Data Processing Agreement
BETWEEN
The NEXUS User
Hereinafter referred to as "the Controller".
On the one hand,
AND
VISIONIX - Luneau Technology Operations, a simplified joint-stock company (société par actions simplifiée), registered under SIREN number 08615020800048, with its head office at 2 rue Roger Bonnet, 27340, Pont de l'arche, France.
Hereinafter referred to as "the Processor".
On the other hand,
Hereinafter referred to together as "the Parties" and individually as "the Party".
- Personal Data : any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
- Sensitive Data : information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a natural person personally, data concerning health, sex life or sexual orientation. This data is subject to enhanced protection based on the principle that it may not be collected or processed. However, it is possible to get around this prohibition by means of a number of exceptions set out in Article 9.2 of the GDPR (including consent).
- Processing (of Personal Data): the operation or an organized set of operations performed on Personal Data (collection, consultation, structuring, storage, modification, communication, etc.).
- Controller: the person who determines the purposes and means of the processing of Personal Data . He defines the purpose of the operation carried out on Personal Data, and defines the way in which Personal Data will be processed. He or she determines what the data will be used for, what tools will be used to process it, when to act on the data, and so on.
- Processor : natural or legal person, public authority, agency or another body, which processes Personal Data on behalf of the Controller.
- Data Protection Officer (DPO) : the data protection officer, often referred to as the DPO, is responsible for steering and ensuring compliance with the RGPD and LIL within the organization in which he or she is appointed.
- Data breach: breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- Medical device (MD): any instrument, apparatus, equipment, software, implant, reagent, material or other article, intended by the manufacturer to be used, alone or in combination, in humans for one or more of the medical purposes referred to in Article 2 of REGULATION (EU) 2017/745 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 5, 2017 concerning medical devices.
ARTICLE 1: OBJECT
In the context of providing our Solutions and NEXUS platform, as subscribed to in the Contract, to vision health professionals, the Processor is required to process Personal Data on behalf of and in accordance with the instructions of the Controller.
The object of these clauses is to define the conditions under which the Processor undertakes to carry out, on behalf of and on the instructions of the Controller, the Processing operations defined in the framework of the Contract.
As part of their contractual relations, the Parties undertake to comply with the applicable data protection regulations and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 : "the General Data Protection Regulation" (hereinafter the « GDPR »).
ARTICLE 2: INFORMATION RELATING TO THE PROCESSING
The Processor provides the services and solutions defined in the Contract.
The Processor is authorized, for the entire duration of the Contract and of the use of the Visionix Solutions, to process on behalf of Controller, the Personal Data necessary for the following main purpose :
- Making the Nexus platform available to eyecare professionals
2.1. And more specifically the following sub-purposes :
- Telehealth data hosting
For Operators/Opticians :
- collect the information needed to measure refraction
- generate a summary report for the design of vision correction equipment
- contact the doctor responsible for analyzing and validating MD measurements (validating visual corrections), if necessary
For Eye Care Provider
- collect and display the information needed to measure refraction and detect eye diseases
- Generate a summary report enabling the eye care provider to structure his or her expertise and adapt his or her support.
- collect the additional information needed for the eye care provider to prescribe visual corrections
2.2. The categories of Personal Data processed by the Processor on behalf of the Controller are as follows:
- Identification data: personal information on patients entered by the Operator in Visionix Solutions, i.e. first name, surname, date of birth, gender, internal code.
- Contact details: city
- Professional life: information on eye care providers who may be involved in using the solutions.
- Data needed to pay eye care providers
- Sensitive data: collected through Visionix Solutions as ethnicity (important information in the field of visual health), health-related data (measurements used to define the correction formula for lenses, posterior and anterior measurements of the eye enabling the eye care providers to detect any diseases). Medical history and other health-related information if patients choose to provide it to their Operator.
- Exchanges between Nexus platform users
2.3. Categories of Data Subjects:
- Patients = end users
- Healthcare professionals involved in the use of Visionix solutions
- Operators / opticians
2.4. Processing operations carried out by Visionix as Processor :
Collection
Recording (storage)
Transmission
Hosting
Pseudonymization
Usage (report generation)
Destruction
2.5. Visionix DPO contact details :
Full name: Yossi Constantinis
Mail: dpo@visionix.com
Address: DPO, VISIONIX - Luneau Technology Operations, à l’attention du DPO, 2 rue Roger Bonnet, 27340, Pont de l'arche
ARTICLE 3: INFORMATION CONCERNING PROCESSING CARRIED OUT FOR VISIONIX - LUNEAU TECHNOLOGY OPERATIONS' OWN PURPOSES (AS CONTROLLER)
The Processor is authorized, for the entire duration of the Contract and of the use of Visionix Solutions, to process the Personal Data referred in this agreement for its own purposes and on its behalf, for the following purpose(s):
- Improvement of its services (R&D), based on data that do not allow direct identification by Visionix – Luneau technology Operations
- Production of anonymous statistical analysis/studies (based on pseudonymized or anonymized data), in particular relating to the monitoring of its Medical Devices (in order to meet its legal obligations).
ARTICLE 4: PROCESSOR 'S OBLIGATIONS TO THE CONTROLLER
The Processor undertakes to :
1. Process Peronal Data solely for the purpose(s) set out in Articles 2 and 3 of this DPA.
2. Process Personal Data exclusively on behalf of the Controller and in accordance with the latter's documented instructions. If the Processor considers that an instruction constitutes a breach of the GDPR or of any other provision of Union or Member State law relating to data protection, it shall immediately inform the Controller. In addition, if the Processor is required to transfer Personal Data to a third country or to an international organization under Union law or the law of the Member State to which it is subject, it must inform the Controller of this legal obligation prior to Processing, unless the relevant law prohibits such information for important reasons of public interest. Furthermore, within the framework of the Contract, the processing of Data entrusted to Sub-Processor may give rise to transfers outside the EU and are, where applicable, subject to adequacy decisions or the implementation of appropriate safeguards (in particular standard contractual clauses), in accordance with Articles 45 et seq. of the RGPD.
3. Guarantee the confidentiality of Personal Data processed in the context of the Contract.
4. Not to :
• Disclosing, in any form whatsoever, all or part of the Personal Data processed;
• Copy or store, in any form whatsoever and for any purpose, all or part of the information or Personal Data contained on the media or documents entrusted to it or collected by it during the performance of the Contract, except in the cases covered herein.
5. Ensure that the persons authorized to process Personal Data under the Contract :
• Undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality,
• Receive the necessary training or awareness-raisong in Personal Data protection.
6. Take into account the principles of data protection by Design and data protection by Default for its tools, products, applications and services.
7. Sub-Processing :
The Processor is authorized to engage the entities listed in Appendix below : the "Sub-Processor(s) », to carry out the processing activities referred to.
In the event of the recruitment of other Sub-Processors, the Processor must obtain the specific prior written authorization of the Controller.
The Sub-Processor is required to comply with the obligations of the Processor on behalf of and in accordance with the instructions of the Controller. It is the responsibility of the Processor to ensure that the Sub-Processor presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the Processing meets the requirements of the GDPR. If the Sub-Processor fails to meet its data protection obligations, the Processor remains fully liable to the Controller for the Sub-Processor’s performance of its obligations.
8. Data subjects' right to information
The Controller is responsible for informing the data subjects about the Processing operations it carries out itself and on its behalf. It is up to the Processor to inform data subjects about the Processing operations it carries out on its own behalf and those it carries out on behalf of the Data Controller at the time the Data is collected, by means of a specific information form.
9. Exercising the rights of data subjects
Insofar as possible, the Processor shall assist the Controller in fulfilling its obligation to comply with requests to exercise the rights of data subjects: right of access, to rectification, to erasure and to object, right to restriction of Processing, right to data portability....
Where data subjects make requests to the Processor to exercise their rights, the Processor must respond, in the name and on behalf of the Controller and within the time limits provided for by the GDPR, to the data subjects’requests, insofar as they concern data data that is the subject of this processing agreement.
10. Notification of Data Breaches
The Processor shall notify the Controller of any Data Breach as soon as possible after becoming aware of it.
After agreement from the Controller, the Processor notifies the competent supervisory authority in accordance with Article 55 of the GDPR, in the name and on behalf of the Controller, of Data Breaches as soon as possible and, if possible, no later than 72 hours after becoming aware of it, unless the breach in question is not likely to give rise to a risk to the rights and freedoms of natural persons.
In the event of a high risk to the rights and freedoms of natural persons, with the agreement of the Data Controller, the Subcontractor shall, in the name and on behalf of the Data Controller, communicate the personal data breach to the data subject as soon as possible.
The communication to the data subject describes, in clear and simple terms, the nature of the personal data breach and contains at least :
- a description of the nature of the Data Breach, including, if possible, the categories and approximate number of persons affected by it, and the categories and approximate number of personal data records involved;
- the name and contact details of the DPO or other point of contact from whom further information can be obtained;
- a description of the likely consequences of the Data Breach;
- a description of the measures taken or proposed to be taken by the Controller to remedy the Data breach, including, where appropriate, measures to mitigate any negative consequences.
11. Assisting the Processor in complying with the Controller's obligations
The Processor assists the Controller in carrying out Data protection impact assessement or prior consultation with the competent supervisory authority.
12. Security measures
The Processor undertakes to implement appropriate technical and organizational security measures taking into account the state of the art, costs, nature, scope, context and purposes of the Processing operations, in order to guarantee a level of security appropriate to the risks, and in particular:
• Pseudonymisation and encryption of Personal Data, depending on its criticality
• The means to guarantee :
o Confidentiality of information by preventing disclosure to unauthorized third parties;
o Integrity of information by preventing its intentional or accidental modification or destruction outside the scope of Processing;
o The availability of the information and Processing systems, and resilience of Processing systems and services;
o The traceability of information operations;
• Means for restoring availability and access to personal data in a timely manner in the event of a physical or technical incident;
• A procedure for regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
In this respect, the Processor has implemented the following measures in particular :
• Encrypting databases, data streams and hardware
• Pseudonymisation of data that cannot be identified by the Processor
• Partitioning mesures
• Logical access control, including an authorization management policy, personal accounts with strong authentication, password robustness checks, and secure storage of encrypted passwords.
• Logging to track access and manage incidents
• Secure archiving
• Commitment to confidentiality on the part of staff and Sub-Processors
• Secure servers (ISO 27001 - HDS certification from hosting provider)
• Hosting on servers located in Europe only
• Daily backups and redundant servers
• Organizational measures such as :
- Integrating privacy protection into projects
- Managing third parties
- Appointing a DPO
- Implementation of internal data breach and rights exercise procedures
13. Copy and fate of Personal Data at the end of the Contract
The Processor undertakes, at the end of the Contract or in the event of early termination thereof, not to keep any copies of the personal data hosted, unless otherwise required by the regulations applicable to the Processor, in particular as a manufacturer of Medical Devices.
14. Register of categories of processing activities
The Processor declares that it keeps a written record of all categories of processing activities carried out on behalf of the Controller, including:
• The name and contact details of the Processor, and Controller on whose behalf it is acting, and, where applicable, of the DPO;
• Categories of Processing carried out on behalf of the Controller;
• Where applicable, transfers of personal data to a third country or to an international organization, including the identification of such third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documents attesting to the existence of appropriate safeguards;
• As far as possible, a general description of technical and organizational security measures, including but not limited to, as appropriate:
o Pseudonymization and encryption of personal data ;
o Means to guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
o Means to restore availability and access to personal data within appropriate timeframes in the event of a physical or technical incident;
o A procedure for regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
15. Documentation and auditing
The Processor shall make available to the Controller the documentation or certification necessary to demonstrate compliance with all its obligations.
The Processor allows audits, including practical verification of contractual guarantees, to be carried out by the Controller, within the limits of any elements protected by business secrecy, professional secrecy or intellectual property right(s).
It is specified that any audit of the Processor’s technical or organizational security is carried out at the expense of the Controller, by a competent and independent auditor, appointed by mutual agreement with the Processor, and in the presence of the latter.
ARTICLE 5 : OBLIGATIONS OF THE CONTROLLER TOWARDS THE PROCESSOR
The Controller undertakes to :
1. Provide the Processor with the data specified herein.
2. Document in writing any instructions concerning the Processing by the Processor.
3. Ensure, beforehand and throughout the duration of the Processing, that the Processor complies with the obligations set out in the GDPR.
As part of the supervision of Processing, the Controller may carry out audits and inspections of the Processor.
The Controller may make available to data subjects, if they so request, a copy of these clauses and a summary description of the security measures, as well as a copy of any Sub-Processing contract concluded in accordance with these clauses, unless these clauses or contract contain(s) commercial information, in which case it may withdraw such information.
