Data Processing Addendum
This Data Processing Addendum (“DPA”) applies when Addatech Inc. (“Addatech” or “we” or “us”) processes personal data that is subject to the General Data Protection Regulation (GDPR) on behalf of an organization or person (“Subscriber”) who has subscribed to Addatech’s clinic management platform (the “Services”).
In this Addendum, “GDPR” refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
In this Addendum, “Personal Data” refers to any information relating to an identified natural person or which can be used (directly or indirectly) to identify a natural person, such as name, address, email address, username, credit card, billing information, health information or other like information.
In this Addendum, “Process” or “Processing” refers to the collection, use, storage, disclosure, erasure or destruction of Personal Data, or any other operation or set of operations performed on Personal Data, whether or not by automated means.
The Subscriber will act as the “Controller”, i.e. the party who determines the purposes and means of the Processing of Personal Data. Addatech will act as the “Processor” of this information, being the service provider who Processes Personal Data on behalf of the Subscriber. Each party will comply with the provisions of the GDPR that apply to its respective role as either Controller or Processor.
Purpose and Duration of Processing
Each party will Process Personal Data only as necessary for the provision and use of the Services, and for as long as the Subscriber has a valid paid subscription to the Services.
Categories of Personal Data
The categories of Personal Data to be Processed will be determined by the Subscriber, and may include the following: name, address, email address, telephone number, health insurance information, billing information and data concerning health. The categories of individuals whose Personal Data may be processed include the following: employees, contractors and clients of the Subscriber.
- not transfer Personal Data to a country outside the European Union, the EEA or the United Kingdom, except where such third country provides appropriate safeguards by way of an adequacy decision or where the recipient of the Personal Data provides appropriate safeguards through adherence to an approved certification framework, Standard Contractual Clauses or binding corporate rules, or other legal mechanisms are in place to safeguard the Personal Data being transferred;
- ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement and maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of the Personal Data (including, but not limited to, pseudonymization, encryption, incident management, restoration and access controls), and will regularly monitor compliance with these measures;
- use only sub-processors who maintain at least the same level of security measures and adequate safeguards as required under this DPA and who have entered a written agreement, electronic or otherwise, with Addatech requiring such measures and safeguards. We will inform the Subscriber of any intended changes to its sub-processors. If a sub-processor fails to fulfill its data protection obligations, Addatech will be liable for the performance of such obligations;
- notify the Subscriber, within reasonable time, after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Addatech, and take all steps reasonably within Addatech’s control to mitigate and remediate the breach;
- meet its obligations under the GDPR to assist the Subscriber, insofar as this is possible and at the expense of the Subscriber, to:
- respond to individuals’ requests to exercise their rights with respect to their Personal Data being Processed by Addatech, provided however, that Addatech will not respond directly to any individual; and
- meet the Subscriber’s legal obligations with respect to breach notification, data protection impact assessments, or the cooperation or prior consultation with a supervisory authority with respect to Personal Data Processed by Addatech;
- upon request of the Subscriber, either delete or return Personal Data after completion of Services relating to the Processing, subject to any legal or regulatory obligations to maintain or store the Personal Data; and
- provide the Subscriber with all information necessary to demonstrate Addatech’s compliance with the GDPR, and contribute to audits or inspections to be conducted by or on behalf of the Subscriber no more than once in any calendar year, unless an additional audit is required by the GDPR or regulatory authority, or is reasonably necessary due to genuine concerns regarding our compliance with this DPA. The Subscriber will provide reasonable advance notice of any audit and will abide by Addatech’s reasonable security requirements. Addatech may charge for any time expended for such audit or inspection at our then-current hourly rates.