Annex 1 - data processing agreement

This data processing agreement sets out the obligations of DocAid when processing personal data while providing the Service to the Client. Under the agreement, DocAid may only process personal data on the Client’s documented instructions and may not use it for its own purposes. DocAid must also implement security measures to protect the personal data and assist the Client with its compliance obligations. The Client has the right to conduct audits to verify DocAid’s adherence to this agreement.

1. Introduction

1.1 This data processing agreement (“DPA”) governs the personal data processing conducted by DocAid as a data processor (“Processor”) on behalf of Client acting as personal data controller (“Controller”) within the scope of providing the Service under the Agreement.

1.2 The Parties acknowledge that this DPA and processing activities conducted during fulfilment of the Agreement in relation to the personal data are governed by the Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) and other relevant legislative acts governing the processing of personal data (altogether with the GDPR “Legislation”).

1.3 All and every term, unless specifically defined herein, is being used in the meaning of the GDPR or the Agreement. For matters not stipulated in this DPA, the Agreement applies.

1.4 The subject-matter, nature and duration of the Processor’s processing, the types of personal data and the categories of data subjects are specified in Annex 1 to this DPA.

2. Rights and obligations of the parties

2.1 The Controller shall:

2.1.1 ensure that all instructions for the processing of the personal data under the Agreement, this DPA or as otherwise agreed or stipulated shall comply with the Legislation, and such instructions will not in any way cause the Processor to be in breach of the Legislation;

2.1.2 comply with the Legislation, including by ensuring the accuracy, quality and lawfulness of the personal data processed by the Processor and by informing the data subjects of the processing activities carried out by the Processor;

2.1.3 notify the Processor prior to concluding the Agreement if the Controller requires the Processor to adopt specific procedures, security measures or similar. Notwithstanding the foregoing, the Processor is entitled to invoice the Controller separately for complying with any such requests of the Controller.

2.2 The Processor shall:

2.2.1 process the personal data on behalf of the Controller only on documented instructions (e.g. received via e-mail or in any other documented form) given, received and updated from time to time by the Controller (including those set out herein) and in accordance with the Legislation, unless the Processor is required to process otherwise by the Legislation to which it is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the Legislation prohibits this on important grounds of public interest;

2.2.2 inform the Controller if, in the Processor’s opinion, instructions given by the Controller infringe data protection provisions set forth in the Legislation;

2.2.3 ensure that all of its employees, subcontractors, members of the management board and other persons to whom the Processor has provided access to the personal data are bound by a contractual confidentiality obligation or an appropriate statutory confidentiality obligation and are aware of their duties and obligations in relation to the processing of the personal data;

2.2.4 take the measures required pursuant to Article 32 of the GDPR and the Legislation, including implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing of the personal data. As a minimum, the Processor undertakes to implement the technical and organisational measures set out in Annex 2 to this DPA;

2.2.5 provide assistance to the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations to respond to the data subjects’ requests for exercising their rights laid down in Chapter III of the GDPR;

2.2.6 not communicate with the data subjects nor respond to data subjects’ requests directly and independently. The Processor shall forward any request received from a data subject for the exercise of any of their rights to the Controller’s contact person as soon as reasonably possible after receipt of such a request;

2.2.7 assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, to the extent that it is reasonable, appropriate and not unduly burdensome, while taking into account the nature of processing and the information available to the Processor;

2.2.8 notify the Controller in a form reproducible in writing without undue delay, and no later than forty-eight (48) hours after becoming aware of a personal data breach concerning personal data processed by the Processor. Such notification shall contain at least the information required by Article 33(3) of the GDPR. For clarity, a personal data breach as such does not automatically mean that the Processor has infringed this DPA, the Agreement or the Legislation, provided that the procedures required by this DPA, the Agreement and the Legislation have been duly applied by the Processor.

2.3 The Processor is entitled to invoice the Controller for additional costs and remuneration, in addition to the fees provided under the Agreement, for fulfilling its obligations under Sections 2.2.4, 2.2.5 and 2.2.7 of the DPA where the Processor assesses the costs of fulfilling those obligations to be excessive and unreasonable (e.g. due to the repetitive nature of the requests or the volume of data to be processed). The Processor shall notify the Controller of such costs in advance and prior to issuing such invoices. The invoices shall be issued and paid in accordance with the invoicing terms agreed in the Agreement, if any.

2.4 The Processor acknowledges that, in accordance with Article 28(10) of the GDPR, if it infringes the DPA or the Legislation by determining the purposes and means of the processing, the Processor shall be considered a separate controller in respect of that processing.

3. Controller’s auditing rights

3.1 Upon the Controller’s reasonable request in a form reproducible in writing, the Processor shall provide the Controller, within thirty (30) calendar days of receipt of such request, with all information necessary to demonstrate compliance with the obligations laid down in the DPA and the Legislation. Such information may be redacted to remove confidential commercial information that is not relevant to the fulfilment of this DPA.

3.2 Where, in the reasonable opinion of the Controller, such information is not sufficient to verify the Processor’s compliance with the DPA and the Legislation, the Controller may, upon sixty (60) calendar days prior notice in a form reproducible in writing to the Processor and upon reasonable grounds, conduct an audit by an independent third-party auditor mandated by the Controller. Any costs for conducting the audit shall be borne by the Controller.

3.3 The notification provided under Section 3.2 shall contain a proposed audit plan. If part of the requested scope of the audit is covered by an audit carried out within the twelve (12) months preceding the notification, the Processor is entitled to provide the Controller with that audit report instead of the proposed audit.

3.4 Any audit shall be strictly limited to confirming the Processor’s compliance with its data protection obligations under this DPA and the Legislation, and shall exclude all information, data and content relating to:

3.4.1 any other clients, agents, or partners of the Processor;

3.4.2 any of the Processor’s internal accounting or financial information;

3.4.3 any Processor’s trade secrets.

3.5 The Controller may perform an audit once every twelve (12) months, during the Processor’s regular business hours, and the performance of the audit must not interrupt the Processor’s business activities. In order to minimise operational disturbance, the Processor may combine the audit with audits conducted by other clients. The Controller shall, to the extent permitted by the Legislation, keep confidential any information gathered during the audit that by its nature should be confidential.

3.6 Unless prohibited by the Legislation, the Controller must provide a copy of the audit report to the Processor. The Processor shall be entitled to use the report in other client relationships, e.g. as stated in Section 3.3, in which case the Controller is entitled to redact or remove any part of the audit report that relates to its confidential information.

4. Processor’s use of sub-processors

4.1 The Processor is permitted to engage another processor (“Sub-processor”) for the performance of the DPA under the general authorisation of the Controller granted hereby. The Controller is entitled to request information from the Processor regarding the engaged Sub-processors.

4.2 Should the Processor wish to engage a new Sub-processor or replace a current Sub-processor with a new one, the Processor shall inform the Controller in a form reproducible in writing. On reasonable grounds, the Controller may object, in a form reproducible in writing, to any such addition, change or replacement within fourteen (14) calendar days of the Processor informing the Controller. If the Controller does not object within that period, the addition, change or replacement shall be deemed accepted.

4.3 Where the Controller exercises its right under Section 4.2 of the DPA to object to the addition or replacement of a Sub-processor and the Processor, on reasonable grounds, does not agree with such objection, either Party has the right to terminate the Agreement with immediate effect.

4.4 Where the Processor engages a new Sub-processor or replaces a current one, the Processor shall engage such Sub-processor under an agreement, at least in a form reproducible in writing, containing in substance the same obligations as those set out in this DPA, and shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations.

5. Data transfers outside the EU/EEA

5.1 The Controller permits the Processor to transfer the personal data outside the European Union / European Economic Area (“EU/EEA”), including by engaging Sub-processors located outside the EU/EEA, provided that the Processor transfers the personal data to countries in respect of which the European Commission has issued an adequacy decision or relies on other appropriate safeguards set out in Chapter V of the GDPR (e.g. standard contractual clauses adopted by the European Commission).

5.2 The Controller is entitled to request information from the Processor regarding the countries to which the personal data is transferred, the existence or absence of an adequacy decision by the European Commission for those countries, and the appropriate safeguards relied upon.

5.3 In the event that any of the measures referred to in Section 5.1 are no longer sufficient to satisfy the requirements of the Legislation applicable to the processing of the personal data under the DPA for transfers outside the EU/EEA, the Processor shall use reasonable efforts either to implement an alternative transfer mechanism which satisfies the requirements of the Legislation or to cease such transfer.

6. Liability

6.1 Notwithstanding any other provisions of the Agreement regarding the Processor’s liability and indemnity obligations, the Processor is only liable for a breach of the DPA if the breach is intentional, is caused by gross negligence, or results from any other act for which liability cannot be excluded or limited under applicable legislation (e.g. in case of death or personal injury).

6.2 To the extent permitted by applicable law, the Processor’s liability is limited to direct material damages and capped at the lower of (a) the fees due for the twelve (12) month period preceding the event giving rise to the claim and (b) the actual damages.

7. Term and termination

7.1 This DPA enters into force on the effective date of the Agreement and is valid until the termination of the Agreement.

7.2 The Processor has the right to terminate the DPA with immediate effect by notifying the Controller where the Processor has informed the Controller, in a form reproducible in writing and in accordance with Section 2.2.2, that the Controller’s instructions infringe the Legislation, and the Controller either does not respond within three (3) calendar days of receiving that notice or insists on compliance with those instructions.

7.3 Termination of the DPA results in the automatic termination of the Agreement, and vice versa. Termination of this DPA does not release the Parties from their obligations under the Legislation.

8. Deletion or return of personal data

8.1 After the receipt of the Controller’s request, in a form reproducible in writing, the Processor shall delete or return all of the personal data processed for the provision of the Service, unless storage of any personal data is required by the Legislation.

8.2 If the Controller does not make a request under Section 8.1 to delete or return the personal data, the Processor shall permanently delete all of the relevant personal data within seven (7) days of the termination of the DPA and the Agreement, unless otherwise agreed in a form reproducible in writing. The Controller takes note that after the period stipulated herein the said personal data is permanently deleted. The foregoing obligation does not apply to anonymised data, including but not limited to usage statistics and technical parameters.

DPA Annex 1 – Details of Data Processing

9. Subject-matter of the processing

The Processor will process the personal data as necessary to provide the Service according to the Agreement.

10. Nature of the processing

The Processor may conduct the following processing activities: recording, transcribing, summarising, uploading, analysing, anonymising, returning, erasing.

11. Categories of data subjects and types of personal data

11.1 Client’s patients: voice recordings and the content of their communication, including but not limited to symptoms.

11.2 Client’s End-Users, and where the Client is a legal person, the users of the Client Account: name, position, e-mail address.

12. Duration of processing

12.1 The Processor will process the personal data for as long as is necessary for the provision of the Service.

DPA Annex 2 – Technical and organisational measures

To ensure the minimum level of security of the personal data processed, the Processor is required to implement at least the following technical and organisational measures:

13. Access regulation

13.1 Access to the personal data and to the Controller’s systems is restricted to persons who have been authorised by the Processor and have signed a confidentiality agreement.

13.2 The authentication information (username, password, proof of identity, etc.) must be kept confidential and may not be disclosed without authorisation.

13.3 Authentication information is issued to a single user. Sharing authentication information (username/password) with other persons is prohibited.

13.4 If access to the personal data is no longer required (e.g. on a change or termination of employment), the Controller must be notified immediately, the access must be revoked, and all issued physical authentication devices must be returned to the Controller.

14. IT security

14.1 Access to the Controller’s system and to the personal data is only permitted from properly secured IT devices; the requirements include, but are not limited to, the following:

14.1.1 the operating system must be supported by its vendor (i.e. the vendor still issues security patches for it). The use of unsupported operating systems (e.g. Windows XP) is prohibited;

14.1.2 security patches for the hardware (firmware), the operating system and the software (including browsers) must be installed regularly at the scheduled times;

14.1.3 IT devices must be protected against malicious software by anti-virus programs and local firewalls;

14.1.4 user privileges on the operating system must be restricted. Using the Controller’s IT system or the personal data (access, transmission, processing and storage) with administrator privileges is prohibited;

14.1.5 security logging must be enabled and configured according to the operating system vendor’s instructions. Security logs must be retained for six months. The clock of the IT device must be kept synchronised with an accurate external time source;

14.1.6 IT devices shall be configured according to the security recommendations of the manufacturer or another trusted source. The device shall lock automatically after 15 minutes of inactivity;

14.1.7 access to the IT device must be protected by a strong (complex) password and, where possible, by two-factor authentication;

14.1.8 personal data (including electronic documents and temporary files) must be stored in encrypted form;

14.1.9 when an IT device is decommissioned or re-used, established procedures, measures and rules must be followed to ensure that all personal data is securely deleted;

14.1.10 the Controller may use dedicated methods and software to automatically assess the security level of devices accessing the system or the personal data and to restrict their access.

15. Network security

15.1 Access to the Controller’s system and to the personal data is only permitted over properly secured networks; the requirements include, but are not limited to, the following:

15.1.1 connecting over unsecured networks (networks not managed or controlled by the Processor, e.g. public WiFi networks) is prohibited;

15.1.2 the Internet connection must be protected by a firewall;

15.1.3 where WiFi networks are used for the network connection, they must use strong encryption and a secure authentication method.

16. Management of personal data

16.1 Electronic data or documents may not be stored for longer than is necessary for the purposes of the Agreement or the DPA.

16.2 After the data has been returned to the Controller, it must be securely deleted from the Processor's infrastructure (including computers, networks and email systems).

16.3 Personal data may only be transmitted over a network after reliable identification of the external party, and must be encrypted in transit.

16.4 Documents containing personal data may not be stored on shared or cloud platforms, nor on external storage media.

17. Physical security

17.1 IT devices and documents containing personal data must be protected from unauthorised physical access: access to premises must be restricted and controlled, and equipment and documents not in use must be kept locked away.

18. User restrictions

18.1 Testing, scanning, evaluating, or attempting to circumvent or undermine the security measures of any Controller IT system to which the Processor has access is prohibited.

18.2 It is forbidden to disclose technical information about the Controller’s information systems, including the system name, manufacturer, platform, architecture, authentication methods, and security measures and techniques.

18.3 Information obtained from a Controller system may not be copied (including by photocopying).

19. Maintenance of the devices

19.1 Before granting access to computers (or other devices containing personal data) for maintenance or support purposes (e.g. access rights for IT technicians), it must be ensured that the maintenance staff comply with the personal data protection requirements.

20. Awareness

20.1 Security awareness training shall be provided to all staff with access to personal data, to ensure that they are able to use the internet and e-mail securely and are aware of information security risks and safeguards.