© 2020 PlenOptika. All rights Reserved.
The terms of this Data Processing Addendum (“Addendum”) apply only to the processing of Buyer Personal Data (as defined below), to the extent that such Personal Data is received by PlenOptika from Buyer pursuant to the terms of a separate, underlying agreement between the parties, and provided that Buyer and the exchange of the Personal Data provided hereunder is subject to GDPR.
In the course of Processing Buyer Personal Data (defined below) in connection with the Underlying agreement, PlenOptika and Buyer agree to comply with this Addendum, each acting reasonably and in good faith.
This Addendum has been drafted taking into account the nature of the Personal Data actually Processed including the state of the art, the costs of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons to whom the Personal Data relates.
The following capitalized terms used in this Addendum shall have the meanings given to them below:
“App” means PlenOptika’s mobile application provided by PlenOptika for use with the Products.
“appropriate technical and organizational measures,” “Commission,” “Controller,” “Data Protection Impact Assessment,” “Data Subject,” “Member State,” “Processor,” “Processing,” “Personal Data,” “Personal Data Breach” and “Supervisory Authority,” have the meaning given to them by GDPR, and their cognate terms shall be construed accordingly.
“Data Protection Laws” means: (a) EU Directive 95/46/EC, together with any national implementing laws in any Member State of the European Union and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; and (b) any equivalent legislation, or legislation dealing with the same subject matter, anywhere in the world; each only as and to the extent as applicable to either party and each as amended, repealed, consolidated or replaced from time to time.
“EEA” means European Economic Area.
“GDPR” means EU General Data Protection Regulation 2016/679.
“Buyer Personal Data” means, only to the extent it is Personal Data under applicable Data Protection Laws, Buyer Data processed by PlenOptika in connection with the Agreement.
“Privacy Shield Principles” means the data protection principles established under the EU-US Privacy Shield Framework, as administered by the US Department of Commerce, accessible at https://www.privacyshield.gov/article?id=Requirements-of-Participation.
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC pursuant to the European Commission Decision of 5 February 2010. A copy of the Standard Contractual Clauses shall be attached hereto upon request.
“Sub-processor” means any Processor (including vendors, subcontractors, hosting service providers) engaged by PlenOptika to Process Buyer Personal Data in accordance with and as permitted by the Agreement.
The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2.1 The Parties hereby acknowledge and agree that, in the event that PlenOptika Processes Buyer Personal Data on behalf of Buyer, PlenOptika shall be a Processor on behalf of Buyer. Buyer is the Controller with respect to Buyer Personal Data.
2.2 Buyer, as a Controller of Buyer Personal Data, (i) shall comply with its obligations as a Controller under the applicable Data Protection Laws, and (ii) has provided notice and obtained (or will obtain) all consents and rights necessary for PlenOptika to process Buyer Personal Data pursuant to the Agreement and this Addendum.
2.3 Buyer instructs PlenOptika (and authorizes PlenOptika to instruct each Sub-processor) to (a) Process Buyer Personal Data, and (b) in particular, to transfer Buyer Personal Data to any country or territory, in each case as reasonably necessary to provide the Products and App and to perform the obligations set forth in the Agreement. Buyer warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 2.3.
Buyer acknowledges that PlenOptika is reliant on Buyer for direction as to the extent to which PlenOptika is entitled to use and process Buyer Personal Data. Consequently, PlenOptika will not be liable for any claim brought by a user or any other third party arising from any action or omission by PlenOptika, to the extent that such action or omission resulted directly from Buyer’s instructions, or from Buyer’s request to process categories of Buyer Personal Data outside of those categories identified below.
This provision includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR, as set forth below:
Subject matter and duration of the Processing of Buyer Personal Data
The subject matter and duration of the Processing of the Buyer Personal Data are set out in the Agreement and this Addendum.
The nature and purpose of the Processing of Buyer Personal Data
The nature and purpose of the Processing of the Buyer Personal Data are set out in the Agreement and this Addendum, and include the provision of the Products, Software, Firmware and App by PlenOptika (and its Subprocessors) pursuant to the Agreement.
The types of Buyer Personal Data to be Processed
The types of Buyer Personal Data to be Processed may include:
· device log file (app and Product)
· GPS coordinates of the mobile phone using the App to the device log file
· time, date, and location of the Product which was paired to the App mobile phone
· the configuration file contains the settings set by the user on the Product
· the information related to the device startup, including: serial number, initialized libraries, opened databases, paths, and initialization messages
· the number and type of mobile phones that have downloaded or uploaded any content, including what content has been uploaded or downloaded (however only mobile device IDs are provided, not any other mobile device owner information)
· The App downloads log file
No other Buyer Personal Data will be provided to PlenOptika without PlenOptika’s express written consent. Specifically, and without limitation, Buyer will not provide any patient names or other personally identifiable information related to any such patients. Buyer is responsible and liable for any breach of the Data Protection Laws resulting from Buyer providing additional Buyer Personal Data without PlenOptika’s express written consent, and any damages for the same.
The categories of Data Subjects to whom the Buyer Personal Data relates
Buyer may submit Buyer Personal Data to the Product and App, the extent of which is determined and controlled by Buyer in its sole discretion, relating to the following categories of data subjects: Buyer’s customers, and users of the Products and App. Buyer will obtain all required consents from Buyer’s customers and users of the Products and App.
The obligations and rights of Buyer
The obligations and rights of Buyer are set out in the Agreement and this Addendum.
Buyer authorises PlenOptika to appoint (and permit each Sub-processor appointed in accordance with this Section 4 to appoint) Sub-processors in accordance with this Section 4 and any restrictions in the Agreement.
PlenOptika may continue to use those Sub-processors already engaged by PlenOptika as at the date of this Addendum.
PlenOptika shall give Buyer prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor, as it relates to Buyer. If, within 10 days of receipt of that notice, Buyer notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment, then PlenOptika shall not appoint (or disclose any Buyer Personal Data to) that proposed Sub-processor until reasonable steps have been taken to address the objections raised by Buyer, and Buyer has been provided with a reasonable written explanation of the steps taken.
With respect to each Sub-processor, PlenOptika shall:
Upon request and at Buyer’s expense, PlenOptika shall provide reasonable assistance to Buyer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Buyer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Buyer Personal Data by, and taking into account the nature of the Processing and information available to PlenOptika.
Upon termination or expiration of the Agreement, PlenOptika shall (i) delete (or, at the election of Buyer pursuant to the paragraph below, return) all Buyer Personal Data in the possession or control of PlenOptika, within one (1) year after the termination or expiration of the Agreement, unless otherwise required by any applicable EU Data Protection Law; and (ii) request that its Sub-processors shall do the same. This requirement shall not apply to Buyer Personal Data that is archived on back-up systems, which PlenOptika shall isolate and protect from any further Processing, except to the extent required by law, and which shall be subject to appropriate confidentiality restrictions.
Subject to the paragraph below in this Section 7, Buyer may in its absolute discretion by written notice to PlenOptika within 180 days of termination or expiration of the Agreement require PlenOptika to (a) return a copy of all Buyer Personal Data to Buyer by secure file transfer in such format as is reasonably agreed upon. PlenOptika shall comply with any such written request within 60 days of the request.
PlenOptika (and its Sub-processors) may retain Buyer Personal Data to the extent required by applicable Data Privacy Laws and any other applicable laws, and only to the extent and for such period as required by such applicable laws and always provided that PlenOptika shall ensure the confidentiality of all such Buyer Personal Data and shall ensure that such Buyer Personal Data is only Processed by PlenOptika as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
Upon Buyer’s written request, PlenOptika shall provide written certification to Buyer that it has complied with this section 7, within 30 days following the first anniversary of the termination date.
Subject to the provisions below, PlenOptika shall make available to Buyer, upon written request, copies of all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Buyer or an independent third party auditor, solely in relation to the Processing of the Buyer Personal Data in accordance with this Addendum.
The foregoing information and audit rights of the Buyer only arise to the extent that the Agreement does not otherwise set forth information and audit rights meeting the relevant requirements of the applicable Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR). Buyer acknowledges that in all cases PlenOptika shall first provide copies of information, and that Buyer may request an on-site audit only (a) in the event of a Buyer Personal Data Breach, (b) if PlenOptika is unable to provide such information, or (c) if required under the applicable Data Protection Laws.
Buyer shall give PlenOptika reasonable notice of any audit or inspection to be conducted hereunder and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to PlenOptika’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. PlenOptika need not give access to its premises for the purposes of such an audit or inspection:
This provision only applies to certain transfers of data outside the European Economic Area that are permitted without breach of the applicable Data Protection Law.
The Standard Contractual Clauses will apply only to Buyer Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR). The Standard Contractual Clauses will not apply to Buyer Personal Data that is not transferred, either directly or via onward transfer, outside the EEA.
Buyer and PlenOptika hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from Buyer to PlenOptika. The Standard Contractual Clauses shall come into effect on the later of either party becoming a party to them or the commencement of the relevant Restricted Transfer.