Data processing agreement
This data processing agreement is applicable to all processing of
personal data to be undertaken by Labmatisse B.V., registered with the
Chamber of Commerce under number 74032682, (hereinafter: Labmatisse) for
the benefit of another party to whom it provides services (hereinafter:
Controller) on the basis of EULA FOR MATISSE APP concluded between
these parties (hereinafter: the Agreement).
Reference is specially made to the Agreement as a relevant scope of the
processed data and limitation of Labmatisse's liability. The content of
the Agreement, for example the usage of Content of Controller (User) in
article 5 and agreements liabilities in article 10, forms an integral
part of this Data processing agreement and will supplement the Purposes
of processing in article 1 and liability in article 11 of the Data
processing agreement.
Article 1. Purposes of processing
- Labmatisse hereby agrees under the terms of this Data Processing Agreement to process personal data on behalf of the Controller. Processing shall be done solely for the purpose of storing data (in the 'cloud') for the benefit of Controller, and associated online services, offering and maintaining the online Customer Relationship Management service of Labmatisse for Controller, the transmission of newsletters for Controller, managing the customer administration of Controller, managing the patient administration of Controller, establishing a reference (color) code for ceramic restorations of teeth, and all purposes compatible therewith or as determined jointly.
- The personal data to be processed by Labmatisse for the purposes as set out in the previous clause and the categories of data subjects involved are set out in Appendix 1 to this Data Processing Agreement. Labmatisse shall not process the personal data for any other purpose unless with Controller's consent. Controller shall inform Labmatisse of any processing purposes to the extent not already mentioned in this Data Processing Agreement. Labmatisse however is permitted to use personal data for quality assurance purposes, including surveys to data subjects and statistical research purposes regarding the quality of Labmatisse's services.
- All personal data processed on behalf of Controller shall remain the property of Controller and/or the data subjects in question.
Article 2. Labmatisse obligations
- Regarding the processing operations referred to in the previous clause, Labmatisse shall comply with all applicable legislation, including at least all data processing legislation such as the GDPR.
- Upon first request Labmatisse shall inform Controller about any measures taken to comply with its obligations under this Data Processing Agreement.
- All obligations for Labmatisse under this Data Processing Agreement shall apply equally to any persons processing personal data under the supervision of Labmatisse, including but not limited to employees in the broadest sense of the term.
- Labmatisse shall inform Controller without delay if in its opinion an instruction of Controller would violate the legislation referred to in the first clause of this article.
- Labmatisse shall provide reasonable assistance to Controller in the context of any data protection impact assessments to be made by Controller.
- Labmatisse shall, in accordance with Article 30 GDPR, keep a register of all categories of processing activities which it carries out on behalf of the Controller under this data processing agreement. At Controller's request, Labmatisse shall provide Controller access to this register.
Article 3. Transfer of personal data
- Labmatisse may process the personal data in any country within the European Union.
- Transfer to countries outside the European Union is not permitted, unless it is permitted by Controller or when relevant safeguards are in place, maintaining the same levels of data protection as deemed sufficient under the GDPR.
Article 4. Allocation of responsibilities
- Labmatisse shall make available IT facilities to be used by Controller for the purposes mentioned above. Labmatisse shall not itself perform processing operations unless separately agreed otherwise.
- Labmatisse is solely responsible for the processing of personal data under this Data Processing Agreement in accordance with the instructions of Controller and under the explicit supervision of Controller. For any other processing of personal data, including but not limited to any collection of personal data by Controller, processing for purposes not reported to Labmatisse, processing by third parties and/or for other purposes, Labmatisse does not accept any responsibility.
- Controller represents and warrants that the content, usage and instructions to process the personal data as meant in this Data Processing Agreement are lawful and do not violate any right of any third party.
Article 5. Involvement of sub-controllers
- Labmatisse shall involve third parties in the processing under this Data Processing Agreement on the condition that such parties are only operating to construe or help Labmatisse process data within the scope of article 1 of this agreement in favor of the Controller.
- In any event, Labmatisse shall ensure that any third parties are bound to at least the same obligations as agreed between Controller and Labmatisse.
- Labmatisse shall ensure that these third parties shall comply with the obligations under this Data Processing Agreement and is liable for any damages caused by violations by these third parties as if it committed the violation itself.
Article 6. Security
- Labmatisse shall use reasonable efforts to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk for the processing operations involved, against loss or unlawful processing (in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed).
- Labmatisse does not warrant that the security is effective under all circumstances. If any security measure explicitly agreed in this Data Processing Agreement is missing, then Labmatisse shall use best efforts to ensure a level of security appropriate to the risk taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
- Controller shall only provide personal data to Labmatisse for processing if it has ensured that the required security measures have been taken. Controller is responsible for the parties' compliance with these security measures.
Article 7. Notification and communication of data breaches
- Controller is responsible at all times for notification of any security breaches and/or personal data breaches (which are understood as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed as described in Article 4(12) of the GDPR) to the competent supervisory authority, and for communication of the same to data subjects. In order to enable Controller to comply with this legal requirement, Labmatisse shall notify Controller within 24 hours after becoming aware of an actual or threatened security or personal data breach.
- A notification under the previous clause shall be made only for actual breaches with severe impact. Other breaches (of lower impact) will be made to Controller only, and will be registered by Labmatisse in internal documentation.
- The notification shall include at least the fact that a breach has occurred. In addition, the notification shall:
• describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• describe the likely consequences of the personal data breach;
• include the name and contact details of the Data Protection Officer (if appointed) or a contact person regarding privacy subjects;
• describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Article 8. Processing requests from data subjects
- In the event a data subject makes a request to exercise his or her legal rights under the GDPR (Articles 15-22) to Labmatisse, Labmatisse shall handle the request itself, and inform Controller of the manner in which the request is handled.
- Labmatisse may not charge any costs for handling the request to Controller.
Article 9. Confidentiality obligations
- All personal data that Labmatisse receives from Controller and/or collects itself is subject to strict obligations of confidentiality towards third parties. Labmatisse shall not use this information for any goals other than for which it was obtained, not even if the information has been converted into a form that is no longer related to an identified or identifiable natural person.
- The confidentiality obligation shall not apply to the extent Controller has granted explicit permission to provide the information to third parties, the provision to third parties is reasonably necessary considering the nature of the assignment to Controller or the provision is legally required.
Article 10. Audit
- Controller has the right to have audits performed on Labmatisse by an independent third party bound by confidentiality obligations to verify compliance with the Data Processing Agreement, and all issues reasonably connected thereto.
- This audit may be performed in case a substantiated allegation of misuse of personal data has arisen.
- Labmatisse shall make available all reasonably relevant information, including supporting data such as system logs.
- The audit findings shall be assessed by Labmatisse and implemented if and to the extent deemed reasonable by Labmatisse.
- The costs of the audit shall be borne by Controller.
Article 11. Liability
- Parties explicitly agree that any liability arising in connection with personal data processing shall be as provided in the Agreement.
Article 12. Term and termination
- This Data Processing Agreement enters into force upon acceptance by the parties and on the date of the last signature.
- This Data Processing Agreement is entered into for the duration of the cooperation between the parties.
- Upon termination of the Data Processing Agreement, regardless of reason or manner, Labmatisse shall - at the choice of Controller - return in original format or destroy all personal data available to it.
- Labmatisse is entitled to amend this Data Processing Agreement from time to time. Labmatisse shall notify the Controller of amendments at least three months prior to their taking effect. Controller may terminate if the amendments are unacceptable to it.
Article 13. Applicable law and competent venue
- This Data Processing Agreement and its execution are subject to Dutch law.
- Any disputes that may arise between the parties in connection with this Data Processing Agreement shall be brought to the competent court for the place of business of Labmatisse.
Article 14. Signature
This Agreement was electronically accepted through the Labmatisse
website (www.matisse.ai). Parties acknowledge and accept that said acceptance will be
considered as a lawful signature. Parties hereby irrevocably waive the
right to contest the validity of the signature (in court).
Appendix 1: Stipulation of personal data and data subjects
Data subjects and personal data of different purposes
Labmatisse shall process the below personal data of the categories data subjects from different purposes (with retention period if specified) under the supervision of Controller, as specified in article 1 of the Data Processing Agreement:
Cloud storage of data
Customers
• Names and addresses
• Telephone numbers
• Email addresses
• Visitor behaviour
• IP addresses
• Medical data
Account holders
• Names and addresses
• Telephone numbers
• Email addresses
• Visitor behaviour
• IP addresses
• Username
• Password
Website visitors
• Visitor behaviour
• IP addresses
Patients
• (Portrait)photos
Leads and potential customers
• Names and addresses
• Telephone numbers
• Email addresses
• Visitor behaviour
• IP addresses
Send newsletters
Customers
• Names and addresses
• Telephone numbers
• Email addresses
• Visitor behaviour
• IP addresses
Account holders
• Names and addresses
• Telephone numbers
• Email addresses
• Visitor behaviour
• IP addresses
Website visitors
• Email addresses
• Visitor behaviour
• IP addresses
Leads and potential customers
• Email addresses
Customer and/or member administration
Account holders
• Names and addresses
• Telephone numbers
• Email addresses
• Visitor behaviour
• IP addresses
• Financial data
Leads and potential customers
• Names and addresses
• Telephone numbers
• Email addresses
Customer Relationship Management
Customers
• Names and addresses
• Telephone numbers
• Email addresses
• Visitor behaviour
• IP addresses
Personnel
• Names and addresses
• Telephone numbers
• Email addresses
• Visitor behaviour
• IP addresses
• Civil service numbers
• Resumes
• Dates of birth
• Financial data
Account holders
• Names and addresses
• Telephone numbers
• Email addresses
Website visitors
• Visitor behaviour
• IP addresses
Patient administration
Patients
• (Portrait)photos
Controller represents and warrants that the description of personal data and categories of data subjects in this Appendix 1 is complete and accurate, and shall indemnify and hold harmless Processor for all faults and claims that may arise from a violation of this representation and warranty.