IQ Messenger Cloud Data Protection Schedule (DPA)
In this Data Protection Schedule (“Schedule”), unless otherwise defined herein, all defined terms shall have the meaning set out in the Agreement.
1. Background and applicability
- Customer and IQM have entered into the Agreement. This Data Protection Schedule, hereinafter DPA, is part of the Agreement. The Customer (also a BUSINESS PARTNER) is responsible for ensuring that the End User uses the Product according to the terms and conditions agreed in the Agreement, including this schedule. This schedule describes the obligations of the Processor and Controller of the Data. Within the scope and for the purpose of the performance of the Agreement, Processor will process Personal Data on behalf of the Controller.
- Controller and Processor have entered into this DPA in order to fulfill the requirement of a written agreement as set out in Applicable Data Protection Legislation. In addition to what may be set out in the Agreement, the following shall apply in relation to Processor’s Processing of Personal Data on behalf of the Controller.
2. Interpretation and Definitions
- In this DPA, unless the context otherwise requires:
- Reference to the parties include their respective successors and permitted assigns;
- Words in the singular include the plural and in the plural include the singular;
- Headings are for ease of reference only;
- Any reference to “DPA” also refers to any amendment or supplement to it;
- The term “including” means including without limitation;
- Capitalized words, phrases and acronyms shall have the meanings given to them herein, elsewhere in the Agreement or shall have their ordinary (technical or other) meaning;
- In the case of a conflict between any provision of this DPA and any other provisions set forth in the Agreement, the provisions of this DPA shall prevail. In the event there is a conflict between the provisions of this DPA and the provisions of the Exhibits, the body of this DPA shall prevail, and only to the extent the provisions (of the body) meet the requirements as set forth in the then current Applicable Data Protection Legislation. By way of derogation from the previous sentences, Section 8 of this DPA shall always prevail.
- “Agreement” means (as the context requires): (i) the existing agreement between the Parties for the provisioning of certain products and/or services (including the Exhibits attached thereto), or (ii) the agreement described under (i) and all quotes, orders and other contract documents including this DPA (taken together).
- “Affiliate” means in relation to an entity, another entity controlling, controlled by, or under common control with that entity;
- “Applicable Data Protection Legislation” means any national or internationally binding data protection laws or regulations applicable at any time during the term of this DPA to the Processing of Personal Data under the Agreement;
- “Controller” means the legal entity which determines the purposes and means of the Processing of Personal Data as defined in the GDPR;
- “Data Protection Authorities” means any competent national data protection authority responsible for enforcing data privacy laws.
- “Data Subject” means the natural person to whom the Personal Data is related as defined in the GDPR;
- “EEA” means the European Economic Area;
- “Party” means the Controller or Processor;
- “Processor” means the legal entity processing Personal Data on behalf of the Controller as defined in the GDPR;
- “Personal Data” means any information relating to an identified or identifiable living, natural person as defined in the GDPR;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed that likely represents a risk to Controller or Controller Personal Data;
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction as defined in the GDPR;
- “Security Incident” shall mean any actual, anticipated or suspected i) breach of technical and organizational security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any data transmitted, stored or otherwise processed, including Personal Data (including a personal data breach as defined in article 4(12) of the GDPR); ii) breach of Privacy Legislation or this Agreement by any current or former employee, contractor or agent of the Processor or by any other person or third party and/or iii) event whereby the security, confidentiality, integrity or availability of data, including Personal Data, has otherwise been or reasonably could be compromised;
- “Subcontractor” means the legal entity which is engaged by Processor for carrying out Processing activities on behalf of Processor;
3. Processing of personal data
- Processor undertakes to only Process Personal Data in accordance with documented instructions communicated from time to time by the Controller. The Controller’s initial instructions to Processor regarding the subject-matter of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are set forth in this DPA and in Exhibit 1.
- Processor shall assist the Controller, either as a Processor or as a Controller, in fulfilling its legal obligations under Applicable Data Protection Legislation. This may include but is not limited to the Controller’s obligation to assist with and/or respond to requests for exercising the Data Subject’s rights such as right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability and right to object, as well as the Controller’s obligation to ensure a level of security appropriate to the risk and to perform a data protection impact assessment.
- Processor shall immediately inform the Controller if Processor does not have sufficient instructions for how to Process Personal Data in a particular situation or if instructions provided under this DPA, in Processor’s reasonable opinion, violate Applicable Data Protection Legislation.
- If Data Subjects, Data Protection Authorities or any other competent third parties request information from Processor regarding the processing of Personal Data covered by this DPA, Processor shall refer such request to the Controller. Processor may not in any way act on behalf of or as a representative of the Controller and may not, without prior instructions from the Controller, transfer or in any other way disclose Personal Data or any other information relating to the Processing of Personal Data to any third party. In the event Processor, according to applicable laws and regulations, is required to disclose Personal Data that Processor Processes on behalf of the Controller, Processor shall, unless legally prevented, inform the Controller thereof immediately and shall request confidentiality in conjunction with the disclosure of requested information.
- Processor will engage the Subcontractors set out in Exhibit 1 for the purposes specified therein. Processor undertakes to ensure that all Subcontractors are bound by written agreements that require them to comply with corresponding data processing obligations to those contained in this DPA.
- In the event Processor wants to engage a Subcontractor other than those specified in Exhibit 1, Processor shall without undue delay and at the latest 8 weeks prior to transferring any Personal Data to such Subcontractor, inform the Controller, in writing, of the identity of such Subcontractor as well as the purpose for which it will be engaged, thereby giving the Controller the opportunity to object to such changes within two weeks.
5. Transfer to third countries
The location(s) of the Processing of Personal Data is/are set out in Exhibit 1. Processor may not transfer Personal Data outside the EEA unless specifically approved in writing by the Controller and provided that adequate protection of the Personal Data in the receiving country is secured.
6. Information security and confidentiality
- Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymization and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services Processing Personal Data;
- the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
- In assessing the appropriate level of security, Processor shall take into account the particular risks presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
- Processor shall notify the Controller of a Personal Data Breach immediately, and in any event not later than 24 hours after becoming aware of it. The notification shall at least:
- describe the nature of the Personal Data Breach;
- communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;
- describe the likely consequences of the Personal Data Breach;
- describe the measures taken or proposed to be taken by Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
- include any other information available to Processor which the Controller is required by Applicable Data Protection Legislation to notify to the Data Protection Authorities and/or the Data Subjects.
- Processor will furthermore provide the reasonable assistance requested by the Controller in order to investigate the Personal Data Breach and notify it to the Data Protection Authorities and/or the Data Subjects as required by Applicable Data Protection Legislation.
- In case of any Security Incident, Processor will notify Controller as soon as reasonably possible – but no later than 24 hours after Processor has become aware of such Security Incident – and in such way that Controller can comply with any relevant legal obligations concerning Security Incidents, in particular relevant notification requirements related to Security Incidents and personal data breaches as defined in article 4(12) of the GDPR. Processor will ensure that it is duly aware of any such obligations in this regard.
- Processor undertakes to not disclose or otherwise make the Personal Data Processed under this DPA available to any third party, without the Controller’s prior written approval. Notwithstanding the above, disclosure to a Subcontractor listed in Exhibit 1 or subsequently notified to the Controller in accordance with Section 2 above is permitted.
- Processor undertakes to ensure that access to Personal Data under this DPA is restricted to those of its personnel who directly require access to the Personal Data in order to fulfill Processor’s obligations in accordance with this DPA and the Agreement. Processor shall ensure that such personnel (whether employees or others engaged by Processor) are bound by a confidentiality obligation concerning the Personal Data to the same extent as Processor in accordance with this DPA.
- The duties of confidentiality set forth in this Section 6 shall survive the expiry or termination of the DPA.
7. Audit rights
Processor undertakes to make available to the Controller all information and all assistance reasonably required by Controller to demonstrate compliance with the obligations laid down in this DPA. Processor will furthermore allow for and contribute to audits conducted by the Controller or a Data Protection Authority and in each case solely in relation to Processing of Controller Personal Data under this DPA.
8. Liability and Indemnification
- Notwithstanding the provisions in the Agreement, a Party shall be liable and indemnify, defend and hold harmless pursuant to clause 82 of the GDPR the other Party or its Affiliates for all damages (including damages resulting from loss of reputation or loss of data), fines, losses and costs, incurred and arising from or relating to non-compliance by the first Party (including its Subcontractors and Affiliates) with its obligations under the DPA or Applicable Data Protection Laws for Personal Data that it controls.
- Notwithstanding the provisions in the Agreement, each Party shall indemnify the other Party against claims brought by third parties, including Data Subjects and Data Protection Authorities, and against all associated damage and reasonably incurred costs arising from non-compliance by the first Party (including its subcontractors and Affiliates) with obligations under the DPA.
- Each Party’s entire liability as referred to in Section 1 as well as the obligation to indemnify the other party in Section 8.2 is cumulatively limited to an amount equal to the limitations set forth in the Agreement.
- Section 8.3 does not apply to liability or indemnification resulting from willful conduct or gross negligence or (if appropriate) to the extent any liability cannot be limited or excluded by law.
Any notice or other communication to be provided by one Party to the other Party under this DPA, shall be provided in accordance with the notices provision of the Agreement.
10. Measures upon completion of processing of personal data
- After the end of the delivery of the products and/or the provision of the services pursuant to the Agreement, Processor shall on request delete or return all Personal Data (including any copies thereof) to the Controller, as reasonably instructed by the Controller, and shall ensure that any Subcontractor does the same.
- Upon request by the Controller, Processor shall provide a written notice of the measures taken with regard to the deletion or return of the Personal Data upon the completion of the Processing.
Type of Data Processing
Specify all purposes for which the Personal Data will be processed by Processor:
Storing and use of Customer Data for (scientific) research, error analysis, troubleshooting, compliance with regulations and laws to improve the SaaS Services. Only anonymized information can be used for commercial and product development purposes.
Specify the categories of Data Subjects whose Personal Data possibly can be Processed by Processor:
- Patients receiving professional care by the Customer.
- (Healthcare) professionals employed by the Customer.
Categories of Personal Data
Specify the possible types of Personal Data that can be Processed by Processor in case provided by connected third party (medical) systems:
- Date of birth
- Patient ID
- Patient preferences
- Patient relatives
- Other patient related (medical) data
Specify all processing activities to be conducted by Processor:
Collection, alarm and event flow processing, storage, reporting, maintenance, troubleshooting and development of new functionalities for the IQM Cloud SaaS
Specify the Subcontractors engaged by Processor (if any) and the purposes for which the Personal Data is Processed by such Subcontractor:
Location of processing operations
Specify all locations where the Personal Data will be Processed by Processor and any Subcontractor (if applicable):
Online Services and Cloud are hosted by Leaseweb at geographically redundant and separated data centers in The Netherlands (Western Europe)