DATA PROCESSING ADDENDUM (DPA)
This Data Processing Addendum (“Addendum”) is entered into as an integral part of the agreement between QuantCare (“Data Controller”) and you – hereafter referred to as the Sub Processor (“Data Processor”). The purpose of this Addendum is to ensure that the processing of personal data by the Data Processor on behalf of the Data Controller complies with all applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR). This Addendum sets forth the parties’ responsibilities for protecting personal data.
Parties to the Agreement:
This Addendum is entered into by and between QuantCare, a company incorporated under the laws of Australia, with its principal place of business in Victoria, Australia, referred to herein as the “Data Controller,” and the Sub Processor, with its principal place of business as stated in the main agreement, referred to herein as the “Data Processor.” Both parties agree to adhere to the terms and conditions outlined in this Addendum.
This Addendum shall become effective as of the payment date for QuantCare. It shall remain in effect for the duration of the relationship between the Data Controller and the Data Processor or until terminated in accordance with the provisions set forth herein.
1. SCOPE OF THE PROCESSING
1.1 Description of Processing Activities: The Data Processor will perform specific data processing activities on behalf of the Data Controller as outlined in the main service agreement. These activities include, but are not limited to, collecting, storing, organising, structuring, altering, retrieving, consulting, using, disclosing, and erasing personal data. The Data Processor will only process personal data to the extent necessary to fulfil the services described in the agreement, ensuring that all processing complies with applicable data protection laws.
1.2 Categories of Personal Data: The personal data processed by the Data Processor on behalf of the Data Controller may include various types of information relating to the Data Controller’s customers, patients, employees, or other individuals. This may encompass the following categories of personal data:
- Identification Data: names, addresses, phone numbers, and email addresses.
- Health Data: treatment notes, medical history, and appointment details.
- Financial Data: payment information, billing details, and transaction history.
- Technical Data: IP addresses, device identifiers, and login details.
- Behavioural Data: website usage patterns, interaction data, and communication logs.
The exact categories of personal data may vary depending on the specific services the Data Processor provides.
1.3 Categories of Data Subjects: The personal data processed may pertain to various categories of data subjects, including:
- Patients: individuals who receive healthcare services from the Data Controller and whose personal and health information is processed.
- Employees: staff members of the Data Controller whose employment-related data may be processed.
- Customers: individuals who interact with the Data Controller’s services, including those who make inquiries or engage in transactions.
- Practitioners: healthcare providers associated with the Data Controller, whose professional information may be processed.
The Data Processor is responsible for ensuring that all processing activities are in accordance with the rights and interests of the data subjects.
1.4 Purpose of Processing: The processing of personal data by the Data Processor is carried out solely to fulfil the obligations under the service agreement with the Data Controller. The specific purposes include:
- Service Provision: to deliver and manage the services contracted by the Data Controller, such as patient management, appointment scheduling, and communication services.
- Data Analysis: to analyse and generate insights from the data for improving the services offered by the Data Controller, enhancing patient care, and optimising business operations.
- Regulatory Compliance: to ensure compliance with applicable legal and regulatory requirements, including data protection laws, healthcare regulations, and financial reporting obligations.
The Data Processor shall not use the personal data for any purpose other than those explicitly stated in this Addendum and the main service agreement.
1.5 Duration of Processing: The Data Processor will process personal data for the duration necessary to fulfil the purposes outlined in this Addendum and the main service agreement. The specific duration of processing will depend on the nature of the services provided and the requirements of the Data Controller.
The Data Processor will retain Personal Data only for as long as necessary to meet contractual obligations, comply with legal requirements, or fulfil the purposes for which it was collected. Upon termination of the agreement or at the request of the Data Controller, the Data Processor will securely delete or return all personal data, subject to any legal obligations that require retention.
2. OBLIGATIONS OF THE DATA PROCESSOR
2.1 Processing Instructions: The Data Processor is obligated to process personal data only in accordance with the documented instructions provided by the Data Controller. These instructions must be specific, explicit, and agreed upon by both parties. The Data Processor shall not process personal data in any way that deviates from these instructions except where required by applicable law. In such cases, the Data Processor shall promptly inform the Data Controller of the legal requirement before processing unless the law prohibits such notification. The Data Processor must seek written consent from the Data Controller for any processing activities that fall outside the agreed instructions.
2.2 Compliance with Applicable Laws: The Data Processor must ensure that all data processing activities comply with applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR) and any other relevant national or international data protection laws. The Data Processor is responsible for staying informed about changes in the legal landscape and adjusting their processing activities to remain compliant. This includes adhering to principles such as lawfulness, fairness, and transparency in processing and ensuring that data subjects’ rights are protected throughout the processing lifecycle.
2.3 Data Confidentiality: The Data Processor must maintain the confidentiality of all personal data processed on behalf of the Data Controller. This obligation extends to all personnel, agents, and sub-processors involved in the data processing activities. The Data Processor shall ensure that access to personal data is restricted to individuals who need access to fulfil their job responsibilities and that confidentiality agreements bind these individuals. Any unauthorised access, disclosure, or use of personal data must be promptly reported to the Data Controller, and appropriate measures must be taken to mitigate any potential harm.
2.4 Security Measures: The Data Processor is responsible for implementing and maintaining appropriate technical and organisational security measures to protect personal data from unauthorised access, alteration, disclosure, or destruction. These measures should be commensurate with the nature of the personal data being processed and the risks associated with the processing activities.
2.5 Data Breach Notification: In the event of a data breach that compromises the security, confidentiality, or integrity of personal data, the Data Processor must notify the Data Controller without undue delay and, where feasible, within 24 hours of becoming aware of the breach. The notification should include a detailed description of the breach, the nature of the personal data affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
2.6 Assistance with Data Subject Rights: The Data Processor shall assist the Data Controller in responding to requests from data subjects exercising their rights under applicable data protection laws, such as the right to access, rectify, erase, restrict processing, object to processing, or request data portability. The Data Processor must promptly notify the Data Controller of any such requests received directly from data subjects and must not respond to these requests without the Data Controller’s prior authorisation.
2.7 Sub-Processing Rules: The Data Processor may only engage sub-processors to carry out specific processing activities on behalf of the Data Controller with the Data Controller’s prior written consent. The Data Processor must ensure that sub-processors are bound by the same data protection obligations set out in this Addendum and provide sufficient guarantees to implement appropriate technical and organisational measures to protect personal data.
2.8 Data Retention and Deletion: The Data Processor must ensure that personal data is retained only for as long as necessary to fulfil the purposes of processing as instructed by the Data Controller or as required by applicable laws. Upon the termination or expiration of the service agreement or at the Data Controller’s request, the Data Processor shall securely delete or return all personal data in its possession unless otherwise required by law. The Data Processor must also ensure that any sub-processors involved in the processing activities adhere to the same data retention and deletion obligations. Any data that cannot be deleted due to legal or regulatory obligations must be securely archived and protected against unauthorised access.
3. OBLIGATIONS OF THE DATA CONTROLLER
3.1 Lawful Basis for Processing: The Data Controller is responsible for ensuring that all personal data processed by the Data Processor has a lawful basis under applicable data protection laws, such as the General Data Protection Regulation (GDPR). This includes but is not limited to obtaining valid consent from data subjects, fulfilling contractual obligations, complying with legal requirements, protecting vital interests, performing tasks carried out in the public interest, or pursuing legitimate interests, provided that such processing does not override the rights and freedoms of data subjects.
3.2 Data Subject Notifications: The Data Controller is obligated to inform data subjects about how their data will be processed, including the purposes of the processing, the legal basis, the categories of personal data involved, and any recipients or categories of recipients of the data. This information must be provided in a clear and accessible manner, typically through a privacy notice or policy. The Data Controller must ensure that data subjects know their rights, including the rights to access, rectify, erase, restrict processing, object to processing, and request data portability.
3.3 Instructions to Data Processor: The Data Controller must provide clear, specific, and documented instructions to the Data Processor regarding the processing of personal data. These instructions should cover all aspects of the processing activities, including the purpose, nature, and duration, the types of personal data to be processed, and the categories of data subjects involved.
3.4 Handling Data Subject Requests: The Data Controller is responsible for responding to data subject requests in accordance with applicable data protection laws. These requests may include access to personal data, rectification of inaccurate data, erasure of personal data (the right to be forgotten), restriction of processing, objection to processing, and data portability requests. The Data Controller must establish procedures to handle such requests promptly and effectively, ensuring that responses are provided within the timeframes specified by law (typically one month).
4. SUB-PROCESSORS
4.1 Approval of Sub-Processors: The Data Processor may engage third-party service providers, known as Sub-Processors, to assist in processing personal data. However, the Data Processor must obtain the Data Controller’s prior written consent before engaging or changing any Sub-Processor. The Data Processor shall provide the Data Controller with a list of proposed Sub-Processors, including details about their services and the personal data they will process.
4.2 List of Approved Sub-Processors: The Data Processor must maintain and provide an up-to-date list of all approved Sub-Processors engaged in processing personal data on behalf of the Data Controller. This list should include the name, address, and contact information of each Sub-Processor, along with a description of the processing activities they perform. The Data Processor must promptly notify the Data Controller of any changes to this list, including the addition or replacement of Sub-Processors, to allow the Data Controller sufficient time to review and potentially object to such changes.
4.3 Sub-Processor Obligations: The Data Processor must ensure that any Sub-Processor it engages agrees, by way of a written contract, to comply with the same data protection obligations that apply to the Data Processor under this Data Processing Addendum. These obligations include but are not limited to implementing appropriate technical and organisational measures to protect personal data, maintaining confidentiality, assisting the Data Processor in fulfilling data subject requests and notifying the Data Processor of any data breaches.
4.4 Liability for Sub-Processors: The Data Processor remains fully liable to the Data Controller for the performance of any Sub-Processor it engages, regardless of the contract terms between the Data Processor and the Sub-Processor. If a Sub-Processor fails to fulfil its data protection obligations, the Data Processor must immediately remedy the situation and ensure compliance. The Data Processor shall be responsible for any damages, fines, or other losses incurred by the Data Controller due to the Sub-Processor’s non-compliance.
5. DATA SUBJECT RIGHTS
5.1 Access, Rectification, and Erasure: Data subjects have the right to access their data processed by the Data Processor on behalf of the Data Controller. Upon receiving a request from a data subject, the Data Processor must provide access to the requested personal data in a structured, commonly used, and machine-readable format within the timeframe required by applicable data protection laws. If a data subject identifies inaccuracies in their data, they can request rectification. The Data Processor must promptly correct any inaccuracies or complete incomplete personal data. Additionally, data subjects have the right to request the erasure of their data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected or when the data subject withdraws their consent (where consent is the lawful basis for processing).
5.2 Data Portability: Data subjects have the right to receive their data in a structured, commonly used, and machine-readable format and to transmit that data to another data controller without hindrance from the Data Processor. This right to data portability applies when the processing is based on consent or a contract and is carried out by automated means. The Data Processor must assist the Data Controller in responding to data portability requests by exporting the requested personal data in a format that allows easy transfer to another data controller.
5.3 Restriction of Processing: Data subjects have the right to request the restriction of processing of their data under certain circumstances, such as when the accuracy of the data is contested, when the processing is unlawful, or when the data subject has objected to the processing and a decision on the objection is pending. In response to a valid request for restriction, the Data Processor must temporarily cease processing the affected personal data, except for storing it or processing it for legal reasons, such as exercising or defending legal claims.
5.4 Right to Object: Data subjects have the right to object to the processing of their data where that processing is based on legitimate interests or on the performance of a task in the public interest. They also have the right to object to the processing of their data for direct marketing purposes. Upon receiving an objection, the Data Processor must cease processing the personal data unless it can demonstrate compelling legitimate grounds for the processing that override the data subject’s interests, rights, and freedoms, or the processing is required for the establishment, exercise, or defence of legal claims.
5.5 Automated Decision-Making: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Exceptions to this right exist when the automated decision is necessary for entering into or performing a contract, is authorised by law, or is based on the data subject’s explicit consent. In automated decision-making cases, the Data Processor must ensure that appropriate safeguards are in place, including the data subject’s right to obtain human intervention, express their point of view, and contest the decision.
6. SECURITY AND DATA PROTECTION MEASURES
6.1 Technical and Organisational Security Measures: The Data Processor is responsible for implementing and maintaining appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data. These measures must protect against unauthorised or unlawful processing, accidental loss, destruction, or damage of personal data. The security measures may include, but are not limited to, physical security controls, access control mechanisms, secure processing environments, and regular security training for employees.
6.2 Regular Security Audits: The Data Processor shall conduct regular security audits to assess the effectiveness of its security measures and identify any vulnerabilities or areas for improvement. Independent third-party auditors or qualified internal teams should carry out these audits. They should cover all aspects of data processing, including physical security, network security, access controls, data handling procedures, and incident response capabilities. The results of the security audits should be documented and made available to the Data Controller upon request. Any identified security gaps or weaknesses must be addressed promptly, and appropriate remedial actions must be taken to mitigate potential risks to personal data.
6.3 Data Encryption and Pseudonymisation: The Data Processor must implement encryption and pseudonymisation techniques where appropriate to enhance personal data protection. Encryption should be used to protect personal data both in transit and at rest, ensuring that data is unreadable to unauthorised parties. Encryption keys must be managed securely, with strict access controls in place. Pseudonymisation involves processing personal data so that it can no longer be attributed to a specific data subject without the use of additional information, which must be kept separately and securely.
6.4 Incident Response Plan: The Data Processor must establish and maintain a comprehensive incident response plan to effectively address data breaches and security incidents. This plan should outline the steps to be taken in the event of a security breach, including the identification, containment, and mitigation of the breach and the notification process. The incident response plan should include procedures for detecting and responding to security incidents, conducting forensic investigations, and communicating with affected parties, including the Data Controller and relevant supervisory authorities. The Data Processor must ensure that all personnel involved in data processing are trained on the incident response plan and prepared to act swiftly in case of a data breach.
7. DATA BREACH MANAGEMENT
7.1 Notification Procedures: In case of a data breach involving personal data processed on behalf of the Data Controller, the Data Processor must notify the Data Controller without undue delay. The notification should be made as soon as the Data Processor becomes aware of the breach and must include sufficient details to allow the Data Controller to understand the nature and scope of the breach. The notification must outline the type of data affected, the number of data subjects impacted, the potential consequences of the breach, and any measures that have been or will be taken to address the breach and mitigate its effects.
7.2 Incident Reporting Timeline: The Data Processor must report any data breach to the Data Controller as soon as possible, ideally within 24 hours of discovering the breach. This timeline is crucial to enable the Data Controller to assess the impact and take necessary actions, including reporting the breach to supervisory authorities within the required timeframes (typically 72 hours under GDPR). The initial report should be followed by a detailed incident report within a reasonable timeframe, which includes a comprehensive account of the breach, including how it occurred, the extent of the impact, the identification of affected data subjects, and any immediate corrective actions taken.
7.3 Mitigation and Remediation Efforts: Upon detecting a data breach, the Data Processor must immediately take steps to contain and mitigate the breach’s impact. This may involve isolating affected systems, revoking compromised access credentials, and implementing additional security measures to prevent further unauthorised access. The Data Processor must also work to identify the root cause of the breach and address any underlying vulnerabilities to prevent future occurrences. In collaboration with the Data Controller, the Data Processor should develop and implement a remediation plan to restore the security of the compromised data and systems.
8. INTERNATIONAL DATA TRANSFERS
8.1 Mechanisms for Transfers: When transferring personal data across international borders, especially outside the European Economic Area (EEA), the Data Processor must ensure that such transfers are conducted under appropriate mechanisms that provide adequate data protection. These mechanisms may include Standard Contractual Clauses (SCCs) approved by the European Commission, Binding Corporate Rules (BCRs), or reliance on adequacy decisions for specific countries recognised as providing sufficient data protection by the European Commission.
8.2 Obligations for Data Transfers Outside the EEA: When personal data is transferred to countries outside the EEA that are not covered by an adequacy decision, the Data Processor must implement additional safeguards to protect the data. This includes ensuring that the receiving entity (the data importer) complies with obligations equivalent to those under the GDPR. The Data Processor must also conduct a transfer impact assessment (TIA) to evaluate the risks associated with the transfer and determine if any supplementary measures are required to ensure adequate protection.
8.3 Compliance with Standard Contractual Clauses (SCCs): When SCCs are used as the legal basis for international data transfers, the Data Processor must ensure full compliance with the terms outlined in the SCCs. This includes adhering to the obligations set forth in the clauses, such as maintaining the confidentiality of the transferred data, implementing appropriate technical and organisational measures, and cooperating with the Data Controller and supervisory authorities.
9. AUDIT AND INSPECTION RIGHTS
9.1 Right to Audit: The Data Controller has the right to conduct audits of the Data Processor to ensure compliance with the terms of the Data Processing Addendum (DPA), applicable data protection laws, and the agreed-upon security measures. The Data Controller or an appointed third party can initiate these audits. The purpose of the audit is to verify that the Data Processor is handling personal data in a manner consistent with the agreed standards and legal requirements.
9.2 Audit Procedures: Audits will be conducted following a reasonable notice period, typically at least 30 days, unless an urgent security issue requires immediate inspection. The Data Controller will bear the audit costs unless the audit reveals a material breach of the DPA or data protection laws, in which case the Data Processor may be responsible for the audit costs. Audits will be carried out during normal business hours to minimise disruption, and both parties must ensure that the audit process is efficient and causes as little impact as possible on the Data Processor’s operations.
9.3 Inspection by Supervisory Authorities: The Data Processor must accommodate and cooperate with inspections and inquiries from data protection supervisory authorities to ensure compliance with applicable data protection laws. If a supervisory authority requests an inspection or investigation, the Data Processor must promptly notify the Data Controller unless prohibited by law. The Data Processor will facilitate such inspections by providing access to all relevant information and supporting documentation.
10. DATA PROTECTION IMPACT ASSESSMENTS
10.1 Assistance with DPIAs: The Data Processor is required to assist the Data Controller in carrying out Data Protection Impact Assessments (DPIAs) when processing activities are likely to result in a high risk to the rights and freedoms of data subjects. This assistance includes providing all necessary information related to the processing operations, such as the nature, scope, context, and purposes.
10.2 Cooperation with Data Controller and Supervisory Authorities: The Data Processor must cooperate fully with the Data Controller and relevant supervisory authorities during the DPIA process. This cooperation includes responding to any queries or requests for information from the Data Controller or the supervisory authorities and implementing any necessary measures to address identified risks. If the supervisory authority provides recommendations or requirements based on the DPIA, the Data Processor must work with the Data Controller to ensure these are followed and integrated into the processing activities.
11. TERMINATION OF THE AGREEMENT
11.1 Conditions for Termination: The Data Processing Addendum (DPA) may be terminated under specific conditions outlined in the main agreement or within this addendum. These conditions include, but are not limited to, a material breach of the DPA by either party, failure to comply with applicable data protection laws, or upon the termination or expiration of the main agreement between the Data Controller and Data Processor. Either party may also terminate the DPA if a supervisory authority or court issues a binding decision that the processing of personal data under this DPA is in violation of applicable laws. Termination may also occur by mutual agreement between the parties.
11.2 Data Return and Deletion Obligations: Upon termination or expiration of the DPA, the Data Processor is obligated to return all personal data processed on behalf of the Data Controller. This return must occur within a reasonable timeframe and in a format agreed upon by both parties, typically in a commonly used electronic format. If the Data Controller requests, the Data Processor must securely delete all personal data, including all copies and backups, ensuring that the data is permanently erased and cannot be recovered. The Data Processor must provide a written certification confirming the return or deletion of the data.
11.3 Post-Termination Data Access: After termination, the Data Processor must ensure that the Data Controller can no longer access personal data processed under the DPA. All systems and environments where the personal data was stored must be purged of the Data Controller’s data. If continued access for a limited period after termination is needed to facilitate data return or deletion, such access must be granted under strict security controls and for the minimal time necessary.
12. INDEMNIFICATION
12.1 Liability of the Parties: The Data Controller and Data Processor each assume responsibility for their respective obligations under this Data Processing Addendum (DPA). The Data Processor is liable for any damage caused by the processing of personal data in violation of the DPA or applicable data protection laws to the extent that the Data Processor has not complied with its legal obligations or has acted outside or contrary to the lawful instructions of the Data Controller.
12.2 Indemnification for Breaches: Each party agrees to indemnify, defend, and hold harmless the other party from and against any and all claims, damages, losses, and expenses (including reasonable attorney’s fees) arising out of or in connection with any breach of the DPA or applicable data protection laws by the indemnifying party. Specifically, if the Data Processor breaches any obligations under the DPA, it must indemnify the Data Controller for any resulting fines, penalties, damages, or costs incurred. Similarly, if the Data Controller’s instructions or actions lead to a violation of data protection laws, the Data Controller must indemnify the Data Processor for any related liabilities. The indemnified party must promptly notify the indemnifying party of any claims and provide reasonable assistance to defend such claims.
12.3 Limitation of Liability: The liability of each party under this DPA is limited to direct damages and excludes any indirect, incidental, consequential, or punitive damages to the maximum extent permitted by law. This limitation applies regardless of the theory of liability, whether in contract, tort, or otherwise. The total liability of either party under this DPA shall not exceed the amounts paid or payable by the Data Controller to the Data Processor under the main agreement during the twelve months preceding the event that gave rise to the liability.
13. MISCELLANEOUS
13.1 Governing Law and Jurisdiction: This Data Processing Addendum (DPA) shall be governed by and construed in accordance with the laws of the jurisdiction specified in the main agreement between the parties unless otherwise agreed in writing. Any disputes arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts in that jurisdiction.
13.2 Amendments to the DPA: Any amendments or modifications to this DPA must be made in writing and signed by authorised representatives of both parties. No oral modifications shall be valid. The parties may mutually agree to update this DPA as necessary to comply with changes in data protection laws, regulatory requirements, or business practices. Such amendments shall be effective from the date specified in the written agreement or, if not specified, upon signature by both parties.
13.3 Severability: If any provision of this DPA is found invalid, illegal, or unenforceable under applicable law, that provision shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable. If such modification is impossible, the relevant provision shall be deemed deleted. Any provision’s invalidity, illegality, or unenforceability shall not affect the validity, legality, or enforceability of the remaining provisions of this DPA, which shall remain in full force and effect.
13.4 Entire Agreement: This DPA, the main agreement, and any other documents expressly referred to constitute the entire agreement between the parties concerning the subject matter. It supersedes all prior discussions, negotiations, agreements, and understandings, whether oral or written, relating to the processing of personal data. The parties acknowledge that they have not relied on any representations, warranties, or statements not expressly set out in this DPA or the main agreement.
13.5 Notices: All notices, requests, consents, claims, demands, waivers, and other communications under this DPA must be in writing and delivered to the parties at their respective addresses specified in the main agreement or such other address as a party may designate in writing. Notices shall be deemed to have been duly given (i) when delivered by hand (with written confirmation of receipt), (ii) when received by the addressee if sent by a nationally recognised overnight courier (receipt requested), or (iii) on the third day after the date mailed, if sent by certified or registered mail, return receipt requested, postage prepaid. Electronic notices are only valid if expressly agreed by the parties in writing.
info(at)quantcare.io