COMMISSIONED DATA PROCESSING AGREEMENT
§1 SUBJECT MATTER AND DURATION OF COMMISSIONED DATA PROCESSING
1.1. We collect, process, and use personal data for the purpose of providing services as detailed under Clause 2.1.
1.2. The Agreement is entered into as of the date of your acceptance below and is concluded for an unlimited amount of time. The Agreement can be terminated by either party with four weeks’ notice effective from the end of the month. This does not prejudice the right to termination of the Agreement without notice. Due to the dependency on the Medical Device Agreement, this Agreement will in either case terminate at the same time as the Medical Device Agreement.
1.3. These provisions on commissioned data processing supplement the Medical Device Support Agreement. In the event of a contradiction between these provisions and the Medical Device Support Agreement, these provisions on commissioned data processing prevail.
§2 SPECIFICATION OF ORDER DETAILS
2.1. We provide you with support in using specific medical and dental technology systems, in particular in using the aligner system you specified earlier in the registration process and the relevant application software (setup software).
2.2. We shall use personal data provided to us only for the fulfillment of the contractually agreed upon services. We may create temporary duplicates and copies, as far as they are necessary to ensure technical and organizational security, and as far as the data is not altered. We may not provide the personal data you handed us to systems of third parties, including for testing purposes, unless the third party is an authorized subcontractor of TPSOLUTION. Furthermore, we may not duplicate or copy personal data without authorization.
2.3. Upon your consent, we are authorized to check individual data records, e.g., customer accounts, for the purpose of support and error-proofing. In the event of finding errors or irregularities during the examination of order results, we will notify you without delay.
2.4. Further details on the extent, nature, and purpose of data collection, processing, and usage are listed under Letter A of Addendum 1 to this Agreement.
2.5. The different types of personal data are listed under Letter B of the Addendum 1 to this Agreement.
2.6. Data subjects are listed under Letter C of the Addendum 1 to this Agreement.
2.7. Fulfillment of the contractually agreed data processing shall only take place in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation of the data to and any access to the data from a country not party to the European Union or the European Economic Area is subject to your prior written consent and may only take place if there is an appropriate data protection level ensured by compliance with the specific conditions and regulations of Article 44 et sqq. of the GDPR. An appropriate data protection level requires (a) a European Commission adequacy decision, (b) legally binding internal data protection rules, (c) implementation of the standard data protection regulations of the European Union or (d) an authorized code of conduct.
§3 TECHNICAL AND ORGANIZATIONAL MEASURES
3.1. Taking into account technical progress and further development, implementation costs, the nature, scope, circumstances, and purposes of processing as well as the different probabilities of occurrence and the severity of risk to the rights and freedom of natural persons, we establish appropriate technical and organizational measures to ensure a protection level appropriate to the risk. Before the commencement of processing, we document the execution of the technical and organizational measures, specifically with regards to detailed fulfillment of the order, in writing or in another way that is suitable to be presented to third parties and will present these documented measures to you upon request.
3.2. The measures stated here shall include, among others, aspects of pseudonymization, encryption, confidentiality, integrity, and resilience of systems and services as well as the availability of data. Additionally, a process for regular testing and assessment of the effectiveness of the technical and organizational measures shall be implemented in order to ensure the security of processing. Should measures prove to be ineffective in ensuring the security of processing while testing and assessing, in particular considering technical progress, we will implement immediate appropriate technical and organizational measures corresponding to Clause 3.1, document this implementation, and provide said documentation upon request.
3.3. We may implement alternative adequate measures, whereby the security level of the stated measures may not be undercut. We will document any substantial changes and provide them to you upon request.
§4 RECTIFICATION, ERASURE, AND BLOCKING OF DATA
4.1. Only upon your instruction may we rectify, erase or block the usage of data being processed as per the order. Should a data subject contact us directly in order to have his or her data rectified, erased, or blocked from usage, we will immediately inform you of such a request in writing.
4.2. Insofar as the Medical Device Support Agreement does not stipulate otherwise, we will without undue delay implement the erasure policy, the right to be forgotten, data portability, and availability in accordance with documented instructions from you in the sense of Clause 9 of this Agreement.
§5 RESPONSIBILITIES OF TPSOLUTION
5.1. We will process personal data only upon documented request by you.
5.2. We oblige any and all persons authorized to process personal data to confidentiality or ensure their subjection to an appropriate, legally binding confidentiality agreement. We also ensure that they have been familiarized with the data protection provisions relevant to their work prior to starting data processing. Clause 5.1 applies to said persons accordingly.
5.3. Taking into account the nature of processing and the information made available to us, we will make every effort to support you in complying with your obligations concerning the security of processing, reporting requirements for personal data breaches towards supervisory authorities and towards the data subject as well as the data protection impact assessment and any ensuing consultation requirements towards supervisory authorities.
5.4. We are subject to any inspection by the supervisory authorities and shall inform you without undue delay in writing if data deriving from your order is concerned. This also applies insofar as we are under investigation or party to an investigation by a competent authority in connection with infringements to any Civil or Criminal Law, or Administrative Rule or Regulation regarding the processing of personal data. Insofar as you are subject to an inspection by the supervisory authority, an administrative or summary offense or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the data processing by TPSOLUTION, we will make every effort to support you. Support services comprise information procurement and are only rendered if legal and if the effort is reasonable. In particular, we are under no obligation to bear any costs.
5.5. We comply with the relevant rules referring to the appointment of a Data Protection Officer. The Data Protection Officer’s contact details will be provided to you upon request for the purpose of establishing direct communication. In case of a change of the Data Protection Officer, you will be notified in writing without undue delay.
5.6. Insofar as the effort involved is reasonable in relation to the desired level of protection, we will fulfill and implement technical and organizational measures and periodically inspect these measures and the internal processes accordingly. We will ensure that the technical and organizational measures implemented are verifiable by you.
5.7. We maintain a register of all categories of processing services provided as a result of orders placed by you.
5.8. We will immediately notify you in writing if we have good reason to believe that instructions given by you infringe German or European data protection law.
§6 SUBCONTRACTING
6.1. You agree in principle to us commissioning carefully selected subcontractors. Any planned change with regards to adding or replacing a subcontractor will be communicated to you at least 14 days in advance. You agree to only object to changes to subcontractors for important reasons.
6.2. In the event of subcontracting, we will make legally binding contractual agreements with the subcontractors for commissioned data processing. The subcontract is to be determined in writing. The contract shall impose on the subcontractor data protection provisions corresponding to the provisions contractually agreed upon between you and us.
6.3. Should the subcontractor not comply with their data protection obligations, we shall be liable to you for the compliance of any subcontractor. The general rules governing the relationship between us and the subcontractor remain unaffected.
6.4. Addendum 2 of this Agreement lists any and all subcontractors of TPSOLUTION at the time of conclusion of this Agreement.
6.5. Sharing your personal data with the subcontractor is only permissible after all preconditions for subcontracting have been met. Should the subcontractor provide their agreed upon services outside of the European Union/European Economic Area, we will take appropriate measures to ensure data protection.
6.6. Subcontractors may only outsource to further subcontractors upon explicit written approval from you.
6.7. For the purpose of this Agreement, subcontracting is not to be understood as meaning services which TPSOLUTION procures from third parties as ancillary services to support the commissioned data processing, such as telecommunication services, postal/transport services, maintenance and user support services, cleaning services, testing services or the disposal of data carriers, as well as measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. We are, however, obliged to make appropriate and legally binding contractual agreements and take appropriate inspection measures to ensure the data protection and data security of your data, even in the case of outsourced ancillary services.
§7 YOUR SUPERVISORY POWERS; OUR OBLIGATIONS TO COOPERATE
7.1. TPSOLUTION grants you and/or your authorized representatives the right to survey and inspect measures implemented to ensure data protection and data security (inspection right).
7.2. The objective of this inspection right shall be to review whether we meet our obligations within our business operations. Evidence may be provided by on-the-spot checks as well as by reports and certificates issued by independent bodies. If on-the-spot checks are to be carried out, these shall be structured as random sample checks and shall, as a rule, be announced in due time. We will furthermore provide you with all required information. The inspection right shall neither be misused in any way nor be exercised in a manner that unreasonably interferes with business operations. You agree to us appointing independent, third-party auditors if we make a copy of the audit report available to you. In case of a competitive relationship between the auditor appointed by TPSOLUTION and you, you have the right to object. Costs related to a third-party auditor are to be borne by you. For our support during the execution of an audit, we may claim reasonable remuneration.
§8 COMMUNICATION IN THE CASE OF INFRINGEMENTS BY TPSOLUTION
8.1. We will notify you immediately in writing in case of reasonable grounds to suspect an infringement of the data protection and data security clauses determined in this Agreement, either by us or by a third party contracted by us. The same applies for infringements of general rules concerning the protection of personal data.
8.2. We will assist you in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments, and prior consultations with supervisory authorities.
8.3. We may claim reasonable compensation for support services which are not included in the description of services and which are not attributable to failures on the part of TPSOLUTION. Prior to commissioning third parties to support us in the fulfillment of support services not included in the description of services, we will consult with you with regard to the costs arising from such commissioning in order to retain the cost reimbursement claim.
§9 YOUR AUTHORITY TO ISSUE INSTRUCTIONS
9.1. We will process personal data only upon your request. The request shall be documented in writing or in another way that is suitable to be presented to third parties. This applies especially in the case of transferring personal data to a third country or an international organization. Within the scope of the regulations determined in this Agreement, you retain the right to issue instructions on the nature, extent, and method of data processing by concrete individual directives. Changes to the subject matter of processing and procedural changes are to be mutually agreed.
9.2. If we are unable to comply with instructions, we will notify you immediately in writing. In such a case, you will have the right to suspend data transfer and/or to rescind this Agreement and the Medical Device Support Agreement linked to this Agreement.
9.3. You will confirm verbal instructions immediately in writing. TPSOLUTION will have the right to suspend compliance with the relevant instruction until such point that you confirm or adjust said instruction in writing.
9.4. We will immediately inform you if we consider an instruction to be in violation of data protection regulations.
§10 DELETION OF DATA AFTER CONCLUSION OF ORDER
10.1. After the conclusion of the work, or earlier upon your request, or at the termination of this Agreement, we will hand over to you or – subject to prior written consent – destroy all documents, processing and utilization results, and data sets related to the Agreement that have come into our possession, in a manner compliant with data protection regulations. Data will be deleted and destroyed completely and in accordance with recognized, state-of-the-art technical measures for multi-pass overwriting of data. The same applies to any and all connected test, waste, redundant, and discarded material, which shall be stored in compliance with data protection regulations until deletion or return. Upon request, the log of the destruction or a copy of said log shall be provided to you.
10.2. Data deletion and destruction will not be executed insofar and as long as we are in need of this data for our own legitimate purposes, especially to demonstrate orderly data processing in accordance with the Agreement (e.g., invoicing you), or insofar and as long as we are legally or by administrative orders obliged to store the data.
ADDENDA
ADDENDUM 1
A. PERTAINS TO §2 - METHOD AND PURPOSE OF DATA PROCESSING
Management of computer-aided planning processes involving digital treatment planning up to your approval of that plan towards the aligner manufacturer. Management of correspondence and communication between external dental laboratories affiliated with or commissioned by the aligner manufacturer on the one hand and you on the other hand. Processing the setup design taking into account your specific clinical and treatment preferences, efficient application of the above-mentioned medical product/device and fulfilling your planning requirements to achieve the best possible result.
On an individual, case-by-case basis, you will specify the scope of support services.
B. PERTAINS TO §2 - TYPE OF PERSONAL DATA
Name, Surname, Photographs, Radiographs, Date of birth, and email address of the patient, treatment plan and development.
C. PERTAINS TO §2 - DATA SUBJECTS
Patients who undergo such treatment.
ADDENDUM 2: LIST OF SUBCONTRACTORS
Currently, we do not make use of any subcontractors.