(the “Data Processing Addendum”)
- Introduction
- This Data Processing Addendum describes the privacy practices of Powerful Medical s.r.o. (“Powerful Medical”) regarding the Processing of Personal Data on your behalf, to the extent applicable, as part of the provision of the Subscription Services. Where Powerful Medical provides the Subscription Services to you, Powerful Medical acts as a Processor and you act as a Controller. This Data Processing Addendum applies globally to any and all Subscription Services provided by Powerful Medical to you, unless (i) otherwise agreed by the parties or (ii) you are located in the United States.
- For the avoidance of doubt, this Data Processing Addendum does not apply to such Processing where Powerful Medical acts as a Controller. Powerful Medical refers to its separate Privacy Notice for more information about what specific activities are conducted by Powerful Medical as Controller.
- Definitions
- The capitalized terms used herein and not otherwise defined below shall have the meaning given to them in the EULA.
- “Act” means the Act no. 18/2018 Coll. on Personal Data Protection.
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Data Protection Legislation” means the Act and the Regulation.
- “Personal Data” means any information about an identified or identifiable natural person or which may directly or indirectly identify a natural person processed by Powerful Medical as Processor in accordance with Section 3.1 of this Data Processing Addendum.
- “Processing” means any operation or set of operations which is performed upon the Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means the party which Processes Personal Data on behalf of the Controller.
- “Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- “you” means you as a user of the Subscription Services authorised to use such services based on the EULA.
- Processing of Personal Data.
- Powerful Medical will process (i) data provided by you, in particular ECG image, sex, age, patient’s national identification number (optional), and further data required to determine patient management recommendations about those individuals that you determine (e.g. volunteers, patients), (ii) identification, contact details, workplace, occupation, profile picture about you in relation to the operation and administration of the Subscription Services (ECG digitization, ECG interpretation, patient management recommendation); and (iii) any further data that may be necessary upon your demand. The data processed may include information about the ECG device used, such as the paper speed settings, voltage gain settings, and similar.
- Powerful Medical will not provide the Personal Data to any third party other than (i) as necessary to perform activities and the Subscription Services outlined in the EULA; (ii) in accordance with the documented instructions from you; (iii) within entities affiliated to Powerful Medical by common control, management or ownership; (iv) as part of a merger, acquisition or other investment by a third party into Powerful Medical, or (v) as required to comply with Data Protection Legislation or other laws to which Powerful Medical is subject, in which case Powerful Medical shall (to the extent permitted by law) inform you of that legal requirement before Processing the Personal Data.
- In addition, Powerful Medical is allowed to use (i) aggregated data, to the extent they can no longer be considered personal data, or (ii) de-identified data (i.e., data which does not allow an identification of the patient) for scientific research purposes, for internal operations, including troubleshooting, data analysis, testing, research, for statistical purposes and for improving the quality of the Subscription Services, or (iii) personal data in accordance with the Privacy Notice and Sections 11 and 13 of the EULA.
- In the event this Data Processing Addendum, or any actions to be taken or contemplated to be taken in performance of this Data Processing Addendum, do not or would not satisfy either party’s obligations under future Data Protection Legislation, rules, regulations, orders or guidance adopted, enacted, implemented, promulgated, issued, entered or deemed applicable by or under the authority of any governmental body having jurisdiction over matters covered by this Data Processing Addendum, Powerful Medical and you must cooperate with each other in good faith and must execute an appropriate amendment to this Data Processing Addendum or the EULA or, if applicable, conclude another type of agreement, including a data processing agreement or a joint-controllership agreement, to give effect to either party’s obligations under such future Data Protection Legislation, rules, regulations, orders or guidance.
- Obligations of Powerful Medical
- Powerful Medical undertakes to:
- process the Personal Data only on documented instructions from you, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by European Union or Member State law to which Powerful Medical is subject; in such a case, Powerful Medical will inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The documented instructions are contained in this Data Processing Addendum and the EULA;
- take all commercially reasonable technical and organizational measures to protect the Personal Data in conformity with the provisions of Article 32 of the Regulation;
- assist you, as the Controller, in performing your obligations resulting from Articles 32 to 36 of the Regulation, taking into account the nature of the Processing and the information available to the Processor;
- taking into account the nature of the Processing, assist you by appropriate technical and organizational measures, insofar as this is possible, in the fulfilment of the Controller’s obligation to respond to requests exercising the data subject’s rights laid down in Chapter III of the Regulation, subject to Section 5 of this Data Processing Addendum;
- ensure that the persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- inform you about a Personal Data breach without undue delay after Powerful Medical becomes aware of it, specifying (1) the nature of the Personal Data breach, (2) the likely consequences and (3) the measures taken to address the Personal Data breach; such information may be provided gradually if not readily available. Powerful Medical shall provide full cooperation to you and act as instructed by you to assist in the investigation and remediation of such Personal Data breach;
- at your choice, delete or return all the Personal Data without undue delay after the termination of the MSA, and delete existing copies of the Personal Data, unless otherwise provided by law or agreed by the Parties in the EULA and this Data Processing Addendum;
- make available to you upon reasonable request all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the Regulation and allow for, and upon reasonable prior notice not shorter than 2 weeks contribute to, audits, including inspections if provision of documents is insufficient to demonstrate compliance, conducted during regular business hours, not more often than once per year by an independent third party expert auditor mandated by you at your expense.
- Data Subject Requests
- You, acting as a Controller, are solely responsible for handling all data subject requests addressed to you. Powerful Medical will assist you in handling data subject requests as described below.
- Deletion Requests
- If you receive a deletion request (Art. 17 of the GDPR) from a data subject or if the data subject otherwise requests deletion (including deletion in accordance with Section 4.1(vii) of this Data Processing Addendum), you must inform Powerful Medical about the request without undue delay; Powerful Medical will then revoke any access to the Personal Data and will only process such data for storage purposes for 180 days after receiving the deletion request from you. Upon lapse of the 180 days, Powerful Medical will definitively and irreversibly delete the requested Personal Data, unless retention is necessary to comply with a legal request from public authorities (including healthcare authorities), to comply with legal obligations (such as for medical vigilance or other regulatory purposes), or for the establishment, exercise or defence of legal claims.
- Access Requests
- If you receive an access request (Article 15 of the Regulation) from a data subject, you must verify the identity of the data subject and, subsequently, you may either use the self-serve function within the Subscription Services (if available) or, if such function is not available, request that Powerful Medical provides the relevant information to you. In no event shall Powerful Medical respond directly to the requesting data subject.
- Subprocessors and Recipients
- Powerful Medical may appoint certain third parties to provide parts of the Services or assist with providing technical or professional support. You authorize Powerful Medical to subcontract the Processing of Personal Data to subprocessors, in particular to procure the Subscription Services, such as regulatory compliance, authentication and customer support. Subprocessors are, in each case, subject to binding obligations between Powerful Medical and the subprocessor, which contain substantially similar provisions as those set out in this Data Processing Addendum. Powerful Medical will inform the Customer of the details of such subprocessor(s) upon a written request from the Customer.
- Powerful Medical may share Personal Data with third parties, in particular (i) as necessary to perform activities outlined in the EULA; (ii) as required to comply with applicable regulatory requirements, in particular regarding medical devices, healthcare and Regulation, (iii) within entities affiliated to Powerful Medical by common control, management or ownership; (iv) as part of a merger, acquisition or other investment by a third party into Powerful Medical; or (v) as required to comply with the Regulation or other laws to which Powerful Medical is subject, in which case Powerful Medical will (to the extent permitted by law) inform you of that legal requirement before Processing the Personal Data.
- International Data Transfers
- Powerful Medical stores and processes Personal Data within the European Economic Area (the “EEA”) or within countries recognized by the European Commission as providing an adequate level of protection of personal data. Powerful Medical may, however, transfer Personal Data to countries outside the EEA in the following circumstances:
- if you reside in, are based in or operate the Subscription Services from a country outside of the EEA, the Personal Data from such use will be transferred to the EEA and back to you; the respective Customer and Powerful Medical hereby specifically agree to be bound by the Standard Contractual Clauses which can be found here (the “SCCs”);
- with Affiliates of Powerful Medical located outside of the EEA, if relevant for the provision of the Subscription Services;
- in the limited circumstances where Powerful Medical uses subprocessors located outside the EEA; and
- if Powerful Medical shares Personal Data with other recipients strictly as necessary and in accordance with the MSA or the Privacy Notice.
- Any transfer of Personal Data outside of the EEA is undertaken in compliance with the Regulation, in particular Chapter V of the Regulation and subject to the conclusion of SCCs.
- Liability
- You commit to Process all Personal Data, in particular to provide the Personal Data to Powerful Medical, in accordance with Data Protection Legislation, including, without limitation:
- ensuring that all notifications to and approvals from regulators, which are required by Data Protection Legislation, are made and maintained by you; and
- ensuring that all Personal Data is processed fairly and lawfully (in particular, you have a valid legal basis for any Processing necessary in accordance with the EULA and this Data Processing Addendum as well as the SCCs), in a transparent manner (in particular, you have provided appropriate privacy notices to data subjects), is accurate and up to date.
- You shall indemnify and hold Powerful Medical harmless from and against any losses, fines, damage, fees or any additional expenses (including reasonable attorney fees and other reasonable costs of litigation), due from or incurred in relation to a breach of this Data Processing Addendum or non-compliance with Data Protection Legislation by you. In accordance with Article 82(2) of the Regulation, Powerful Medical, as a Processor, shall be liable for the damage caused by Processing only where it has not complied with obligations of the Regulation specifically directed to processors or where Powerful Medical has acted outside or contrary to lawful instructions of the Controller.
- The liability of Powerful Medical arising out of or in connection with this Data Processing Addendum and the SCCs shall be limited to the amounts specified in the EULA.
- Final Provisions
- Powerful Medical may charge reasonable fees for any activities or assistance undertaken upon request by you which go beyond the scope of the Subscription Services.
- This Data Processing Addendum has been concluded for the term of the EULA and shall be governed and subject to the same laws and jurisdiction as the EULA.