Data Processing Agreement
Effective: 27 January 2021
This Data Processing Agreement and its Annexes (the “DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Us on behalf of You in connection with the Services under the Full Health Medical Limited Subscription Agreement and Terms and Conditions (see https://www.fullhealthmedical.com/terms-of-services) between You and Us (the “Agreement”).
- This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement. Subject to Clause 11.5 of this DPA, in case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement.
- We may update this DPA from time to time. If you have an active Full Health Medical Limited subscription, we will let you know via email.
AGREED TERMS
- Definitions
- The following definitions and rules of interpretation apply in this DPA.
Appropriate Safeguards means the measures set out in Article 46 of GDPR.
Appropriate Technical and Organisational Measures: the appropriate technical and organisational measures referred to in Data Protection Legislation (including, as appropriate, the measures referred to in Article 32(1) of the GDPR).
Authorised Person: the personnel authorised on Your behalf to provide instructions to Us in relation to the Processing.
Business Day: a day other than a Saturday, Sunday or public holiday in Ireland when banks are open for business.
Business Purpose: the provision of the Services.
Data: any data or information, in whatever form, including but not limited to images, still and moving, and sound recordings.
Data Controller: has the meaning given to such term in Data Protection Legislation.
Data Processor: has the meaning given to such term in Data Protection Legislation.
Data Protection Legislation: means the Data Protection Acts 1988 to 2018, General Data Protection Regulation (EU) 2016/679, and any other applicable law or regulation relating to the Processing of Personal Data and to privacy (including the E-Privacy Directive 2002/58/EC and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“E-Privacy Regulations”)), as such legislation shall be supplemented, amended, revised or replaced from time to time.
Data Protection Officer: a data protection officer appointed pursuant to Data Protection Legislation.
Data Subject: an individual who is the subject of Personal Data (including any User).
Delete: to remove or obliterate Personal Data such that it cannot be recovered or reconstructed.
DPC: Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.
EEA: European Economic Area.
Normal Business Hours: 9.00am to 5.00pm in Ireland.
Our System: any information technology system or systems owned or operated by Us to which Your Data is delivered or on which the Services are performed.
Personal Data: has the meaning set out in Data Protection Legislation and relates only to personal data, or any part of such personal data, in respect of which You are the Data Controller, and in respect of which We are the Data Processor.
Personal Data Breach: means any “personal data breach” as defined in the GDPR in respect of the Personal Data which is caused by Us.
Processed Data: any of Your Data that has been Processed by Us.
Processing: has the meaning given to such term in Data Protection Legislation, and Processed and Process shall be interpreted accordingly.
Representatives: a Party’s employees, officers, representatives, advisers or subcontractors involved in the provision or receipt of the Services.
Restricted Transfer: any transfer of Personal Data to countries outside of the EEA which are not subject to an adequacy decision by the European Commission, where such transfer would be prohibited by Data Protection Legislation.
Security Features: any security feature, including any encryption, pseudonymisation, key, PIN, password, token or smartcard.
Services: has the meaning given to that term in Recital (A).
Specific Instructions: instructions meeting the criteria set out in Clause 2.1 of this DPA.
Standard Contractual Clauses: the contractual clauses dealing with the transfer of Personal Data outside the EEA, which have been approved by (i) the European Commission under Data Protection Legislation, or (ii) by the DPC or an equivalent competent authority under Data Protection Legislation as may be revised, updated or replaced from time to time.
Subscription Agreement: the agreement between Us and You in respect of the provision of the Services.
Sub-processor: has the meaning given to such term in Clause 12.1 of this DPA.
Term: the duration of the provision of the Services.
Terms and Conditions: Our terms and conditions in respect of the Services.
Your Data: the Personal Data provided by You to Us (or to which We have access) from time to time in respect of the Services, and any other Personal Data Processed by Us on behalf of You or any User.
User: any individual person who is an employee, contractor, supplier, customer etc. of You.
- Services
- We shall not act on any specific instructions given by You from time to time during the Term in respect of Processing unless they are:
- in writing (including by electronic means); and
- given by an Authorised Person.
- We shall Process Your Data for the Business Purpose only and in compliance with Your instructions from time to time, which may be:
- Specific Instructions; or
- the general instructions set out in this DPA or the Agreement referred to in Recital (A) unless required to do otherwise by law, in which case, where legally permitted, We shall inform You of such legal requirement before Processing.
- The types of Personal Data to be Processed pursuant to this DPA shall include (but shall not be limited to) Personal Data provided by You in respect of Users and for the purposes of Us providing the Services, which may include details such as User Name, Address, Date of Birth, Gender, E-mail Address, Mobile Phone Number, Job Title, medical information and health data/special category data; and the categories of Data Subject to whom such Personal Data relates shall include company employees, officers and directors.
- Parties' obligations
- We shall:
- only make copies of Your Data to the extent reasonably necessary for the Business Purpose; and
- not extract, reverse-engineer, re-utilise, use, exploit, redistribute, re-disseminate, copy or store Your Data other than for the Business Purpose.
- We shall notify You in writing without delay of any situation or envisaged development that shall in any way change the ability of Us to Process Your Data as set out in this DPA.
- In general, Your Data and any logs created by Us relating to Your Data will be kept and stored for 6 years, after which point it will then be automatically deleted by Us. Notwithstanding this, We shall, at Your cost and taking into account the nature of Our Processing of Personal Data, promptly comply with any written request from You requiring Us to amend, transfer or Delete any of Your Data in advance of the expiration of this period.
- At Your request and cost, We shall provide to You a copy of all Your Data held by Us in a commonly used format.
- At Your request and cost, taking into account the nature of Our Processing of the Personal Data and the information available, We shall provide to You such information and such assistance as You may reasonably require, and within the timescales reasonably specified by You, to allow You to comply with Your obligations under Data Protection Legislation, including but not limited to assisting You to:
- comply with Your own security obligations with respect to the Personal Data;
- discharge Your obligations to respond to requests for exercising Data Subjects’ rights with respect to the Personal Data;
- comply with Your obligations to inform Data Subjects about serious Personal Data Breaches;
- carry out data protection impact assessments and audit data protection impact assessment compliance with respect to the Personal Data; and
- consult with the DPC following a data protection impact assessment, where a data protection impact assessment indicates that the Processing of the Personal Data would result in a high risk to Data Subjects.
- Any proposal by Us to in any way use or make available Your Data other than as provided for pursuant to this DPA shall be subject to prior written approval of You.
- You acknowledge that We are under no duty to investigate the completeness, accuracy or sufficiency of (i) any instructions received from You, or (ii) any of Your Data.
- You shall:
- ensure that You are entitled to transfer Your Data to Us so that We may lawfully process and transfer (if applicable) Your Data in accordance with this DPA;
- ensure that the relevant Data Subjects have been informed of, and have given their consent (when necessary) to, such use, processing, and transfer as required by Data Protection Legislation;
- notify Us in writing without delay of any situation or envisaged development that shall in any way influence, change or limit the ability of Us to process Your Data as set out in this DPA;
- ensure that Your Data which You instruct Us to Process pursuant to this DPA is:
- obtained lawfully, fairly and in a transparent manner in relation to the Data Subject (including in respect of how consent is obtained);
- collected and processed for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- accurate, and where necessary kept up to date;
- erased or rectified without delay where it is inaccurate, having regard to the purposes for which they are processed;
- kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed (subject to circumstances where Personal Data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and subject to the implementation of Appropriate Technical and Organisational Measures);
- processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using Appropriate Technical and Organisational Measures; and
- provide such information and such assistance to Us as We may reasonably require, and within the timescales reasonably specified by Us, to allow Us to comply with Our obligations under Data Protection Legislation.
- Your Data passed to Us for Processing shall not be kept by You for a period that is longer than necessary.
- Our employees
- We shall take reasonable steps to ensure the reliability of all Our employees who have access to Your Data, and to ensure that such employees have committed themselves to a binding duty of confidentiality in respect of Your Data.
- Records
- We shall keep at Our normal place of business records (including in electronic form) relating to all categories of Processing activities carried out on behalf of You, containing:
- the general description of the security measures taken in respect of the Personal Data, including details of any Security Features and the Appropriate Technical and Organisational Measures;
- the name and contact details of Us; any sub-supplier; and where applicable Our representatives; and where applicable any Data Protection Officer appointed by Us;
- the categories of Processing by Us on behalf of You;
- the time limits for erasure of the Personal Data; and
- details of any non-EEA Personal Data transfers, and the safeguards in place in respect of such transfers.
- Audits
- Subject to Clauses 6.2, 6.3 and 6.5, and to the extent required by Data Protection Legislation, You shall have the right to examine and review the use by Us of Your Data provided to Us by You only for the purpose of ascertaining that Your Data has been used and Processed in accordance with the terms of this DPA.
- An audit under this Clause 6 shall be carried out on the following basis: (i) You must first contact Us by email asking for evidence of compliance with Our obligations under this DPA, and We shall respond to such email within 30 Business Days; (ii) if We have not responded to Your email with a response which is reasonably satisfactory to You within such 30 Business Day period then, no more than once in any twelve (12) month period and during Normal Business Hours during the course of one Business Day, You may audit Our Processing of Your Personal Data at a location agreed by Us. You shall bear the reasonable expenses incurred by Us in respect of any such audit and any such audit shall not interfere with the normal and efficient operation of Our business. We may require, as a condition of granting such access, that You (and representatives of You) enter into reasonable confidentiality undertakings with Us.
- The scope of any examination and review by You of the use by Us of the Personal Data shall be agreed in writing prior to the commencement of any such examination and review.
- In the event that the audit process determines that We are materially non-compliant with Our obligations under this DPA, You may, by notice in writing, deny further access to Your Data.
- To the extent permitted under Data Protection Legislation, We may demonstrate Our and, if applicable Our Sub-processors’, compliance with Our obligations under this DPA through Our compliance with a certification scheme or code of conduct approved under Data Protection Legislation.
- Data Subject Requests
- Taking into account the nature of Our Processing of the Personal Data and at Your cost, We shall assist You by employing Appropriate Technical and Organisational Measures, insofar as this is possible, in respect of the fulfilment of Your obligations to respond to requests from a Data Subject exercising his/her rights under Data Protection Legislation.
- We shall, at Your cost, notify You as soon as reasonably practicable if We receive:
- a request from a Data Subject for access to that person’s Personal Data (relating to the Services);
- any communication from a Data Subject (relating to the Services) seeking to exercise rights conferred on the Data Subject by Data Protection Legislation in respect of Personal Data; or
- any complaint or any claim for compensation arising from or relating to the Processing of such Personal Data.
- We shall not disclose the Personal Data to any Data Subject or to a third party other than at the request of You, as provided for in this DPA, or as required by law in which case We shall to the extent permitted by law inform You of that legal requirement before We disclose the Personal Data to any Data Subject or third party.
- We shall not respond to any request from a Data Subject except on the documented instructions of You or an Authorised Person or as required by law, in which case We shall, to the extent permitted by law, inform You of that legal requirement before We respond to the request.
- Data Protection Officer
- We shall appoint a Data Protection Officer, if required to do so pursuant to Data Protection Legislation, and provide You with the contact details of such Data Protection Officer.
- You shall appoint a Data Protection Officer, if required to do so pursuant to Data Protection Legislation, and provide Us with the contact details of such Data Protection Officer.
- Security
- We shall, in accordance with Our requirements under Data Protection Legislation, implement Appropriate Technical and Organisational Measures to safeguard Your Data from unauthorised or unlawful Processing or accidental loss, alteration, disclosure, destruction or damage, and, having regard to the state of technological development and the cost of implementing any measures (and the nature, scope, context and purposes of Processing, as well as the risk to Data Subjects), such measures shall be proportionate and reasonable to ensure a level of security appropriate to the harm that might result from unauthorised or unlawful Processing or accidental loss, alteration, disclosure, destruction or damage and to the nature of the Personal Data to be protected.
- We shall ensure that Your Data provided by You can only be accessed by persons and systems that are authorised by Us and necessary to meet the Business Purpose, and that all equipment used by Us for the Processing of Your Data shall be maintained by Us in a physically secure environment.
- You shall make a back-up copy of Your Data as often as is reasonably necessary and record the copy on media from which Your Data can be reloaded in the event of any corruption or loss of Your Data.
- Breach reporting
- We shall promptly inform You if any of Your Data is lost or destroyed or becomes damaged, corrupted, or unusable, or if there is any accidental, unauthorised or unlawful disclosure of or access to any of Your Data. In such case, We will use Our reasonable endeavours to restore Your Data at Your expense (save where the incident was caused by Our negligent act or omission, in which case it will be at Our expense), and will comply with all of Our obligations under Data Protection Legislation in this regard.
- We must inform You of any Personal Data Breaches, or any complaint, notice or communication in relation to a Personal Data Breach, without undue delay. Taking into account the nature of Our Processing of the Personal Data and the information available to Us and at Your cost, We will provide sufficient information and assist You in ensuring compliance with Your obligations in relation to notification of Personal Data Breaches (including the obligation to notify Personal Data Breaches to the DPC within seventy two (72) hours), and communication of Personal Data Breaches to Data Subjects where the breach is likely to result in a high risk to the rights of such Data Subjects. Taking into account the nature of Our Processing of the Personal Data and the information available to Us and at Your cost, We shall co-operate with You and take such reasonable commercial steps as are directed by You to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- Restricted transfer
- A Restricted Transfer may not be made by Us (other than transfers to Our Affiliates and to any agents and sub-contractors for the purposes of performing the Services) without the prior written consent of You, and if such consent has been obtained, such Restricted Transfer may only be made where there are Appropriate Safeguards in place with regard to the rights of Data Subjects (including but not limited to the Standard Contractual Clauses, binding corporate rules, or any other model clauses or transfer mechanism approved by the DPC).
- Subject to Clause 11(i), in the event of any Restricted Transfer by Us to a contracted Sub-processor, to any affiliate of You or otherwise for which consent has been obtained, We and You shall procure that (i) You (where the Restricted Transfer is being made at the request of You) or Us acting as agent for and on behalf of You (where the Restricted Transfer is being made at the request of the Supplier), and (ii) the Data Importer, shall enter into the Standard Contractual Clauses in respect of such Restricted Transfer. The Party who is entering into the Standard Contractual Clauses with a Data Importer shall comply with the guidance of any relevant regulatory authority on Restricted Transfers in particular with respect to the use of Standard Contractual Clauses and any additional measures required to be taken in the context of any such Restricted Transfers.
- Subject to Clause 11(iv), any Restricted Transfer made by one Party (“Data Exporter”) to the other Party (“Data Importer”) shall be made subject to the provisions set out in the Standard Contractual Clauses, and such Standard Contractual Clauses (except for any optional provisions contained in same, which shall not apply) are hereby specifically incorporated into this DPA by reference for such purpose. The terms “Data Importer” and “Data Exporter” shall have the meanings as set forth in the Standard Contractual Clauses.
- Clauses 11(i), 11(ii) or 11(iii) shall not apply to a Restricted Transfer if other compliance steps (which may include, but shall not be limited to, obtaining explicit consents from Data Subjects) have been taken to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Legislation.
- In the event that there is any conflict between the Standard Contractual Clauses and the other provisions of this DPA, such Standard Contractual Clauses shall take precedence in respect of such conflict (other than in respect of legislative references etc. which have been updated pursuant to Data Protection Legislation since the date of approval of such Standard Contractual Clauses.)
- Sub-processors
- You agree and acknowledge that We are generally authorised to have Your Data Processed by any of Our Affiliates and by any agents and contractors for the purpose of providing the Services (a “Sub-processor”). We will maintain a list of Sub-processors used by Us, which will be available to You on request by You, and which will contain details of current appointed Sub-processors and any intended changes concerning the addition or replacement of other Sub-Processors. If You object to such sub-processing arrangements, then You should confirm this to Us and, if You do so confirm, You acknowledge that You may no longer be able to avail of some or all of the Services.
- We must enter into a data processing contract with the Sub-processor which places the same data protection obligations on the Sub-processor as We have in this DPA (in particular, providing sufficient guarantees to implement Appropriate Technical and Organisational Measures in such a manner that the Processing will meet the requirements of Data Protection Legislation).
- With respect to each Sub-processor, We shall, before the Sub-processor first Processes Your Data, ensure that the Sub-processor is capable of providing the level of protection for Your Data required by this DPA.
- We will remain fully liable to You in respect of any failure by the Sub-processor to fulfil its data protection obligations in this regard.
- Warranties and Undertakings
- We warrant and undertake to You that:
- We will Process Your Data in compliance with our obligations under Data Protection Legislation;
- We will maintain Appropriate Technical and Organisational Measures against the unauthorised or unlawful Processing of Your Data and against the accidental loss or destruction of, or damage to, Your Data; and
- We will discharge Our obligations under this DPA with all due skill, care and diligence.
- You hereby warrant and undertake that:
- You have complied with and shall comply with Your obligations under Data Protection Legislation;
- You have the right to transfer (or to authorise Users to transfer) Your Data to Us in accordance with the terms of this DPA;
- Your instructions that are set out in this DPA accurately reflect the instructions of the Data Controller to the extent that We are a Data Processor on behalf of the Data Controller;
- You shall, and shall cause, appropriate notices to be provided to, and valid consents to be obtained from (when necessary), Data Subjects, in each case that are necessary for Us to Process (and have Processed by Sub-processors) Personal Data under or in connection with this DPA, including Processing outside the EEA on the basis of any of the legal conditions for such transfer and Processing set out in Clause 11 above;
- You shall not, by act or omission, cause Us to violate any Data Protection Legislation, notices provided to, or consents obtained from, Data Subjects as a result of Our or Our Sub-processors Processing the Personal Data; and
- notwithstanding anything contained in this DPA, You shall pay in immediately available funds Our costs incurred or likely to be incurred, at Our option in advance under this DPA (where matters are to be at Your cost).
- Indemnity
- You (the “Indemnifying Party”) agree to indemnify and keep indemnified and defend at Your own expense Us (the “Indemnified Party”) against all costs, claims, damages or expenses incurred by the Indemnified Party or for which the Indemnified Party may become liable due to any failure by the Indemnifying Party or its employees or agents to comply with any of its obligations under this DPA or any breach of warranty in this DPA, and/or under Data Protection Legislation.
- Limitation of liability
- Unless required to do so by the DPC or any other competent supervisory authority, We shall not make any payment or any offer of payment to any Data Subject in response to any complaint or any claim for compensation arising from or relating to the Processing of Your Data, without the prior written agreement of You.
- You acknowledge and agree that We are reliant on You for direction as to the extent to which We are entitled to use and process Your Data. Consequently, We will not be liable for any claim brought by a Data Subject arising from any action or omission by Us, to the extent that such action or omission resulted directly from Your instructions and/or the transactions contemplated by this Section.
- Consequences of termination on Your Data
- Upon termination or expiry of this DPA, at the choice of You, We shall Delete or return all Your Data to You and Delete existing copies of Your Data, unless legally required/entitled to store Your Data for a period of time. If You make no such election within a ten (10) day period of termination or expiry of this DPA, We may Delete any of Your Data in our possession; and if You elect for destruction rather than return of Your Data, We shall as soon as reasonably practicable ensure that all Your Data is Deleted from Our System, unless legally required/entitled to store Your Data for a period of time.
- Governing Law and Jurisdiction
- This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of Ireland, and the courts of Ireland shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).
- Counterparts
- This DPA may be executed in any number of counterparts, and by different parties on separate counterparts, each of which, when executed and delivered, will constitute a duplicate original of this DPA, but all of which together will constitute one and the same instrument. Each party agrees that it and each other party may execute this DPA by way of e-signature, and agrees that execution in such manner will be valid and binding on each of the parties hereto. No party executing this DPA by way of e-signature shall seek to avoid its responsibilities under this DPA based on the fact that it signed this DPA using an e-signature as opposed to a hand-written signature on paper. Transmission of an executed counterpart of this DPA (or of the executed signature page of a counterpart of this DPA) by email (in PDF, JPEG or other agreed format) or any electronic document signing platform (including, but not limited to, DocuSign) shall take effect as delivery of an executed counterpart of this DPA. If either method of delivery is adopted, without prejudice to the validity of this DPA thus made, each party shall provide the others with the original of such counterpart as soon as reasonably possible thereafter.
Annex 1 - List of Sub-Processors
| Third Party Sub-Processor | Purpose | Applicable Service | Location |
| --- | --- | --- | --- |
| Amazon Web Services | Hosting & Infrastructure | Used as an on-demand cloud computing platform and APIs | Ireland |
| Twilio | SMS and Two Factor Authentication Functionality (2FA) | Used as a service which enables SMS and 2FA in Full Health | *United States |
| HubSpot | Providing support and customer relationship management to our customers | Used as a service for customer relationship management and providing support | Ireland and Germany |
| Global Payments | Provide a secure payments infrastructure | Used as a service to support online payments on behalf of our customers | *Multi region |
| Stripe | Provide a secure payments infrastructure | Used as a service to support online payments on behalf of our customers | Ireland |
| New Relic | Monitors application performance | Used as part of our quality assurance | EU |

\* You may choose not to use the functionality provided by our Sub-Processors marked with an asterisk above.