Digitsole Pro (B2B)
Data Processing Agreement
Smart insoles (B2C)
AGREEMENT ON THE PROCESSING AND CERTIFIED HOSTING OF DATA FOR THE PODOSMART SERVICE
This Agreement applies only in the context of offering PodoSmart or Digitsole Pro solution products and services.
The signatory of the Agreement is requested to keep this contract with its documentation to establish its compliance with the regulations governing the processing of personal data (GDPR).
The data processing agreement (hereinafter referred to with the words “Agreement” or “Annex”) has the value of a Contract between the Parties. It is approved on the date of its acceptance by electronic means, in order to form an integral part of the Conditions of use of the service of the offer of products and services of PodoSmart or Digitsole Pro solution in their latest version (hereinafter referred to as the “Main contract”).
(Hereinafter referred to as the “Data Controller”, signatory of the Main Contract)
DIGITSOLE SAS ,
A French company whose registered office is located at 13, rue Héré - Place Stanislas, 54000 NANCY, FRANCE (hereinafter defined as a “Sub-processor”, supplier of the PodoSmart or Digitsole Pro solution product and service offer,
Hereinafter referred to as the “Sub-processor”.
Together referred to as the “Parties”
Article 1 – Purpose
The purpose of this Agreement is to define the conditions under which the Sub-processor undertakes to carry out, on behalf of the Data Controller, the data processing operations specified below as part of the PodoSmart or Digitsole Pro solution product and service offering.
In application of their contractual relationship, the Parties undertake to comply with the applicable laws on the protection of personal data and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data (hereinafter referred to as the “GDPR”).
This Agreement also provides the Data Controller, the Healthcare Professional and the data subjects of the data processing with the guarantees of the application of the French regulations on the certified hosting of healthcare data (HDS; Law no. 2002 -303 of 4 March 2002, Articles L1111-8 and R. 1111-11 of the Public Health Code)
Article 2 - Definitions
In this Agreement, the following terms shall have the meanings specified below and all formulations of the Agreement shall incorporate their meanings.
The following terms have the meaning of the definitions of the GDPR:
“Processing”, “Data Controller”, “Sub-processor”, “Data Subject”, “Personal Data”, “Healthcare Data” “Processing Activities”, “Data Breach”, “Recipient”, “Third Party”, “Consent”.
The following terms have the specific meaning of their application in this Agreement:
“Main Contract” means the service agreement for the use of the PodoSmart or Digitsole Pro solution and services
“Third party” means any stakeholder other than the Sub-processor, the Data Controller and the Healthcare Professional, the Natural Person concerned or the Distributor.
“Patients” means the physical Data subjects using the PodoSmart or Digitsole Pro solution product and service offer who are in contact with a healthcare professional.
“Healthcare Professional” means a healthcare professional considered by the Data Controller to be competent and authorised to use the products and services of the PodoSmart or Digitsole Pro solution.
“Distributor” means any stakeholder other than a Third Party authorised by Digitsole to market the Products, directly solicited by the Data Controller or the Healthcare Professional to subscribe to an offer to use the Services and benefit from personalised support from the Distributor during its use.
“EU” means the European Union.
“EEA” means the for European Economic Area.
“HDS” means the certified hosting service for Healthcare Data (French legislation on the hosting of healthcare data on digital media; Law no. 2002-303 of 4 March 2002, Articles L1111-8 and R. 1111-11 of the Public Health Code) provided by the Sub-processor to the Data Controller and to the Healthcare Professional for the storage and processing of data collected or produced on the occasion of prevention, diagnostic and treatment activities with a view to their filing in the Sub-processor’s systems during the use of the PodoSmart or Digitsole Pro solution product and service offer. The HDS host may not use the data for other purposes and may not transmit them to persons other than the recipients designated in this Agreement.
“Products” : Insoles and/or accessories from PodoSmart® or Digitsole Pro.
“Services” : all the services linked to the PodoSmart® or Digitsole Pro product
“Account” : A user account consists of a user name, a password and all information relating to the user that enables the use of the Services
“Third country” any country located outside the EU/EEA that does not have a regulation equivalent to the GDPR, with the exception of countries subject to an adequacy decision of the European Commission for the transfer of personal data to third countries.
General security policy for health information systems, defined by the French authorities.
Article 3 – Entry into force and duration of the agreement
This agreement comes into effect as of its electronic approval and its signature (hereinafter referred to as the “Effective date of the Agreement”) as long as the Product will be used under a valid Main Contract for an offer of PodoSmart or Digitsole Pro solution products and services.
Article 4 – Processing resulting from the Agreement
The processing of personal data carried out by the Sub-processor is implemented in order to provide the healthcare professional with Biomechanical information related to the use of the Products and Services by the Data subjects, in particular their market profile.
Article 5 – Description of processing
The Data Controller has instructed the Sub-processor to provide it with a data processing to achieve the following purposes and to carry out only the processing necessary in this context:
i. Management of data produced as part of the use of the PodoSmart or Digitsole Pro solution product and service offering, involving the Data Controller, a Healthcare Professional and a Patient;
ii. Management of Biomechanical parameters related to Patient mobility;
iii. Management of medical data (pathology) declared by the Patient in connection with their mobility.
Nature of the actions carried out using the data in order to achieve the purposes (i), (ii) and (iii):
· Collection, recording, modification, updating and deletion of all information related to the use of the Services and the management of the customer relationship;
· Collection, recording, modification, updating and deletion of information by the Healthcare Professional when using the Services;
· Provision of an interface for viewing the profile of Patients by persons authorised by the Data Controller;
· Provision of an import device within the Services of structured data provided by the Healthcare Professional or the Data Controller ;
· Anonymous use of Biomechanical data for statistical use and improvement of the PodoSmart or Digitsole Pro solution;
. Provision of the Distributor with minimised data in order to provide the Data Controller or the Healthcare Professional with personalised support when using the Products.
· Protection of the confidentiality and integrity of data and the availability of the service and the accounts, as well as the associated information in application of the GDPR regulations and those related to HDS hosting.
The categories of data subjects affected by the processing are as follows: Patients, Healthcare professionals, Data controller.
To provide the Services mentioned above in points (i), (ii) and (iii) on behalf of the Data Controller, the Sub-processor is authorised to process the following necessary information provided to it by the Data Controller, the Healthcare Professional and/or the Data subject of the processing:
Personal data of patient : surname, first name, , title, gender, date of birth, weight, height, title, email, address, telephone number (mobile, residential, professional), identifier assigned by the Data Controller or Healthcare Professional;
Identification data from official services : for example, a national identification number
Care data : pathology, Biomechanical measurements and parameters collected as results of the use of the Products and Services;
Identification data of the practitioner : name, first name, nature of the activity, professional title, address, professional phone number, professional email;
Electronic data : IP addresses, and connection data, connection cookies (cookies, etc.), electronic signature;
Article 6 - Obligations of the Data Controller
Under this Agreement, the Data Controller has contractual control over the processing carried out by the Sub-processor resulting from the provisions of Article 28.3 of the General Data Protection Regulation and must first of all in this respect:
· Provide the Sub-processor with the data mentioned in this document as well as all those that would be necessary for the implementation of the Services; the data must have been obtained in accordance with any applicable legislation;
· Provide the Sub-processor with all documented instructions relating to the processing operations to be carried out by the Sub-processor;
· Provide the Sub-processor with the data required to enable the implementation of the Agreement;
· Keep the register of processing activities required by the GDPR;
· Implement, in its activity, all organisational and technical measures, in particular in terms of security, to ensure the level of protection required by the GDPR when using the Services provided by the Sub-processor;
· Ensure, prior to and throughout the use of the services, its compliance with the requirements of the GDPR;
· Respect the rights of people subject to processing;
. Designate a health professional to guarantee the confidentiality of health data, the protection of the privacy of the Data subjects and the implementation of their rights;
· Report any security incident or data breach to the Sub-processor;
· Supervise the processing operations including, where applicable, the conduct of audits and inspections with the Sub-processor;
· Keep the Account contact details up to date;
· Take all appropriate protection measures to prevent unauthorised access to the account, data and services;
· Comply with the GDPR obligations in terms of information and obtaining consent from individuals.
The Data Controller is supposed to verify the compliance of its activity with all the regulations relating to the protection of personal data, as well as with regard to the contractual provisions binding it to the Sub-processor or to any third party.
Article 7 - Obligations of the Sub-processor
Under this Agreement, the Sub-processor undertakes, with regard to the Data Controller, to comply with the regulations applicable to data processing, in particular with regard to Article 28 of the GDPR, and the regulations on certified hosting of healthcare data:
7.1 Adaptation to applicable regulations
The Sub-processor undertakes to comply with all the provisions of the GDPR applicable to its activity, as well as any other applicable data protection regulations.
In particular, the processor undertakes to:
· Process the data only for the sole purpose(s) that is/are the subject of the subcontracting;
· Process the data in accordance with the documented instructions of the controller. If the processor considers that an instruction constitutes a breach of the European Data Protection Regulation or any other provision of Union or Member State law relating to data protection, it shall immediately inform the controller.
· Guarantee the confidentiality of personal data processed under this contract
· Ensure that persons authorized to process personal data under this contract:
o Undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality
o Receive the necessary training in personal data protection
· Take into account, with respect to its tools, products, applications or services, the principles of data protection by design and data protection by default
7.2 Obtaining regulatory authorisations and certifications
The Sub-processor undertakes to obtain the regulatory authorisations and certifications that would be necessary for the exercise of its activity in the countries where the Products and Services are provided. The Sub-processor has completed a certification process with the French State allowing healthcare professionals or healthcare establishments or the Data subject to submit personal healthcare data collected or produced during the prevention, diagnostic or treatment activities with people approved for this purpose.
The Sub-processor has obtained certification allowing it to exercise the activity of a certified healthcare data host under the Public Health Code (Law no. 2002-303 of 4 March 2002, Articles L1111-8 and R. 1111-11 of the French Public Health Code as part of the scope of certification for hosting and processing personal health data, collected through services entitled PodoSmart or Digitsole Pro, for the following activities:
3. provision and maintenance in operational condition of the information system application hosting platform;
4. the provision and maintenance in operational condition of the virtual infrastructure of the information system used for processing healthcare data;
5. the administration and operation of the information system containing healthcare data;
6. the backup of healthcare data.
The Sub-processor, in this context as an HDS certified host, is prohibited from using the hosted healthcare data for purposes other than the performance of the healthcare data host activity.
The certificate of conformity obtained by the Sub-processor, as well as its issuance and renewal dates, is accessible in the Compliance Centre:
On its first request, the Sub-processor would communicate the HDS audit reports created by the certifier using our online form:
7.3 Location of the activity, and hosting sites
The Sub-processor undertakes to transparently inform the Data Controller of the location of its activity and the places where the processing and data are hosted.
The location of the Sub-processor’s establishment is in France. Data processing is located within the EU. In the event of a change, the Sub-processor undertakes to ensure compliance. In the event of recourse to a subsequent Sub-processor in the course of its activity, the Sub-processor shall ensure compliance with the compliance commitments resulting from this Agreement. The Data Controller shall be informed as soon as possible of any possible change in this area.
7.4 Documented instructions
The Sub-processor undertakes to process only data falling within the scope of the documented instructions of the Data Controller.
The Sub-processor shall inform the Data Controller as soon as possible if it appears that an instruction communicated to it by the Data Controller constitutes a violation of the European Data Protection Regulation (GDPR) or of legislation applicable to the processing.
7.5 Record of processing activities
The Sub-processor undertakes to implement data processing in a documented manner in accordance with the requirements of the GDPR and any applicable regulations, in particular to the activity of certified hosting of healthcare data.
Under Article 30 of the GDPR, the Sub-processor shall maintain a register of all categories of processing, including:
· The contact details of the Data Controller, as well as that of any possible Sub-processor, if applicable, and those of the Data Protection Officer (DPO);
· The description of the processing activities, in particular including the description of the services provided under any regulatory authorisation or certification obtained in terms of hosting healthcare data;
· In the event of data transfer outside the EU, to a third country or an international organisation, the Sub-processor shall ensure the identification of the recipient by specifying the appropriate guarantees adopted to meet the requirements of the GDPR;
The register shall include a general description of the organisational and technical and security measures, including the following in particular, depending on the operational reality and any regulatory authorisation or certification obtained by the Sub-processor:
O The conditions for implementing data protection measures, in particular in the event of use of pseudonymisation or data encryption process;
O The measures to ensure that the confidentiality, integrity and availability of data, as well as the resilience of the Services, are maintained;
O The measures related to the ability to resume activity and restore access to data in the event of an incident;
O The processes of regular testing and evaluation of the effectiveness of the measures adopted, taking into account in particular the auditability requirements of the hosted data with regard to the certification of a healthcare data host.
7.6 Cooperation, audits
The Sub-processor shall assist the Data Controller in fulfilling the obligations resulting from Articles 32 to 36 of the GDPR applicable to security (adoption of measures, notification of data breaches,). The Sub-processor shall provide the Data Controller with the information in its possession to facilitate the performance of a data protection impact assessment, as well as with regard to the prior consultation of the competent data protection authority.
The Sub-processor shall provide the Data Controller with all the information needed to enable it to demonstrate its compliance with the obligations resulting from this Agreement and to facilitate any audit in particular in connection with the regulations applicable to the activity of a certified healthcare data host.
7.7 Technical and organisational, quality and performance measures of the Service
The Sub-processor undertakes to take into account, for the tools, Products, and Services, the principles of data protection from the design stage and by default by adopting technical and organisational measures.
The Sub-processor shall implement organisational and technical measures intended to ensure a level of data security and processing appropriate to the risks identified, as well as to guarantee the level of service announced.
The security measures are based in particular on the implementation of the following actions based on the risk analysis and the need to adopt protective measures:
O Data pseudonymisation or data encryption measures;
O Measures to ensure the existence and maintenance of data confidentiality, integrity and availability, as well as the resilience of information systems and services;
O Measures related to the ability to resume activity and restore access to data as soon as possible in the event of an incident that could give rise to such issues;
O Process of regular testing, evaluation and audit of the effectiveness of the measures adopted;
O Measures to protect data against the risk of loss, destruction or accidental or unlawful access, alteration or disclosure or unauthorised access.
The security organisation measures adopted by the Sub-processor must be based in particular on the requirements applying to the Data Controller aimed at ensuring compliance with the security organisation and best practices related to its General Policy on the Security of Health Information Systems.
By approving this Agreement, the Data Controller established in France is informed that it is required to implement a Health Information System that complies with the PGSSI-S and to undertake to respect the enforceable standards of this policy adopted by the French authorities in the field of healthcare data processing in France.
The Sub-processor undertakes to adopt a level of service that makes it possible in particular to meet the requirements of the certification obtained for data hosting.
The guaranteed level of service is as follows: 99 %.
Quality and performance indicators shall be adopted by the Sub-processor in order to allow verification of the service level of service, i.e. the guaranteed level, as well as the frequency of their measurement.
The link below, at the Compliance Centre, provides updated documentation of the organisational and technical measures envisaged for the Sub-processor:
7.8 Data protection officer (DPO), contractual reference
The Sub-processor undertakes to allow all organisational, technical and legal issues related to the implementation of the agreement to be taken into account as soon as possible, based on the designation of a contractual reference and a data protection officer.
The participation of these two internal functions with the Data Controller on the one hand and with the Sub-processor on the other hand, must make it possible to guarantee the application of the requirements of the GDPR and those resulting from the certification obtained in terms of healthcare data hosting.
The contractual reference person at the Data Controller may be contacted for all questions related to the execution of the agreement and primarily for the handling of incidents that have an impact on the healthcare data host.
The Data Controller, a client of the host, undertakes to designate a healthcare professional to be contacted for the handling of incidents that have an impact on the healthcare data host. Under this Agreement, the Data Controller signing the Agreement undertakes to take on the role of contractual reference person. If it is impossible to exercise this role, the Data Controller shall ensure that they are replaced by a person with the same authority.
The Data Protection Officer (DPO) may be contacted for any question relating to the application of European data protection regulations as well as for other relevant legislation. The DPO has extensive prerogatives with regard to the provisions of Articles 37 to 39 of the GDPR. The DPO, within the framework of their function and their tasks, shall support the Data Controller in order to facilitate the provision of information from the Sub-processor allowing the data controllers to carry out audits or answer any questions related to the application of the provisions on the protection of personal data or in connection with the standards applicable to data processing in the field of healthcare.
- Contractual reference person
7.9 Use of sub-processors and subsequent technical service providers
The Sub-processor, as the main subcontractor under the GDPR, undertakes to provide for the participation of subsequent subcontractors or technical service providers only in compliance with the provisions of the GDPR and those applicable to the certification of the healthcare data host activity. This must make it possible to maintain, in all circumstances and depending on the parties involved, a level of guarantees equivalent to that which applies to the Sub-processor. Sub-processors are prohibited from transferring data to a third country, unless it is established that this transmission is carried out under the conditions required by the GDPR.
The Data Controller authorises the Sub-processor to use subsequent sub-processors whose participation is necessary for the implementation of the Services. The Data Controller shall be kept informed of any plan to use a subsequent sub-processor in order to allow the Data Controller to make any observations or objections within 14 days from the date on which this information has been learned. The list of sub-processors involved shall be accessible in the Compliance Centre.
The link below, within the Compliance Centre, provides a list of Sub-processors, as well as the guarantees provided in terms of data transfer outside the EU:
7.10 Confidentiality, professional secrecy, access to personal health data
The Sub-processor undertakes to limit access to processing and personal data to strictly authorised persons only, as well as in application of the principle of minimisation of the GDPR.
In accordance with the regulations on the certified hosting of personal healthcare data, the Sub-processor and the persons placed under its authority who have access to the data shall be bound by professional secrecy. Only the data subjects of the processing and the healthcare professionals who care for them and who are therefore appointed may have access to the healthcare data host, in compliance with the provisions of the regulations applicable to secrecy and the protection of privacy.
The persons authorised by the Sub-processor are subject to a specific confidentiality commitment, unless they are exempted from such an obligation.
The Sub-processor shall ensure that the authorised persons have received appropriate awareness for them to comply with the rules of confidentiality in their participation and with regard to their functions. Access is limited to the context of application maintenance, security improvement or data protection measures.
In the event of a request for access to the personal healthcare data host, the Sub-processor shall propose methods for taking this request into account in compliance with the requirements of medical confidentiality.
7.11 Information of the data subjects
In the event that personal data is collected by the Sub-processor directly from the Data subjects, the latter shall receive appropriate information, taking into account the applicable provisions of the GDPR in terms of information. The Sub-processor shall also make the data protection policy freely accessible online.
7.12 Rights of the Data subjects, data portability
The Sub-processor shall implement specific procedures for supervising requests for access to hosted personal healthcare data resulting from the application of the GDPR and in accordance with the requirements of the certification of the healthcare data host activity.
In the event that the Data Subjects exercise the rights granted to them by the GDPR directly with the Sub-processor, the Sub-processor shall inform the Data Subject upon receipt that it is appropriate to contact the Data Controller directly. The Sub-processor shall cooperate as much as possible with the Data Controller, in order to facilitate the response to requests from persons subject to processing (questions, right of access, rectification and deletion, information, data portability, objection, including automated individual decision-making when using a profiling process).
With regard to the right to data portability, the Sub-processor shall ensure that the Data Controller and the person whose data are processed are offered the possibility of recovering part of the data concerned in a machine-readable format in order to allow such portable data to be stored elsewhere or to be easily transmitted from one system to another, with a view to reuse for other purposes.
7.13 Notification of breaches of personal data and reports
The Sub-processor undertakes to take all measures applicable to the management and reporting of security incidents falling within the framework of the legal regime of data breaches, in application of the GDPR as well as in compliance with the framework of the certification of the hosting of healthcare data. The Sub-processor shall notify the Data Controller so that it may receive a report in accordance with the regulatory provisions applicable to its activity and in particular those of the European Data Protection Regulation to inform it of any security incident falling within the scope of a personal data breach.
The procedures for reporting to the Data Controller are as follows:
- Sending of a message within 48 hours to the contractual e-mail address communicated by the Data Controller when subscribing to the Services as part of the acceptance of this Agreement.
The notification shall be accompanied, as far as possible, by any documentation enabling the Data Controller to fulfil the obligation of communication of the processing to the competent data protection authority or to the Data subjects.
7.14 Request from a judicial authority or an empowered authority
The Data Controller is informed of the possibility that the Sub-processor may have to respond to a request from a judicial authority or an authorised authority in order to obtain the communication of personal data, including, where applicable, healthcare data. Since such requests must be based on an authorisation decision that has legal weight, the Sub-processor shall in all cases carry out a prior verification of the legality of the requests in order to determine whether it is legally obliged to respond to them. Unless the Sub-processor is prevented from doing so by the existence of a previously verified legal obligation, it shall inform the Data Controller of the existence of this request as well as the extent of the data communicated to the empowered authority.
7.15 Relationships with the distributors
The Sub-processor undertakes to facilitate access by the Distributor, when directly requested by the Data Controller or the Healthcare Professional to subscribe to an offer to use the Services, only to the information necessary to provide personalised support when using the Product.
7.16 Data transfer outside the EU
The Sub-processor undertakes to comply with the requirements of the GDPR applicable to the transfer of data outside the European Union.
The Data Controller shall be informed in due time of all information related to the geographical location of the data processing operations, as well as their possible relocation (including the transfer from the place of establishment of the Sub-processor) and the notification, if applicable, of any third country (outside the EU or the EEA), to allow data controllers to have sufficient time to report any observations. In the event of an obligation for the Sub-processor to transfer data to a third country or an international organisation, with regard to European law or that of a member state to which the Sub-processor is subject, the Sub-processor shall inform the Data Controller of the legal bases for this processing, unless it is legally obliged not to disclose this information.
7.17 Modifications of the Services or technical changes, failure of the Services
The Sub-processor undertakes to take all measures to support the Data Controller in the event of any modifications of the services or technical changes, as well as in the event of possible failures. This support aims in particular to anticipate and take into account the specific requirements for business continuity and resumption as well as the framework of the various organisational and technical measures resulting from the GDPR and the certification of the healthcare data host.
Article 8 – End of Services, expiry of certified hosting
The Sub-processor undertakes to support the Data Controller at the end of this Agreement and the Main Contract for the use of services, as well as in the event of loss or withdrawal of the certification related to the data hosting in order to allow the reversibility of the hosting service for healthcare data as well as their restitution and destruction. The terms of the various resulting services are made available to the Data Controller.
In the event of the occurrence of a situation falling within the scope of this article, the Sub-processor undertakes to propose an action plan to the Data Controller no later than within thirty (30) days of the occurrence of the event. The implementation of the provisions of this clause may be requested at any time during the validity of the Main Contract, which has no effect on the validity of the financial clauses of the Main Contract.
The Sub-processor undertakes to implement either (a) the return of the requested data or their (b) destruction. These operations shall be carried out in accordance with the provisions of Article 28 (3) (g) of the GDPR.
After the date of implementation of the requested measure, the Sub-processor shall destroy or anonymise the data concerned in accordance with the process applicable in its organisation.
In the absence of an instruction from the Data Controller, the Sub-processor shall permanently destroy the data, within thirty (30) days of the last use of the Product, subject to the existence of another obligation applicable in the country of the establishment of the Sub-processor, the data contained in the backup system will be permanently destroyed during a cycle of three months.
Last updated on 13th of August 2021