Data processing agreement

 

This data processing agreement is applicable to all processing of personal data to be undertaken by Labmatisse B.V., registered with the Chamber of Commerce under number 74032682, (hereinafter: Labmatisse) for the benefit of another party to whom it provides services (hereinafter: Controller) on the basis of EULA FOR MATISSE APP concluded between these parties (hereinafter: the Agreement).

 

Reference is specially made to the Agreement as a relevant scope of the processed data and limitation of Labmatisse's liability. The content of the Agreement, for example the usage of Content of Controller (User) in article 5 and agreements liabilities in article 10, forms an integral part of this Data processing agreement and will supplement the Purposes of processing in article 1 and liability in article 11 of the Data processing agreement.

 

Article 1. Purposes of processing

 

  1. Labmatisse hereby agrees under the terms of this Data Processing Agreement to process personal data on behalf of the Controller. Processing shall be done solely for the purpose of storing data (in the 'cloud') for the benefit of Controller, and associated online services, offering and maintaining the online Customer Relationship Management service of Labmatisse for Controller, the transmission of newsletters for Controller, managing the customer administration of Controller, managing the patient administration of Controller, establishing a reference (color) code for ceramic restorations of teeth, and all purposes compatible therewith or as determined jointly.
  1. The personal data to be processed by Labmatisse for the purposes as set out in the previous clause and the categories of data subjects involved are set out in Appendix 1 to this Data Processing Agreement. Labmatisse shall not process the personal data for any other purpose unless with Controller's consent. Controller shall inform Labmatisse of any processing purposes to the extent not already mentioned in this Data Processing Agreement. Labmatisse however is permitted to use personal data for quality assurance purposes, including surveys to data subjects and statistical research purposes regarding the quality of Labmatisse's services.
  1. All personal data processed on behalf of Controller shall remain the property of Controller and/or the data subjects in question.

 

Article 2. Labmatisse obligations

 

  1. Regarding the processing operations referred to in the previous clause, Labmatisse shall comply with all applicable legislation, including at least all data processing legislation such as the GDPR.
  1. Upon first request Labmatisse shall inform Controller about any measures taken to comply with its obligations under this Data Processing Agreement.
  1. All obligations for Labmatisse under this Data Processing Agreement shall apply equally to any persons processing personal data under the supervision of Labmatisse, including but not limited to employees in the broadest sense of the term.
  1. Labmatisse shall inform Controller without delay if in its opinion an instruction of Controller would violate the legislation referred to in the first clause of this article.
  1. Labmatisse shall provide reasonable assistance to Controller in the context of any data protection impact assessments to be made by Controller.
  1. Labmatisse shall, in accordance with Article 30 GDPR, keep a register of all categories of processing activities which it carries out on behalf of the Controller under this data processing agreement. At Controller's request, Labmatisse shall provide Controller access to this register.

 

Article 3. Transfer of personal data


  1. Labmatisse may process the personal data in any country within the European Union.
  1. Transfer to countries outside the European Union is not permitted, unless it is permitted by Controller or when relevant safeguards are in place, maintaining the same levels of data protection as deemed sufficient under the GDPR.

 

 

Article 4. Allocation of responsibilities

 

  1. Labmatisse shall make available IT facilities to be used by Controller for the purposes mentioned above. Labmatisse shall not itself perform processing operations unless separately agreed otherwise.
  1. Labmatisse is solely responsible for the processing of personal data under this Data Processing Agreement in accordance with the instructions of Controller and under the explicit supervision of Controller. For any other processing of personal data, including but not limited to any collection of personal data by Controller, processing for purposes not reported to Labmatisse, processing by third parties and/or for other purposes, Labmatisse does not accept any responsibility.
  1. Controller represents and warrants that the content, usage and instructions to process the personal data as meant in this Data Processing Agreement are lawful and do not violate any right of any third party.

 

Article 5. Involvement of sub-controllers

 

  1. Labmatisse shall involve third parties in the processing under this Data Processing Agreement on the condition that such parties are only operating to construe or help Labmatisse process data within the scope of article 1 of this agreement in favor of the Controller.
  1. In any event, Labmatisse shall ensure that any third parties are bound to at least the same obligations as agreed between Controller and Labmatisse.
  1. Labmatisse shall ensure that these third parties shall comply with the obligations under this Data Processing Agreement and is liable for any damages caused by violations by these third parties as if it committed the violation itself.

 

Article 6. Security

 

  1. Labmatisse shall use reasonable efforts to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk for the processing operations involved, against loss or unlawful processing (in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed).
  1. Labmatisse does not warrant that the security is effective under all circumstances. If any security measure explicitly agreed in this Data Processing Agreement is missing, then Labmatisse shall use best efforts to ensure a level of security appropriate to the risk taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  1. Controller shall only provide personal data to Labmatisse for processing if it has ensured that the required security measures have been taken. Controller is responsible for the parties' compliance with these security measures.

 

Article 7. Notification and communication of data breaches

 

  1. Controller is responsible at all times for notification of any security breaches and/or personal data breaches (which are understood as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed as described in Article 4 (12) of the GDPR) to the competent supervisory authority, and for communication of the same to data subjects. In order to enable Controller to comply with this legal requirement, Labmatisse shall notify Controller within 24 hours after becoming aware of an actual or threatened security or personal data breach.
  1. A notification under the previous clause shall be made only for actual breaches with severe impact. Other breaches (of lower impact) will be made to Controller only, and will be registered by Labmatisse in internal documentation.
  1. The notification shall include at least the fact that a breach has occurred. In addition, the notification shall:

 

         describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

         describe the likely consequences of the personal data breach;

         include the name and contact details of the Data Protection Officer (if appointed) or a contact person regarding privacy subjects;

         describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

 

Article 8. Processing requests from data subjects

 

  1. In the event a data subject makes a request to exercise his or her legal rights under the GDPR (Articles 15-22) to Labmatisse, Labmatisse shall handle the request itself, and inform Controller of the manner in which the request is handled.
  1. Labmatisse may not charge any costs for handling the request to Controller.

 

Article 9. Confidentiality obligations

 

  1. All personal data that Labmatisse receives from Controller and/or collects itself is subject to strict obligations of confidentiality towards third parties. Labmatisse shall not use this information for any goals other than for which it was obtained, not even if the information has been converted into a form that is no longer related to an identified or identifiable natural person.
  1. The confidentiality obligation shall not apply to the extent Controller has granted explicit permission to provide the information to third parties, the provision to third parties is reasonably necessary considering the nature of the assignment to Controller or the provision is legally required.

 

Article 10. Audit

 

  1. Controller has the right to have audits performed on Labmatisse by an independent third party bound by confidentiality obligations to verify compliance with the Data Processing Agreement, and all issues reasonably connected thereto.
  1. This audit may be performed in case a substantiated allegation of misuse of personal data has arisen.
  1. Labmatisse shall make available all reasonably relevant information, including supporting data such as system logs.
  1. The audit findings shall be assessed by Labmatisse and implemented if and to the extent deemed reasonable by Labmatisse.
  1. The costs of the audit shall be borne by Controller.

 

Article 11. Liability

 

  1. Parties explicitly agree that any liability arising in connection with personal data processing shall be as provided in the Agreement.

Article 12. Term and termination

 

  1. This Data Processing Agreement enters into force upon acceptance by the parties and on the date of the last signature.
  1. This Data Processing Agreement is entered into for the duration of the cooperation between the parties.
  1. Upon termination of the Data Processing Agreement, regardless of reason or manner, Labmatisse shall - at the choice of Controller - return in original format or destroy all personal data available to it.
  1. Labmatisse is entitled to amend this Data Processing Agreement from time to time. Labmatisse shall notify the Controller of amendments at least three months prior to their taking effect. Controller may terminate if the amendments are unacceptable to it.

 

 

Article 13. Applicable law and competent venue

 

  1. This Data Processing Agreement and its execution are subject to Dutch law.
  1. Any disputes that may arise between the parties in connection with this Data Processing Agreement shall be brought to the competent court for the place of business of Labmatisse.

 

Article 14. Signature

 

This Agreement was electronically accepted through the Labmatisse website (www.matisse.ai). Parties acknowledge and accept that said acceptance will be considered as a lawful signature. Parties hereby irrevocably waive the right to contest the validity of the signature (in court).

Appendix 1: Stipulation of personal data and data subjects

Data subjects and personal data of different purposes

Labmatisse shall process the below personal data of the categories data subjects from different purposes (with retention period if specified) under the supervision of Controller, as specified in article 1 of the Data Processing Agreement:

 

Cloud storage of data

Customers

 

         Names and addresses

         Telephone numbers

         Email addresses

         Visitor behaviour

         IP addresses

         Medical data

 

Account holders

 

         Names and addresses

         Telephone numbers

         Email addresses

         Visitor behaviour

         IP addresses

         Username

         Password

 

Website visitors

 

         Visitor behaviour

         IP addresses

 

Patients


         (Portrait)photos

 

Leads and potential customers

         Names and addresses

         Telephone numbers

         Email addresses

         Visitor behaviour

         IP addresses

 

Send newsletters

Customers

         Names and addresses

         Telephone numbers

         Email addresses

         Visitor behaviour

         IP addresses

 

Account holders

         Names and addresses

         Telephone numbers

         Email addresses

         Visitor behaviour

         IP addresses

 

Website visitors

         Email addresses

         Visitor behaviour

         IP addresses

 

Leads and potential customers

         Email addresses

 

Customer and/or member administration

Account holders

         Names and addresses

         Telephone numbers

         Email addresses

         Visitor behaviour

         IP addresses

         Financial data

 

Leads and potential customers

         Names and addresses

         Telephone numbers

         Email addresses

 

Customer Relationship Management

Customers

         Names and addresses

         Telephone numbers

         Email addresses

         Visitor behaviour

         IP addresses


Personnel

         Names and addresses

         Telephone numbers

         Email addresses

         Visitor behaviour

         IP addresses

         Civil service numbers

         Resumes

         Dates of birth

         Financial data

 

Account holders

         Names and addresses

         Telephone numbers

         Email addresses

 

Website visitors

         Visitor behaviour

         IP addresses

 

Patient administration

Patients

         (Portrait)photos

 

Controller represents and warrants that the description of personal data and categories of data subjects in this Appendix 1 is complete and accurate, and shall indemnify and hold harmless Process for all faults and claims that may arise from a violation of this representation and warranty.