This Data Processing Agreement (DPA) forms part of the “Main Agreement” (including the agreements entitled “RetinAI End User License Agreement (EULA)” dated as of 01.09.2020 and the agreed Service Agreement), as amended or updated from time to time.
The Parties: ______COMPANY-NAME_________
– hereinafter referred to as the Controller –
and RetinAI MEDICAL AG, 3 FREIBURGSTRASSE, 3010 BERN, SWITZERLAND
– hereinafter referred to as the Processor –
hereby agree the following:
This Data Processing Agreement details the obligations of the parties related to the protection of data resulting from the scope of the processing of personal data on behalf of the Controller as defined in detail in the Main Agreement. It shall apply to all activities within the scope of and related to the Main Agreement, and in whose context the Processor's employees or a third party acting on behalf of the Processor may come into contact with personal data of the Controller.
The terms, ‘personal data’ (or ‘data’), ‘processing’, ‘supervisory authority’, ‘data subject’, ‘member state’ and ‘transfer’ shall have the same meaning as in Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “the GDPR”), and their cognate terms shall be construed accordingly.
3. Subject matter, Duration, and Specification of the Data Processing
The subject matter and duration of this Data Processing Agreement shall be as defined in the Main Agreement. Except where this Data Processing Agreement expressly stipulates any surviving obligation, the term of this Data Processing Agreement shall follow the term of the Main Agreement.
Data processing shall include the following data:
a) Type of personal data
- User Data: Name, group, email, password, Phone → End Users
- Patient Data: Identity (name, age, gender, may also be coded or de-identified), visit dates, images, AI results, demographics.
- Application logs: File status, Access Logs, Error reports
b) Type and purpose of data processing:
The type and purpose of processing is for performance of the RetinAI Services (medical image and data management to organize and structure the information generated routinely in a clinic or during a clinical study and for research) as defined in the Main Agreement.
c) Categories of data subjects:
The categories of data subjects comprise:
- employees including contingent workers, consultants, contractors
- patients, including prospects institutional client and/or counter-party representatives
- authorized signatories
- professional advisers, agents, experts
- third party vendors
The processing of personal data shall be carried out exclusively with an adequate data protection level, meaning either in a member state of the EU or EEA or an adequate country, or with additional safeguards and technical and organizational measures. Each and every transfer of data to a country which is not a member state of either the EU or EEA or regarded as an adequate country, requires the prior consent of the Controller and shall only occur if the specific conditions of Article 44 et seq. GDPR have been fulfilled. If the Processor contracts such a transfer with the current EU Standard Contractual Clauses (EU Model Clauses), there shall be no separate prior consent required.
4. Scope of Application and Responsibility
(a) Processor shall process personal data on behalf of Controller. The foregoing shall include the activities enumerated and detailed in the Main Agreement and its scope of the RetinAI services (including public cloud services). Within the scope of the Main Agreement, Controller shall be solely responsible for complying with the GDPR and/or other EU or applicable individual member state data protection provisions, hereinafter referred to as “regulations on data protection”, including but not limited to the lawfulness of the transmission to the Processor and the lawfulness of processing personal data (Controller shall be the “responsible body” as defined in Article 4(7) of the GDPR).
(b) The instructions shall initially be specified in the Main Agreement and may, from time to time thereafter, be amended, amplified, or replaced (individual instructions) as specified by Controller by individual instructions in writing or in electronic form (text form). Instructions that are not provided for in the Main Agreement shall be handled as a change request. Verbal instructions must be immediately confirmed in writing or in text form.
5. Rights and Obligations of Processor
(a) Processor shall collect, process, and use data related to data subjects only within the scope of the Main Agreement and the processing instructions issued by Controller, except if it is an exceptional case within the meaning of Article 28(3) of the GDPR. Processor shall immediately notify the Controller if it thinks that an instruction violates applicable laws. Processor may suspend implementation of the instruction until it is confirmed or amended by Controller.
(b) Within Processor’s area of responsibility, Processor shall structure its internal organization so it complies with the specific requirements of the protection of personal data. Processor shall implement and maintain technical and organizational measures to adequately protect Controller’s data against misuse and loss in accordance with the requirements of the GDPR (in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR). Processor shall implement technical and organizational measures to ensure the confidentiality, integrity, availability, and resilience of the systems and services in the long term with respect to the processing of personal data as described in Appendix 1 of this Data Processing Agreement (Technical and Organizational Measures). Controller is aware of these technical and organizational measures and shall ensure that they offer an adequate level of protection for the risks of the data to be processed. Processor reserves the right to change the security measures, although it must ensure that they do not fall below the contractually agreed level of protection.
(c) Processor shall assist Controller within the scope of its abilities in addressing the inquiries and rights of data subjects (right to access, rectification, erasure and to object, right to restriction of processing, right to portability, right to not be subject to an automated individual decision) in accordance with Chapter III of the GDPR, as well as in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor. For this purpose, the parties may agree on an arrangement regarding compensation in the Main Agreement.
(d) Processor shall ensure that any personnel entrusted with processing Controller’s personal data and other persons working for Processor are prohibited from processing the data other than as instructed. Furthermore, Processor shall ensure that any personnel entrusted with processing Controller's personal data have agreed to maintain data secrecy or are subject to a statutory obligation to maintain confidentiality. The obligation to maintain data secrecy/confidentiality shall continue even after termination of the activities.
(e) Processor shall, without undue delay, inform Controller of any material breach of the regulations on data protection for the protection of Controller's personal data. If Processor is of the opinion, that the data processing or any part thereof is not compliant or the Controller has not mitigated the issue within thirty (30) days of Processor’s notice, Processor shall be entitled to terminate the Agreement with immediate effect. Processor shall implement the measures necessary to secure the data and to mitigate potential adverse effects on the data subjects and shall consult with the Controller about it without delay.
(f) Processor shall provide Controller with a point of contact for all issues related to data protection and data processing within the scope of the Main Agreement.
(g) Processor warrants that it will regularly review the effectiveness of the technical and organizational measures to adequately ensure the security of the data processing (Article 32(1)(d) of the GDPR).
(h) Processor may at any time, or when Controller instructs it to do so, rectify or erase data in scope of the Main Agreement. The agreed data processing activities do not contain any storage or archiving obligation of any personal data of the Controller. If a specific deletion upon request that is compliant with regulations on data protection or restriction of data processing is not reasonably or technically possible, Processor shall either delete the whole account or agree a special restriction or other measure with the Controller, unless stipulated differently in the Main Agreement. Processor is entitled to regularly delete data in the cloud services for data minimization purposes as stipulated in the Main Agreement.
(i) Upon Controller's reasonable instructions, Processor shall provide to Controller or delete any data, storage media, and other related materials after the termination or expiration of the Main Agreement. Notwithstanding the foregoing, the Parties agree that, to the extent that electronic records containing confidential information is retained as data or records for the purposes of backup, recovery, contingency planning or are otherwise not accessible in the ordinary course of business, the Parties shall continue to comply with the terms of this Agreement, but shall not be required to access such data or records separately in order to delete them at the end of the Main Agreement to be compliant with its obligations hereunder.
(j) In the event that a data subject asserts a claim against the Controller pursuant to Article 82 of the GDPR, Processor agrees to use reasonable efforts to assist Controller in the defence of the claim. For this purpose, the parties may agree on an arrangement regarding compensation in the Main Agreement.
6. Rights and Obligations of Controller
(a) This Data Processing Agreement does not in any way oblige the Controller to transfer any personal data to the Processor. If Controller requests any data processing by the Processor, Controller shall ensure that it is entitled to process that personal data lawfully and that the scope of the data processing does not exceed the the purpose it was collected for. For any data transferred to the Processor, including the data the Controller uploads into the cloud services, Controller warrants that it is authorized to collect, process and transfer such personal data and that - where necessary - adequate consent has been obtained by Controller from the relevant data subjects.
(b) Controller shall, without delay and in a comprehensive fashion, inform Processor of any defect Controller may detect in Processor’s work results and of any irregularity in the implementation of regulations on data protection.
(c) Controller shall ensure compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
(d) In the event that a data subject asserts a claim against the Processor pursuant to Article 82 of the GDPR, Controller agrees to assist Processor in the defense of the claim.
(e) Controller shall keep its own back-up and storage of any data uploaded into the cloud services according to the Main Agreement.
(f) Controller shall give Processor the name of the contact person responsible for data protection issues that may arise as part of the Main Agreement.
7. Inquiries by Data Subjects
If a data subject requests that Processor rectify, access, erase, restrict or transmit data, Processor shall refer the data subject to Controller, provided that allocation to Controller is possible based on the data subject's information. Processor shall forward the data subject's request to Controller without undue delay. Processor shall assist Controller within the scope of its abilities as instructed, insofar as agreed. Processor shall not be liable if Controller does not answer the data subject's request, does not answer it correctly, or does not answer it within any given deadline.
8. Means of Proof
(a) Processor shall prove its compliance with the obligations specified in this Data Processing Agreement to Controller using suitable means. If specific types of proof can be specified or used to prove compliance with the agreed obligations, Processor may submit the following information to Controller:
- Variation 1 Results of an internal audit
- Variation 2 Internal company codes of conduct including proof of compliance by an external auditor
(b) Controller may approve the appointment of an independent external auditor by Processor, provided Processor provides Controller with a copy of the audit report. Processor may request remuneration for its assistance during the audit. Auditing shall be limited to one audit per calendar year, where reasonably possible.
Should, in individual cases, audits by Controller or by an auditor hired to perform an audit be required, they shall be performed during regular business hours, without disrupting Processor’s business operations, and after reasonable advance notice. Processor may make them dependent on reasonable and timely advance agreement and on the signing of a confidentiality agreement with regard to the data of other customers and the implemented technical and organizational measures. If the auditor hired by Controller is a competitor of Processor, Processor shall have the right of veto.
(c) If a data protection supervisory authority or other supervisory authority of Controller performs an audit, clause 6(b) above shall apply accordingly. A confidentiality agreement does not need to be signed if the supervisory authority is already subject to professional or legal confidentiality under applicable laws.
(a) The contractually agreed services or the deliverables defined below may be performed by the following pre-approved subcontractors:
Name of the subcontractor / third party provider: Amazon Web Services (AWS)
Description of the individual services: Cloud Hosting and Platform Services
Processor has concluded EU Standard Contractual Clauses with the subcontractors that are sub-processors to the extent required, in order to ensure appropriate data protection and information security measures. The applicable data processing agreement with AWS can be shared with Controller upon request.
(b) Controller permits Processor to use other subcontractors. Processor shall notify Controller before hiring or replacing a subcontractor (if necessary, specifying a time limit and/or arrangement for emergency situations). Controller may refuse the change – within an appropriate period – for good cause. When no objection is made during this term, agreement to the change shall be deemed to be given. If there is good cause related to data protection and the parties are unable to reach an agreement, Controller shall be entitled to exercise a special right of termination (as an option).
Processor shall conclude appropriate data processing agreements with these third parties if they are sub-processors to the extent required in order to ensure appropriate data protection and information security measures.
(c) If the subcontractor provides the agreed service outside the EU/EEA or an adequate country, the Processor shall ensure compliance with the regulations on data protection and agree suitable safeguards (e.g. EU Standard Contractual Clauses).
10. Duties to Inform, Mandatory Written Form, Choice of Law
(a) Should Controller’s personal data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while being processed, Processor shall inform Controller without delay. Processor shall, without delay, notify all pertinent parties in such action that any personal data affected thereby are in Controller’s sole property and area of responsibility, that personal data are at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.
(b) Changes and amendments to this Data Processing Agreement and all of its components, including any commitment issued by Processor, must be made in writing (including in electronic format (text form)) to be legally binding and must make express reference to being a change or amendment to these provisions. This also applies to the waiver of mandatory written form.
(c) If there are any conflicts, the provisions of this Data Processing Agreement shall take precedence over the provisions of the Main Agreement. Should individual provisions of this Data Processing Agreement be legally invalid, this shall not affect the validity of the remaining provisions.
(d) The governing law and submission to jurisdiction of this Data Processing Agreement shall be Swiss Law, for as long as Switzerland remains an adequate country. If this adequacy status changes in the future, the parties shall negotiate in good faith which EU member state law shall be applicable instead.
11. Liability and Damages
Subject to the agreed liability caps and stipulations in the Main Agreement, each party agrees to indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses incurred by the other party or for which the other party may become liable due to any failure by the first party or its employees or agents to comply with any of its obligations under this Data Processing Agreement.
Nothing in this Data Processing Agreement shall limit or change the responsibility the Data Controller has under the GDPR.
Art. 82 GDPR shall apply accordingly.
September 1st 2020 - RetinAI Medical AG, Freiburgstrasse 3, 3010, Bern - All rights reserved ©