Data Processing Addendum
The underlying agreement of this Data Processing Addendum (“Addendum”) apply only to the processing of Buyer Personal Data (as defined below), to the extent that such Personal Data is received by PlenOptika from Buyer pursuant to the underlying agreement of a separate, underlying agreement between the parties, and provided that Buyer and the exchange of the Personal Data provided hereunder is subject to GDPR.
In the course of Processing Buyer Personal Data (defined below) in connection with the Underlying agreement, PlenOptika and Buyer agree to comply with this Addendum, each acting reasonably and in good faith.
This Addendum has been drafted taking into account the nature of the Personal Data actually Processed including the state of the art, the costs of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons to whom the Personal Data relates.
The following capitalized underlying agreement used in this Addendum shall have the meanings given to them below:
“App” means PlenOptika’s mobile application provided by PlenOptika for use with the Products.
“appropriate technical and organizational measures,” “Commission” “Controller,” “Data Protection Impact Assessment,” “Data Subject,” “Member State,” “Processor,” “Processing,” “Personal Data,” “Personal Data Breach” and “Supervisory Authority,” have the meaning given to them by GDPR, and their cognate underlying agreement shall be construed accordingly.
“Data Protection Laws” means: (a) EU Directive 95/46/EC, together with any national implementing laws in any Member State of the European Union and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; and (b) any equivalent legislation, or legislation dealing with the same subject matter, anywhere in the world; each only as and to the extent as applicable to either party and each as amended, repealed, consolidated or replaced from time to time.
“EEA” means European Economic Area.
“GDPR” means EU General Data Protection Regulation 2016/679.
“Buyer Personal Data” means, only to the extent it is Personal Data under applicable Data Protection Laws, Buyer Data processed by PlenOptika in connection with the Agreement.
“Privacy Shield Principles” means the data protection principles established under the EU-US Privacy Shield Framework, as administered by the US Department of Commerce, accessible at https://www.privacyshield.gov/article?id=Requirements-of-Participation.
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC pursuant to the European Commission Decision of 5 February 2010. A copy of the Standard Contractual Clauses shall be attached hereto upon request.
“Sub-processor” means any Processor (including vendors, subcontractors, hosting service providers) engaged by PlenOptika to Process Buyer Personal Data in accordance with and as permitted by the Agreement.
The word “include” shall be construed to mean include without limitation, and cognate underlying agreement shall be construed accordingly.
2. ROLES AND RESPONSIBILITIES OF THE PARTIES
2.1 The Parties hereby acknowledge and agree that, in the event that PlenOptika Processes Buyer Personal Data on behalf of Buyer, PlenOptika shall be a Processor on behalf of Buyer. Buyer is the Controller with respect to Buyer Personal Data.
2.2 Buyer, as a Controller of Buyer Personal Data, (i) shall comply with its obligations as a Controller under the applicable Data Protection Laws, and (ii) has provided notice and obtained (or will obtain) all consents and rights necessary for PlenOptika to process Buyer Personal Data pursuant to the Agreement and this Addendum.
2.3 Buyer instructs PlenOptika (and authorizes PlenOptika to instruct each Sub-processor) to (a) Process Buyer Personal Data, and (b) in particular, to transfer Buyer Personal Data to any country or territory, in each case as reasonably necessary to provide the Products and App and to perform the obligations set forth in the Agreement. Buyer warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 2.3.
1. DETAILS OF DATA PROCESSING
Buyer acknowledges that PlenOptika is reliant on Buyer for direction as to the extent to which PlenOptika is entitled to use and process Buyer Personal Data. Consequently, PlenOptika will not be liable for any claim brought by a user or any other third party arising from any action or omission by PlenOptika, to the extent that such action or omission resulted directly from Buyer’s instructions, or from Buyer’s request to process categories of Buyer Personal Data outside of those categories identified below.
This provision includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR, as set forth below:
Subject matter and duration of the Processing of Buyer Personal Data
The subject matter and duration of the Processing of the Buyer Personal Data are set out in the Agreement and this Addendum.
The nature and purpose of the Processing of Buyer Personal Data
The nature and purpose of the Processing of the Buyer Personal Data are set out in the Agreement and this Addendum, and include the provision of the Products, Software, Firmware and App by PlenOptika (and its Subprocessors) pursuant to the Agreement.
The types of Buyer Personal Data to be Processed
The types of Buyer Personal Data to be Processed may include:
· device log file (app and Product)
· GPS coordinates of the mobile phone using the App to the device log file
· time, date, and location of the Product which was paired to the App mobile phone
· the configuration file contains the settings set by the user on the Product
· the information related to the device startup, including: serial number, initialized libraries, opened databases, paths, and, initialization messages
· the number and type of mobile phones that have downloaded or uploaded any content, including what content has been uploaded or downloaded (however only mobile device IDs are provided, not any other mobile device owner information)
· The App downloads log file
No other Buyer Personal Data will be provided to PlenOptika without PlenOptika’s express written consent. Specifically, and without limitation, Buyer will not provide any patient names or other personally identifiable information related to any such patients. Buyer is responsible and liable for any breach of the Data Protection Laws resulting from Buyer providing additional Buyer Personal Data without PlenOptika’s express written consent, and any damages for the same.
The categories of Data Subjects to whom the Buyer Personal Data relates
Buyer may submit Buyer Personal Data to the Product and App, the extent of which is determined and controlled by Buyer in its sole discretion, relating to the following categories of data subjects: Buyer’s customers, and users of the Products and App. Buyer will obtain all required consents from Buyer’s customers and users of the Products and App.
The obligations and rights of Buyer
The obligations and rights of Buyer are set out in the Agreement and this Addendum.
Buyer authorises PlenOptika to appoint (and permit each Sub-processor appointed in accordance with this Section 4 to appoint) Sub-processors in accordance with this Section 4 and any restrictions in the Agreement.
PlenOptika may continue to use those Sub-processors already engaged by PlenOptika as at the date of this Addendum.
PlenOptika shall give Buyer prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor, as it relates to Buyer. If, within 10 days of receipt of that notice, Buyer notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment, then PlenOptika shall not appoint (or disclose any Buyer Personal Data to) that proposed Sub-processor until reasonable steps have been taken to address the objections raised by Buyer, and Buyer has been provided with a reasonable written explanation of the steps taken.
With respect to each Sub-processor, PlenOptika shall:
- carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Buyer Personal Data required by the Agreement relative to Sub-Processor’s role thereunder;
- ensure that the arrangement is governed by a written agreement between PlenOptika and the applicable Sub-processor including underlying agreement which offer at least the same level of protection for Buyer Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR; where the parties acknowledge and agree that for the purposes of this Addendum: (a) “the same” as referenced in Article 28(4) may mean different words and phrasing, so long as the obligations are at least as restrictive as those undertaken by Provider hereunder, (b) certain obligations, such as governing law, may vary with Sub-processors, and (c) obligations hereunder that are not expressly required to be imposed upon a data processor pursuant to Articles 28(2) and 28(4) of GDPR do not need to be replicated with any such Sub-processor, and;
- provide to Buyer for review such copies of the agreements with Sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Buyer may request from time to time.
5. SECURITY MEASURES AND INCIDENT RESPONSE
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, PlenOptika shall implement appropriate technical and organizational measures to protect Buyer Personal Data from a Personal Data Breach. Such measures shall ensure a level of security appropriate to the risk, including, if and to the extent appropriate, measures referred to in Article 32(1) of GDPR. Buyer acknowledges that such measures are subject to technical progress and development and that PlenOptika may update or modify such security measures from time to time, provided that such updates and modifications do not result in a degredation of the overall security of the Product, Software, Firmware and App.
- PlenOptika will ensure that its employees, officers, representatives, advisers, consultants and any Sub-processors, have committed themselves to ensuring the confidentiality of all Buyer Personal Data that they Process. PlenOptika shall further ensure that access to Buyer Personal Data is limited to those individual who need to know or access the relevant Buyer Personal Data as required for the purposes of the Agreement and to comply with applicable laws including Applicable Data Protection Laws.
- Notwithstanding the above, Buyer agrees that except as set forth in the Agreement and this Addendum, Buyer is responsible for secure use of the Product, Software, Firmware and App, including securing its account authentication credentials.
- Upon becoming aware of a Personal Data Breach affecting Buyer Personal Data, PlenOptika will notify Buyer without undue delay and will provide information relating to the Personal Data Breach affecting Buyer Personal Data as it becomes known or as reasonably requested by Buyer.
- PlenOptika shall co-operate with Buyer and take such reasonable commercial steps as are directed by Buyer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
6. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Upon request and at Buyer’s expense, PlenOptika shall provide reasonable assistance to Buyer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Buyer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Buyer Personal Data by, and taking into account the nature of the Processing and information available to PlenOptika.
7. RETURN OR DELETION OF DATA
Upon termination or expiration of the Agreement, PlenOptika shall delete (or, at the election of Buyer pursuant to the paragraph below, return) all Buyer Personal Data in the possession or control of PlenOptika, within one (1) year after the termination or expiration of the Agreement, unless otherwise required by any applicable EU Data Protection Law; and (ii) request that its Sub-processors shall do the same. This requirement shall not apply to Buyer Personal Data that is archived on back-up systems, which PlenOptika shall isolate and protect from any further Processing, except to the extent required by law, and which shall be subject to appropriate confidentiality restrictions.
Subject to the paragraph below in this Section 7, Buyer may in its absolute discretion by written notice to PlenOptika within 180 days of termination or expiration of the Agreement require PlenOptika to (a) return a copy of all Buyer Personal Data to Buyer by secure file transfer in such format as is reasonably agreed upon. PlenOptika shall comply with any such written request within 60 days of the request.
PlenOptika (and its Sub-processors) may retain Buyer Personal Data to the extent required by applicable Data Privacy Laws and any other applicable laws, and only to the extent and for such period as required by such applicable laws and always provided that PlenOptika shall ensure the confidentiality of all such Buyer Personal Data and shall ensure that such Buyer Personal Data is only Processed by PlenOptika as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
Upon Buyer’s written request, PlenOptika shall provide written certification to Buyer that it has complied with this section 7, within 30 days following the first anniversary of the termination date.
- At Buyer’s request and expense and taking into account the nature of the Processing, PlenOptika will provide Buyer with reasonable assistance necessary to respond appropriately to requests from Data Subjects to exercise their rights under applicable Data Protection Laws, this assistance may include, to the extent necessary and commercially feasible, implementation of appropriate technical and organizational measures that are required by the applicable Data Protection Laws.
- PlenOptika shall promptly notify Buyer if it receives a request for a Data Subject under any Data Protection law with respect of Company Personal Data. PlenOptika shall not respond to any such request except on the umented instructions of Buyer or as required by applicable laws to which PlenOptika is subject.
- At Buyer’s request and expense, PlenOptika will promptly provide the Buyer with information necessary to enable Buyer to demonstrate compliance with its obligations under Applicable Data Protection Laws, to the extent that PlenOptika is able to provide such information.
- Upon the Buyer’s reasonable request and expense, promptly provide Buyer with all reasonable assistance necessary to enable Buyer to: (i) notify relevant breaches of applicable Data Protection Laws to the relevant Supervisory Authorities and/or affected Data Subjects; and (ii) obtain any necessary authorizations from Supervisory Authorities.
- If a law enforcement agency sends PlenOptika a demand for Buyer Personal Data (for example, through a subpoena or court order), PlenOptika will attempt to redirect the law enforcement agency to request that data directly from Buyer. As part of this effort, PlenOptika may provide Buyer’s basic contact information to the law enforcement agency. If compelled to disclose Buyer Personal Data to a law enforcement agency, then PlenOptika will give Buyer reasonable notice of the demand to allow Buyer to seek a protective order or other appropriate remedy unless PlenOptika is legally prohibited from doing so.
Subject to the provisions below, PlenOptika shall make available to Buyer, upon written request, copies of all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Buyer or an independent third party auditor, solely in relation to the Processing of the Buyer Personal Data in accordance with this Addendum.
The foregoing information and audit rights of the Buyer only arise to the extent that the Agreement does not otherwise set forth information and audit rights meeting the relevant requirements of the applicable Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR). Buyer acknowledges that in all cases PlenOptika shall first provide copies of information, and only (a) in the event of a Buyer Personal Data Breach, (b) if PlenOptika is unable to provide such information, may Buyer request an on-site audit, or (c) if required under the applicable Data Protection Laws.
Buyer shall give PlenOptika reasonable notice of any audit or inspection to be conducted hereunder and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to PlenOptika’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. PlenOptika need not give access to its premises for the purposes of such an audit or inspection:
- outside normal business hours; or
- in excess of one per calendar year, except for any additional audits or inspections which:
- arise out of a Buyer Personal Data Breach; or
- Buyer is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory.
10. RESTRICTED TRANSFER
This provision only applies to certain transfers of data outside the European Economic Area that are permitted without breach of the applicable Data Protection Law.
The Standard Contractual Clauses will apply only to Buyer Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR). The Standard Contractual Clauses will not apply to Buyer Personal Data that is not transferred, either directly or via onward transfer, outside the EEA.
Buyer and PlenOptika hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from Buyer to PlenOptika. The Standard Contractual Clauses shall come into effect on the later of either party becoming a party to them or the commencement of the relevant Restricted Transfer.
- For the avoidance of doubt, any claim or remedies that either party may have arising under or in connection with this Addendum will be subject to any limitation of liability provisions that apply under the Agreement. In no event shall any party limit its liability with respect to any individual’s data protection rights under this Addendum or otherwise.
- No one other than a party to this Addendum, their successors and permitted assignees shall have any right to enforce any of its underlying agreement.
- This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
- The provisions of this Addendum are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this Addendum shall remain in full force and effect.
- This Addendum may be entered into by the parties in any number of counterparts. Each counterpart will, when executed and delivered, be regarded as an original, and all the counterparts will together constitute one and the same instrument.