure agreement is signed between the Parties and/or an independent auditor indicated in section 3.5. In deciding on a review or an audit, the Data Controller may consider relevant certifications held by the Data Processor.

3.5   The Data Controller may conduct the audit or mandate an independent auditor. Should the information and documents provided during a virtual audit be insufficient, the audits may also include inspections of the premises or physical facilities of the Data Processor. Any audit shall be carried out with a notice of at least 45 (forty-five) calendar days before the audit. The Data Processor may charge a fee (based on the Data Processor’s reasonable costs) for any such audit. The Data Processor will provide the Data Controller with further details of any applicable fee and the basis for its calculations before any such audit. The Data Controller will be responsible for any fee charged by any auditor appointed by the Data Controller to execute such control.

3.6   The Data Processor may object in writing to an auditor appointed by the Data Controller to conduct any such audit if the auditor is, in the Data Processor’s reasonable opinion, not suitably qualified or independent or a competitor of the Data Processor. Any such objection by the Data Processor will require the Data Controller to appoint another auditor or conduct the control on its own.

3.7   The Data Controller shall have the above-stipulated rights also towards the sub-processors indicated in Section 7 hereof if the Data Processor entrusts the sub-processors with the data pursuant to Section 7 hereof.

3.8   The Parties shall make the information referred to in this Section, including the results of any audits, available to the competent supervisory authority/ies on request.

3.9   Given the above-stipulated obligations, the Data Processor shall inform the Data Controller immediately if, in its opinion, an instruction issued by the Data Controller is in breach of GDPR or other legal provisions which relate to personal data protection.

4 TECHNICAL, PHYSICAL, AND ORGANISATIONAL MEASURES

4.1   The Data Processor shall implement appropriate technical, physical and organisational measures which ensure a level of security that takes into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing. This includes protecting the data against a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the data (personal data breach).

4.2   The measures stipulated herein above include inter alia the following:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

4.3   The Data Processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing, and monitoring the Services. The Data Processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality regarding the personal data received. The secrecy of such information also includes information on the measures taken to ensure the safety of entrusted data.

4.4   The Data Processor acknowledges that every person with access to the personal data shall process them only on the Data Processor’s instruction unless otherwise stipulated in the law provisions in force.

5 ASSISTANCE IN PERFORMING THE DATA CONTROLLER’S OBLIGATIONS

5.1   Taking into account the nature of data processing, the Data Processor shall help the Data Controller, by appropriate technical and organisational measures, to meet its obligation to respond to requests from persons whose data are concerned, particularly when it comes to their rights stipulated in Chapter 3 of GDPR.

5.2   Taking into account the nature of data processing and the information available to it, the Data Processor shall help the Data Controller to meet the requirements of Articles 32-34 of Section 2 and Articles 35-36 of Section 3 of Chapter 4 of GDPR, in particular when it comes to implementing appropriate technical and organisational measures and to the Data Controller notifying the personal data breach to the supervisory authority and to the person whose data are concerned. This means providing the Data Controller in due time with all the information that may be needed to address its obligations under GDPR.

6 RECORD OF PROCESSING ACTIVITIES

6.1    The Data Processor shall maintain a record of processing activities performed on behalf of the Data Controller (“Record”).

6.2   That Record shall contain all of the following information:

a) the name and contact details of the Data Processor and the Data Controller and, where applicable, their representative and the data protection officer if they were appointed;

b) a description of the categories of data processing performed on behalf of the Data Controller;

c) a general description of technical and organisational measures taken to ensure the safety of personal data processing;

d) transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of GDPR, the documentation of suitable safeguards.

7 SUB-PROCESSING

7.1   The Data Processor has the Data Controller’s general authorisation for the engagement of sub-processors from an agreed list made available to the Data Controller in accordance with section 7.7.

7.2   The Data Controller shall only allow the Data Processor to engage other processors (“Sub-Processors”) in processing the personal data (“Sub-processing”) and performing the tasks resulting therefrom, provided that:

a) The Data Processor informs the Data Controller in writing, in advance, of any intended changes to the list of Sub-Processors made available to the Data Controller in accordance with section 7.7 through the addition or replacement of Sub-Processors, thereby giving the Data Controller reasonable time to object to such changes before the engagement of the concerned Sub-Processor(s).

b) The Data Controller has the right to object to the intention of Sub-processing or any change concerning the conditions of Sub-processing made by the Data Processor. Upon request, the Data Processor shall provide the Data Controller with the information necessary to enable the Data Controller to exercise the right to object.

c) The scope and purpose of Sub-processing are not wider than the ones resulting herefrom.

d) The subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the Data Controller are in line with the terms and conditions stipulated herein.

e) Sub-processing is necessary to perform the Service.

f) Sub-processing does not infringe any of the Data Controller’s interests.

g) The Sub-processing agreement is concluded in writing, pursuant to legal provisions in force connected with data processing, and all obligations of the Data Processor resulting herefrom are applicable to the Sub-Processor under the Sub-processing agreement.

h) The Sub-Processor meets all the requirements stipulated in the GDPR and concerning the Data Processor directly as defined in the GDPR, in particular the obligation to keep a record of processing activities and implement technical and organisational measures that ensure the safety of data processing, as stipulated in the GDPR.

7.3   The Data Processor shall oblige the Sub-Processor in the Sub-processing agreement to meet the requirements concerning data protection at least on the same level as the one stipulated herein and/or in the GDPR while processing the entrusted data.

7.4   At the Data Controller’s request, the Data Processor shall provide a copy of such a Sub-processing agreement and any subsequent amendments to the Data Controller. To the extent necessary to protect a business secret or other confidential information, including personal data, the Data Processor may redact the text of the agreement before sharing the copy.

7.5   The Data Processor shall remain fully responsible to the Data Controller for performing the Sub-Processor’s obligations in accordance with its contract with the Data Processor. The Data Processor shall notify the Data Controller of any failure by the Sub-Processor to fulfil its contractual obligations.

7.6   The Data Processor shall agree on a third party beneficiary clause with the Sub-Processor whereby – in the event the Data Processor has factually disappeared, ceased to exist in law, or has become insolvent – the Data Controller shall have the right to terminate the Sub-Processor contract and to instruct the Sub-Processor to erase or return the personal data.

7.7   As of the date this Agreement is entered into, the Data Processor shall be allowed to engage processors rendering the following categories of services in performing the tasks resulting herefrom:

  • data storage services
  • customer relationship management system services
  • customer surveying services
  • emailing services
  • certificate issuing services
  • invoicing and accounting services
  • web hosting services
  • learning management system services
  • document sending services
  • printing services

The list of the Sub-Processors currently engaged by the Data Processor is available to the Data Controller upon request.

8 INTERNATIONAL TRANSFERS

8.1   Any transfer of data to a third country or an international organisation by the Data Processor shall be done only on the basis of documented instructions from the Data Controller or to fulfil a specific requirement under Union or Member State law to which the Data Processor is subject, and shall take place in compliance with Chapter V of GDPR.

8.2   The Data Controller agrees that where the Data Processor engages a Sub-Processor in accordance with Section 7 above for carrying out specific processing activities (on behalf of the Data Controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of GDPR, the Data Processor and the Sub-Processor shall ensure compliance with Chapter V of GDPR by using an adequate legal mechanism for international data transfer, e.g., a Commission adequacy decision or standard contractual clauses adopted by the Commission in accordance with Article 46(2) of GDPR, provided the conditions for the use of those standard contractual clauses are met.

9 PERSONAL DATA BREACH

9.1   As soon as the Data Processor becomes aware that a personal data breach has occurred, it should notify the Data Controller of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, so that the Data Controller can comply with its obligations under GDPR and any other applicable data protection legislation.

9.2   The notification referred to in section 9.1 shall at least:

a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

b) communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;

c) describe the likely consequences of the personal data breach;

d) describe the measures taken or proposed by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3   To perform the obligations stipulated hereinabove, the Data Processor shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects, and the remedial action taken.

9.4   Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available, and further information shall subsequently be provided without undue delay as it becomes available.

10 FINAL PROVISIONS

10.1   This Agreement is entered into for a limited period and shall terminate on the day the Group Account is deleted under the TOS.

10.2   All amendments made hereto shall be made in writing; otherwise they shall be null and void.

10.3   Following termination of the Agreement, the Data Processor shall at least anonymise all the entrusted data and all existing copies thereof, unless otherwise stipulated in the legal provisions in force, or, at the choice of the Data Controller, either delete all personal data processed on behalf of the Data Controller and certify to the Data Controller that it has done so, or return all the personal data to the Data Controller and delete existing copies, unless Union or Member State law requires the storage of the personal data. Until the data is deleted or returned, the Data Processor shall continue to ensure compliance with this Agreement. These provisions shall apply respectively to the Sub-Processors.