Data Processing Agreement
1. Introduction
The purpose of the Data Processing Agreement (hereinafter the "Agreement") is to govern the use of personal data of customers (hereinafter the "Customer") of Ummon HealthTech SAS (hereinafter the "Processor") using its services (hereinafter the "Service").
2. Definitions
All terms relating to the applicable personal data protection regulations used in the Agreement are defined in Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR").
3. Role of the Parties
Under the Agreement, the Customer acts as the data controller and the Processor acts as the data processor within the meaning of Article 28 of the GDPR (hereinafter, together, the "Parties").
4. Contractual documents and duration
The Agreement, which is an indivisible appendix to the contract signed between the Customer and the Processor for the use of the Service (hereinafter the "Contract"), shall apply for the entire duration of the existing contractual relationship between the Parties.
In the event of any contradiction between the Contract concluded for the use of the Service and the Agreement, the obligations set out in the Agreement shall take precedence over the Contract with regard to the applicable data protection rules.
5. Declarations and undertakings
The Processor declares that it complies with all the rules applicable to the protection of personal data and provides sufficient guarantees to meet the requirements of the GDPR in the context of the provision of the Service.
The Processor declares that all internal or external staff who are required to process the Customer's personal data are bound by a confidentiality clause, an information systems charter or any other binding legal document and receive regular training and awareness sessions.
The Processor declares that the Service has been created in compliance with the rules of "Privacy by design" and "Privacy by default" and therefore that the Service is accompanied by functionalities enabling the Customer to comply with its obligations as data controller.
6. Documented instructions
The Processor undertakes to use the Customer's personal data in connection with the use of the Service only on the Customer's documented instructions.
The list of processing operations carried out is detailed in the appendix or supplied at the Customer's request.
7. Security
The Processor undertakes to guarantee the security of the Customer's personal data and to implement all the technical and organisational measures necessary for its Service.
All the technical and organisational security measures are detailed in the appendix hereto or are supplied at the Customer's request.
8. Data breach
The Processor undertakes to notify the Customer, in accordance with the obligations set out in Article 33 of the GDPR, as soon as possible after becoming aware of any personal data breach that may affect the Customer's personal data.
The Processor undertakes to communicate, as soon as possible after becoming aware of it, all the necessary and required information in its possession to reduce the effects of the personal data breach suffered and to enable the Customer to take the appropriate safeguarding and protection measures.
Unless the Parties agree otherwise, the Processor is not authorised to take charge of notifications of data breaches to the relevant supervisory authority and to inform, on behalf of the Customer, the persons concerned by the processing carried out under the Contract.
9. Help and assistance
The Processor shall provide the Customer, upon written request, with all necessary and required information on the technical and organisational security measures to be implemented to guarantee the security of the Customer's personal data.
The Processor shall provide the Customer, upon written request, with all the information necessary and required for a data protection impact assessment ("DPIA") to be carried out.
The Processor undertakes to notify the Customer, as soon as possible after becoming aware of it, of any request to exercise data subject rights that it receives and that is addressed to the Customer.
The Processor shall provide the Customer, upon written request, with all necessary and required information to enable the Customer to fulfil its obligation to act on requests from data subjects.
The Processor shall, at the Customer's written request, carry out the actions required so that the Customer can fulfil its obligation to respond to requests from data subjects.
10. Liability
The Processor shall never be liable for any use of the Service by the Customer that does not comply with the applicable rules on the protection of personal data.
The Processor is not obliged to handle data subject rights requests in place of and on behalf of the Customer. Any additional request for such handling may be refused and, where appropriate, an additional service charged for.
The Processor is not obliged to ensure or audit the Customer's security or to carry out DPIAs in place of and on behalf of the Customer. Any request in addition to the provision of information may be refused and, where appropriate, an additional service may be charged for.
11. Sub-processors
The Customer accepts that the Processor may engage subsequent sub-processors (hereinafter "STUs") as part of the performance of the Agreement, provided that it informs the Customer, by any means, of any changes concerning these STUs occurring during the performance of the Contract and remains responsible for the actions of the subsequent sub-processors under the Agreement.
The Processor undertakes to engage only STUs that offer the necessary and sufficient guarantees to ensure the security and confidentiality of the Customer's personal data.
The Processor undertakes to monitor its STUs and to ensure that the contract entered into with the STU used as part of the service contains obligations similar to those set out in the Agreement.
The Customer may raise objections by registered letter with acknowledgement of receipt i) if the STU is one of its competitors, ii) if the Customer and the STU are in a pre-litigation or litigation situation, or iii) if the STU has been sanctioned by a data protection supervisory authority in the year of its engagement.
The Processor has 6 months from receipt of the objection to replace the STU.
12. Fate of personal data
The Processor shall delete the Customer's personal data at the end of the period of performance of the Contract entered into in connection with the use of the Service, and the Customer agrees that the Processor may, where technically possible, anonymise the Customer's personal data for statistical purposes.
The Processor shall certify to the Customer, upon written request, that its personal data and all existing copies thereof have been effectively deleted.
The Customer must retrieve its personal data before the end of the Agreement. Failing this, the Customer may no longer retrieve its personal data, as the deletion of personal data is irreversible.
The Customer remains solely responsible for the loss of its personal data following the deletion of data at the end of the Agreement.
13. Audits
The Customer has the right to carry out an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The completed questionnaire shall have the force of a sworn statement binding on the Processor.
The questionnaire may be sent in any form to the Processor, who undertakes to reply within a maximum of two months of receipt.
The Customer also has the right to carry out an audit at the Processor's premises, at its own expense, once a year, solely in the event of a data breach or proven and demonstrated failure to comply with the applicable data protection rules and this Agreement.
An audit at the Processor's premises may be carried out either by the Customer or by an independent third party appointed by the Customer and must be notified to the Processor in writing at least thirty (30) days before the audit is carried out.
The Processor has the right to refuse the choice of the independent third party if the latter is i) a competitor or ii) in pre-litigation or litigation with the Processor. In this case, the Customer undertakes to choose a new independent third party to carry out the audit.
The Processor may refuse access to certain areas for reasons of confidentiality or security. In this case, the Processor carries out the audit in these areas and communicates the results to the Customer.
In the event of a discrepancy being identified during the audit, the Processor undertakes to implement, without delay, the necessary measures to comply with this Agreement.
14. Data transfers outside the European Union
The Processor undertakes to take all necessary steps not to transfer the Customer's personal data outside the European Union and not to engage STUs located outside the European Union.
Nevertheless, in the event that such transfers prove necessary as part of the Service, the Processor undertakes to implement all the mechanisms required to govern such transfers, in particular by entering into the standard contractual clauses ("SCCs") adopted by the European Commission.
15. Cooperation with supervisory authorities
Where this concerns processing carried out under the Agreement, the Processor undertakes to provide, on request, all the information necessary for the Customer to cooperate with the competent supervisory authority.
16. Contact
The Customer and the Processor shall each appoint a contact person to be responsible for this Agreement, who shall be the addressee of the various notifications and communications to be made under the Agreement.
The Processor informs the Customer that it has appointed Dipeeo SAS as its Data Protection Officer, who can be contacted at the following address:
- Email address: dpo@ummon.health
- Postal address: Société Dipeeo SAS, 95 avenue du Président Wilson, 93100 Montreuil, France
- Telephone number: 01 59 06 81 85
17. Review
The Processor reserves the right to amend this Agreement in the event of changes to the rules applicable to the protection of personal data which would have the effect of amending any of its provisions.
18. Applicable law and jurisdiction
This Agreement is governed by French law. Any dispute relating to the performance of this Agreement shall fall within the exclusive jurisdiction of the courts within the jurisdiction of the Court of Appeal of the place where the Processor is domiciled.
Certified by Dipeeo ®.