Data Processing Addendum

Christina 30 Jul 2024


This Data Processing Addendum with its appendices (together, this “DPA”) is incorporated into the Terms of Use that may be entered by and between Impatients N.V., trading under the name myTomorrows (“myTomorrows”, the “Processor”) and the healthcare professional using the Referral Services, as defined in the Terms of Use (“Physician”, the “Controller”). This DPA is effective as of the day Physician agrees to myTomorrows’ Terms of Use.


1. General Provisions

1.1. This DPA sets out the rights and obligations of myTomorrows and the Controller, regarding myTomorrows processing of personal data as Processor on behalf of the Physician as Controller, in the context of the use of the Referral Services by the Controller.

1.2. This DPA has been designed to ensure the Parties’ compliance with article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR). Capitalised terms not defined in this DPA that are defined in the GDPR or in the Terms of Use shall have the same meaning as set forth in the GDPR or the Terms of Use.

1.3. Each Party shall comply with its obligations under the data protection laws (including, but not limited to, the GDPR) applicable to its activities at all times.

2. Controller obligations

2.1. The Controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see article 24 GDPR), the applicable EU or Member State data protection provisions and this DPA.

2.2. In particular, the Controller is responsible for ensuring that the Processing of Personal Data has an adequate legal basis. This includes, but is not limited to, ensuring that the sharing of Personal Data respects medical secrecy and confidentiality.

2.3. The Controller is solely responsible for the accuracy, reliability and adequacy of the data shared.

2.4. The Controller is solely responsible for informing Data Subjects of the processing carried out in the context of the provision of Services and to obtain their consent where this is necessary under Applicable Laws. The Controller shall inform Data Subjects adequately of the purposes and of the Processing and any other information that may be required by Applicable Laws.

3. myTomorrows obligations

3.1. myTomorrows shall only Process Personal Data:
a. As strictly necessary to provide the Referral Services;
b. As required by Applicable Data Protection Laws;
c. As instructed by Controller in writing, including electronically;
d. In accordance with this DPA and the Terms of Use.

3.2. myTomorrows shall inform the Controller without undue delay if, in myTomorrows’ opinion, any instructions given by the Controller infringe any applicable laws or regulations. In such case, the Controller shall provide revised instructions within four (4) weeks. In the event the Controller has not provided revised instructions within four (4) weeks, or if myTomorrows also deems the revised instructions to contravene the GDPR or the data protection provisions of the applicable law to which myTomorrows is subject, myTomorrows has the right to terminate (the relevant part of) the Agreement in line with article 1.14. of the Terms of Use.

3.3. myTomorrows shall not Process Personal Data for any purpose other than for the specific purpose of performing the Services, as further specified in Annex I of this DPA, unless otherwise required to do so by Union or Member State law to which myTomorrows is subject.

3.4. myTomorrows shall assist the Controller in ensuring the Controller’s compliance with its obligations under GDPR, in particular article 35 GDPR and article 36 GDPR. myTomorrows shall provide, to the best of its ability, any assistance as may be reasonably requested by the Controller to maintain compliance with Applicable Data Protection Laws.

3.5. In particular, myTomorrows shall assist the Controller, insofar as this is possible, in the fulfilment of the Controller’s obligations to respond to requests for exercising the Data Subject’s rights and to complaints, insofar as the Controller is unable to fulfil these obligations without myTomorrows’ assistance.

4. Confidentiality

4.1. myTomorrows shall only grant access to the personal data being processed on behalf of the Controller to persons under myTomorrows’ authority who have committed themselves to confidentiality and probity or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis.

4.2. myTomorrows shall, at the Controller’s request, demonstrate that the concerned persons under myTomorrows’ authority are subject to the abovementioned obligations of confidentiality.

5. Security of processing

5.1. myTomorrows shall implement appropriate technical and organizational security measures, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as required by Article 32 GDPR; these measures are detailed in Annex II.

5.2. myTomorrows’ implementation of the security measures described in paragraph 5.1 shall not relieve the Controller from implementing adequate technical and organizational security measures for the security and confidentiality of all information shared with myTomorrows.

6. Use of sub-processors

6.1. myTomorrows has the Controller’s general authorization to use the sub-processors listed in Annex III. myTomorrows shall make reasonable efforts to inform the Controller in writing of intended changes concerning the addition or replacement of a sub-processor. If the Controller has legitimate and reasonable grounds to object to the change, they must notify myTomorrows immediately at dataprotection@mytomorrows.com, within fifteen (15) days, after which the Controller shall be deemed to have approved and accepted such appointment.

6.2. If the Controller expresses legitimate ground to object to the change, the Parties shall discuss in good faith. In the absence of an agreement between the Parties following such discussion, myTomorrows shall have the right to remove the Controller’s access to the portion of the Services affected by the change of sub-processor.

6.3. Where myTomorrows engages a sub-processor for carrying out specific processing activities, essentially the same level of data protection obligations as set out in this DPA shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.

6.4. If a sub-processor does not fulfil its data protection obligations, myTomorrows shall remain liable to the Controller for the performance by the sub-processor of its obligations under the Agreement.

7. Transfer of data to third countries or international organisations

7.1. Without documented instructions from the Controller, myTomorrows cannot within the framework of this DPA:
a. transfer personal data to a data controller or a data processor in a third country or in an international organization;
b. transfer the processing of personal data to a sub-processor in a third country;
c. have the personal data processed by myTomorrows in a third country.

7.2. For the provision of Referral Services to the Controller under the Agreement, personal data may be processed in and transferred to third countries. Any transfer shall always take place in compliance with chapter V of the GDPR. Data transfers of sub-processors or third parties known to the Controller shall be deemed authorized by the Controller.

7.3. myTomorrows shall be authorized to transfer personal data to its sub-processors and affiliated entities or other parties if required to do so per the Controller’s instructions or as necessary for the provision of Referral Services, based upon the following legitimization mechanisms:
a. An adequacy decision of the European Commission issued in line with article 45 of the GDPR, as referred to in article 45(3) of the GDPR;
b. The relevant module of the standard data protection clauses to legitimize transfers as adopted by the European Commission in accordance with the examination procedure mentioned in article 93 of the GDPR (“Transfer SCCs”), as referred to in article 46(2)(c) of the GDPR;
c. Another legitimation mechanism mentioned in article 46 GDPR, provided myTomorrows is able to establish that the mechanism is compliant having regards to all the circumstances surrounding the transfer of personal data.

7.4. To the extent that the Data Protection Act 2018 (“UK GDPR”) applies to the processing of personal data under this DPA, the International Data Transfer Agreement issued by the Information Commissioner’s Office (ICO) (the “IDTA”) is incorporated herein by reference. For the purposes of the IDTA, the parties agree:
a. That the Controller shall be considered Data Exporter and the Controller’s details shall be the details provided to myTomorrows by the Controller;
b. That myTomorrows shall be considered Data Importer and myTomorrows’ details are those mentioned in this document;
c. Regarding the transfer details requested for Table 2:
– UK country law that governs the IDTA: England & Wales;
– Primary place for legal claims to be made: England & Wales;
– Exporter is a controller;
– Importer is the Exporter’s Processor;
– UK GDPR applies to the Importer’s Processing of the transferred data;
– The present DPA and myTomorrows’ terms of use set out the Processor’s instructions for the Processing of the Transferred Data;
– The Importer may process the transferred data for the period for which the Agreement is in force;
– The Parties cannot end the IDTA before the end of the Term unless there’s a breach of the IDTA or the Parties agree in writing;
– The Importer may end the IDTA when the approved IDTA changes;
– The Importer may transfer on the transferred data to another organisation or person, in accordance with Section 16.1. of the IDTA;
– The Importer may only forward the transferred data in accordance with Section 16.1 of the IDTA to perform the requested Referral Services under the Agreement, in particular to refer patients to clinical research teams in the location selected by the Controller;
– Review dates: the Parties must review the security requirements at least once every 3 years as detailed in Annex III of this DPA;
d. Regarding Tables 3 and 4, the Parties refer to Annexes I, II and III of this DPA.

7.5. The Parties acknowledge and agree that the provision of the Referral Services may necessitate the transfer of personal data outside of the UK or the EEA, at the Controller’s request. The Parties understand and agree that such transfers will be considered a transfer to an independent controller, as detailed in the Agreement. The Controller shall be exclusively responsible for ensuring that an adequate legal basis exists for the transfer of data. In particular, if the Controller relies on the data subject’s consent to legitimize the transfer (article 49(1)(a) GDPR), the Controller shall be responsible for ensuring adequate information is provided to the data subject and shall be able to demonstrate compliance with article 49(1)(a) GDPR upon request.

8. Notification of personal data breach

8.1. In case of any Personal Data Breach, myTomorrows shall, without undue delay after having become aware of it, notify the Controller of the Personal Data Breach. myTomorrows shall provide, at minimum, the following information to the Controller to assist the Controller in its assessment of the Personal Data Breach:
– the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
– the likely consequences of the Personal Data Breach;
– the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

8.2. myTomorrows shall, insofar as possible, assist Controller in ensuring Controller’s compliance with its obligations under article 33 GDPR and article 34 GDPR. The Controller is solely responsible for determining whether a Personal Data Breach shall be notified to the supervisory authority or communicated to the Data Subjects.

9. Erasure and return of data

9.1. The Controller understands and agrees that myTomorrows’ Referral Services are not intended as a place to store data or documents relating to Patients, but shall only be used for the purposes for which they are intended and according to myTomorrows’ Terms of Use.

9.2. The Controller has, in its use of the Referral Services, the option to delete or export all Personal Data on or from its device. If the Personal Data has been shared, upon the Controller’s instructions, with other users and in particular with Clinical Research Teams, the shared content is under the control of these Users and is not part of any deletion request that may be submitted by the Controller or of any procedure described in the present section.

9.3. At the end of this DPA, or upon termination of the use of the Referral Services by the Controller, myTomorrows shall undertake to delete or return all Personal Data Processed under this DPA, unless (i) Union or Member State law requires storage of the Personal Data, or (ii) the data is retained in back-ups in which the data is not separately accessible.

10. Audit and inspection

10.1. The Controller acknowledges that myTomorrows is regularly audited by independent third-party auditors and/or internal auditors against the standards specified in Annex II. Upon the Controller’s written request during the term of the Agreement, myTomorrows shall supply a summary copy of its audit report(s) (“Report”), subject to a non-disclosure agreement, within due course, so that the Controller can verify myTomorrows’ compliance with this DPA.

10.2. myTomorrows shall also provide written responses, subject to a non-disclosure agreement, to reasonable requests for information made by the Controller related to its processing of personal data under this DPA, provided that the Controller shall not exercise this right more than once per year.

10.3. Insofar as the Controller is reasonably not able to assess myTomorrows’ compliance with this DPA for its processing of the personal data based upon the information provided under sections 10.1 and 10.2, myTomorrows shall give the Controller the opportunity to periodically verify compliance with this DPA upon at least three (3) months’ notice and at the Controller’s own cost. The checks shall be carried out on behalf of the Controller by an independent certified auditor. The certified auditor shall under no circumstances be a competitor of myTomorrows.

10.4. The scope of the audit shall be limited to the verification of the processes, organizations and tools directly and exclusively related to the performance of this DPA. The determination of whether the requested processes, organizations and tools are relevant to the scope of the audit shall be at myTomorrows’ exclusive discretion.

10.5. The audit shall not disrupt or unreasonably interfere with myTomorrows’ activities and systems.

10.6. The information obtained during the audit is Confidential Information and shall be treated as such by the Controller. An appropriate non-disclosure agreement shall be signed between the Parties prior to any disclosure of confidential information.

11. Indemnification

11.1. The Controller shall indemnify and hold myTomorrows harmless against claims by third Parties on the basis of damage suffered as a result of the Controller’s failure to comply with the GDPR or other laws or regulations. Indemnification shall apply not only to the damage that third Parties may have suffered (both material and immaterial), but also to (i) the costs that myTomorrows must incur in connection therewith, for example in any legal proceedings, (ii) to the costs of any fines imposed on myTomorrows as a result of the Client’s acts or omissions, and (iii) to any damages suffered by myTomorrows as a result of the Client’s acts or omissions, including but not limited to reputational damages.

11.2. Indemnification is contingent upon the Party to be indemnified:
(i) promptly notifying the other Party of a claim, and
(ii) providing reasonable cooperation and assistance to the other Party in defence of such claim.

12. Liability

12.1. The limitation of liability defined in clause 1.17. of the Terms of Use shall apply mutatis mutandis to myTomorrows’ liability towards the Controller under this DPA.

13. Commencement and termination

13.1. This DPA shall become effective on the date of the Controller’s acceptance of myTomorrows’ Terms of Use.

13.2. This DPA shall apply for the duration of the personal data processing activities in the performance of the Agreement. For the duration of the personal data processing activities, this DPA cannot be terminated unless other clauses governing data protection have been agreed between the Parties.

14. Final provisions

14.1. This DPA is governed by Dutch law.

14.2. Disputes with regard to, or in relation to, this DPA shall be heard exclusively by Amsterdam Courts. If any dispute should arise, the Parties shall first make a concerted effort to resolve said dispute by mutual agreement. This includes the possibility of resolving the dispute by means of mediation, to be determined by mutual agreement.

14.3. A signed copy of this DPA may be provided upon request from the Controller, which request shall be addressed to dataprotection@mytomorrows.com.

14.4. Any question or notices related to this DPA shall be addressed to dataprotection@mytomorrows.com.

ANNEX I – DETAILS OF THE PROCESSING

Categories of data subjects

The categories of data subjects whose personal data is processed in the context of the provision of Services may include: Patients, defined as individuals whose personal data the Physician is allowed to share due to the Physician-Patient relationship, in the context of the Services. myTomorrows acknowledges that, depending on Controller’s use of the Services, Controller may provide additional instructions in accordance with this DPA to include personal data from a category of data subjects not specified above.

Categories of personal data

Personal data:
• Full name;
• Contact details;
• Date of birth;
• Gender;
• City/country of residence;
• Professional occupation.

Special categories of data:
• Weight;
• Health data;
• Treatment data;
• Genetic data; and
• Other medical information as may be relevant to ensure the performance of the Referral Services.

Nature and purpose of the processing

myTomorrows’ processing of personal data on behalf of Controller shall pertain to the provision of the Referral Services, as described in myTomorrows’ Terms of Use. The purpose of the Referral Services is to enable physicians such as the Controller to perform clinical trial referrals independently through the use of myTomorrows’ platform.

Frequency of the processing

myTomorrows processes the personal data on an intermittent basis.

Duration of processing / retention period

myTomorrows will process personal data for the duration of the Agreement, after which the procedure as detailed in the relevant section of this DPA shall apply, unless otherwise agreed upon in writing by Parties.

Competent supervisory authority

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is the competent supervisory authority. If another Data Protection Authority is competent based on any applicable Standard Contractual Clauses to legitimize data transfers as published by the Commission of the European Union, the competence of such Data Protection Authority shall prevail.

ANNEX II – SECURITY

myTomorrows has implemented appropriate technical and organizational security measures and controls to protect personal data and to ensure the ongoing confidentiality, integrity, and availability of myTomorrows’ Services in accordance with article 32 of the GDPR. myTomorrows has processes in place to regularly test, assess and evaluate its technical and organizational security measures.

myTomorrows is an ISO/IEC 27001:2022 certified company. ISO27001 is an international standard for information security that guarantees the implementation of a high level of technical and organizational measures. These measures are subsequently audited yearly by an independent auditor to ensure compliance.

Governance

myTomorrows has implemented internal policies and procedures to appropriately manage information throughout its lifecycle. myTomorrows has drafted and implemented a complete set of information security policies and procedures covering multiple domains to satisfy ISO 27001 requirements. In addition, a data breach procedure, a data breach register and a processing register are in place to ensure compliance with GDPR requirements.

Environmental and physical (access) controls

myTomorrows has implemented various measures to prevent unauthorized access and reduce risks from environmental threats to the physical premises of myTomorrows, including:

• Secured areas protected by appropriate entry controls (e.g. access tokens) to ensure only authorized personnel have access;
• Equipment is sited and protected to reduce the risks of environmental threats, hazards, and opportunities for unauthorized access;
• Surveillance systems including alarms and, as appropriate, CCTV monitoring; and
• Receptionists and visitor policies are in place.

Virtual/Data access control

myTomorrows adopts a Zero Trust approach to its logical access controls, ensuring that every connection from a computerized system is verified and monitored. Access to internal resources is granted following the least-privilege and need-to-know principles.

myTomorrows has implemented appropriate measures to prevent its systems from being used by unauthorized persons, including:

• Individual, identifiable and role-based user account assignment;
• Role-based and password protected access and authorization procedures;
• Centralized, standardized password management and password policies;
• Deactivation of user accounts after several failed login attempts;
• Automatic screen lock after 15 minutes of inactivity;
• Anti-virus and critical security patch management;
• Logging of system and network activities to produce an audit-trail in the event of system misuse.

Datacenter security

myTomorrows does not maintain any kind of on-premise server, as it relies on IaaS, PaaS and SaaS solutions. It uses the Microsoft Azure and Amazon Web Services platforms for hosting its Services. Both service providers are market leaders in the field of information security. These platforms have all the controls in place to guarantee the security and availability of myTomorrows’ platform. Please click on the link provided in the sections below to read detailed information regarding Microsoft and Amazon Web Services’ datacenter security:

• Microsoft Datacenter security overview.
• Amazon Web Services Datacenter security overview

Encryption controls

myTomorrows has recognized encryption measures in place at an appropriate level, in accordance with good industry practices for data in transit and data at rest.

Availability controls

myTomorrows uses Amazon Web Services and Microsoft Azure infrastructure, which provides robust availability of data and improves security. Examples of measures include:

• myTomorrows’ databases are implemented [three-fold] geo-redundant;
• Backups of myTomorrows’ databases are continuous (point-in-time);
• The storage locations of myTomorrows’ backups are the West-Europe datacenters of Microsoft Azure and Amazon Web Services;
• myTomorrows uses a microservice architecture for its applications;
• myTomorrows uses standard highly available platform services of Microsoft Azure as a base for myTomorrows’ applications; and
• BCM is in place as part of myTomorrows’ planned ISO27001 certification.

ANNEX III – AUTHORIZED SUB-PROCESSORS

Approved Sub-Processors

On commencement of this DPA, Client authorizes myTomorrows to engage the following Sub-Processors for the processing included in the schedule below.

Microsoft Ireland Operations Limited
– Chamber of Commerce no.: 256796
– Location: Datacenters located in Western-Europe
– Description of processing: Cloud hosting provider.

CometChat Inc.
– Chamber of Commerce no.: 43373
– Location: Datacenters located in the European Economic Area
– Description of processing: Provides the software to enable the chat functionalities of the Referral Services.

HubSpot Netherlands B.V.
– Chamber of Commerce no.: 86156349
– Location: Datacenters located in the European Economic Area
– Description of processing: CRM software provider.

Amazon Web Services EMEA SARL
– Chamber of Commerce no.: 68579780
– Location: Datacenters located in Western-Europe
– Description of processing: Provides hosting to myTomorrows for utilizing online applications.