1. Definitions and interpretation
1.1. In addition to the definitions in the Agreement, the following words and expressions have the meanings stated below in the Data Processing Agreement, unless the context requires otherwise. For the sake of clarity and readability of this Data Processing Agreement, some definitions are repeated from the General Terms and Conditions.
Agreement
the Agreement comprises the Order Form, the General Terms and Conditions and the Data Processing Agreement and any schedules and amendments hereto.
Appendices
means appendices to this Data Processing Agreement.
Controller
the Customer as defined in the Agreement and in accordance with the definition in the applicable Data Protection Law.
Customer
the legal entity that has entered into the Agreement with Auditdata as described in the Agreement on the terms and conditions set forth in the Agreement.
General Terms and Conditions
the general terms and conditions which form part of the Agreement.
Health Data
means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Data Protection Law
the legislation, as amended, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data applicable to a Controller in the EEA country where the Controller is established.
Data Subject
an identified or identifiable natural person (an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).
Data Processing Agreement
this agreement with Appendices.
EEA
the European Economic Area.
Order Form
the order form between Auditdata and Customer concerning Auditdata’s delivery of Strato Clinic Management System Software and related Software Services entered into online through Auditdata’s website.
Personal Data
any information relating to an identified or identifiable natural person.
Personal Data Breach
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Processing
any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor
Auditdata, in accordance with the definition in the applicable Data Protection Law.
2. Purpose and background
2.1. Auditdata and Customer have entered into the Agreement under which Auditdata provides the cloud-based clinic management software system named “Strato” (defined as the “Software” in the Agreement) and certain related Software Services to Customer. As part of the provision of services Auditdata Processes Personal Data, notably in the form of Health Data that may be linked to specific natural persons (Data Subjects), for which the Customer is Controller.
2.2. In addition to the terms and conditions set forth in the General Terms and Conditions, the Data Processing Agreement sets out the terms and conditions which apply to Auditdata’s Processing of Personal Data.
3.1. The Data Processing Agreement applies to any Processing of Personal Data performed by Auditdata in connection with the performance of its services to the Customer.
3.2. The categories of Data Subjects, Personal Data and Processing Operations are set out in Appendix A (Categories of Data Subjects, Personal Data and Processing Operations).
4. Obligations of the processor
4.1. Auditdata will perform the Processing in accordance with Data Protection Law. Notably, Auditdata will:
a) process Personal Data only on documented instructions from the Customer as specified in the Agreement and for the purposes set out in Appendix A (Categories of Data Subjects, Personal Data and Processing Operations);
b) ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of Processing, including the requirements with respect to such measures under the Danish Act on Processing of Personal Data (in Danish: “persondataloven”);
d) only subcontract with sub-processors in accordance with the requirements of clause 6;
e) immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Law;
f) assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer’s obligation to respond to requests for exercising the Data Subject’s non-exclusive rights to access, rectification and erasure, as these are stated in the Data Protection Law;
g) at the choice of the Customer, delete or return all the Personal Data to the Customer after the end of the provision of services relating to Processing, within the period stated in the currently applicable Microsoft Online Service Terms as amended from time to time (“Microsoft OST”), which may be accessed as set out in Schedule 3.1 (Microsoft OST);
h) make available to the Customer all information necessary to demonstrate compliance with the Data Protection Law, e.g. the annual audit certificate from Auditdata’s third-party accountants; and
i) in connection with clause 4.1 h), if legally and technically possible, allow for and contribute to audits, including inspections conducted by the Customer or another auditor mandated by the Customer, as set out in clause 7.
4.2. Auditdata will indemnify the Customer from any loss directly resulting from Auditdata’s failure to comply with its obligations hereunder. Auditdata’s liability for failure to comply with its obligations under the Agreement, including the Data Processing Agreement, is, however, capped and disclaimed according to the provisions of the General Terms and Conditions.
4.3. The Customer warrants that Auditdata’s strict compliance with any instruction from the Customer with respect to the Processing of Personal Data, shall not result in a violation of applicable Data Protection Law. In this context, Customer will indemnify Auditdata for any loss suffered as a result of Auditdata relying on and complying with Customer’s non-compliant instructions.
4.4. Auditdata shall inform the Customer without undue delay if Auditdata becomes aware of any Personal Data Breach.
4.5. Auditdata shall be entitled to charge the Customer separately for any costs (including internal resources at Auditdata’s standard rates) that Auditdata may incur in relation to assistance under clause 4.1 f), g) and i).
5. Obligations of the Controller
5.1. The Customer will be solely responsible and liable for its compliance with applicable law as Controller. Before using the Software and related Software Services under the Agreement in a way that includes Processing of Personal Data, the Customer will ensure that it complies with all Data Protection Law, e.g. in relation to the provision of required information/notification to and/or approvals from Data Subjects and/or regulatory authorities related to the Processing.
5.2. The Customer will promptly notify Auditdata if it becomes aware that Processing of the Customer’s Personal Data may be contrary to Data Protection Law.
5.3. The Customer will indemnify Auditdata from any loss resulting from the Customer’s failure to comply with its obligations hereunder.
6.1. By signing the Agreement, the Customer authorizes Auditdata to engage sub-processors, including without limitation Microsoft and other sub-processors as stated in Appendix A, clause 3, to perform Processing of Personal Data, provided that Auditdata enters into a written agreement with each sub-processor.
6.2. Auditdata will inform the Customer by email about any intended addition or replacement of a sub-processor in advance, allowing the Customer/Data Subject the opportunity to object and/or give its informed consent, such consent not to be unreasonably withheld. The Customer cannot object without a bona fide, reasonable and objective reason. If the Customer objects to any addition or replacement of a sub-processor, and such objection is based on a bona fide, reasonable and objective reason, Auditdata is entitled to (i) terminate the Agreement with immediate effect by written notice and (ii) invoice the Customer for any services already rendered under the Agreement.
7.1. Auditdata will, if possible, allow for and contribute to audits at Auditdata facilities, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to reasonable prior written notice from the Customer to Auditdata of at least 90 days, unless mandatory law requires otherwise.
7.2. The written notice shall include a proposed audit plan. If part of the requested audit scope is covered by the scope of an audit report by a qualified third-party auditor within the last 12 months, Auditdata may request the Customer to consider whether it could rely on such report instead of an audit. Auditdata will be entitled to choose the date and time of the audit to minimize business disruption and may combine the audit with audits from other customers.
7.3. At the request of the Customer according to Clauses 7.1 and 7.2, the Customer (or an inspection body appointed by the Customer, composed of independent members in possession of the required professional qualifications and bound by a duty of confidentiality) will be entitled to perform audits of Auditdata’s facilities and security practices directly related to the Processing of Personal Data under the Agreement in order to monitor compliance with the Data Processing Agreement, subject, however, to Clause 7.7. Unless a supervisory authority requires otherwise, such audits shall be limited to one audit per 24-month period.
7.4. Any audit shall be conducted in accordance with Auditdata’s internal policies and all participants shall be subject to written confidentiality obligations no less restrictive than as set out in the General Terms and Conditions. To the extent allowed under applicable law, the Customer shall deliver to Auditdata a copy of the audit report and Auditdata shall be entitled to use such report free of charge in relation to other customers.
7.5. The Customer may use the information obtained during any audit, including any audit report, only for the purpose of meeting its audit obligations under Data Protection Law. For the avoidance of doubt, Customer is not allowed to disclose to the public any parts of the audit report, without prior written consent from Auditdata, unless required by mandatory law.
7.6. The Customer will bear any costs related to audits and Auditdata shall be entitled to charge the Customer separately for any cost (including internal resources at Auditdata’s standard rates) Auditdata may incur in relation to its assistance with such audits.
7.7. The Customer or another auditor mandated by the Customer and subject to confidentiality is allowed to conduct audits of Auditdata’s sub-processor, Microsoft, to the extent this is possible according to the terms and conditions in the then current and applicable version of the Microsoft OST. Any audit at Microsoft shall always be conducted in accordance with the Microsoft OST and applicable Microsoft internal policies. The current version of the Microsoft OST may be accessed as set out in Appendix C (Microsoft Online Service Terms). The Customer can at any time request the latest version of the Microsoft Online Service Terms from Auditdata. On request, Auditdata will deliver the latest version within a reasonable time.
8. Term and termination
8.1. The Data Processing Agreement will take effect from the date of the last signature on the Agreement and will continue in force until Auditdata no longer Processes Personal Data on behalf of the Customer.
9. Auditdata’s rights to changes due to changes in mandatory law
9.1. If there are changes in mandatory Data Protection Law, Auditdata is entitled to change the Data Processing Agreement accordingly. If the Customer objects to the change in the Data Processing Agreement, Auditdata is entitled to (i) terminate the Agreement with immediate effect by written notice and (ii) invoice the Customer for the remaining part of the Term as specified in the Agreement.
10. Governing law and disputes
10.1. The Data Processing Agreement is governed by and will be interpreted in accordance with Danish law. However, the conflict of laws rules must be disregarded to the extent that such rules are non-mandatory.
10.2. Any dispute arising out of the Data Processing Agreement, including any dispute concerning the existence or validity of the Data Processing Agreement shall be brought before the Danish courts.