Data Processing Agreement

(Schedule 5.3 of the EULA)

Of the one part, you or your organization, as the “Data Controller”.

And of the other part, Quibim, S.L., as “Quibim” or the “Data Processor”.

The Data Controller and Quibim shall hereinafter be jointly referred to as the “Parties” and individually as a “Party”.

The Parties acknowledge each other’s sufficient legal capacity to execute this personal data processing agreement (the “Data Processing Agreement”) and, accordingly,

WHEREAS

  1. The Parties have subscribed a legal agreement and/or license quotation (the “Agreement”), which incorporates this End User License Agreement (the “EULA”), to which this Data Processing Agreement is a Schedule, for the granting of the License to access and use the Software and/or the provision of the services described in the Agreement (the “Services”), whereby Quibim must access personal data controlled by the Data Controller to correctly perform such Services.
  2. Pursuant to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation, “GDPR”), Spanish Act 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (“LOPDgdd”) and other applicable data protection legislations that may amend, supplement or replace them (altogether, the “Data Protection Legislation”), it is necessary to regulate the data protection obligations assumed by the Parties under the Agreement.
  3. Now therefore, in light of the above, the Parties agree to enter into this Data Processing Agreement, which shall be governed by the provisions of article 28 of the GDPR and, in particular, the following:


CLAUSES

One.- Object of the Agreement
The object of this Data Processing Agreement is to regulate the Parties’ obligations with regard to the access by Quibim to personal data for which the Data Controller is responsible in order for Quibim to perform its obligations under the Agreement. Quibim may have access to the following categories of personal data:

  1. Identifying data of patients, employees or collaborators of the Data Controller.
  2. Special categories of data of the patients of the Data Controller (i.e., Medical Data).
  3. Data regarding personal characteristics of patients of the Data Controller.

Quibim shall carry out the following types of processing operations on behalf of the Data Controller and following its instructions: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, interconnection, restriction, erasure, comparison, limitation, use, anonymization and destruction.

Two.- Duration
This Data Processing Agreement shall enter into force on the date of the acceptance of the EULA by the Data Controller and shall remain in force until the Services have been fully performed.

Three.- Quibim’s obligations
Quibim, in its capacity as data processor, represents and warrants the following to the Data Controller:

  1. It has sufficient technical capacity to comply with the obligations deriving from the Agreement in full observance of personal Data Protection Legislation and it can give an undertaking, to the extent required by the provision of the Services, to comply with the requirements of the Data Protection Legislation.
  2. It shall maintain the secrecy and confidentiality of any personal data controlled by the Data Controller to which it will have access.
  3. It shall process the personal data to which it has access solely on behalf of the Data Controller and, in all cases, in accordance with the documented instructions given to it by the Data Controller. Equally, it undertakes to use said data during the term of this Agreement solely for the provision of the Services and, consequently, not to use them or apply them in any way that exceeds such purpose. Quibim is not responsible for compliance with any Data Protection Legislation applicable to the Data Controller or the Data Controller’s industry that is not generally applicable to Quibim.
  4. It shall not disclose to third parties, not even for their storage, any data to which it has access by virtue of the provision of the Services, or any preparations, evaluations or similar processes it may carry out with said data, nor shall it duplicate or reproduce some or all of the information, results or relationships regarding such data, save where legally required to do so.
  5. It shall make available to the Data Controller all information necessary to evidence the fulfilment of its obligations, and for the performance of any audits or inspections carried out by the Data Controller, or any other auditor on its behalf. Audits may be performed periodically, on a planned or “ad hoc” basis, with prior notification to Quibim at least THIRTY (30) days in advance, during normal business hours and in a way that does not unreasonably interfere with the provision of services by Quibim or otherwise with Quibim’s business (except for those interferences that can be reasonably expected, in a general and necessary way, in any audit process). The above requirements shall not apply in the event the audit is commenced by a competent authority.
  6. It shall ensure that the persons authorized to process personal data expressly undertake in writing to respect the confidentiality thereof and to comply with the corresponding security measures, of which they shall be duly informed.
  7. It shall ensure the necessary personal data protection training is given to the persons authorized to process personal data under its charge.
  8. It shall assist the Data Controller in performing impact assessments relating to the personal data to which it has access, where applicable under Data Protection Legislation and so requested by the Data Controller.
  9. It shall assist the Data Controller in submitting prior consultations to the supervisory authority, where applicable.
  10. If Quibim considers that compliance with a specific instruction of the Data Controller could entail a breach of Data Protection Legislation, Quibim must immediately notify the Data Controller (unless prohibited from doing so under Data Protection Legislation) and ask it to withdraw, amend or confirm the instruction in question. Quibim may suspend application of the instruction in question while awaiting the Data Controller’s decision regarding the withdrawal, amendment or confirmation of the relevant instruction.
  11. On completion of the Services, Quibim shall immediately proceed to the absolute anonymization of (i) the personal data to which it has had access, as well as (ii) the documents or media in which any of these data are recorded, in terms equivalent to its destruction in accordance with the provisions of the GDPR. Quibim shall then be entitled to use that anonymized data for its own purposes and in particular to train its algorithms in order to keep its database permanently updated, on the basis that the Data Controller has complied with all legal requisites to disclose that anonymized data to Quibim. As recognized by the Data Controller, this further processing of anonymized data by Quibim results in the constant improvement of the services provided by Quibim. The Data Controller represents and warrants that (i) it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents, permissions and rights necessary under Data Protection Legislation for Quibim to lawfully process personal data controlled by the Data Controller to correctly perform the Services, and that (ii) it has complied with all applicable Data Protection Legislation in the collection and provision to Quibim of such personal data. Quibim shall not destroy the data where there is a legal obligation to store the data, in which case Quibim shall return the data to the Data Controller, in the manner indicated by it, and the Data Controller must ensure the data are stored.
  12. It shall, as data processor, notify the Data Controller via email without undue delay and in any event, where feasible, no later than 48 hours from Quibim becoming aware of any suspected or confirmed incident relating to the protection of the data, any data processing that may be considered unlawful or unauthorized, any loss, destruction or damage to personal data within the area of responsibility of Quibim (caused by Quibim, its personnel, agents or subcontractors) and any incident that may be considered a personal data breach, together with all relevant information in order to document and communicate the incident to the authorities or affected data subjects. In this connection, it shall, where it has it, provide the following information at minimum:
    • a description of the nature of the data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    • the name and contact details of the data protection officer or other contact point where more information can be obtained;
    • a description of the likely consequences of the personal data breach; and
    • a description of the measures taken or proposed to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Quibim shall also immediately open a full investigation into the circumstances relating to the incident and shall present its report or observations thereon to the Data Controller, collaborating fully with any investigation carried out by the Data Controller and providing the Data Controller with any assistance required for the investigation of the incident. Quibim’s notification of or response to an incident under this Section 12 will not be construed as an acknowledgment by Quibim of any fault or liability with respect to the incident.

  13. It shall also assist the Data Controller in the event of a personal data breach in order to ensure compliance with the obligations to notify a personal data breach in accordance with the Data Protection Legislation (in particular, articles 33 and 34 GDPR) and with any other applicable rules that may amend or supplement it or which may be enacted in the future.

  14. It shall assist the Data Controller by providing any kind of information and/or documentation required by the Data Controller to adequately respond to any request for exercise of the rights of access, rectification, erasure, objection, restriction of processing and/or portability it may receive from data subjects and, in all cases, sufficiently in advance to enable the Data Controller to meet the legally applicable deadlines for responding to such requests.

  15. If Quibim directly receives a request for exercise of the rights of access, rectification, erasure, objection, restriction of processing and/or portability from the data subject, it undertakes to immediately convey such request to the Data Controller and, in any case, in less than SEVEN (7) business days.

  16. It shall not outsource the Services to any third party unless it obtains the prior written consent of the Data Controller or they are auxiliary services needed by Quibim in order to correctly provide its services, such as those needed to securely store the data.

Where Quibim needs to outsource any data processing, it must notify the Data Controller of the services and processing it intends to outsource, the identity of the subcontractor and its contact details. This notice must be served by Quibim at least ONE (1) week in advance of the signature of the outsourcing agreement, during which period the Data Controller may object to the outsourcing, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties will discuss such concerns in good faith with a view to achieving a resolution. If Quibim cannot provide an alternative sub-processor, or the Parties are not able to achieve resolution as provided herein, the Data Controller as its sole and exclusive remedy, may terminate the relevant part of the Agreement, regarding those Services which cannot be provided by Quibim without the use of the sub-processor concerned, without liability to either Party (but without prejudice to any fees incurred by the Data Controller prior to suspension or termination).

Quibim shall inform the Data Controller of any intended changes concerning the addition or replacement of other subcontractors, thereby giving the Data Controller the opportunity to object to such changes.

The sub-processor shall also be subject to the obligations imposed on Quibim under this Agreement and to the instructions issued from time to time by the Data Controller. In this connection, Quibim must set out the relationship with the sub-processor and the obligations of the sub-processor in a contract to be signed by Quibim and the sub-processor, which meets the formal requirements contained in this Agreement and provides the same level of protection as herein. In the event of breach by the sub-processor of its data protection obligations, Quibim shall bear all liability to the Data Controller for such breach, as if the breach had been committed by Quibim.

  17. It shall keep a written record of all categories of processing activities carried out by virtue of the Agreement, containing:

  • the name and contact details of Quibim and, where applicable, the representative of the Data Controller or of Quibim, and the data protection officer;
  • the categories of processing carried out by virtue of the Agreement; and
  • in the case of international data transfers (which must be regulated or authorized by the Data Controller in all cases), the identity of the third country of final destination of the data controlled by the Data Controller and documentation of the suitable safeguards.

  18. It shall not carry out international transfers of the personal data to which it has access that are controlled by the Data Controller unless it obtains prior written authorization from the Data Controller and it has implemented the additional safeguards regarding international data transfers required in accordance with the GDPR.

In this regard, if the Data Controller is based outside the European Economic Area (EEA) it authorizes Quibim, by virtue of this Data Processing Agreement, to internationally transfer the personal data that Quibim processes in name and on behalf of the Data Controller back to the Data Controller. Quibim undertakes to take all measures as necessary to ensure that the transfer is in compliance with this Data Processing Agreement and applicable Data Protection Legislation.

Regarding the safeguards implemented by Quibim to carry out such international transfers:

  (i) If the Data Controller is located in a third country outside the EEA which has been declared by the European Commission, via an adequacy decision, as having an adequate level of protection of personal data (see the European Commission’s full list of adequacy decisions), Quibim shall internationally transfer the data on the basis of such adequacy decision; and
  (ii) If the Data Controller is located in any third country outside the EEA other than the ones described in point (i) above, the international transfer shall be carried out by virtue of the processor-to-controller Standard Contractual Clauses adopted by the European Commission and subscribed between Quibim and the Data Controller, which are attached to this Data Processing Agreement as Appendix I. It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the EULA (including this Data Processing Agreement), the Standard Contractual Clauses shall prevail to the extent of such conflict.

  19. Quibim shall have a general description of the technical and organizational security measures implemented relating to: (i) the pseudonymization and encryption of personal data, as applicable; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) the process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Quibim also undertakes to implement all technical and organizational security measures applicable in accordance with the provisions of the Data Protection Legislation (in particular, Article 32 of the GDPR) and any other applicable rules that may amend, supplement or replace them. In the specific context of this relationship, Quibim shall implement the security measures indicated in Appendix II (the “Security Measures”).

These Security Measures, and any others that must be implemented, may be amended at the request of the Data Controller for the purposes of bringing them into line with regulatory changes or changes in the type of personal data to which Quibim will have access. The Data Controller is responsible for reviewing the information made available by Quibim relating to data security and making an independent determination as to whether the Security Measures meet the Data Controller’s requirements and legal obligations under Data Protection Legislation.

The Data Controller acknowledges that the Security Measures established in Appendix II are subject to technical progress and development and that Quibim may update or modify them from time to time, provided that such updates and modifications do not result in a material degradation of the overall security of the Services subscribed by the Data Controller.

If, following the formalization of the Agreement, the Data Controller requires Quibim to adopt or maintain security measures other than the Security Measures agreed in this clause and specified in Appendix II, or if it is compulsory to adopt them due to any rule that may be enacted in the future, and this significantly affects the cost of performing the services engaged under this Agreement, Quibim and the Data Controller shall agree on the appropriate measures to resolve the situation.

Four.- Prohibition of other uses
In accordance with the provisions of the Data Protection Legislation, and except for the provisions of Clause Three regarding anonymized data, Quibim will be considered data controller in the event that it uses the personal data for other purposes, communicates them or uses them in breach of the stipulations of this Data Processing Agreement, and shall therefore be deemed personally liable for the infractions that may have been incurred.

Five.- Information on the processing of the signatories’ and representatives’ personal data by the Parties
In accordance with applicable Data Protection Legislation, the Parties inform the signatories acting on behalf of the other Party to this EULA (the “Representatives”) that the personal data they provide herein or may subsequently provide will be the responsibility of the other Party, which will process it on the basis of that Party’s legitimate interest in maintaining, complying with, developing, monitoring and enforcing the provisions of this EULA.

The Parties shall process the other Party Representative’s personal data for the duration of this EULA and may subsequently maintain such data blocked for the duration of the statute of limitations of any legal actions relating to such processing.

For the appropriate purposes, the Parties inform the Representatives that their personal data shall not be disclosed to any third party or internationally transferred except under a legal obligation and that only the Parties’ service providers in the systems and technology, legal and administrative management sectors shall have access to such data.

Should your Representatives wish to exercise their rights of access, rectification, erasure, restriction of processing and, in those cases where possible, objection, they may do so by writing to the address indicated in Clause 10.14 of the EULA or to the following addresses:

  • To exercise the rights before Quibim’s Data Protection Officer: dpo@quibim.com

In addition, the Representatives may also contact the Spanish Data Protection Agency to claim their rights.

Six.- Relationship with the EULA
The Parties agree that this Data Processing Agreement shall replace any existing data processing agreement or similar document that the Parties may have previously entered into in connection with the Services or the Software.

This Data Processing Agreement will be governed and construed in accordance with the governing law and jurisdiction provisions in the EULA, unless required otherwise by applicable Data Protection Legislation.

Appendix I

Standard Contractual Clauses for the Transfer of Personal Data to Third Countries


SECTION I

Clause 1 – Purpose and scope

a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

b. The Parties:

    1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A (hereinafter each “data exporter”), and
    2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each “data importer”)

have agreed to these standard contractual clauses (hereinafter: “Clauses”).

c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2 – Effect and invariability of the Clauses

a. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

b. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3 – Third-party beneficiaries

a. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

    1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
    2. Clause 8.1 (b) and Clause 8.3 (b);
    3. Clause 13;
    4. Clause 15.1 (c), (d) and (e);
    5. Clause 16 (e);
    6. Clause 18.

b. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4 – Interpretation

a. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

b. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

c. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5 – Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6 – Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Docking clause

a. An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

b. Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

c. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.


SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8 – Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

a. The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

b. The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

c. The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

d. After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2 Security of processing

a. The Parties shall implement appropriate technical and organizational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data[1], the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

b. The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

c. The data exporter shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Documentation and compliance

a. The Parties shall be able to demonstrate compliance with these Clauses.

b. The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9 – Use of sub-processors
Not applicable.

Clause 10 – Data subject rights

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11 – Redress

a. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

b. The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body[2] at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.

Clause 12 – Liability

a. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

b. Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

c. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

d. The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

e. The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13 – Supervision
Not applicable.


SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14 – Local laws and practices affecting compliance with the Clauses
Not applicable.

Clause 15 – Obligations of the data importer in case of access by public authorities
Not applicable.


SECTION IV – FINAL PROVISIONS

Clause 16 – Non-compliance with the Clauses and termination

a. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

b. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

c. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

    1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
    2. the data importer is in substantial or persistent breach of these Clauses; or
    3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

d. Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

e. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.


Clause 17 – Governing law
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Spain.

Clause 18 – Choice of forum and jurisdiction
Any dispute arising from these Clauses shall be resolved by the courts of Spain.


[1] This includes whether the transfer and further processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.

[2] The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards.


Annex I

A. List of Parties

Data exporter(s):

  1. Name: Quibim, S.L.

    Address: Avda. Aragón 30, Edificio Europa, 13th floor, Office I-J, 46021 Valencia (Spain)

    Contact person’s name, position and contact details: Pridatect, S.L., Quibim’s Data Protection Officer: dpo@quibim.com

    Activities relevant to the data transferred under these Clauses: Quibim, as the Data Controller’s data processor, shall have access to certain personal data under the Data Controller’s responsibility. In this sense, Quibim shall carry out the following types of processing operations on behalf of the Data Controller and following its instructions: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, interconnection, restriction, erasure, comparison, limitation, use, anonymization and destruction.

    Within the context of the service provision, Quibim shall give the Data Controller access to the personal data under its responsibility, which implies carrying out an international transfer of personal data.

    Signature and date: Please refer to the date and signature of the Agreement.

    Role (controller/processor): Processor


Data importer(s):

  1. Name: The Data Controller.

    Address: As indicated in the Agreement.

    Contact person’s name, position and contact details: As indicated in the Agreement.

    Activities relevant to the data transferred under these Clauses: The Data Controller shall have access, through Quibim’s Software, to the personal data under its responsibility that Quibim is processing on the Data Controller’s behalf to provide it with the relevant services. Given that such access shall take place from a location outside the European Economic Area (EEA), Quibim shall be carrying out international data transfers.

    Signature and date: Please refer to the date and signature of the Agreement.

    Role (controller/processor): Controller


B. Description of Transfer

Categories of data subjects whose personal data is transferred

Data subjects include individuals about whom data is provided to Quibim via the Services, by or at the direction of the Data Controller, which shall include End Users and patients.

Categories of personal data transferred

Identifying data, special categories of data (i.e., Medical Data) and data regarding personal characteristics of patients of the Data Controller.

Sensitive data transferred (if applicable) and applied restrictions or safeguards

Medical Data of the Data Controller’s patients. Such Medical Data is processed by Quibim on a pseudonymized basis as it is only associated with a patient code which only the Data Controller can link to a specific data subject.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

On a continuous basis, to the extent required for the provision of the Services.

Nature of the processing

Quibim transfers the data back to the Data Controller given its role as Data Processor. In this sense, Quibim allows the Data Controller to have access, via the Software, to the personal data it processes on the Data Controller’s behalf in accordance with the Agreement and the EULA. The data is processed during and for the provision of the Services.

Purpose(s) of the data transfer and further processing

Given that Quibim processes personal data on the Data Controller’s behalf to provide it with the Services, as described in the EULA and the Agreement, the Data Controller should be able to access such data under its responsibility at any time, which implies a processor-to-controller international transfer regulated by virtue of these Standard Contractual Clauses.

The purpose of the transfer is for Quibim to comply with its role as data processor.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Quibim shall process the personal data under the Data Controller’s responsibility, and therefore carry out the international transfers, for the duration of the EULA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Quibim shall not transfer the Data Controller’s personal data to sub-processors located outside the EEA (unless it obtains the prior written consent of the Data Controller or they are auxiliary services needed by Quibim in order to correctly provide its services as per Section o) of the Data Processing Agreement herein), although it may subcontract certain services to sub-processors within the EEA. Sub-processor shall mean any third party engaged by Quibim to process personal data (but shall not include Quibim employees, advisors or consultants).

Appendix II

Technical and Organizational Security Measures


Description of the technical and organizational measures implemented by Quibim to ensure an appropriate level of security and protection of personal data (the “Security Measures”), taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of data subjects.


Confidentiality and access control

  • Access to personal data by unauthorized persons is to be prevented. To this end, Quibim’s internal Clean Desk Policy prevents personal data from being left exposed to third parties. Electronic media and paper documents shall be stored in a secure place (closed cabinets or restricted access rooms). When absent from the workstation, the screen will be locked, or the session will be closed.
  • Physical access control is established to prevent unauthorized access to data processing systems. Quibim has implemented an automated access control system, an alarm system and other safeguards, such as security locks or a protocol for logging visitors.
  • Documents or electronic media (CDs, pen drives, hard disks, etc.) containing personal data will not be disposed of without guaranteeing their destruction. Nevertheless, employees shall generally not use any external storage device in accordance with Quibim’s internal Corporate-owned Device Policy and standard operating procedure (or “SOP”) regarding asset management.
  • No personal data or personal information will be communicated to third parties without following the procedures established in applicable personal data protection regulations. Special care will be taken not to disclose personal data during telephone inquiries, in e-mails, or similar.
  • A password management system is in place to ensure that quality passwords are used and, therefore, to guarantee the appropriate confidentiality and security of personal data stored in electronic systems, in accordance with Quibim’s internal Password Policy and its SOP on cybersecurity best practices. Two-factor authentication must be used for access to systems and platforms where technically possible.
  • The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties. In no case shall passwords be shared or left written down, and access by persons other than the user shall not be allowed.
  • A formal user registration and de-registration process is implemented to enable assignment and revocation of access rights for all user types to all systems and services. The allocation and use of privileged access rights is restricted and controlled. Access rights are removed upon termination of employment, upon termination of the provision of services or adjusted upon change.
  • When it is necessary to extract personal data outside the premises where it is processed, either by physical or electronic means, end-to-end encryption methods are used to guarantee the confidentiality of personal data in the event of improper access to the information.
  • Quibim uses cryptographic techniques to protect the confidentiality, integrity, and authenticity of information during its storage and/or transmission. Specifically, encryption is used for the following purposes: remote access via VPN, communications between developed apps and servers, encryption of information at rest (databases and storage) on the Microsoft Azure storage system using Azure Storage Service Encryption (256-bit Advanced Encryption Standard (AES) encryption), electronic signature certificates, laptop encryption and backup encryption.
  • Data access control is established in accordance with Quibim’s internal policies (namely, the Access Management Policy and the access control SOP), requiring, among other measures, the logging of access to applications, specifically when entering, changing, and deleting data.
  • Separation of processing of data collected for different purposes is implemented with the separation of development, testing and production environments (all client integrations are developed and tested in a test environment, and updates are only released to production after sufficient testing), the physical separation of systems, databases and data carriers, and the determination of database rights.
  • When a security breach of personal data occurs, such as, for example, theft of or improper access to personal data, the Spanish Data Protection Agency shall be notified of the breach within 72 hours, including all the information necessary to clarify the facts that gave rise to the improper access to personal data. The notification will be made by electronic means through the electronic office of the Spanish Data Protection Agency at the address: https://sedeagpd.gob.es.


Integrity

  • As per Quibim’s internal Access Management Policy, access management SOP and access control SOP, there are to be as few administrator user accounts as possible following the need-to-know and least privilege principles.
  • When personal data is accessed by different persons, each person with access to personal data must have their own username and password. All users shall use a unique identifier to access all systems and applications.
  • Devices and laptops used for the storage and processing of personal data are kept updated to the latest available versions.
  • A hardware and software asset inventory is in place to identify assets associated with information systems to determine accountability and ownership of assets.
  • Transmission control is implemented, where applicable, by using a Virtual Private Network (VPN), logging accesses and retrievals, and deployment over encrypted connections like HTTPS or email encryption.
  • Entry control is implemented with event logs, which record user activities and information security events. Logging facilities and log information are protected against tampering and unauthorized access. System administrator and system operator activities are logged, and the logs are protected and regularly reviewed.
  • The integrity of data is ensured with the management and individualized control of every change, allocating individualized rights to enter, change and delete data on the basis of an authorization concept, the technical logging of the input, modification and deletion of data and appropriate traceability measures of input, modification and deletion of data by individual usernames, among others.
  • Any changes made to the source code are reviewed by Static Code Analysis prior to being put into production to ensure, among other aspects, that there are no critical vulnerabilities or security hotspots in it.


Availability and resilience

  • All computers and devices where the automated processing of personal data is carried out have an antivirus system or analogous measures that prevent, as far as possible, the theft and destruction of personal information and data, by detecting, preventing and recovering from malware.
  • In order to avoid undue remote access to personal data, a firewall system, which is regularly updated, is deployed in all laptops and devices (under Quibim’s management) where personal data is stored and/or processed.
  • Encrypted backup copies of all business, development and production information contained in Quibim’s cloud service provider’s infrastructure (hosted by Microsoft Azure) are taken regularly in accordance with Quibim’s internal backup procedures. Azure Backup and Azure Site Recovery services are employed to ensure a disaster recovery plan for Azure file share storage. These services enable the Geo-Redundant Storage (GRS) option, which stores backups in a separate region from their source data. This allows the backup to be used in the event of a regional outage or failure, and it also keeps backups separate from source data for added security.
  • Application files and production data are backed up in accordance with established backup policies.
  • A Business Continuity Plan is in place to ensure the required level of continuity for business operations during an adverse situation that may impact business continuity. As part of the Business Continuity Plan, an emergency plan specifies the procedures and actions to reestablish the operations of the essential services in the shortest possible time and under the best possible conditions.


Data subjects’ rights

All of Quibim’s employees know their obligations concerning the processing of personal data and are informed about the procedure for addressing the rights of data subjects. Quibim’s internal GDPR rights management policy clearly defines the mechanisms by which the rights can be exercised, acknowledging that the data controller shall respond to the data subjects without undue delay.

  • For the right of access, the interested parties will be provided with a list of the personal data in Quibim’s possession together with the purpose for which they have been collected, the identity of the recipients of the data, the storage periods, and the identity of the person responsible to whom they can request rectification, deletion, and opposition to the processing of the data.
  • For the right of rectification, the data controller will modify the data of the interested parties that are inaccurate or incomplete with respect to the purposes of the processing.
  • For the right of erasure, the data of the interested parties will be deleted when the interested parties withdraw or object to the consent on which the processing of their data is based, and no legal duty prevents the deletion.
  • For the right of portability, data subjects must communicate their decision and inform the data controller, where appropriate, about the identity of the new data controller to whom to provide their personal data.
  • For the right of objection, the data of the interested parties will no longer be processed according to the purposes for which objection of processing is requested by the data subjects.
  • For the right of not being subject to automated individual decision-making, the data controller will inform of the lack of processing of the data subject’s data in this regard, providing appropriate evidence.


Procedures for regular review, assessment, and evaluation

  • Quibim has been granted the following certifications:
    • ISO/IEC 27001:2013 and UNE-EN ISO/IEC 27001:2017 – Information Security Management System
    • ISO 13485:2016 and EN ISO 13485:2016 – Quality Management system
    • Cyber Essentials Scheme
  • All software is developed under Quibim’s Quality Management System, certified under ISO 13485.
  • An annual review is carried out, through independent internal audits, of all secure development provisions, established under the ISMS framework, and Quibim will periodically review the effectiveness of the Security Measures herein.
  • Quibim conducts post-market surveillance activities regularly to monitor the safety and performance of all of Quibim’s products and services.
  • All employees are trained regularly on data protection and are obliged under confidentiality and data secrecy obligations, which survive the termination and expiration of employees’ employment relationship with Quibim.
  • Quibim enters into data processing agreements with all contractors outlining their data protection and security requirements, with a prior hiring process that involves due diligence concerning data security.
  • In accordance with articles 37, 38, and 39 of GDPR, Quibim has appointed a Data Protection Officer (dpo@quibim.com) that monitors Quibim’s compliance with Data Protection Legislation.


Quibim may update or modify these Security Measures from time to time, provided such updates and modifications do not result in the degradation of the overall security.