Data Processing Agreement

ARTICLE 1. INTRODUCTORY PROVISIONS

Article 1.1
The terms defined in the GDPR and used in this Data Processing Agreement (DPA) shall have the meanings described therein.

Article 1.2
Where this Data Processing Agreement refers to a provision of the Wbp (Dutch Data Protection Act), the corresponding provision of the General Data Protection Regulation (GDPR) shall apply as of May 25, 2018.

Note:
The Processor is Medica Europe B.V., and the Data Controller is the client.

ARTICLE 2. PURPOSES OF PROCESSING

Article 2.1
The Processor commits to processing personal data on behalf of the Data Controller under the conditions set out in this Data Processing Agreement. Processing will only occur within the framework of executing the Agreement and for purposes that are further specified with additional consent.

Article 2.2
The Data Controller determines which (types of) personal data it has the Processor process and which (categories of) data subjects this personal data pertains to. The Processor has no influence over this.

Article 2.3
The Processor will not process the personal data for any other purpose than specified by the Data Controller. The Data Controller will inform the Processor of the processing purposes if they are not already mentioned in the Data Processing Agreement.

Article 2.4
The personal data to be processed on behalf of the Data Controller remain the property of the Data Controller or the relevant data subject(s).

Article 2.5
The Data Controller guarantees that the content, use, and instruction for processing personal data as described in the Data Processing Agreement are not unlawful and do not infringe any third-party rights. Additionally, the Data Controller ensures that: (i) the processing of personal data falls under one of the exemptions under the GDPR, or if not, that a notification has been made to the Dutch Data Protection Authority; and (ii) it will maintain a register of the processing activities covered by this Data Processing Agreement from May 25, 2018.

Article 2.6
The Data Controller indemnifies the Processor against all claims related to non-compliance or incorrect compliance with the obligations in Article 2.5.

ARTICLE 3. OBLIGATIONS OF THE PROCESSOR

Article 3.1
Regarding the processing activities mentioned in Article 2, the Processor will ensure compliance with the conditions imposed by the GDPR for the processing of personal data.

Article 3.2
The Processor will, upon the Data Controller’s first request, inform the Data Controller of the measures taken regarding its obligations under this Data Processing Agreement and the GDPR.

Article 3.3
The obligations of the Processor under this Data Processing Agreement also apply to those who process personal data under the Processor’s authority.

ARTICLE 4. TRANSFER OF PERSONAL DATA

Article 4.1
The Processor may process personal data in countries within the European Union. Transfers to countries outside the European Union are only permitted in compliance with the applicable provisions of the GDPR.

Article 4.2
The Processor will inform the Data Controller, upon request, of the country or countries involved.

ARTICLE 5. ALLOCATION OF RESPONSIBILITY

Article 5.1
The permitted processing will be carried out by the Processor within a (semi)automated environment under the Processor’s control.

Article 5.2
The Processor is only responsible for the processing of personal data under this Data Processing Agreement, according to the Data Controller’s instructions, and under the explicit (final) responsibility of the Data Controller.

Article 5.3
For all other personal data processing, including but not limited to the collection of personal data by the Data Controller, processing for purposes not reported to the Processor by the Data Controller, processing by third parties, or other purposes, the Processor is not responsible.

ARTICLE 6. ENGAGING THIRD PARTIES OR SUBPROCESSORS

Article 6.1
The Data Controller authorizes the Processor to use third parties in the processing of personal data under this Data Processing Agreement, in compliance with applicable privacy laws and regulations.

Article 6.2
The Processor will inform the Data Controller as soon as possible about the third parties engaged, upon the Data Controller’s request. The Data Controller has the right to object to any third parties engaged by the Processor.

Article 6.3
The Processor shall not object on unreasonable grounds and must sufficiently justify the objection. If the Data Controller objects to any third parties engaged by the Processor, the Parties will consult to find a solution.

Article 6.4
The Processor ensures that any third parties it engages are bound by written obligations that are at least as strict as the obligations imposed on the Processor under this Data Processing Agreement.

Article 6.5
The Processor is responsible for ensuring that the third parties it engages comply with the obligations referred to in Article 6.4 and is liable to the Data Controller for any errors made by these third parties as if the Processor had made the errors itself.

Article 6.6
The Processor’s maximum liability for damages as mentioned in Article 6.5 is limited to the amount agreed upon in the Agreement (including the Processor’s general terms and conditions).

ARTICLE 7. SECURITY

Article 7.1
The Processor will take appropriate technical and organizational measures concerning the processing of personal data to protect against loss or any form of unlawful processing (such as unauthorized access, alteration, or disclosure of personal data).

Article 7.2
Although the Processor must implement appropriate security measures under paragraph 1 of this Article, it cannot guarantee that security will always be effective under all circumstances. The Processor will, however, make every effort to limit the loss of personal data in the event of a threat to or actual breach of these security measures.

Article 7.3
If a specifically described security measure is missing from the Data Processing Agreement, the Processor will ensure that the security level meets a standard that, considering technological advancements, the sensitivity of personal data, and the costs associated with implementing security, is not unreasonable.

Article 7.4
The Data Controller will only provide personal data to the Processor for processing if the Data Controller has ensured that the required security measures have been implemented.

ARTICLE 8. NOTIFICATION OBLIGATION

Article 8.1
In the event of a data breach (defined as a breach of security leading to a significant risk of adverse consequences for the protection of personal data, as described in Article 34a of the Wbp), the Processor will endeavor to inform the Data Controller as soon as possible, but in any case within 48 hours after the data breach becomes known to the Processor.

Article 8.2
The notification obligation only applies if the breach has actually occurred and includes at least the notification of the fact that a data breach has occurred, as well as, if available:

  • The (alleged) cause of the breach;
  • The (currently known or expected) consequences;
  • The (proposed) solution;
  • Contact details for follow-up of the notification;
  • The number of individuals whose data has been breached, or the minimum and maximum number of individuals if the exact number is not known;
  • A description of the group of individuals whose data has been breached;
  • The type or types of personal data breached;
  • The date the breach occurred, or the period during which the breach occurred if no exact date is known;
  • The date and time when the breach was known to the Processor or a third party or sub-processor engaged by them;
  • Whether the data has been encrypted, hashed, or otherwise made unintelligible or inaccessible to unauthorized persons; and
  • The intended and already taken measures to address the breach and mitigate its effects.

Article 8.3
The Data Controller will determine whether to inform the relevant authorities and/or data subjects and is responsible for compliance with (legal) notification obligations. If required by privacy laws and regulations, the Processor will cooperate in informing the relevant authorities or data subjects.

ARTICLE 9. HANDLING REQUESTS FROM DATA SUBJECTS

Article 9.1
If a data subject wishes to exercise one of their legal rights and directs the request to the Processor, the Processor will forward this request to the Data Controller. The Data Controller will then handle the request. The Processor may inform the data subject of this.

Article 9.2
If a data subject directs a request to exercise one of their legal rights to the Data Controller, the Processor will, if requested by the Data Controller, assist as far as possible and reasonable. The Processor may charge reasonable costs to the Data Controller for this assistance.

ARTICLE 10. CONFIDENTIALITY

Article 10.1
All personal data received from the Data Controller or collected by the Processor in the context of this Data Processing Agreement is subject to confidentiality towards third parties.

Article 10.2
This confidentiality obligation does not apply if the Data Controller has expressly consented to providing the information to third parties, if providing the information to third parties is logically necessary for the performance of the Data Processing Agreement, or if there is a legal obligation to provide the information to a third party.

Article 10.3
If the Processor is legally required to provide information to a third party, the Processor will inform the Data Controller as soon as possible, provided this is legally permissible.

ARTICLE 11. AUDIT

Article 11.1
The Data Controller has the right to have audits conducted by an independent expert bound by confidentiality to verify the security requirements as agreed in Article 7 of the Data Processing Agreement.

Article 11.2
The audit mentioned in Article 11.1 will only take place in the event of a specific suspicion of misuse demonstrated by the Data Controller. The audit initiated by the Data Controller will take place two weeks after prior notification by the Data Controller.

Article 11.3
The Processor will cooperate with the audit and make available all reasonably relevant information for the audit, including supporting data such as system logs, and employees, as promptly as possible and within a reasonable period, with a maximum period of two weeks being reasonable.

Article 11.4
The findings from the audit will be reviewed by the Parties in mutual consultation and, based on these findings, may or may not be implemented by one or both Parties.

Article 11.5
The costs of the audit will be borne by the Data Controller.

ARTICLE 12. LIABILITY

Article 12.1
For the liability of the Parties for damages resulting from a breach of the Data Processing Agreement, or from unlawful acts or otherwise, the liability provisions agreed upon in the Agreement (including the Processor’s general terms and conditions) will apply.

ARTICLE 13. DURATION AND TERMINATION

Article 13.1
This Data Processing Agreement is entered into for the duration specified in the Agreement and, in the absence of such, at least for the duration of the cooperation between the Parties. This Data Processing Agreement cannot be terminated prematurely.

Article 13.2
The Parties may only amend this Data Processing Agreement with mutual consent but will fully cooperate to adapt the Data Processing Agreement to any new or amended privacy laws and regulations.

Article 13.3
Upon termination of the Data Processing Agreement, the Processor will destroy all personal data in its possession unless otherwise agreed by the Parties.

Medica Europe B.V. Oss, version 01-07-2024
