1. Object of the assignment
The Customer shall have personal data processed by the Contractor on behalf of derma2go AG, Mühlebachstrasse 84, 8008 Zurich, Switzerland, on the basis of a contract for the use of the derma2go.com platform (the “Terms of Use”). With the present contract, the parties conclude a contract for order processing in accordance with Art. 28 GDPR.
2. The object and purpose of the processing
1) The object of the processing of personal data is the provision of the services agreed in the Terms of Use by the Contractor for the Customer.
2) The purpose of the processing of personal data follows from the Terms of Use. The Contractor shall process personal data from the Client's sphere of control exclusively for the fulfilment of this purpose and in connection with the services to be rendered by the Contractor in this respect. The purpose includes in particular the following tasks:
a) Support of the Customer in concluding and carrying out treatment contracts with patients
b) Invoicing of the Client's services under lit. a)
c) Temporary storage of treatment documents
3. Types of personal data concerned by the processing
The following types of personal data are affected by the processing of orders:
a) name data
b) address and contact details
c) age
d) image data
e) health data
f) billing data
g) access data
4. Categories of data subjects involved in the processing
The following categories of persons are affected by order processing:
a) potential patients
b) patients
c) former patients
d) other users (doctors, administration)
5. Place of order processing
The Contractor shall collect, process and/or use the data in a member state of the European Union or in another state party to the Agreement on the European Economic Area, or in third countries provided that the special requirements of the GDPR are met.
6. Responsibility of the client
1) The Client is the controller for the processing of the personal data within the meaning of Art. 4 No. 7 GDPR. He is responsible for compliance with the statutory provisions on data protection, in particular for the legality of the data transfer to the Contractor and for the legality of the data processing.
2) The Customer shall be responsible for deciding on the admissibility of data processing in individual cases. The Contractor shall be entitled and obliged to point out any concerns regarding the legal admissibility of data processing.
7. Right of the client to issue instructions
1) The client has the right at any time to issue supplementary instructions on the type, scope and method of processing personal data. Instructions may be given verbally or in text form. Oral instructions shall be confirmed to the Contractor and documented immediately in text form.
2) The Contractor shall inform the Customer immediately in text form if, in the Contractor’s opinion, an instruction issued by the Customer violates statutory provisions. The Contractor shall be entitled to suspend the execution of the instruction in question until it has been confirmed or amended by the Customer. Insofar as the instruction may threaten direct liability of the Contractor vis-à-vis third parties or in accordance with the provisions of the GDPR, the Contractor shall be entitled to reject the instruction.
8. Control rights of the client
1) The Customer shall be entitled to all control rights which are necessary in accordance with the provisions of the GDPR in order to comply with its data protection obligations.
2) At the Client's request, the Client shall be granted access to and inspection of the data processing systems which the Contractor uses for the purposes of this contract, during normal business hours. Such on-site inspections shall be limited to one inspection per calendar year unless there is an important reason, the Client has indications of a violation of the provisions of this Agreement, the inspection is necessary to comply with the Client's legal obligations, or an inspection is carried out by the supervisory authority.
3) An on-site inspection requires prior notification with a reasonable period of notice, unless there is an important reason. The Customer shall ensure that inspections are carried out only to the extent necessary, so that they do not disproportionately disrupt the Contractor's operating procedures. If the inspector commissioned by the Client is in a competitive relationship with the Contractor, the Contractor has a right of objection against the commissioning of this inspector.
4) The contractor may make the on-site inspection dependent on the signing of a confidentiality agreement with regard to the personal data and business secrets of other customers and the technical and organizational measures set up. This does not apply to activities of the supervisory authority.
5) The contractor may demand appropriate remuneration for assistance in carrying out an on-site inspection if he is not responsible for the reason for the inspection. The performance of the inspection shall be independent of any agreement between the parties on the remuneration due to the contractor.
9. Obligations of the contractor
1) Any processing of the personal data by the Contractor or by any subcontractor subject to this contract shall be carried out exclusively on the basis of this contract and the instructions given by the Client. This shall not apply where the Contractor is obliged by the law of the European Union or of the Member State to which the processor is subject to carry out another processing operation; in such a case, the Contractor shall inform the Client of these legal requirements prior to the processing operation, unless the law in question prohibits such notification on grounds of an important public interest.
2) Within his area of responsibility, the Contractor shall design the internal organisation of the processing of personal data in such a way that it meets the statutory requirements and the requirements agreed in this contract. In particular, the Contractor shall take the technical and organisational measures necessary to
a) ensure the ongoing confidentiality, integrity, availability and resilience of systems and services relating to the processing of personal data; and
b) ensure the availability of and access to personal data in the event of a physical or technical incident.
3) The Contractor reserves the right to change the technical and organisational measures agreed upon in Annex 1, provided that the level of protection does not fall below the level agreed upon in each case. The Contractor shall inform the Customer of any material changes without being requested to do so.
4) The Contractor shall correct or delete personal data if the Client so instructs and this falls within the scope of the instructions.
5) The Contractor confirms that he has appointed an operational data protection officer and will name this person to the Client in text form.
6) Persons authorised to process personal data shall be obliged by the Contractor to maintain confidentiality or shall be subject to an appropriate legal obligation of confidentiality. This must be proven to the customer upon request.
7) The Contractor is obliged to inform the Customer immediately of any violation, or threatened violation, of data protection regulations, of the agreements made or of the instructions given by the Customer that has occurred or threatens to occur in the course of the processing of data by the Contractor or other persons involved in the processing. The notification shall contain at least the following information:
a) a description of the nature of the breach of the protection of personal data, indicating where possible the categories and approximate number of data subjects and the categories and approximate number of personal data records involved;
b) the name and contact details of the Data Protection Officer or any other contact point for further information;
c) a description of the likely consequences of the breach of the protection of personal data;
d) a description of the measures taken or proposed by the controller to remedy the breach of the protection of personal data and, where appropriate, measures to mitigate its possible adverse effects.
8) If personal data have been processed or disclosed in an inadmissible manner, the Contractor shall take the necessary measures to secure the data and to mitigate possible adverse consequences for the persons concerned and shall immediately agree with the Client on the further course of action.
9) If the Contractor ascertains, or facts justify the assumption, that
a) special categories of personal data; or
b) personal data covered by professional secrecy; or
c) personal data relating to criminal acts or offences or suspected criminal acts or offences; or
d) personal data relating to bank or credit card accounts
which he has processed for the Client have been unlawfully transmitted or otherwise unlawfully disclosed to third parties, he shall inform the Client immediately and completely in text form of the time, type and extent of the incident(s). The information must describe the nature of the unlawful acquisition of knowledge and the possible adverse consequences of the unlawful disclosure. In addition, the Contractor shall inform the Client immediately of any measures taken by the Contractor to prevent unlawful transmission or unauthorised disclosure by third parties in the future. The Contractor shall inform the Client without delay if a supervisory authority takes action against the Contractor and this may also concern a review of the processing carried out by the Contractor on behalf of the Client.
10) At the beginning of his activity and subsequently upon each change, the Contractor shall, on request, provide the Client with the information on the order processing needed for the Client's record of processing activities.
10. Obligations of the contractor to provide evidence
1) The Contractor shall prove to the satisfaction of the Client, by any appropriate means, compliance with the obligations laid down in this contract.
2) The Contractor may refer to appropriate certifications or other suitable audit evidence for the verification of compliance with the agreed technical and organizational measures and their effectiveness.
11. Subcontractors
1) The contractor shall use the following subcontractors for processing:
a) HostEurope GmbH, Hansestr. 111, 51149 Köln, Germany; hosting of the IT platform
b) Swiss4ward GmbH, Calle Hermanos Soto Chápuli 4, Alicante 03010, Spain; IT development
c) Time4vps; UAB “Interneto vizija”, J. Kubiliaus St. 6, Vilnius, Lithuania; hosting of the web analytics service server and the two-factor authentication server
d) Twilio Inc, 375 Beale Street, Suite 300, San Francisco, CA 94105; two-factor authentication
2) The contractor shall be obliged to inform the client in good time in advance about the commissioning of subcontractors or changes in subcontracting in text form. The client may object to the subcontracting in text form within four weeks of becoming aware of it.
3) The Contractor shall impose on any sub-processor, by means of a contract or other legal instrument under Union law or the law of the Member State concerned, the same data protection obligations as those laid down in this contract or in any other legal instrument between the Client and the Contractor.
4) Subcontracting relationships within the meaning of the above provisions shall not include services which the Contractor obtains from third parties as purely ancillary services in order to carry out its business activity. This includes, for example, cleaning services, pure telecommunications services without concrete reference to the services provided by the Contractor for the Customer, postal and courier services, transport services and security services. The Contractor is nevertheless obliged to ensure that appropriate precautions and technical and organisational measures have been taken to protect personal data, even in the case of ancillary services provided by third parties.
12. Rights of affected parties
1) If a data subject addresses a request for correction, deletion or information to the Contractor, the Contractor shall refer the data subject to the Client, provided that allocation to the Client is possible on the basis of the information provided by the data subject, and shall forward the request immediately to the Client. Insofar as the cooperation of the Contractor is necessary to implement the request – in particular information, correction, blocking or deletion – the Contractor shall take the necessary measures in accordance with the instructions of the Customer.
2) If a claim for liability and damages is asserted against the Customer by a data subject in accordance with the provisions of data protection law, the Contractor undertakes to support the Customer in defending the claim within the scope of his possibilities against appropriate remuneration.
13. Remuneration of the contractor
The contractor shall not be entitled to any separate remuneration for the services rendered by him under this contract, unless expressly agreed otherwise.
14. Liability
The liability of the parties shall be governed by the agreements of the respective contract on the basis of which the order processing takes place. The direct liability of the parties towards a data subject under statutory provisions on data protection shall remain unaffected.
15. Duration of the contract, termination of the contract, right of retention
The term of this contract shall depend on the term of the contract in accordance with section 1.
16. Return of data
1) Data, data carriers and all other materials containing personal data which are subject to this contract shall, at the end of the order, either be surrendered or deleted as the Client requests. If the Customer issues an instruction for deletion which deviates from what was previously agreed and this results in additional costs for the Contractor, these shall be borne by the Customer. The deletion shall be documented in an appropriate manner. The Customer shall have the right to verify the complete and contractually compliant return and deletion of the data by the Contractor. This can also be done by inspecting the data processing equipment.
2) The parties agree that the assertion of a right of retention by the Contractor within the meaning of § 273 BGB is excluded with regard to the processed data and the associated data carriers. This shall not apply if, under Union law or the law of the Member States, an obligation of the Customer to store personal data continues to exist. In this case, this contract shall continue to apply for the duration of this obligation.
3) The contractor reserves the right to retain the data in pseudonymised form (incl. images) for statistical evaluation after corresponding consent of the person concerned. This consent of the person concerned may be revoked at any time.
17. Final Clauses
1) This contract contains all agreements of the parties to the subject matter of the contract. Any deviating ancillary agreements and earlier agreements on the subject matter of the contract are hereby invalid.
2) Amendments and supplements to this contract must be made in writing, unless a stricter form is prescribed by law. This also applies to any waiver of the formal requirement.
3) General terms and conditions of the parties do not apply to this contract. This shall also apply if their inclusion in later documents in connection with this contract (e.g. call for services) was not objected to.
4) Should any provision of this contract be or become void, ineffective or unenforceable in whole or in part, or should this contract prove to contain a gap, this shall not affect the validity and enforceability of the remaining provisions of this contract. In place of the void, ineffective or unenforceable provision, or to fill the gap, the parties shall agree a legally permissible provision which corresponds as closely as possible to what the parties intended or would have agreed according to the spirit and purpose of this contract had they recognised the ineffectiveness or gap. If the invalidity of a provision is based on a specified measure of performance or time (period or deadline), the provision shall be deemed to have been agreed with a legally permissible measure that comes closest to the original measure. It is the express will of the parties that this severability clause does not merely result in a reversal of the burden of proof, but that § 139 BGB is waived in its entirety.
5) The contract is subject solely to Swiss law and the applicable data protection law. The provisions of the GDPR take precedence over Swiss law.
6) The sole place of jurisdiction for all disputes in connection with this agreement is the registered office of the contractor.
Annex 1
Technical and organisational measures
1. Confidentiality (Art. 32 para. 1 lit. b GDPR)
1) Access control (system access) – The following implemented measures prevent unauthorised persons from gaining access to the data processing systems.
a) Personal and individual user login upon registration
b) Authorisation process for access authorisations (administration of user authorisations)
c) Limitation of authorised users
d) Password procedures (specification of password parameters in terms of complexity and update interval)
e) Logging of access
f) Additional system log-in for certain applications
g) Automatic locking of clients after a certain period without user activity (also password-protected screen saver or automatic pause switch)
h) Firewall (server)
2) Access control (data access) – The following implemented measures ensure that unauthorised persons do not have access to personal data.
a) Administration and documentation of differentiated authorisations
b) Conclusion of contracts for order processing covering the external care, maintenance and repair of data processing equipment, insofar as the processing of personal data is the object of the service during remote maintenance
c) Evaluations/records of data processing operations
d) Use of authorisation concepts
e) Minimum number of administrators
f) Profiles/roles
g) Four-eyes principle
h) Administration of user rights by administrators
3) Separation control – The following measures ensure that personal data collected for different purposes are processed separately.
a) Access authorisations according to functional responsibility
b) Multi-client capability of IT systems
c) Use of test data
d) Separation of development and production environments
e) other: encryption of personal data (including images) in the database
2. Pseudonymisation (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR)
The processing of personal data shall be carried out in such a way that the data can no longer be attributed to a specific data subject without additional information, provided that such additional information is kept separately and is subject to appropriate technical and organisational measures.
1) Personal data such as name, address and date of birth shall be replaced by a unique identification number so that it can no longer be attributed to a specific data subject without additional information.
2) In the case of pseudonymisation: separation of allocation data and storage in a separate and secure system
3) Internal instruction to make personal data as anonymous / pseudonymous as possible in the event of disclosure or even after expiry of the statutory deletion period.
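As an added illustration of the pseudonymisation scheme described in this section (example code, not derma2go's or the contract's own), direct identifiers are swapped for a random unique identification number and the allocation table is kept in a separate store, so that erasing the allocation entry, as item 3) contemplates after the deletion period, leaves the treatment record anonymous. The field names, the `patient_id` label and the sample record are constructed assumptions.

```python
"""Pseudonymisation as in Annex 1, sec. 2 (added example, constructed data).

Direct identifiers (name, address, date of birth) are replaced by a random
unique identification number; the allocation table mapping the number back
to the identity lives in a separate store. Erasing the allocation entry
turns the pseudonymous treatment record into an anonymous one.
"""
import secrets

# Fields treated as direct identifiers (assumption based on sec. 2 item 1).
DIRECT_IDENTIFIERS = ("name", "address", "date_of_birth")


class AllocationStore:
    """Stands in for the separate, secured system of sec. 2 item 2) (in-memory here)."""

    def __init__(self):
        self._allocations = {}

    def register(self, identity):
        """Issue a fresh pseudonym for an identity and record the allocation."""
        pseudonym = secrets.token_hex(8)
        while pseudonym in self._allocations:  # guard against collisions
            pseudonym = secrets.token_hex(8)
        self._allocations[pseudonym] = dict(identity)
        return pseudonym

    def resolve(self, pseudonym):
        """Return the identity for a pseudonym, or None if no allocation exists."""
        return self._allocations.get(pseudonym)

    def erase(self, pseudonym):
        """Drop the allocation; the pseudonymous record becomes anonymous."""
        self._allocations.pop(pseudonym, None)


def pseudonymise(record, store):
    """Split a record into identity (kept in `store`) and a pseudonymous payload."""
    identity = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    payload = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    payload["patient_id"] = store.register(identity)
    return payload


def reidentify(payload, store):
    """Rebuild the original record, or return None if the allocation is gone."""
    identity = store.resolve(payload["patient_id"])
    if identity is None:
        return None
    record = {k: v for k, v in payload.items() if k != "patient_id"}
    record.update(identity)
    return record


def contains_direct_identifiers(payload):
    """True if any direct identifier field is still present in the payload."""
    return any(field in payload for field in DIRECT_IDENTIFIERS)


# Constructed sample record using the data types listed in sec. 3 of the DPA.
SAMPLE_RECORD = {
    "name": "Example Patient",
    "address": "Examplestrasse 1, 8000 Zurich",
    "date_of_birth": "1980-01-01",
    "diagnosis": "constructed health data",
    "image_ref": "img/constructed-0001.jpg",
}

if __name__ == "__main__":
    store = AllocationStore()
    pseudo = pseudonymise(SAMPLE_RECORD, store)
    print("pseudonymous payload:", pseudo)
    print("re-identified:", reidentify(pseudo, store))
    store.erase(pseudo["patient_id"])
    print("after erasing the allocation:", reidentify(pseudo, store))
```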
3. Integrity (Art. 32 para. 1 lit. b GDPR)
1) Disclosure control – It is ensured that personal data cannot be read, copied, altered or removed without authorisation when transferred or stored on data carriers, and that it can be verified and established to which persons or bodies personal data have been transmitted. The following measures have been implemented to ensure this:
a) E-mail does not contain any personal data or is encrypted
b) Secure data transport (e.g. SSL, FTPS, TLS)
c) Logging of data transmission or data transport
d) Logging of read accesses
e) Recording of the copying, alteration or removal of data
f) Tunnelled remote data connections (VPN = Virtual Private Network) for remote maintenance
2) Input control – The following measures ensure that it can be checked who processed personal data at what time in data processing systems.
a) Technical logging of the input, modification and deletion of data
b) Manual or automated control of logs
c) Traceability of input, modification and deletion of data by individual user names
d) Allocation of rights to enter, change and delete data on the basis of an authorisation concept
4. Availability and resilience (Art. 32 para. 1 lit. b GDPR)
Availability and resilience control – The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client.
a) Security concept for software and IT applications
b) Back-up procedure
c) Ensuring data storage in the secure network
d) Importing security updates as required
5. Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)
1) Data protection management – The following measures are designed to ensure that there is an organisation that meets the basic data protection requirements:
a) Guidelines/instructions to ensure technical and organizational measures for data security
b) Appointment of a data protection officer
c) Obligation of employees to observe data secrecy
d) Adequate staff training in data protection matters
e) Keeping an overview of processing activities (Art. 30 GDPR)
2) Incident-Response Management – The following measures are designed to ensure that reporting processes are triggered in the event of data breaches:
a) Notification process for data protection violations pursuant to Art. 4 No. 12 GDPR vis-à-vis the supervisory authorities (Art. 33 GDPR)
b) Notification process for data protection violations pursuant to Art. 4 No. 12 GDPR vis-à-vis the data subjects (Art. 34 GDPR)
6. Data protection-friendly default settings (Art. 25 para. 2 GDPR)
1) The default settings must be considered both for the standard presets of systems and apps and for the set-up of the data processing procedures. In this phase, functions and rights are specifically configured, the admissibility or inadmissibility of certain inputs or input options (e.g. free text) is determined with regard to data minimisation, and the availability of usage functions is decided (e.g. with regard to the scope of processing). Likewise, the type and scope of personal reference or anonymisation (e.g. for selection, export and evaluation functions, which can be defined and preset or made freely available) and the availability of certain processing functions, logs, etc. are determined. Only necessary fields are used and marked as mandatory fields.
7. Order Control
The following measures ensure that personal data can only be processed in accordance with the instructions.
a) Agreement on order processing with provisions on the rights and obligations of the contractor and customer
b) Process for issuing and/or following instructions
c) Identification of contact persons and/or responsible employees
d) Control/verification of the execution of orders according to instructions
e) Training/instruction of all authorised employees at the Contractor's premises
f) Obligation of employees to maintain data secrecy
g) Agreeing on contractual penalties for breaches of instructions
h) Formalised order management
Additional technical and organizational measures by hosting provider HostEurope GmbH, Hansestr. 111, 51149 Köln, Germany
1. Confidentiality (Art. 32 para. 1 lit. b GDPR)
1) Access control I (physical access) – The following implemented measures prevent unauthorised persons from gaining physical access to the data processing systems:
a) Access control system, card reader (magnetic/chip card)
b) Door locks (electric door openers, combination locks, etc.)
c) Security doors/windows
d) Grilles in front of windows/doors
e) Fencing systems
f) Key management/documentation of key allocation
g) Plant security, doorman
h) Alarm system
i) Protection of building shafts
j) Video surveillance
k) Specific server room safeguards
l) Specific safeguards for the storage of back-ups and/or other data media
m) Non-reversible destruction of data media
n) Employee and authorisation cards
o) Restricted areas
p) Visitor regulations (e.g. pick-up at reception, documentation of visiting times, visitor pass, escort after the visit up to the exit)
2. Availability and resilience (Art. 32 para. 1 lit. b GDPR)
Availability and resilience control – The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client.
a) Security concept for software and IT applications
b) Back-up procedure
c) Ensuring data storage in the secure network
d) Importing security updates as required
e) The installation of an uninterruptible power supply (UPS)
f) Fire and/or fire water protection of the server room
g) Fire and/or fire-fighting water protection of the archive premises
h) Air-conditioned server room
i) Virus protection
j) Firewall
k) Emergency plan
l) Successful emergency exercises