Last update: 17 October 2023
DATA PROCESSING ADDENDUM
Qinematic values personal integrity, and does it best to comply with the Data Protection Act (DPA) of each region. We ask that our Customers (End-Users and Organisations) who use or provide a service using Qinematic software to do the same.
Qinematic enters into a Service Agreement that recognises Qinematic AB as a "Data Processor", and the Customer as the "Data Controller".
The Data Controller and the Data Processor are each referred to as a "Party" and collectively as the "Parties".
BACKGROUND
The Parties have entered into a Service Agreement under which the Data Processor will process the Personal Data of Data Subjects on behalf of the Data Controller. This Data Protection Addendum has been entered into in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Controller to the Data Processor of personal data and the processing of personal data by the Data Processor on behalf of the Data Controller.
1.DEFINITIONS
The specific terms and expressions relating to data processing that are not defined herein shall have the same meaning as in the EU General Data Protection Regulation (GDPR).
The following terms, used in this Data Processing Addendum, shall have the following meanings:
"Business Day" means a day on which banks are open for business in Sweden other than for Internet banking services only (excluding Saturdays, Sundays and public holidays);
The "Data Protection Act" means the GDPR, or the local legal requirements for Third Countries;
"Personal Data" means all kinds of information that directly or indirectly may be referable to a natural person who is alive, for which the Data Controller is the controller and which the Data Processor shall process on behalf of the Data Controller under the Service Agreement;
"Third Country" means a state or region that is not included in the European Union or part of the European Economic Area.
"Data Subject" means the identified or identifiable living individual to whom Personal Data relates.
“Customer” means a natural person subscribing as an End-User (‘Client’ or ‘Health Seeker’) to the Services provided by Qinematic directly, and/or an Organisation (Health Service Provider’) that is subscribing to the Software and/or Services provided by Qinematic.
2.OBLIGATIONS & RESPONSIBILITIES
2.1 A data controller is a natural person or an organisation that determines for what purposes the personal data is processed, and how it is processed. The Data Controller is responsible for ensuring that all collection and processing of Personal Data is legal and made in accordance with the local Data Protection Act, including that there is a legal ground for the processing and that informed consent has been collected from the registered persons where necessary, and with a positive action to opt-in. Where two or more controllers jointly determine the purposes and means of the processing, they are joint controllers and must decide together their respective responsibilities for compliance with the different obligations under this GDPR.
(a) The End-User is in full control of their data via their personal Moovment Pro account. They may consent to sharing their data with one or more service provider Organisations, which in turn decides on which employees or associated (‘Specialists’) have legitimate access to the data. End-Users can revoke access at any time. End-Users can close their account and permanently delete their data at any time.
(b) During the time that the End-User has granted access to their personal data to one or more Organisations, and the Organisation/s accept the request, the Organisation/s and the End-User are joint controllers.
2.2 The Data Processor agrees and warrants:
(a) that the processing of Personal Data is carried out in accordance with the relevant provisions of the local or applicable Data Protection Act;
(b) to process the Personal Data only on behalf of the Data Controller and in compliance with its instructions and the Service Agreement (which for the sake of clarity shall imply that the processing is carried out only for the purposes decided by the Data Controller); if it cannot comply with such instructions for whatever reasons, it agrees to inform promptly the Data Controller of its inability to comply, in which case the Data Controller is entitled (as its sole and exclusive remedy) to suspend the transfer of data, request the immediate return thereof and/or terminate the Service Agreement;
(c) to deal promptly and properly with all enquiries from the Data Controller relating to its processing of the Personal Data;
(d) to, at the request of the Data Controller, provide a list of the locations where the Personal Data is being processed or may be processed;
(e) to implement the appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage, and (taking into account the technological development and the cost of implementing any measures), ensure that such measures shall provide for a level of security proportionate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data;
(f) that it will promptly notify the Data Controller about any completed unauthorised access;
(g) that it will without undue delay refer any third-party requesting information relating to the Personal Data to the Data Controller, unless such reference is prohibited under criminal law (i.e. to preserve the confidentiality of a law enforcement investigation);
(h) at the request of the Data Controller, to submit its data-processing facilities for audit of the processing activities covered by the Agreement which shall be carried out by the Data Controller or such person that the Data Controller appoints, provided that such person is bound by a duty of confidentiality; and
(i) not to transfer Personal Data from the EU to a Third Country unless approved in writing by the Data Controller or executed by the Data Controller.
3.SUB-PROCESSING
3.1 The Data Processor is entitled to sub-contract the processing of the Personal Data described herein. Consequently, the Data Processor does not need to obtain any specific consent for sub-processing of Personal Data. The Data Controller hereby authorises the Data Processor to enter into agreements with such sub-processors on behalf of the Data Controller, on materially the same terms as those included in this Data Protection Addendum.
3.2 The Data Controller acknowledges that the services provided under the Service Agreement are delivered over the Microsoft Azure and the Data Controller consequently accepts the use of Microsoft as a sub-processor to the Data Processor. Generic information around security, compliance, privacy, SLAs, support etc. can be found on https://azure.microsoft.com/en-us/support/trust-center/.
In addition, the Data Controller acknowledges and agrees that the terms set forth in the Microsoft Online Service Agreement http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31 is acceptable and in a sufficiently clear manner mirrors the terms of this Data Protection Addendum and reflects the instructions of the Data Controller.
3.3 If the Data Processor engages additional sub-processors it agrees to without delay inform the Data Controller of the identity of the sub-processor, as well upon the request of the Data Controller other relevant information related thereto such as a copy of the agreement entered into with between the Data Processor and such sub-processor.
3.4 The Data Processor shall not be held liable to the Data Controller for the performance of sub-processors, but will endeavour to take reasonable steps to maintain optimal performance.
4.OBLIGATIONS AFTER THE TERMINATION OF PERSONAL DATA-PROCESSING SERVICES
4.1 The Parties agree that on the termination of the Service Agreement, the following shall apply. The Data Processor shall, and where applicable see to it that the sub-processor shall, return all Personal Data to the Data Controller or, at the request of the Data Controller, as soon as practically possible under the Microsoft Online Service Terms deletes all Personal Data and confirm to the Data Controller when completed.
4.2 The Parties agree that all external records containing or referring to data used or created during the term of the service, remain the responsibility of the Data Controller. This may include, but is not limited to emails, weblinks, printed reports, images or other data.
4.3 In the event legislation imposed upon the Data Processor prevents it from returning or deleting all or part of the Personal Data, the Data Processor warrants that it will guarantee the confidentiality of the Personal Data and that it will not actively process the Personal Data or else anonymize the Personal Data in a manner that makes it impossible to recreate the Personal Data.
5. TERM & TERMINATION
5.1 This Data Protection Addendum is a fully integrated part of the Services Agreement and shall remain valid until the termination of the Service Agreement.
6.LIMITATION OF LIABILITY
6.1 Regardless of what is set forth in the Service Agreement, the Data Processor's liability under the Data Protection Addendum shall be limited to liability for direct costs, and consequently excluding any form of indirect or consequential loss or damage.
7.COSTS
7.1 The Data Controller shall compensate the Data Processor for any costs arising in conjunction with the fulfillment of its obligations under the Agreement. This includes, but is not limited to, compensation (by the hour) for resources provided by the Data Processor for the provision of information upon request and other forms of assistance.
8.ACKNOWLEDGEMENT OF PROCESSING FOR RESEARCH PURPOSES ETC.
8.1 The Parties acknowledge that, according to the Privacy Policy accepted by each end-user, the Data Processor will to a limited extent collect Personal Data and process it in anonymized form for its own purposes (as described in the Privacy Policy and following collection of consent from each end-user only).