Data Processing Agreement

Data Processing Agreement – Rods&Cones acting as Processor

This Data Processing agreement (“DPA”), signifies that the undersigned:

Rods&Cones BV  a company incorporated under the laws of Belgium, having its registered office at Oudebaan 2, 2350 Vosselaar, Belgium and registered in the trade register of the Chamber of Commerce under number BE0741.795.919 or Rods&Cones Sales B.V. a company incorporated under the laws of The Netherlands, having its registered office at Apollolaan 69-3; 1077AH Amsterdam; The Netherlands and registered in the trade register of the Chamber of Commerce under number 80331947  (hereinafter to be referred to as “Rods&Cones/Processor”),

hereinafter jointly also to be referred to as the “Parties” and each separately as a “Party”;

Declare to have agreed as follows:

Rods&Cones will provide the remote assistance Solution to the extent made available under the Underlying Agreement to reflect the parties’ agreement with regard to the Processing of Personal Data.

In the course of providing the Services to Customer pursuant to the DPA, Rods&Cones may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

With effect from 25 May 2018, Rods&Cones will Process Personal Data in accordance with the General Data Protection Regulation, or Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 repealing Directive 95/46/EC (hereafter indicated as: ‘GDPR’) requirements directly applicable to Rods&Cones’ provision of its Services.

1. Definitions

2. Details of the Processing

The Personal Data Processed under this DPA concern the following categories of Data Subjects:

• Customer employees and contractors
• Health care professionals
• patients

Rods&Cones consists of an online web-based back-end to store and manage Customer data (including Personal Data) as well as the interacting front-end clients that allow to viewing of audio and video (including identifiable Personal Data) as well as generating analytics on the usage (“Services”).

Nature and purpose of the processing: The Processor collects, processes and uses the Personal Data of the Data Subjects on behalf of the Controller in order to enable remote experts to support health care professionals remotely without requiring on-site presence.

The headset used in the operating room visualizes the following privacy related images:

• OR Staff
• Images of unidentified patient
• Displays and screens in the OR

The audio and video is only transmitted to a certified remote assistant in a 1-to-1 mode. Upon specific exception, the session can be broadcasted to a larger audience (for training & education use cases). By default, videos and images are not stored during or after transmission. With an exceptional setting, remote assistants can be allowed to record a session on their personal computer hard disk.

The remote assistants consent to strict instructions for professional behaviour as they would in the OR (https://rods-cones.com/re_terms/)

Rods&Cones stores the following personal data of  the remote assistants: Email address; Surname, first name.

3. Rights and Obligations of Controller

The Controller remains the responsible data controller for the Processing of the Personal Data as instructed to the Processor based on this DPA and as otherwise instructed. The Controller has instructed and throughout the duration of the commissioned data processing will instruct Rods&Cones to Process the Personal Data only on Controller’s behalf and in accordance with the Applicable Data Protection Law, this DPA and Controller’s instructions. The Controller is entitled and obliged to instruct Rods&Cones in connection with the Processing of the Personal Data, both generally and in individual situations. Instructions may also relate to the correction, deletion, blocking of the Personal Data. Instructions shall generally be given in writing, unless the urgency or other specific circumstances require another (e.g., oral, electronic) form. Instructions in another form than in writing shall be confirmed by the Controller in writing without delay. To the extent that the implementation of an instruction results in costs for Rods&Cones, it will first inform the Controller about such costs. Only after the Controller’s confirmation to bear such costs for the implementation of an instruction, the Processor is required to implement such instruction.

4. Obligations of Processor

Rods&Cones shall:

1. process the Personal Data only as instructed by the Controller and on the Controller’s behalf; such instruction is provided in this DPA and otherwise in documented form as specified in clause 3 above. Such obligation to follow the Controller’s instruction also applies to the transfer of the Personal Data to a Third Country.
2. inform the Controller promptly if Rods&Cones cannot comply with any instructions from the Controller for whatever reasons;
3. keep the Personal Data in strict confidence and
4. and shall only Process the Personal Data to perform the Services and for no other purpose, unless authorized in advance in writing by Customer.
5. ensure that persons authorized by Rods&Cones to Process the Personal Data on behalf of the Controller have committed themselves to confidentiality or are under an appropriate obligation of confidentiality and that such persons that have access to the Personal Data Process such Personal Data in compliance with the Controller’s instructions.
6. implement the Technical and Organizational Security Measures which will meet the requirements of the GDPR before Processing of the Personal Data and ensure to provide sufficient guarantees to the Controller on Such Technical And Organizational Security Measures.
7. assist the Controller by appropriate technical and organizational measures, insofar as this is feasible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the Data Subjects rights concerning information, access, rectification and erasure, restriction of processing, notification, data portability, objection and automated decision-making; to the extent such feasible technical and organizational measures require changes or amendments to the Technical And Organizational Measures, the Processor will advise the Controller on the costs to implement such additional or amended technical and organizational measures. Once the Controller has confirmed to bear such costs, the Processor will implement such additional or amended technical and organizational measures to assist the Controller to respond to Data Subject’s requests.
8. make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and in Art. 28 GDPR and allow for and contribute to audits, including inspections conducted by the Controller or another auditor mandated by Controller. The Controller is aware that any in-person on-site audits may significantly disturb Rods&Cones’ business operations and may entail high expenditure in terms of cost and time. Hence, the Controller may only carry out an in-person on-site audit if the Controller reimburses the Processor for any costs and expenditures incurred by the Controller due to the business operation disturbance.
9. notify the Controller without undue delay:
   • about any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
   • about any complaints and requests received directly from Data Subjects (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless it has been otherwise authorized to do so;
   • if the Processor is required pursuant to EU or Member State law to which the Processor is subject to process the Personal Data beyond the instructions from the Controller, before carrying out such processing beyond the instruction, unless that EU or Member State law prohibits such information on important grounds of public interest; such notification shall specify the legal requirement under such EU or Member State law;
   • if, in the Processor’s opinion, an instruction infringes the GDPR; upon providing such notification, the Processor shall not be obliged to follow the instruction, unless and until the Controller has confirmed or changed it; and
   • after the Processor becomes aware of a Personal Data Breach at Rods&Cones. In case of such a Personal Data Breach, the Processor upon the Controller’s written request will assist the Controller with the Controller’s obligation under Applicable Data Protection Law to inform the data subjects and the Supervisory Authorities, as applicable, and to document the Personal Data Breach.
10. assist the Controller with any Data Protection Impact Assessment as required by Art. 35 of the GDPR that relates to the Services provided by the Processor to the Controller and the Personal Data processed by the Processor on behalf of the Controller.
11. deal with all inquiries from the Controller relating to its Processing of the Personal Data subject to the processing (e.g., to enable the Controller to respond to complaints or requests from Data Subjects in a timely manner) and abide by the advice of the Supervisory Authority with regard to the Processing of the data transferred.
12. that, to the extent that the Processor is required and requested to correct, erase and/or block Personal Data processed under this DPA, the Processor will do so without undue delay. If and to the extent that Personal Data cannot be erased due to statutory retention requirements, the Processor shall, in lieu of erasing the relevant Personal Data, be obliged to restrict the further Processing and/or use of Personal Data, or remove the associated identity from the Personal Data (hereinafter referred to as “blocking”). If the Processor is subject to such a blocking obligation, the Processor shall erase the relevant Personal Data before or on the last day of the calendar year during which the retention term ends.

5. Sub-processing

1. The Controller authorizes the use of Sub-processor(s) engaged by the Processor for the provision of the Services. The Controller approves the use of the following Sub-processor(s):
   

   Name	Address	Purpose of use
   Microsoft Ireland ltd	One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland	Hosting of application
   Xirsys LLC	25061 Avenue Stanford, Suite 10; Santa Clarita, California 91355, US	Turn server provider
   OpenVPN	7901 Stoneridge Drive, Suite 240, Pleasanton, California 94588, US	VPN client

2. In case the Processor intends to engage new or additional Sub-processors, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of any Sub-processor (“Sub-processor Notice“). If the Controller has a reasonable basis to object to the use of any such new or additional Sub-processor, the Controller shall notify the Processor promptly in writing within 14 days after receipt of the Sub-processor Notice. In the event the Controller objects to a new or additional Sub-processor, and that objection is not unreasonable, the Processor will use reasonable efforts to make available to the Controller a change in the Services or recommend a commercially reasonable change to the Controller’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new or additional Sub-processor without unreasonably burdening the Controller. If the Processor is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, the Controller may terminate the effected part of the DPA with respect only to those Services which cannot be provided by the Processor without the use of the objected-to new or additional Sub-processor by providing written notice to the Processor.
3. The Processor shall impose the same data protection obligation as set out in this DPA on any Sub-processor by contract. The contract between the Processor and the Sub-processor shall in particular provide sufficient guarantees to implement the Technical and Organizational Security Measures, to the extent such Technical and Organizational Security Measures are relevant for the services provided by the Sub-processor.
4. The Processor shall choose the Sub-processor diligently.
5. In case any such Sub-processor is located in a Third Country, the Processor upon the Controller’s written request will enter with the relevant Sub-processor on the Controller’s behalf (in the name of the Controller) into EU Model Contract (Controller to Processor), pursuant to Decision 2010/87/EU. In this case, the Controller instructs and authorizes the Processor to instruct Sub-processors in the Controller’s name and to make use of all Controller’s rights vis-a-vis the Sub-processors based on the EU Model Contract.
6. The Processor shall remain liable to the Controller for the performance of the Sub-processor’s obligations, should the Sub-processor fail to fulfill its obligations. However, the Processor shall not be liable for damages and claims that ensue from the Controller’s instructions to Sub-processors.

6. Limitation of liability

Any liability arising out of or in connection with this DPA shall follow, and be exclusively governed by, the liability provisions set forth in, or otherwise applicable this DPA and not elsewhere. Therefore, and for the purpose of calculating liability caps and/or determining the application of other limitations on liability, any liability occurring under this DPA shall be deemed to occur under the provisions of this DPA.

7. Duration and termination

1. The term of this DPA is identical with the term of the Underlying Agreement. Save as otherwise agreed herein, termination rights and requirements shall be the same as set forth in the  Underlying Agreement.
2. The Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete any existing copies unless EU or Member State law requires the Processor to retain such Personal Data.

8. Miscellaneous

1. In the event of inconsistencies between the provisions of this DPA and any other existing agreements between the Parties, the provisions of this DPA shall prevail with regard to the Parties’ data protection obligations. In case of doubt as to whether clauses in such other agreements relate to the Parties’ data protection obligations, this DPA shall prevail.
2. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or – should this not be possible – (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. The foregoing shall also apply if this DPA contains any omission.
3. Without prejudice to the applicability of the GDPR to this DPA and the Processing thereunder, his DPA shall be governed by the same law of Belgium.

9. Security Measures

Rods&Cones shall, as a minimum, maintain Technical and Organizational Security Measures and procedures to protect the security of personal data created, collected, received, or otherwise obtained.

Technical and organizational security measures can be considered as state of the art. Rods&Cones will evaluate technical and organizational security measures over time, considering costs for implementation, nature, scope, context and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Rods&Cones shall ensure:

1. that it has properly configured access rights for its employees, including a well-defined joiners and leavers process to ensure access rights are properly managed;
2. that it has proper controls in place to make sure that complex alphanumeric passwords are required for access to the Personal Data and that training is provided in relation to the need to keep such passwords secure;
3. it has in place procedures to identify wrongful use of Personal Data, including the monitoring of wrongful access to Personal Data;
4. it has in place procedures to identify wrongful use of Personal Data, including the monitoring of wrongful access to Personal Data;
5. suitable and effective authentication processes are established and used to protect Personal Data;
6. the Personal Data stored on laptops or other portable media is encrypted;
7. the Personal Data is not visible via the internet. In the event that web based access to the Personal Data is allowed such access shall only be with regard to the relevant data.
8. any Personal Data held as hard copy shall be stored in locked cabinets within locked offices, accessed only by authorised individuals.
9. that it maintains an accurate, up to date asset register, including all such portable media used for the Processing;
10. that employees are not able to access the Personal Data from home or via their own electronic device other than through a secure electronic network and that the Personal Data may not be stored on such devices;
11. that suitable physical security measures are established commensurate to the harm that could result from the unlawful disclosure of Personal Data.  Such  physical security measures shall be as identified in Rods&Cones’ data security policy;
12. that Rods&Cones establishes and maintains adequate data security compliance policies and audits its use of personal data in compliance with its data security policies on a regular basis and in any event annually; and
13. that it nominates in writing an individual to take responsibility and be accountable for compliance with the DPA.