Data Processing Agreement

By and Between MakeMeClear and The Specialist

 

The purpose of this Data Processing Agreement is to determine the way MakeMeClear will process data, as the Specialist's Processor for the processing of personal data of the patients.

The parties agree that, in accordance with the Data Protection Legislation, the Specialist is the Controller who entrusts the processing of personal data of patients to MakeMeClear, as Processor.

The Data Controller shall be provided with all the information regarding the necessary processing performed by MakeMeClear.

1. Terminology

The following terms, whether written in capital letters or in lower case, shall have the meaning set out in Regulation (EU) 2016/679: "Supervisory Authority", "Personal Data", "Personal Data Violation", "Data subject", "Processing".

2. Processing according to the Data Controller's instructions and purposes

2.1. The Controller is the one who establishes the purposes and limits of the processing of Personal Data carried out on the basis of this Agreement, as well as, as the case may be, the means by which they are performed and other processing details depending on the specific processing.

2.2. The Data Processor has the obligation to process the Personal Data only on the basis of and within the limits established in the Instructions issued by the Data Controller, including regarding the transfer of Personal Data to a Third Party.

3. Patient data processing

3.1. The Controller decides the purpose and means of processing patients' data, and so the Specialist has the obligation to inform patients about how their data is processed (including information about Processors, such as MakeMeClear).

3.2. Due to the conduct of the activity through the MakeMeClear platform and the processing of personal data using the platform, MakeMeClear has access to patient data, exclusively for the execution of the contract with the Data Controller.

3.3. Patient data is processed by MakeMeClear within the limits set by the Data Controller and will not be processed for purposes other than those entrusted to it by the Data Controller.

3.4. Due to the functionality of the platform, MakeMeClear stores patient information, as introduced in the platform by the Specialist. For this processing, the Data Controller establishes the storage period, having the right to request at any time the deletion of patient data from the databases. In this case, it is the obligation of the Data Controller to ensure the storage of medical data in compliance with applicable law, the Data Processor not being liable for any damage caused by the execution of the Data Controller's instructions on deleting personal data from the systems it manages.

4. Maintaining Data Confidentiality

4.1. The Processor shall maintain the confidentiality of the processing and of the results obtained on the basis of the processing of Personal Data, except where the Data Controller has given prior written permission to disclose them.

4.2. The Processor will ensure that any person charged by the Processor with processing the Personal Data, whether its employee or its sub-processor, has undertaken, in writing, to maintain the confidentiality of the Personal Data before starting the respective processing activities. The undertaking will expressly provide that all its employees who have access to Personal Data are strictly prohibited from disclosing it without prior authorization from a person entitled to issue such authorization. The obligation of confidentiality will apply to both the Personal Data and the content of this Agreement, together with all Annexes thereto, the Controller's instructions and any other correspondence, notification or document relating to the Data, Contract or Agreement.

4.3. The Processor will ensure that all its employees involved in the processing of Personal Data process the personal data only on the basis of and within the limits of the instructions received from the Controller. The Processor is obliged to ensure that access to Personal Data is permitted only to persons who are responsible for processing such Data for the purpose set out in this Agreement ("need-to-know basis").

4.4. Obligations of the Data Controller to maintain the confidentiality of the data will remain imposed on him even after the cessation of processing activities under this Agreement or the termination of the provision of services to the Controller or other contracts concluded between the Parties.

5. Security of processing of personal data

5.1. In order to assess the appropriate level of protection, the Processor will take into account, in particular, the risks associated with the processing, such as destruction, loss, alteration, unauthorized disclosure or unauthorized access to such Personal Data unintentionally or unlawfully.

5.2. The Processor will take one or more of the following measures, but not be limited to them, to ensure the security of the data processing:

5.3. The Processor shall support the Controller by making available to it all the information on the technical and organizational measures implemented and the documentation of compliance with those measures, considering the way this data is processed, namely through the platform developed and provided by the Processor.

5.4. The Processor must ensure that persons outside the area of responsibility for the processing of Personal Data or who do not present security guarantees do not have access to such Personal Data and that there are rules and procedures to prevent unauthorized access and to limit the consequences of such access.

5.5. The Processor has the obligation to make a strict and precise selection of access to the Personal Data processed to ensure that unauthorized access to the data is not possible.

5.6. The Processor will provide the Controller with all possible support in fulfilling its obligations to respond to the requests made by the data subjects and the issues related to the exercise of the rights of the data subjects.

In the event of a breach of the Security of Personal Data, the Processor will notify the Controller of this in writing, without delay, and at the latest within 24 (twenty-four) hours from the moment it becomes aware of the respective breach.

6. Sub-processors

6.1. To provide the services available on the platform, MakeMeClear may use the services of Sub-processors. Thus, in order to access the services, the Controller understands that the data processed from the patients will be transferred by the Processor to the Sub-processors who provide the services.

6.2. In this regard, we mention that our sub-processors are as follows:

| Sub Processor | Service provided | Location and transfers |
| --- | --- | --- |
| AWS | Infrastructure, database | Europe with transfer to USA |
| Recurly | Subscription billing management | USA |
| Stripe | Financial service | Europe with transfer to USA |
| Autopilothq | Marketing campaigns; sending e-mails from the app | USA |