Digitsole Pro (B2B)
Accord sur le traitement des données
Semelles intelligentes (B2C)
AGREEMENT ON THE PROCESSING AND CERTIFIED HOSTING OF DATA FOR THE PODOSMART SERVICE
This Agreement applies only in the context of offering PodoSmart or Digitsole Pro solution products and services.
The signatory of the Agreement is requested to keep this contract with its documentation to establish its compliance with the regulations governing the processing of personal data (GDPR).
The data processing agreement (hereinafter referred to with the words “Agreement” or “Annex”) has the value of a Contract between the Parties. It is approved on the date of its acceptance by electronic means, in order to form an integral part of the Conditions of use of the service of the offer of products and services of PodoSmart or Digitsole Pro solution in their latest version (hereinafter referred to as the “Main contract”).
(Hereinafter referred to as the “Data Controller”, signatory of the Main Contract)
DIGITSOLE SAS ,
A French company whose registered office is located at 13, rue Héré - Place Stanislas, 54000 NANCY, FRANCE (hereinafter defined as a “Sub-processor”, supplier of the PodoSmart or Digitsole Pro solution product and service offer,
Hereinafter referred to as the “Sub-processor”.
Together referred to as the “Parties”
Article 1 – Purpose
The purpose of this Agreement is to define the conditions under which the Sub-processor undertakes to carry out, on behalf of the Data Controller, the data processing operations specified below as part of the PodoSmart or Digitsole Pro solution product and service offering.
In application of their contractual relationship, the Parties undertake to comply with the applicable laws on the protection of personal data and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data (hereinafter referred to as the “GDPR”).
This Agreement also provides the Data Controller, the Healthcare Professional and the data subjects of the data processing with the guarantees of the application of the French regulations on the certified hosting of healthcare data (HDS; Law no. 2002 -303 of 4 March 2002, Articles L1111-8 and R. 1111-11 of the Public Health Code)
Article 2 - Definitions
In this Agreement, the following terms shall have the meanings specified below and all formulations of the Agreement shall incorporate their meanings.
The following terms have the meaning of the definitions of the GDPR:
“Processing”, “Data Controller”, “Sub-processor”, “Data Subject”, “Personal Data”, “Healthcare Data” “Processing Activities”, “Data Breach”, “Recipient”, “Third Party”, “Consent”.
The following terms have the specific meaning of their application in this Agreement:
“Main Contract” means the service agreement for the use of the PodoSmart or Digitsole Pro solution and services
“Third party” means any stakeholder other than the Sub-processor, the Data Controller and the Healthcare Professional, the Natural Person concerned or the Distributor.
“Patients” means the physical Data subjects using the PodoSmart or Digitsole Pro solution product and service offer who are in contact with a healthcare professional.
“Healthcare Professional” means a healthcare professional considered by the Data Controller to be competent and authorised to use the products and services of the PodoSmart or Digitsole Pro solution.
“Distributeur” signifie tout intervenant autre qu’une Tierce partie autorisé par Digitsole à commercialiser les Produits, sollicité directement par le Responsable de traitement ou le Professionnel de santé afin de souscrire une offre d’utilisation des Services et bénéficier d’un accompagnement personnalisé du Distributeur lors de son utilisation.
“EU” means the European Union.
“EEA” means the for European Economic Area.
"HDS" signifie le service d’hébergement certifié de Données de Santé (Législation française sur l’hébergement de données de santé sur support numérique ; Loi n°2002-303 du 4 mars 2002, Articles L1111-8 et R. 1111-11 du Code de la santé publique) fourni par le Sous-traitant au Responsable de traitement et au Professionnel de santé pour le stockage et le traitement de données recueillies ou produites à l’occasion d’activités de prévention, de diagnostic et de soin en vue de leur dépôt dans les systèmes du Sous-traitant à l’occasion de l’usage de l’offre de produits et services de solution PodoSmart ou Digitsole Pro. L’hébergeur HDS ne peut utiliser les données à d'autres fins et ne peut les transmettre à d'autres personnes que les destinataires désignés dans le présent Accord.
“Products” : Insoles and/or accessories from PodoSmart® or Digitsole Pro.
“Services” : all the services linked to the PodoSmart® or Digitsole Pro product
“Account” : A user account consists of a user name, a password and all information relating to the user that enables the use of the Services
“Third country” any country located outside the EU/EEA that does not have a regulation equivalent to the GDPR, with the exception of countries subject to an adequacy decision of the European Commission for the transfer of personal data to third countries.
General security policy for health information systems, defined by the French authorities.
Article 3 – Entry into force and duration of the agreement
This agreement comes into effect as of its electronic approval and its signature (hereinafter referred to as the “Effective date of the Agreement”) as long as the Product will be used under a valid Main Contract for an offer of PodoSmart or Digitsole Pro solution products and services.
Article 4 – Processing resulting from the Agreement
The processing of personal data carried out by the Sub-processor is implemented in order to provide the healthcare professional with Biomechanical information related to the use of the Products and Services by the Data subjects, in particular their market profile.
Article 5 – Description of processing
The Data Controller has instructed the Sub-processor to provide it with a data processing to achieve the following purposes and to carry out only the processing necessary in this context:
i. Management of data produced as part of the use of the PodoSmart or Digitsole Pro solution product and service offering, involving the Data Controller, a Healthcare Professional and a Patient;
ii. Management of Biomechanical parameters related to Patient mobility;
iii. Management of medical data (pathology) declared by the Patient in connection with their mobility.
Nature of the actions carried out using the data in order to achieve the purposes (i), (ii) and (iii):
· Collection, recording, modification, updating and deletion of all information related to the use of the Services and the management of the customer relationship;
· Collection, recording, modification, updating and deletion of information by the Healthcare Professional when using the Services;
· Provision of an interface for viewing the profile of Patients by persons authorised by the Data Controller;
· Provision of an import device within the Services of structured data provided by the Healthcare Professional or the Data Controller ;
· Anonymous use of Biomechanical data for statistical use and improvement of the PodoSmart or Digitsole Pro solution;
. Provision of the Distributor with minimised data in order to provide the Data Controller or the Healthcare Professional with personalised support when using the Products.
· Protection of the confidentiality and integrity of data and the availability of the service and the accounts, as well as the associated information in application of the GDPR regulations and those related to HDS hosting.
The categories of data subjects affected by the processing are as follows: Patients, Healthcare professionals, Data controller.
To provide the Services mentioned above in points (i), (ii) and (iii) on behalf of the Data Controller, the Sub-processor is authorised to process the following necessary information provided to it by the Data Controller, the Healthcare Professional and/or the Data subject of the processing:
Personal data of patient : surname, first name, , title, gender, date of birth, weight, height, title, email, address, telephone number (mobile, residential, professional), identifier assigned by the Data Controller or Healthcare Professional;
Identification data from official services : for example, a national identification number
Care data : pathology, Biomechanical measurements and parameters collected as results of the use of the Products and Services;
Identification data of the practitioner : name, first name, nature of the activity, professional title, address, professional phone number, professional email;
Electronic data : IP addresses, and connection data, connection cookies (cookies, etc.), electronic signature;
Article 6 - Obligations of the Data Controller
Under this Agreement, the Data Controller has contractual control over the processing carried out by the Sub-processor resulting from the provisions of Article 28.3 of the General Data Protection Regulation and must first of all in this respect:
· Provide the Sub-processor with the data mentioned in this document as well as all those that would be necessary for the implementation of the Services; the data must have been obtained in accordance with any applicable legislation;
· Provide the Sub-processor with all documented instructions relating to the processing operations to be carried out by the Sub-processor;
· Provide the Sub-processor with the data required to enable the implementation of the Agreement;
· Keep the register of processing activities required by the GDPR;
· Implement, in its activity, all organisational and technical measures, in particular in terms of security, to ensure the level of protection required by the GDPR when using the Services provided by the Sub-processor;
· Ensure, prior to and throughout the use of the services, its compliance with the requirements of the GDPR;
· Respect the rights of people subject to processing;
. Designate a health professional to guarantee the confidentiality of health data, the protection of the privacy of the Data subjects and the implementation of their rights;
· Report any security incident or data breach to the Sub-processor;
· Supervise the processing operations including, where applicable, the conduct of audits and inspections with the Sub-processor;
· Keep the Account contact details up to date;
· Take all appropriate protection measures to prevent unauthorised access to the account, data and services;
· Comply with the GDPR obligations in terms of information and obtaining consent from individuals.
The Data Controller is supposed to verify the compliance of its activity with all the regulations relating to the protection of personal data, as well as with regard to the contractual provisions binding it to the Sub-processor or to any third party.
Article 7 - Obligations of the Sub-processor
Under this Agreement, the Sub-processor undertakes, with regard to the Data Controller, to comply with the regulations applicable to data processing, in particular with regard to Article 28 of the GDPR, and the regulations on certified hosting of healthcare data:
7.1 Adaptation to applicable regulations
The Sub-processor undertakes to comply with all the provisions of the GDPR applicable to its activity, as well as any other applicable data protection regulations.
In particular, the processor undertakes to:
· Process the data only for the sole purpose(s) that is/are the subject of the subcontracting;
· Process the data in accordance with the documented instructions of the controller. If the processor considers that an instruction constitutes a breach of the European Data Protection Regulation or any other provision of Union or Member State law relating to data protection, it shall immediately inform the controller.
· Guarantee the confidentiality of personal data processed under this contract
· Ensure that persons authorized to process personal data under this contract:
o Undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality
o Receive the necessary training in personal data protection
· Take into account, with respect to its tools, products, applications or services, the principles of data protection by design and data protection by default
7.2 Obtaining regulatory authorisations and certifications
The Sub-processor undertakes to obtain the regulatory authorisations and certifications that would be necessary for the exercise of its activity in the countries where the Products and Services are provided. The Sub-processor has completed a certification process with the French State allowing healthcare professionals or healthcare establishments or the Data subject to submit personal healthcare data collected or produced during the prevention, diagnostic or treatment activities with people approved for this purpose.
The Sub-processor has obtained certification allowing it to exercise the activity of a certified healthcare data host under the Public Health Code (Law no. 2002-303 of 4 March 2002, Articles L1111-8 and R. 1111-11 of the French Public Health Code as part of the scope of certification for hosting and processing personal health data, collected through services entitled PodoSmart or Digitsole Pro, for the following activities:
3. provision and maintenance in operational condition of the information system application hosting platform;
4. the provision and maintenance in operational condition of the virtual infrastructure of the information system used for processing healthcare data;
5. the administration and operation of the information system containing healthcare data;
6. the backup of healthcare data.
The Sub-processor, in this context as an HDS certified host, is prohibited from using the hosted healthcare data for purposes other than the performance of the healthcare data host activity.
The certificate of conformity obtained by the Sub-processor, as well as its issuance and renewal dates, is accessible in the Compliance Centre:
On its first request, the Sub-processor would communicate the HDS audit reports created by the certifier using our online form:
7.3 Location of the activity, and hosting sites
The Sub-processor undertakes to transparently inform the Data Controller of the location of its activity and the places where the processing and data are hosted.
The location of the Sub-processor’s establishment is in France. Data processing is located within the EU. In the event of a change, the Sub-processor undertakes to ensure compliance. In the event of recourse to a subsequent Sub-processor in the course of its activity, the Sub-processor shall ensure compliance with the compliance commitments resulting from this Agreement. The Data Controller shall be informed as soon as possible of any possible change in this area.
7.4 Documented instructions
The Sub-processor undertakes to process only data falling within the scope of the documented instructions of the Data Controller.
The Sub-processor shall inform the Data Controller as soon as possible if it appears that an instruction communicated to it by the Data Controller constitutes a violation of the European Data Protection Regulation (GDPR) or of legislation applicable to the processing.
7.5 Record of processing activities
The Sub-processor undertakes to implement data processing in a documented manner in accordance with the requirements of the GDPR and any applicable regulations, in particular to the activity of certified hosting of healthcare data.
Under Article 30 of the GDPR, the Sub-processor shall maintain a register of all categories of processing, including:
· The contact details of the Data Controller, as well as that of any possible Sub-processor, if applicable, and those of the Data Protection Officer (DPO);
· The description of the processing activities, in particular including the description of the services provided under any regulatory authorisation or certification obtained in terms of hosting healthcare data;
· In the event of data transfer outside the EU, to a third country or an international organisation, the Sub-processor shall ensure the identification of the recipient by specifying the appropriate guarantees adopted to meet the requirements of the GDPR;
The register shall include a general description of the organisational and technical and security measures, including the following in particular, depending on the operational reality and any regulatory authorisation or certification obtained by the Sub-processor:
O The conditions for implementing data protection measures, in particular in the event of use of pseudonymisation or data encryption process;
O The measures to ensure that the confidentiality, integrity and availability of data, as well as the resilience of the Services, are maintained;
O The measures related to the ability to resume activity and restore access to data in the event of an incident;
O The processes of regular testing and evaluation of the effectiveness of the measures adopted, taking into account in particular the auditability requirements of the hosted data with regard to the certification of a healthcare data host.
7.6 Cooperation, audits
The Sub-processor shall assist the Data Controller in fulfilling the obligations resulting from Articles 32 to 36 of the GDPR applicable to security (adoption of measures, notification of data breaches,). The Sub-processor shall provide the Data Controller with the information in its possession to facilitate the performance of a data protection impact assessment, as well as with regard to the prior consultation of the competent data protection authority.
The Sub-processor shall provide the Data Controller with all the information needed to enable it to demonstrate its compliance with the obligations resulting from this Agreement and to facilitate any audit in particular in connection with the regulations applicable to the activity of a certified healthcare data host.
7.7 Technical and organisational, quality and performance measures of the Service
The Sub-processor undertakes to take into account, for the tools, Products, and Services, the principles of data protection from the design stage and by default by adopting technical and organisational measures.
The Sub-processor shall implement organisational and technical measures intended to ensure a level of data security and processing appropriate to the risks identified, as well as to guarantee the level of service announced.
The security measures are based in particular on the implementation of the following actions based on the risk analysis and the need to adopt protective measures:
O Data pseudonymisation or data encryption measures;
O Measures to ensure the existence and maintenance of data confidentiality, integrity and availability, as well as the resilience of information systems and services;
O Measures related to the ability to resume activity and restore access to data as soon as possible in the event of an incident that could give rise to such issues;
O Process of regular testing, evaluation and audit of the effectiveness of the measures adopted;
O Measures to protect data against the risk of loss, destruction or accidental or unlawful access, alteration or disclosure or unauthorised access.
The security organisation measures adopted by the Sub-processor must be based in particular on the requirements applying to the Data Controller aimed at ensuring compliance with the security organisation and best practices related to its General Policy on the Security of Health Information Systems.
By approving this Agreement, the Data Controller established in France is informed that it is required to implement a Health Information System that complies with the PGSSI-S and to undertake to respect the enforceable standards of this policy adopted by the French authorities in the field of healthcare data processing in France.
The Sub-processor undertakes to adopt a level of service that makes it possible in particular to meet the requirements of the certification obtained for data hosting.
The guaranteed level of service is as follows: 99 %.
Quality and performance indicators shall be adopted by the Sub-processor in order to allow verification of the service level of service, i.e. the guaranteed level, as well as the frequency of their measurement.
The link below, at the Compliance Centre, provides updated documentation of the organisational and technical measures envisaged for the Sub-processor:
7.8 Data protection officer (DPO), contractual reference
The Sub-processor undertakes to allow all organisational, technical and legal issues related to the implementation of the agreement to be taken into account as soon as possible, based on the designation of a contractual reference and a data protection officer.
The participation of these two internal functions with the Data Controller on the one hand and with the Sub-processor on the other hand, must make it possible to guarantee the application of the requirements of the GDPR and those resulting from the certification obtained in terms of healthcare data hosting.
The contractual reference person at the Data Controller may be contacted for all questions related to the execution of the agreement and primarily for the handling of incidents that have an impact on the healthcare data host.
The Data Controller, a client of the host, undertakes to designate a healthcare professional to be contacted for the handling of incidents that have an impact on the healthcare data host. Under this Agreement, the Data Controller signing the Agreement undertakes to take on the role of contractual reference person. If it is impossible to exercise this role, the Data Controller shall ensure that they are replaced by a person with the same authority.
Le Délégué à la protection des données (DPO) peut être contacté pour toute question liée à l'application de la réglementation européenne sur la protection des données ainsi que s'agissant des autres législations concernées. Le DPO dispose de prérogatives étendues au regard des dispositions de l'article 37 à 39 du RGPD. Le DPO, dans le cadre de sa fonction et de ses missions, accompagnera Responsable de traitement afin de faciliter la fourniture d'information émanant du Sous-traitant permettant aux responsables de traitement de réaliser des audits ou de répondre à toutes questions liées à l'application des dispositions sur la protection des données à caractère personnel ou en lien avec les référentiels applicables aux traitements de données dans le domaine de la santé.
- Contractual reference person
7.9 Use of sub-processors and subsequent technical service providers
Le Sous-traitant, en tant que sous-traitant principal au titre du RGPD, s’engage à recourir à l’intervention de sous-traitants ultérieurs ou de prestataires techniques uniquement dans le respect des dispositions du RGPD et de celles applicables à la certification de l’activité d’hébergement de données de santé. Cela doit permettre de maintenir en toutes circonstances et en fonction des intervenants un niveau de garanties équivalent à celui qui s’applique au Sous-traitant. Les Sous-traitants ultérieurs ont l'interdiction de transférer des données vers un Pays tiers, sauf s’il est établi que cette transmission est réalisée dans les conditions requises par le RGPD.
The Data Controller authorises the Sub-processor to use subsequent sub-processors whose participation is necessary for the implementation of the Services. The Data Controller shall be kept informed of any plan to use a subsequent sub-processor in order to allow the Data Controller to make any observations or objections within 14 days from the date on which this information has been learned. The list of sub-processors involved shall be accessible in the Compliance Centre.
The link below, within the Compliance Centre, provides a list of Sub-processors, as well as the guarantees provided in terms of data transfer outside the EU:
7.10 Confidentiality, professional secrecy, access to personal health data
The Sub-processor undertakes to limit access to processing and personal data to strictly authorised persons only, as well as in application of the principle of minimisation of the GDPR.
In accordance with the regulations on the certified hosting of personal healthcare data, the Sub-processor and the persons placed under its authority who have access to the data shall be bound by professional secrecy. Only the data subjects of the processing and the healthcare professionals who care for them and who are therefore appointed may have access to the healthcare data host, in compliance with the provisions of the regulations applicable to secrecy and the protection of privacy.
The persons authorised by the Sub-processor are subject to a specific confidentiality commitment, unless they are exempted from such an obligation.
The Sub-processor shall ensure that the authorised persons have received appropriate awareness for them to comply with the rules of confidentiality in their participation and with regard to their functions. Access is limited to the context of application maintenance, security improvement or data protection measures.
In the event of a request for access to the personal healthcare data host, the Sub-processor shall propose methods for taking this request into account in compliance with the requirements of medical confidentiality.
7.11 Information of the data subjects
In the event that personal data is collected by the Sub-processor directly from the Data subjects, the latter shall receive appropriate information, taking into account the applicable provisions of the GDPR in terms of information. The Sub-processor shall also make the data protection policy freely accessible online.
7.12 Rights of the Data subjects, data portability
The Sub-processor shall implement specific procedures for supervising requests for access to hosted personal healthcare data resulting from the application of the GDPR and in accordance with the requirements of the certification of the healthcare data host activity.
En cas d'exercice par les Personnes concernées directement auprès du Sous-traitant des droits qui leur sont reconnus par le RGPD, le Sous-traitant informera à réception la Personne concernée qu'il convient de s'adresser directement au Responsable de traitement. Le Sous-traitant coopérera autant que possible avec le Responsable de traitement, afin de faciliter la réponse aux demandes des personnes faisant l'objet d'un traitement (questionnement, droit d'accès, rectification et suppression, information, portabilité des données, opposition, Incluant la prise de décision individuelle automatisés en cas d'usage de procédé de profilage).
With regard to the right to data portability, the Sub-processor shall ensure that the Data Controller and the person whose data are processed are offered the possibility of recovering part of the data concerned in a machine-readable format in order to allow such portable data to be stored elsewhere or to be easily transmitted from one system to another, with a view to reuse for other purposes.
7.13 Notification of breaches of personal data and reports
Le Sous-traitant s’engage à prendre toutes mesures applicables à la gestion et au signalement des incidents de sécurité entrant dans le cadre du régime juridique des violations de données, en application du RGPD ainsi que dans le respect du cadre de la certification de l’activité d’hébergement de données de santé. Le Sous-traitant notifiera au Responsable de traitement afin que celui-ci puisse recevoir un signalement conforme en conformité avec les dispositions règlementaires applicables à son activité et notamment celles du Règlement européen sur la protection des données pour lui faire connaître tout incident de sécurité relevant d'une violation de données à caractère personnel.
The procedures for reporting to the Data Controller are as follows:
- Sending of a message within 48 hours to the contractual e-mail address communicated by the Data Controller when subscribing to the Services as part of the acceptance of this Agreement.
The notification shall be accompanied, as far as possible, by any documentation enabling the Data Controller to fulfil the obligation of communication of the processing to the competent data protection authority or to the Data subjects.
7.14 Request from a judicial authority or an empowered authority
Le Responsable de traitement est informé de l'éventualité pour le Sous-traitant de devoir répondre à une requête d'une autorité judiciaire ou d'une autorité habilitée afin d'obtenir la communication de données à caractère personnel incluant le cas échéant des données de santé. De telles demandes devant reposer sur une décision d'autorisation ayant une valeur légale, le Sous-traitant procédera dans tous les cas à une vérification préalable de légalité des demandes afin de déterminer s'il est légalement contraint d'y répondre. Sauf si le Sous-traitant en est empêché par l'existence d'une obligation légale préalablement vérifiée, il procédera à l'information du Responsable de traitement de l'existence de cette demande ainsi que sur l'étendue des données qui ont été communiquées à l'autorité habilitée.
7.15 Relationships with the distributors
The Sub-processor undertakes to facilitate access by the Distributor, when directly requested by the Data Controller or the Healthcare Professional to subscribe to an offer to use the Services, only to the information necessary to provide personalised support when using the Product.
7.16 Data transfer outside the EU
The Sub-processor undertakes to comply with the requirements of the GDPR applicable to the transfer of data outside the European Union.
Le Responsable de traitement sera informé dans les temps de toutes informations liées à la localisation géographique des traitements de données, ainsi que de leur éventuelle relocalisation (incluant le transfert du lieu d'établissement du Sous-traitant) et l'indication le cas échéant d'un Pays tiers (En dehors de l’UE ou de l’EEA), afin de permettre aux responsables de traitement de disposer du temps suffisant pour faire état de toutes observations. En cas d'obligation pour le Sous-traitant de transférer des données vers un pays tiers ou une organisation internationale, au regard de la législation européenne ou de celle d'un État membre auquel le Sous-traitant serait soumis, le Sous-traitant en informera le Responsable de traitement des bases légales de ce traitement, sauf s'il est légalement contraint de ne pas divulguer cette information.
7.17 Modifications of the Services or technical changes, failure of the Services
The Sub-processor undertakes to take all measures to support the Data Controller in the event of any modifications of the services or technical changes, as well as in the event of possible failures. This support aims in particular to anticipate and take into account the specific requirements for business continuity and resumption as well as the framework of the various organisational and technical measures resulting from the GDPR and the certification of the healthcare data host.
Article 8 – End of Services, expiry of certified hosting
The Sub-processor undertakes to support the Data Controller at the end of this Agreement and the Main Contract for the use of services, as well as in the event of loss or withdrawal of the certification related to the data hosting in order to allow the reversibility of the hosting service for healthcare data as well as their restitution and destruction. The terms of the various resulting services are made available to the Data Controller.
In the event of the occurrence of a situation falling within the scope of this article, the Sub-processor undertakes to propose an action plan to the Data Controller no later than within thirty (30) days of the occurrence of the event. The implementation of the provisions of this clause may be requested at any time during the validity of the Main Contract, which has no effect on the validity of the financial clauses of the Main Contract.
The Sub-processor undertakes to implement either (a) the return of the requested data or their (b) destruction. These operations shall be carried out in accordance with the provisions of Article 28 (3) (g) of the GDPR.
After the date of implementation of the requested measure, the Sub-processor shall destroy or anonymise the data concerned in accordance with the process applicable in its organisation.
In the absence of an instruction from the Data Controller, the Sub-processor shall permanently destroy the data, within thirty (30) days of the last use of the Product, subject to the existence of another obligation applicable in the country of the establishment of the Sub-processor, the data contained in the backup system will be permanently destroyed during a cycle of three months.
Dernière mise à jour le 13 août 2021