Data Processing Agreement
This Data Processing Agreement (the “DPA”) is agreed between DECAURA LIMITED (“Supplier”) and the customer (“Customer”). In case of any conflicts or inconsistencies between this DPA and any other agreement, the provisions in this DPA shall prevail.
In consideration of the Customer making the Customer's Personal Data available to the Supplier, the Supplier hereby agrees to process the Customer’s Personal Data in accordance with the terms and conditions of this DPA.
1.DEFINITIONS
“Appropriate Technical and Organisational Measures” means processes and procedures which, having regard to the state of technological development, the cost of implementation and the nature of the Customer's Personal Data, ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing of, or accidental loss or destruction of, or damage to, the Customer's Personal Data. Such measures shall comprise, as a minimum, those measures set out in Appendix 2 (Information Security) of this DPA and any additional measures from time to time notified in writing by the Customer to the Supplier and reasonably agreed by the Parties;
“Data Controller” and “Data Processor” shall have the meanings given to them in the relevant Data Protection Laws;
“Data Protection Laws” means:
(a) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the "GDPR");
(b) the EU e-Privacy Directive (Directive 2002/58/EC); and
(c) any and all applicable national data protection laws made under or pursuant to (a) or (b);
in each case as may be amended or superseded from time to time;
“Data Subject” means an identifiable individual whose Personal Data is being processed through or in relation to the Services;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
“Personal Data” shall have the same meaning as in the Data Protection Laws;
“Non-adequate Country” means a country that is deemed not to provide an adequate level of protection for Personal Data within the meaning of the Data Protection Laws; and
“Services” shall mean the services provided by the Supplier in relation to the processing of the Customer’s Personal Data as described in the Agreement.
2.GENERAL OBLIGATIONS OF THE DATA CONTROLLER AND DATA PROCESSOR
The Parties acknowledge that the Customer is a Data Controller and that the Supplier is a Data Processor. All Personal Data processed by the Supplier on behalf of the Customer belongs to the Customer and the Supplier shall have no rights to such Personal Data. This DPA sets out the terms and conditions for the Supplier's processing of Personal Data on behalf of the Data Controller.
The Customer (Data Controller) agrees to:
- act in compliance with the Data Protection Laws; and
- not intentionally instruct the Supplier to process Personal Data in a manner that would constitute a breach of the Data Protection Laws. If the Supplier believes an instruction of the Customer to be in breach of the Data Protection Laws, the Supplier must inform the Customer accordingly and is not obliged to carry out the relevant processing until the Parties have agreed on a solution.
The Supplier (Data Processor) agrees to:
- process the Personal Data in accordance with this DPA and in compliance with the Data Protection Laws;
- not do or omit to do anything which would cause the Customer to breach any of its obligations under the Data Protection Laws;
- process the Personal Data only to the extent, and in such manner, as is necessary for the purposes of providing the Services pursuant to the Agreement and this DPA, and in accordance with the Customer’s written instructions issued from time to time. For the avoidance of doubt, if the Supplier is ever unsure as to the parameters of the instructions issued by the Customer, it will as soon as reasonably practicable revert to the Customer to seek clarification or further instructions;
- keep the Personal Data strictly confidential and not use or disclose it for any purpose other than the specific activities authorised pursuant to this DPA;
- promptly inform the Customer of any request made by a Data Subject or any other third party or authority to access information held by the Supplier which relates to the processing of Personal Data;
- take Appropriate Technical and Organisational Measures to ensure a level of security appropriate to the risk of the processing and to protect against unauthorised or unlawful processing, accidental loss or destruction of, or damage to, the Personal Data;
- assist the Customer in accordance with section 8 below; and
- ensure that all Customer Personal Data is encrypted or otherwise protected at all times while in the possession or under the control of the Supplier.
3.CHANGE OF CIRCUMSTANCES AND LAW
If the Supplier:
- determines that it is unable for any reason to comply with its obligations under this DPA and cannot cure this inability to comply; or
- becomes aware of any circumstance or change in the Data Protection Laws that is likely to have a substantial adverse effect on the Supplier's ability to meet its obligations under this DPA;
the Supplier shall promptly notify the Customer thereof, in which case the Customer will have the right to temporarily suspend the processing until such time as the processing has been adjusted in such a manner that the non-compliance is remedied. To the extent such adjustment is not possible, the Customer shall have the right to terminate the relevant part of the processing by the Supplier.
4.SUBPROCESSORS
- The Supplier shall make available to the Customer the current list of Subprocessors for the Services, including the identities of those Subprocessors and their country of location (Appendix 3).
- The Supplier will notify the Customer of new Subprocessors by updating the list of Subprocessors in Appendix 3. If, within a reasonable time specified in the notice, the Customer notifies the Supplier in writing of any objections to the proposed appointment based on reasonable grounds relating to data protection, the Supplier shall work with the Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor. Where such a change cannot be made, notwithstanding anything in the Agreement, the Customer may by written notice to the Supplier with immediate effect terminate the relationship to the extent that it relates to the Services which require the use of the proposed Subprocessor. Such termination is without prejudice to any fees incurred by the Customer prior to the termination.
- Where the Supplier is permitted by the Customer to sub-contract any of its obligations under this DPA, the Supplier shall remain the Customer's sole point of contact for all matters falling within the scope of this DPA, and shall procure that its Subprocessors comply with and are bound by the requirements of this DPA as they apply to the Supplier.
- The Supplier shall procure that all Subprocessors used by it in the provision of the Services from time to time under this DPA execute a confidentiality undertaking on terms that are substantially the same as (and no less onerous than) those set out in this DPA.
- The Subprocessors listed in Appendix 3 of this DPA are approved for the processing of Personal Data under the circumstances specified in this DPA.
5.ACCESS TO THE CUSTOMER’S PERSONAL DATA
- The Supplier shall ensure that access to the Personal Data processed by the Supplier within the scope of the Agreement is limited to:
  - duly authorised officers, employees, agents and contractors (“Supplier Personnel”) who need access to the Personal Data to meet the Supplier’s obligations under the Agreement and this DPA; and
  - such part or parts of the Personal Data as is strictly necessary for the performance of the relevant Supplier Personnel’s duties.
- The Supplier shall ensure that all Supplier Personnel:
  - are informed of the confidential nature of the Personal Data;
  - have undertaken training in the care, protection and handling of Personal Data; and
  - are aware of both the Supplier’s duties and their personal duties and obligations under the Data Protection Laws and this DPA.
- The Supplier shall take reasonable steps to ensure the reliability of any of the Supplier’s Personnel and Subprocessors who have access to the Personal Data.
6.TRANSFER OF PERSONAL DATA
- Any transfer of, or provision of access to, Personal Data outside the EEA to a third party (including affiliates of the Supplier) located in a Non-adequate Country shall be governed by the terms of a data transfer agreement between the Supplier and the Customer, which will contain the standard controller-to-processor contractual clauses published in the Decision of the European Commission of 5 February 2010 (Decision 2010/87/EU) or any other similar contractual clauses as may be adopted by the European Commission from time to time (the ‘EU Model Clauses’).
- If Clause 6.1 above is applicable, the Parties agree to separately enter into and sign the EU Model Clauses.
7.NOTIFICATION OF INCIDENTS AND DATA SECURITY BREACHES
- The Supplier shall promptly, and without undue delay, inform the Customer if:
  - it receives an enquiry or a request for inspection or audit from a public authority relating to the processing of Personal Data, unless the Supplier is prohibited by law from making such disclosure;
  - it intends to disclose Personal Data to any public authority;
  - it receives a request for disclosure of the Customer Personal Data, or of information relating to the processing of the Customer Personal Data, from a third party or a Customer employee, customer or contractor; or
  - it detects or reasonably suspects that a Personal Data Breach has occurred.
8.SUPPLIER’S OBLIGATION TO ASSIST THE CUSTOMER
- Where necessary, the Supplier shall provide assistance to the Customer in complying with any request, enquiry, investigation or assessment of processing referred to in section 7 initiated by a Customer employee, customer, third party or any relevant public authority.
- In particular, the Supplier shall:
  - contract with reputable external security firms to perform regular audits of the Supplier’s Services, to verify that the Supplier's security practices are sound and to monitor the Supplier's Services for any new vulnerabilities discovered by the security research community;
  - make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in the GDPR and, upon reasonable notice by the Customer and at the Customer’s expense, allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. Before the commencement of any such onsite audit, the Customer and the Supplier shall mutually agree upon the scope, timing and duration of the audit, in addition to a reasonable reimbursement rate. The Customer shall promptly notify the Supplier of any non-compliance discovered during the course of an audit in order to allow the Supplier to remedy it promptly; and
  - to the extent legally permitted, notify the Customer without undue delay if the Supplier receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, right to restriction of processing, right to erasure (“right to be forgotten”), right to data portability, right to object to the processing, or right not to be subject to automated individual decision-making.
9.TERM AND TERMINATION
- This DPA shall enter into force on the date on which it has been signed by both Parties and shall remain in force for as long as processing of Personal Data is carried out by the Supplier and/or its Subprocessors for the purposes stated in this DPA.
- Upon termination of the Agreement, the Supplier shall return all data containing Personal Data to the Data Controller (or to another party in accordance with the Customer’s instructions) or, where the Customer so requests, destroy all Personal Data and certify to the Customer that this has been done. Where this is not technically possible, or where the Supplier is prevented from doing so by the Data Protection Laws, the Supplier shall provide a warranty that the Personal Data will remain confidential and will no longer be processed in any manner other than being stored, or, alternatively, will anonymise the data in such a way that it is impossible to re-identify a Data Subject.
10.MISCELLANEOUS
- This DPA constitutes the entire agreement between the Parties relating to the subject matter hereof and may not be amended except in a written document executed by both Parties. In case of discrepancies between this DPA and the Agreement, this DPA shall prevail.
- Should any provision of this DPA be or become invalid, the legal validity of the remaining provisions shall not be affected. Instead of the invalid provision, a valid provision shall be deemed to have been agreed upon which comes as close as possible to the intentions of the Parties.
- This DPA applies to and covers any changes, additions or amendments to the Agreement unless a new DPA is entered into. If the Agreement is terminated and a new contract with a similar scope and purpose to the Agreement is entered into, but without a new DPA, this DPA shall apply to the new contract. This also applies if an explicit reference is made to this DPA in a contract between the Customer and the Supplier.
11.GOVERNING LAW AND DISPUTES
- This DPA shall be applied and interpreted in accordance with the law stated in the Agreement. Notwithstanding this, the Supplier must at all times process Personal Data in accordance with the Data Protection Laws.
- Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled in accordance with the dispute resolution provision in the Agreement.
Appendix 1 - Personal Data
REQUIRED INFORMATION REGARDING THE DATA TO BE PROCESSED BY THE SUPPLIER
Data subjects
The personal data to be processed concern the following categories of data subjects:
- service users of the Customer and their relatives;
- care workers and staff of the Customer; and
- authorised third parties, including health care professionals.
Nature and purposes of the processing
The processing of data is necessary for the following purposes: the provision of a care management solution including:
- Care assessment
- Care planning
- Integrated medication scheduling and management
- Task planning
- Visit scheduling
- Accident and incident management
- Integrated CRM module
- Visit reports, including QR code and location-based check-in
- Care Circle, to manage family and external access
- Service user map for optimised visit planning
- Employee management
- Staff training
- Automated staff rostering
- Staff interviews, pre-employment checks and on-boarding
- Staff induction and appraisal management
- Staff timesheet and travel mileage management
- New customer enquiries management
- Dedicated web portal and native mobile app carrying the Customer's branding
- Dedicated e-learning portal for care staff
Data must be anonymised when used for any purpose other than those mentioned above.
Categories of data
The personal data to be processed fall within the following categories of data: contact details, address, contract details, medical history, medical conditions, health data, emergency contact details, GP/care agency name, ethnic origin, religion, carer’s location.
Sensitive data (if appropriate)
The personal data to be processed fall within the following categories of sensitive data: medical history, medical conditions, health data, ethnic origin, religion, philosophical belief.
Storage limit
The personal data transferred may be stored for no longer than the term of the Master Services Agreement, unless a longer period is required by law.
Appendix 2 - Information Security
1.GENERAL REQUIREMENTS
- The Supplier shall not carry out any act or make any omission which has, or could reasonably be expected to have, an adverse impact on the Customer’s systems or Personal Data.
- The Supplier shall ensure that appropriate technical and organisational measures are implemented to ensure a level of security that is appropriate to the risk of the processing. In particular, the Supplier shall:
  - secure the Personal Data in such a way as to prevent destruction, alteration, blocking, unauthorised disclosure or access, copying, distribution or any other kind of unauthorised processing;
  - ensure that Personal Data and the data files containing Personal Data may only be accessed by authorised personnel who need the data to perform their duties in order to satisfy the Supplier's obligations under the Agreement and this DPA, and in accordance with the Customer’s instructions ("Authorised Personnel");
  - ensure that Authorised Personnel have either entered into a confidentiality undertaking or are under an appropriate statutory duty of confidentiality that remains valid after the end of their employment or service with regard to the processing of Personal Data;
  - ensure that it has an access control system in place that prohibits unauthorised access to the Personal Data (and, as regards processing that carries a high risk of privacy breaches, a two-step authentication process shall be employed), together with access logging through which it can be established who has accessed the Personal Data;
  - ensure that Authorised Personnel comply with the terms and conditions of this DPA and the instructions provided by the Customer, and that such personnel are informed of the provisions of the GDPR;
  - take all appropriate technical, administrative and organisational security measures, appropriate to the risk of the processing, to protect Personal Data received from the Data Controller against, among other things, unauthorised access, destruction, accidental loss, alteration, blocking, copying, distribution, unauthorised disclosure and all other unlawful processing of Personal Data. (Such security measures shall include encryption and pseudonymisation of Personal Data, password protection and the installation of appropriate firewalls.) The Supplier shall ensure that Personal Data is stored in such a way that it cannot be accessed by unauthorised persons, and that the Personal Data is held separately from other data; and
  - ensure that there is appropriate, up-to-date virus protection at all times in respect of the data files containing Personal Data, and that backup copies of such files are made.
- The Supplier shall ensure that the Supplier's information security policies are at all times observed by the Supplier in the course of providing the Services.
2.ACCESS MANAGEMENT
- Where the Supplier provides services connected directly to the Customer's systems, the Supplier must validate the identity of all Supplier Personnel with access to the Customer's systems. The Supplier must notify the Customer upon request of the names of Supplier Personnel and the required and actual levels of access to the Customer’s information.
3.PHYSICAL SECURITY
- The Supplier is responsible for protecting the Customer’s Personal Data from harm through unauthorised physical access and/or damage. This includes physical access controls such as protecting buildings against unauthorised access (e.g. by using locks, bolts or equivalent measures on vulnerable doors and windows), restricting physical access to critical areas to authorised staff only, supervising external parties when they are granted access, and protecting communication links and data storage media.
Appendix 3 - Subprocessors
LIST OF APPROVED SUBPROCESSORS
The authorised Subprocessors of the Supplier currently in use are the following:

Name          | Purpose                                   | Location     | Safeguard if not located in the EU
Zoho Creator  | Application platform as a service (PaaS)  | Netherlands  |
Maps API      |                                           | UK           |