SA OSIMIS, with its statutory seat at rue du Bois Saint-Jean 15/1, 4102 Seraing (Belgium) registered with the Crossroads Bank of Enterprises under number 0637.982.658 (the “Processor”)
The entity referred to as “client” in the Purchase Order (as defined below) (the “Controller”)
The Processor and the Controller being referred each individually as “party” and together as “parties”
Whereas the parties have entered into an agreement whereby the Processor provides certain services to the Controller that involve the processing by the Processor of certain personal data (the “Agreement”)
THE PARTIES HAVE AGREED AS FOLLOWS:
- The following terms shall have the following meanings in this Data Processing Addendum:
- “Applicable Data Protection Law” means the applicable data protection laws and regulations including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”) and the Belgian Act of 30 July 2018 concerning the protection of privacy with regard to the processing of personal data;
- “Data Concerning Health” means Personal Data related to the physical or mental health of a natural person, including data concerning the provision of health care services, which reveal information about his or her health status, including a patient number, medical services, blood levels, etc.;
- “Data Processing Addendum” means the present data processing addendum including its annexes;
- “Data Subject(s)” means the identifiable or identified natural person(s) whose Personal Data are processed in the context of the Agreement;
- “Personal Data” means any information which the Processor processes on behalf of the Controller in a capacity of processor under Applicable Data Protection Law (excluding any personal data that the Processor may be processing in a capacity of controller under Applicable Data Protection Law) within the context of the Agreement and which can identify a Data Subject or make a Data Subject identifiable;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data;
- “Purchase Order” means the purchase order signed by the Controller for the provision of software and/or services by the Processor;
- “Third Country” has the meaning given to that term in article 8.1.
- The Processor shall process the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a Third Country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- The Controller ensures that any disclosure of Personal Data to the Processor is Personal Data that has been collected lawfully, e.g. processed under an adequate legal basis and in respect of the required transparency obligations pursuant to Applicable Data Protection Law. The Controller shall indemnify the Processor against all losses, expenses and liabilities incurred by the Processor arising directly or indirectly from the Controller’s breach of this obligation.
- The subject, duration, nature and purpose of the processing, as well as the categories of Personal Data and the categories of Data Subjects, are listed in Annex 1. The Controller shall inform the Processor of any change in one of the elements listed in Annex 1, which will result in an amendment to Annex 1, as mutually agreed by the parties.
- The parties will, each in their respective capacity, process the Personal Data in accordance with Applicable Data Protection Law.
- The Controller grants a general written authorisation for the Processor to engage processors for carrying out specific processing activities on behalf of the Controller (the “sub-processors”). The Processor ensures that it will impose no less onerous data protection obligations on its sub-processors than those set out in this Data Processing Addendum. The sub-processors engaged by the Processor are listed in Annex 2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the reasonable opportunity to object to such changes. If the Controller does not object to such changes within a reasonable period of time and at the latest within fifteen (15) calendar days after having been made aware of the intention of the Processor, the Controller will be deemed to have accepted such addition or replacement of sub-processors.
- The Processor ensures that the Personal Data will be disclosed to only those persons that must access such Personal Data (access on a need-to-know basis) and that the persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Obligations to assist
- The Processor shall reasonably assist the Controller in ensuring compliance with its legal obligations under Applicable Data Protection Law.
- Upon the Controller’s request, the Processor shall, at the Controller’s costs, contribute to audits and inspections of its processing of the Personal Data. The Controller may itself carry out these audits and inspections or mandate a third party thereto. If the Controller mandates a third party, such third party shall not be a direct competitor of the Processor and such third party shall agree to be bound by confidentiality obligations that are no less onerous than those set out in this Data Processing Addendum.
- The Processor shall as soon as practicable transfer to the Controller any Data Subject’s request or question in connection with the (processing of) Personal Data. On the written request of the Controller, the Processor shall assist and support the Controller in responding to such Data Subject’s requests insofar as reasonably possible for the Processor.
- If the Controller is of the opinion that a data protection impact assessment must be conducted, the Processor shall assist the Controller, upon its written request and at the Controller’s costs, in the carrying out of the data protection impact assessment.
Personal Data Breach
- If a Personal Data Breach occurs or has occurred, the Processor shall, without undue delay after becoming aware of it, notify the Controller in writing of the Personal Data Breach.
- The Processor shall provide the Controller with the following information regarding the Personal Data Breach:
- The nature of the Personal Data Breach;
- Where possible the categories of Data Subject(s) affected;
- The estimated number of Data Subject(s) affected;
- The categories of Personal Data affected;
- The estimated number of Personal Data affected;
- The name and contact details of the data protection officer if the Processor has designated one or another contact point where more information on the Personal Data Breach can be obtained;
- A description of the likely consequences for the Data Subjects;
- A description of the measures taken to address the Personal Data Breach, including, where appropriate, the measures to mitigate its possible adverse effects.
- The Processor shall assist the Controller as much as reasonably possible when reporting a Personal Data Breach to the supervisory authority/ies and/or the Data Subject(s) affected.
Organisational and technical security measures
- The Processor undertakes to implement appropriate technical and organisational measures to ensure a level of security that is appropriate to the risks.
- The Processor shall take into account (i) the information provided by the Controller regarding the processing activities conducted on behalf of the Controller when determining the appropriate technical and organisational security measures; (ii) the state of the art; (iii) the implementation costs related to these measures; (iv) the nature, scope, context and purposes of the processing; (v) the risks involved for the Data Subjects’ rights and freedoms, in particular in case of a Personal Data Breach; and (vi) the probability that the processing shall have an impact on the rights and freedoms of the Data Subjects. The Controller shall provide as much information as possible to enable the Processor to determine the necessary technical and organisational security measures to implement.
- The Processor acts under the responsibility of the Controller for the processing of the Personal Data.
- The total liability of the Processor shall, in any case, not exceed the total amount of fees paid by the Controller to the Processor.
Transfers of Personal Data
- The Processor shall not transfer Personal Data to a country located outside of the European Economic Area (each a “Third Country”) unless the Controller has given its prior written consent to the transfer and/or (i) the transfer falls within the scope of an EU Commission adequacy decision in respect of that Third Country pursuant to Applicable Data Protection Law; (ii) the transfer falls within the scope of the EU-US Privacy Shield program; (iii) the recipient has entered into a contract with the Controller that contains model clauses that have been approved by the EU Commission or another competent public authority in accordance with Applicable Data Protection Law; or (iv) alternative appropriate safeguards have been provided pursuant to Applicable Data Protection Law.
Duration and termination
- The Data Processing Addendum shall enter into force on the date of the Agreement and automatically terminate on the date of the end of the Agreement.
- Within thirty (30) calendar days after expiration or termination of this Data Processing Addendum, the Processor will, at the written request of the Controller and at the option of the Controller, (i) return to the Controller in a then commonly used electronic format all Personal Data that, as of the termination date or expiration date, are in the possession of the Processor; and/or (ii) destroy (any copies of) the Personal Data that, as of the termination date or expiration date, are in the possession of the Processor.
Annex 1 - Overview of the processing operations
Subject matter of the processing
Processing of Personal Data in the context of the provision of software and/or services related to such software (as set out in the Purchase Order)
Duration of the processing
Validity of the Agreement
Nature and purposes of the processing
Provide the software and/or the services set out in the Purchase Order, in particular:
- Provide support and maintenance services (if applicable);
- Provide hosting services for the Personal Data (if applicable)
Categories of Personal Data
The Processor may process the following Personal Data:
- Personally identifiable data (names, dates of birth, etc.);
- Data Concerning Health (medical images, diagnostic reports, patient relevant clinical data)
Categories of Data Subjects
Patients of the Controller
Annex 2 – Sub-processors
Microsoft Corporation, One Microsoft Way, Redmond WA, USA 98052 (Azure cloud infrastructure services)
Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105 (messaging services)
Mailgun Technologies, Inc., 548 Market St. #43099, San Francisco, CA 94104 (messaging services)