Digitsole Compliance Centre

AGREEMENT ON THE PROCESSING AND CERTIFIED HOSTING OF DATA FOR THE PODOSMART SERVICE

This Agreement applies only in the context of the offer of PodoSmart or Digitsole Pro solution products and services.

The signatory of the Agreement is requested to keep this contract, together with its documentation, in order to establish its compliance with the regulations governing the processing of personal data (GDPR).

Agreement

The data processing agreement (hereinafter referred to as the “Agreement” or the “Annex”) has the value of a contract between the Parties. It is approved on the date of its acceptance by electronic means and forms an integral part of the Conditions of Use of the PodoSmart or Digitsole Pro solution product and service offer, in their latest version (hereinafter referred to as the “Main Contract”).

 

Between:

“the Client”

(Hereinafter referred to as the “Data Controller”, signatory of the Main Contract)


AND

DIGITSOLE SAS ,

A French company whose registered office is located at 13, rue Héré - Place Stanislas, 54000 NANCY, FRANCE, supplier of the PodoSmart or Digitsole Pro solution product and service offer,

Hereinafter referred to as the “Sub-processor”.

Together referred to as the “Parties”

Article 1 – Purpose

The purpose of this Agreement is to define the conditions under which the Sub-processor undertakes to carry out, on behalf of the Data Controller, the data processing operations specified below as part of the PodoSmart or Digitsole Pro solution product and service offering.

In application of their contractual relationship, the Parties undertake to comply with the applicable laws on the protection of personal data and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data (hereinafter referred to as the “GDPR”).

This Agreement also provides the Data Controller, the Healthcare Professional and the data subjects of the processing with guarantees as to the application of the French regulations on the certified hosting of healthcare data (HDS; Law no. 2002-303 of 4 March 2002, Articles L1111-8 and R. 1111-11 of the Public Health Code).

Article 2 - Definitions

In this Agreement, the following terms shall have the meanings specified below and all formulations of the Agreement shall incorporate their meanings.

 

The following terms have the meaning of the definitions of the GDPR:

 

“Processing”, “Data Controller”, “Sub-processor”, “Data Subject”, “Personal Data”, “Healthcare Data”, “Processing Activities”, “Data Breach”, “Recipient”, “Third Party”, “Consent”.

 

The following terms have the specific meaning of their application in this Agreement:

 

“Main Contract” means the service agreement for the use of the PodoSmart or Digitsole Pro solution and services.

“Third party” means any stakeholder other than the Sub-processor, the Data Controller, the Healthcare Professional, the natural person concerned or the Distributor.

“Patients” means the natural persons (Data subjects) using the PodoSmart or Digitsole Pro solution product and service offer who are in contact with a Healthcare Professional.

“Healthcare Professional” means a healthcare professional considered by the Data Controller to be competent and authorised to use the products and services of the PodoSmart or Digitsole Pro solution.

“Distributor” means a party, other than a Third Party, authorised by Digitsole to market the Products, which is approached directly by the Data Controller or the Healthcare Professional in order to subscribe to an offer to use the Services, and whose personalised support the Data Controller or Healthcare Professional benefits from during such use.

“EU” means the European Union.

“EEA” means the European Economic Area.

“HDS” means the certified Health Data Hosting service (French legislation on the hosting of health data on digital media; Law no. 2002-303 of 4 March 2002, Articles L1111-8 and R. 1111-11 of the Public Health Code) that the Sub-processor makes available to the Data Controller and the Healthcare Professional for the storage and processing of data collected or generated during prevention, diagnosis and care activities, with a view to their deposit in the Sub-processor's systems while using the PodoSmart or Digitsole Pro solution product and service offer. The HDS host may not use the data for any other purpose and may not disclose it to recipients other than those named in this Agreement.

“Products” means the insoles and/or accessories of PodoSmart® or Digitsole Pro.

“Services” means all the services linked to the PodoSmart® or Digitsole Pro Products.

“Account” means a user account, consisting of a user name, a password and all information relating to the user that enables the use of the Services.

“Third country” means any country located outside the EU/EEA that does not have regulations equivalent to the GDPR, with the exception of countries covered by an adequacy decision of the European Commission for the transfer of personal data to third countries.

“PGSSI-S” means the General Security Policy for Health Information Systems (Politique générale de sécurité des systèmes d'information de santé) defined by the French authorities.


Article 3 – Entry into force and duration of the agreement

This Agreement comes into effect as of its electronic approval and signature (hereinafter referred to as the “Effective Date of the Agreement”) and remains in force for as long as the Products are used under a valid Main Contract for an offer of PodoSmart or Digitsole Pro solution products and services.

Article 4 – Processing resulting from the Agreement

The processing of personal data carried out by the Sub-processor is implemented in order to provide the Healthcare Professional with Biomechanical information derived from the use of the Products and Services by the Data subjects, in particular their gait (walking) profile.

Article 5 – Description of processing

The Data Controller has instructed the Sub-processor to provide it with data processing to achieve the following purposes, and to carry out only the processing necessary in this context:

i. Management of data produced as part of the use of the PodoSmart or Digitsole Pro solution product and service offering, involving the Data Controller, a Healthcare Professional and a Patient;

ii. Management of Biomechanical parameters related to Patient mobility;

iii. Management of medical data (pathology) declared by the Patient in connection with their mobility.

Nature of the actions carried out on the data in order to achieve purposes (i), (ii) and (iii):

· Collection, recording, modification, updating and deletion of all information related to the use of the Services and the management of the customer relationship;

· Collection, recording, modification, updating and deletion of information by the Healthcare Professional when using the Services;

· Provision of an interface for viewing the profile of Patients by persons authorised by the Data Controller;

· Provision, within the Services, of an import function for structured data provided by the Healthcare Professional or the Data Controller;

· Use of anonymised Biomechanical data for statistical purposes and for the improvement of the PodoSmart or Digitsole Pro solution;

· Provision to the Distributor of minimised data in order to provide the Data Controller or the Healthcare Professional with personalised support when using the Products;

· Protection of the confidentiality and integrity of the data and of the availability of the Services and the Accounts, as well as of the associated information, in application of the GDPR and of the regulations related to HDS hosting.

 

The categories of data subjects affected by the processing are as follows: Patients, Healthcare Professionals, Data Controller.

To provide the Services mentioned above in points (i), (ii) and (iii) on behalf of the Data Controller, the Sub-processor is authorised to process the following necessary information provided to it by the Data Controller, the Healthcare Professional and/or the Data subject of the processing:

Personal data of the Patient: surname, first name, title, gender, date of birth, weight, height, email, address, telephone number (mobile, residential, professional), identifier assigned by the Data Controller or Healthcare Professional;

Identification data from official services: for example, a national identification number;

Care data: pathology, Biomechanical measurements and parameters collected as results of the use of the Products and Services;

Identification data of the practitioner: surname, first name, nature of the activity, professional title, address, professional telephone number, professional email;

Electronic data: IP addresses and connection data, cookies, electronic signature.

 

Article 6 - Obligations of the Data Controller

Under this Agreement, the Data Controller has contractual control over the processing carried out by the Sub-processor, as provided for in Article 28(3) of the GDPR, and must in this respect:

· Provide the Sub-processor with the data mentioned in this document, as well as any other data necessary for the implementation of the Services; the data must have been obtained in accordance with all applicable legislation;

· Provide the Sub-processor with all documented instructions relating to the processing operations to be carried out by the Sub-processor;

· Provide the Sub-processor with the data required to enable the implementation of the Agreement;

· Keep the record of processing activities required by the GDPR;

· Implement, in its activity, all organisational and technical measures, in particular in terms of security, necessary to ensure the level of protection required by the GDPR when using the Services provided by the Sub-processor;

· Ensure, prior to and throughout the use of the Services, its compliance with the requirements of the GDPR;

· Respect the rights of the Data subjects;

· Designate a healthcare professional to guarantee the confidentiality of health data, the protection of the privacy of the Data subjects and the exercise of their rights;

· Report any security incident or data breach to the Sub-processor;

· Supervise the processing operations including, where applicable, conducting audits and inspections of the Sub-processor;

· Keep the Account contact details up to date;

· Take all appropriate protection measures to prevent unauthorised access to the Account, the data and the Services;

· Comply with the GDPR obligations in terms of informing individuals and obtaining their consent.


The Data Controller is responsible for verifying the compliance of its activity with all regulations relating to the protection of personal data, as well as with the contractual provisions binding it to the Sub-processor or to any third party.

Article 7 - Obligations of the Sub-processor

Under this Agreement, the Sub-processor undertakes, with regard to the Data Controller, to comply with the regulations applicable to data processing, in particular with regard to Article 28 of the GDPR, and the regulations on certified hosting of healthcare data:

7.1 Adaptation to applicable regulations

The Sub-processor undertakes to comply with all the provisions of the GDPR applicable to its activity, as well as with any other applicable data protection regulations.

In particular, the Sub-processor undertakes to:

· Process the data only for the purpose(s) that are the subject of the subcontracting;

· Process the data in accordance with the documented instructions of the Data Controller. If the Sub-processor considers that an instruction infringes the GDPR or any other provision of Union or Member State law relating to data protection, it shall immediately inform the Data Controller;

· Guarantee the confidentiality of the personal data processed under this Agreement;

· Ensure that the persons authorised to process personal data under this Agreement:

o Have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality;

o Receive the necessary training in personal data protection;

· Take into account, with respect to its tools, products, applications or services, the principles of data protection by design and data protection by default.

7.2 Obtaining regulatory authorisations and certifications

The Sub-processor undertakes to obtain the regulatory authorisations and certifications necessary for the exercise of its activity in the countries where the Products and Services are provided. The Sub-processor has completed a certification process with the French State which allows healthcare professionals, healthcare establishments or the Data subjects themselves to entrust personal health data collected or produced during prevention, diagnostic or treatment activities to a host certified for this purpose.

The Sub-processor has obtained the certification allowing it to exercise the activity of certified healthcare data host under the Public Health Code (Law no. 2002-303 of 4 March 2002, Articles L1111-8 and R. 1111-11 of the French Public Health Code). The scope of certification covers the hosting and processing of personal health data collected through the services named PodoSmart or Digitsole Pro, for the following activities (numbered as in the HDS certification scope):

3. provision and maintenance in operational condition of the information system application hosting platform;

4. the provision and maintenance in operational condition of the virtual infrastructure of the information system used for processing healthcare data;

5. the administration and operation of the information system containing healthcare data;

6. the backup of healthcare data.

 

The Sub-processor, in this context as an HDS certified host, is prohibited from using the hosted healthcare data for purposes other than the performance of the healthcare data host activity.

The certificate of conformity obtained by the Sub-processor, as well as its issuance and renewal dates, are accessible in the Compliance Centre:

https://compliance.digitsole.com/certifications

On first request from the Data Controller, the Sub-processor shall communicate the HDS audit reports issued by the certification body. Requests are submitted through the online form:

https://compliance.digitsole.com/data-subject-requests


 

7.3 Location of the activity, and hosting sites 

The Sub-processor undertakes to inform the Data Controller transparently of the location of its activity and of the places where the processing is carried out and the data are hosted.

The Sub-processor is established in France. Data processing is located within the EU. In the event of a change, the Sub-processor undertakes to ensure continued compliance. Where it has recourse to a subsequent sub-processor in the course of its activity, the Sub-processor shall ensure that the commitments resulting from this Agreement are respected. The Data Controller shall be informed as soon as possible of any change in this area.

7.4 Documented instructions 

The Sub-processor undertakes to process only data falling within the scope of the documented instructions of the Data Controller.

The Sub-processor shall inform the Data Controller as soon as possible if it appears that an instruction communicated to it by the Data Controller infringes the GDPR or any legislation applicable to the processing.

7.5 Record of processing activities

The Sub-processor undertakes to implement data processing in a documented manner in accordance with the requirements of the GDPR and any applicable regulations, in particular to the activity of certified hosting of healthcare data.

Under Article 30 of the GDPR, the Sub-processor shall maintain a record of all categories of processing activities, including:

· The contact details of the Data Controller, of any subsequent sub-processor, if applicable, and of the Data Protection Officer (DPO);

· The description of the processing activities, in particular including the description of the services provided under any regulatory authorisation or certification obtained in terms of hosting healthcare data;

· In the event of a transfer of data outside the EU, to a third country or an international organisation, the identification of the recipient and the appropriate safeguards adopted to meet the requirements of the GDPR.

The record shall include a general description of the organisational, technical and security measures, covering in particular the following, depending on the operational reality and on any regulatory authorisation or certification obtained by the Sub-processor:

o The conditions for implementing data protection measures, in particular where pseudonymisation or encryption of data is used;

o The measures to ensure that the confidentiality, integrity and availability of data, as well as the resilience of the Services, are maintained;

o The measures related to the ability to resume activity and restore access to data in the event of an incident;

o The processes for regularly testing and evaluating the effectiveness of the measures adopted, taking into account in particular the auditability requirements applicable to hosted data under the certification of healthcare data hosts.

 

7.6 Cooperation, audits

 

The Sub-processor shall assist the Data Controller in fulfilling the obligations resulting from Articles 32 to 36 of the GDPR relating to security (adoption of security measures, notification of data breaches, data protection impact assessments, prior consultation). The Sub-processor shall provide the Data Controller with the information in its possession to facilitate the performance of a data protection impact assessment, as well as any prior consultation of the competent data protection authority.

The Sub-processor shall provide the Data Controller with all the information needed to enable it to demonstrate its compliance with the obligations resulting from this Agreement and to facilitate any audit in particular in connection with the regulations applicable to the activity of a certified healthcare data host.

7.7 Technical and organisational, quality and performance measures of the Service

The Sub-processor undertakes to take into account, for the tools, Products, and Services, the principles of data protection from the design stage and by default by adopting technical and organisational measures.

The Sub-processor shall implement organisational and technical measures intended to ensure a level of data security and processing appropriate to the risks identified, as well as to guarantee the level of service announced.

 

The security measures are based in particular on the implementation of the following actions, determined by the risk analysis and the need to adopt protective measures:

o Pseudonymisation or encryption of data;

o Measures to ensure the ongoing confidentiality, integrity and availability of data, as well as the resilience of information systems and services;

o Measures related to the ability to resume activity and restore access to data as soon as possible in the event of an incident;

o A process for regularly testing, evaluating and auditing the effectiveness of the measures adopted;

o Measures to protect data against the risk of loss, destruction, accidental or unlawful alteration or disclosure, or unauthorised access.

The security organisation measures adopted by the Sub-processor shall be based in particular on the requirements applying to the Data Controller, which aim to ensure compliance with the security organisation and best practices of the PGSSI-S.

 

By approving this Agreement, the Data Controller established in France is informed that it is required to implement a Health Information System that complies with the PGSSI-S and to undertake to respect the enforceable standards of this policy adopted by the French authorities in the field of healthcare data processing in France.

 

The Sub-processor undertakes to adopt a level of service that makes it possible in particular to meet the requirements of the certification obtained for data hosting.

The guaranteed level of service is as follows: 99 %.

Quality and performance indicators shall be adopted by the Sub-processor in order to allow verification of the guaranteed service level; the Sub-processor shall also define the frequency at which they are measured.

The link below, at the Compliance Centre, provides updated documentation of the organisational and technical measures implemented by the Sub-processor:

https://compliance.digitsole.com/technical-and-organisational-security-measures

 

7.8 Data protection officer (DPO), contractual reference

The Sub-processor undertakes to ensure that all organisational, technical and legal issues related to the implementation of the Agreement are taken into account as soon as possible, through the designation of a contractual reference person and a data protection officer.

The involvement of these two functions, on the side of the Data Controller on the one hand and of the Sub-processor on the other, must make it possible to guarantee the application of the requirements of the GDPR and of those resulting from the certification obtained for healthcare data hosting.

The contractual reference person at the Data Controller may be contacted for all questions related to the execution of the Agreement and, primarily, for the handling of incidents that have an impact on the healthcare data host.

The Data Controller, a client of the host, undertakes to designate a healthcare professional to be contacted for the handling of incidents that have an impact on the healthcare data host. Under this Agreement, the Data Controller signing the Agreement undertakes to take on the role of contractual reference person. If it is impossible to exercise this role, the Data Controller shall ensure that they are replaced by a person with the same authority.

The Data Protection Officer (DPO) may be contacted for all questions relating to the application of European data protection rules and of other relevant legislation. The DPO has extensive powers under Articles 37 to 39 of the GDPR. Within the scope of their function and tasks, the DPO shall support the Data Controller by facilitating the provision, by the Sub-processor, of the information that enables the Data Controller to carry out audits or to answer questions relating to the application of the provisions on the protection of personal data or to the reference frameworks applicable to health data processing.

Contact information:

- Contractual reference person

Email: legal@digitsole.com  

 

- DPO

Email: dpo@digisole.com

 

7.9 Use of sub-processors and subsequent technical service providers

The Sub-processor, as the main processor within the meaning of the GDPR, undertakes to use subsequent sub-processors or technical service providers only in accordance with the provisions of the GDPR and with those applicable to the certification of the health data hosting activity. Any such subsequent sub-processor must, in all circumstances and according to the stakeholders involved, be able to maintain a level of guarantees equivalent to that applicable to the Sub-processor. Subsequent sub-processors are prohibited from transferring data to a third country unless it is established that such a transfer is carried out under the conditions required by the GDPR.

The Data Controller authorises the Sub-processor to use subsequent sub-processors whose participation is necessary for the implementation of the Services. The Data Controller shall be informed of any intended use of a subsequent sub-processor so as to allow the Data Controller to make any observations or objections within 14 days of being so informed. The list of the sub-processors involved shall be accessible in the Compliance Centre.

The link below, within the Compliance Centre, provides a list of Sub-processors, as well as the guarantees provided in terms of data transfer outside the EU:

https://compliance.digitsole.com/sub-processors

7.10 Confidentiality, professional secrecy, access to personal health data

The Sub-processor undertakes to limit access to the processing and to personal data to strictly authorised persons only, in application of the GDPR principle of data minimisation.

In accordance with the regulations on the certified hosting of personal healthcare data, the Sub-processor and the persons placed under its authority who have access to the data are bound by professional secrecy. Only the Data subjects and the Healthcare Professionals who care for them, and who are appointed for that reason, may have access to the data held by the healthcare data host, in compliance with the regulations applicable to secrecy and the protection of privacy.

The persons authorised by the Sub-processor are subject to a specific confidentiality commitment, unless they are already bound by an appropriate statutory obligation of confidentiality.

The Sub-processor shall ensure that the authorised persons have received appropriate awareness training so that they comply with the rules of confidentiality in the performance of their functions. Their access is limited to what is needed for application maintenance, security improvement or data protection measures.

In the event of a request for access to hosted personal healthcare data, the Sub-processor shall propose methods for handling this request in compliance with the requirements of medical confidentiality.

7.11 Information of the data subjects

In the event that personal data is collected by the Sub-processor directly from the Data subjects, the latter shall receive appropriate information, taking into account the applicable provisions of the GDPR in terms of information. The Sub-processor shall also make the data protection policy freely accessible online.

7.12 Rights of the Data subjects, data portability

The Sub-processor shall implement specific procedures for supervising requests for access to hosted personal healthcare data resulting from the application of the GDPR and in accordance with the requirements of the certification of the healthcare data host activity.

If a Data subject exercises their rights under the GDPR directly against the Sub-processor, the Sub-processor shall, upon receipt of the request, inform the Data subject that they should contact the Data Controller directly. The Sub-processor shall cooperate with the Data Controller as far as possible to facilitate responses to requests from Data subjects (enquiries, right of access, rectification and erasure, information, data portability, objection, including objection to automated individual decision-making where profiling is used).

With regard to the right to data portability, the Sub-processor shall ensure that the Data Controller and the person whose data are processed are offered the possibility of recovering the portable part of the data concerned in a machine-readable format, so that such data can be stored elsewhere or easily transmitted from one system to another with a view to reuse for other purposes.

7.13 Notification of breaches of personal data and reports

The Sub-processor undertakes to take all measures applicable to the management and reporting of security incidents falling under the statutory regime for personal data breaches, in application of the GDPR and in accordance with the framework of the certification of the health data hosting activity. The Sub-processor shall notify the Data Controller so that the latter receives a report, in accordance with the statutory provisions applicable to its activity and in particular those of the GDPR, informing it of any security incident involving a personal data breach.

The procedure for reporting to the Data Controller is as follows:

- Sending of a message within 48 hours to the contractual e-mail address communicated by the Data Controller when subscribing to the Services as part of the acceptance of this Agreement.

The notification shall be accompanied, as far as possible, by any documentation enabling the Data Controller to fulfil its own obligations under Articles 33 and 34 of the GDPR, namely notification of the breach to the competent data protection authority (where required, within 72 hours of the Data Controller becoming aware of it) and communication of the breach to the Data subjects.

7.14 Request from a judicial authority or an empowered authority

The Data Controller is informed that the Sub-processor may have to comply with a request from a judicial authority or an empowered authority for the communication of personal data, including health data where applicable. Since such requests must be based on a legally enforceable authorising decision, the Sub-processor shall in all cases carry out a prior check of the lawfulness of the request in order to determine whether it is legally obliged to respond to it. Unless prevented from doing so by a previously verified legal obligation, the Sub-processor shall inform the Data Controller of the existence of the request and of the scope of the data communicated to the authorised authority.

7.15 Relationships with the distributors 

The Sub-processor undertakes to facilitate access by the Distributor, when directly requested by the Data Controller or the Healthcare Professional to subscribe to an offer to use the Services, only to the information necessary to provide personalised support when using the Product.

7.16 Data transfer outside the EU

The Sub-processor undertakes to comply with the requirements of the GDPR applicable to the transfer of data outside the European Union.

The Data Controller shall be informed in good time of all information relating to the geographical location of the data processing and of any relocation thereof (including any relocation of the Sub-processor's establishment), with an indication of any third country (outside the EU or the EEA) concerned, so as to give the Data Controller sufficient time for any observations. Where the Sub-processor is required, by Union law or by the law of a Member State to which it is subject, to transfer data to a third country or an international organisation, the Sub-processor shall inform the Data Controller of the legal basis for that processing, unless it is legally obliged not to disclose this information.

7.17 Modifications of the Services or technical changes, failure of the Services

The Sub-processor undertakes to take all measures to support the Data Controller in the event of any modifications of the services or technical changes, as well as in the event of possible failures. This support aims in particular to anticipate and take into account the specific requirements for business continuity and resumption as well as the framework of the various organisational and technical measures resulting from the GDPR and the certification of the healthcare data host.

Article 8 – End of Services, expiry of certified hosting 

The Sub-processor undertakes to support the Data Controller at the end of this Agreement and of the Main Contract for the use of the Services, as well as in the event of loss or withdrawal of the certification related to healthcare data hosting, in order to allow the reversibility of the hosting service for healthcare data as well as the restitution and destruction of the data. The terms of the resulting services are made available to the Data Controller.

In the event of a situation falling within the scope of this Article, the Sub-processor undertakes to propose an action plan to the Data Controller no later than thirty (30) days after the occurrence of the event. The implementation of this clause may be requested at any time during the validity of the Main Contract; such a request has no effect on the validity of the financial clauses of the Main Contract.

The Sub-processor undertakes to implement either (a) the return of the data or (b) their destruction. These operations shall be carried out in accordance with Article 28(3)(g) of the GDPR.

After the date of implementation of the requested measure, the Sub-processor shall destroy or anonymise the data concerned in accordance with the process applicable in its organisation.

In the absence of an instruction from the Data Controller, the Sub-processor shall permanently destroy the data within thirty (30) days of the last use of the Product, subject to any other obligation applicable in the country of establishment of the Sub-processor. Data held in the backup system shall be permanently destroyed within a cycle of three months.


Last updated on 13 August 2021