1.1 When UgenTec performs Services, it shall (i) have access to Personal Data (as defined hereinafter) and (ii) have to Process Personal Data for which the Customer is responsible as a Controller in accordance with the Privacy Legislation (as defined hereinafter).
1.2 This Data Processing Agreement (“DPA”) applies to the Processing of Personal Data by UgenTec and determines (i) how UgenTec will manage, secure and process the Personal Data, and (ii) Parties’ obligation to comply with the Privacy Legislation.
Relying on the Services of UgenTec entails the Customer's approval of this Data Processing Policy and consequently of how UgenTec processes the personal data of the Customer. In case of any contradiction between this DPA and the Agreement or any other document regarding the same subject matter, the provisions of this DPA shall prevail to the extent the corresponding provisions are irreconcilable.
2. SPECIFIC DEFINITIONS
In addition to the definitions under the Agreement and/or UgenTec's GT&C, the following concepts have the meaning described in this article (when written with a capital letter):
3. ROLES OF THE PARTIES
3.1 Although the Parties acknowledge that their respective status is determined by the Privacy Legislation, the Parties are of the view that in the context of the Services and this DPA the Customer is a Data Controller and UgenTec shall be a Data Processor in respect of the Processing of Personal Medical Data during the course of the provision of the Services. The Parties acknowledge that the Customer alone determines all the purposes and essential means of the Processing of said Personal Medical Data and qualifies as Controller and UgenTec shall Process Personal Medical Data on behalf of the Customer, as Processor.
3.2 Notwithstanding the foregoing, UgenTec is also a Data Controller in respect of certain processing activities, of which an overview is provided in Annex A to this DPA.
4. PRIMARY SUBJECT OF THE AGREEMENT
4.1 The Parties acknowledge that, given the provision of the Services, UgenTec will, as mentioned in the Agreement, process Personal Data on behalf of the Customer. When and where UgenTec acts as a Processor, it purely acts as a facilitator of the Services. Hence, the Controller shall be solely responsible for how it makes use of the Services.
4.2 The Parties guarantee that they (as well as their Employees) will process the Personal Data in accordance with the Privacy Legislation.
4.3 Both Parties will mutually support each other in the performance of their obligations under the Privacy Legislation, and the Customer will inform UgenTec about any specific provisions of the Privacy Legislation that deviate from the legislation of the European Union regarding the protection of Personal Data (e.g. in relation to the identity and thus the location of the End Users).
4.4 Each Party, when and where it acts as a Controller, owns and retains full control concerning (i) the types of Processing of the Personal Data, (ii) the types of Personal Data to be Processed, (iii) the purposes of the Processing and (iv) whether such Processing is proportionate.
4.5 Moreover, each Party, when and where it acts as a Controller, is solely responsible to comply with all (legal) obligations under the Privacy Legislation in its capacity as Controller and will have the sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which it acquired such Personal Data.
4.6 Irrespective of its roles (be it Controller or Processor), UgenTec shall solely disclose the Personal Data to those Employees who need (access to) the Personal Data for the performance of its obligations under the Agreement, and for the remainder keep them confidential, unless the Customer has given its prior consent to such disclosure or such disclosure is required by law or by court order or other governmental decision (of any kind).
4.7 UgenTec shall ensure that its Employees are informed about the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements (which obligations shall survive the termination of such Employee’s engagement).
5. ANONYMIZED AND AGGREGATED DATA
5.1 The Parties acknowledge that UgenTec may use anonymized and aggregate data, such as data generated by the UgenTec-Platform, for, among others, the following purposes:
a) to provide summaries and insights on the use of the UgenTec-Platform and the assays for the UgenTec-Platform to the Customer (to the extent these Services are included in the Agreement),
b) to perform statistical (non-clinical) analyses and to create demographic overviews of test results in order to detect or predict epidemics, spread of illnesses, etc.,
c) to create fully anonymized demo data, and
d) to improve or increase the services offered by UgenTec.
5.2 Strictly related to these purposes, UgenTec may also provide the anonymized and aggregate data to third parties, it being noted that UgenTec is solely responsible for ensuring that such provision fully complies with the Privacy Legislation.
5.3 As these anonymized and aggregate data cannot in any manner be linked to a corresponding data subject, these data do not constitute Personal Data in the context of the Agreement. After the data has been fully anonymized and aggregated by UgenTec, the other provisions of this DPA do not apply to this anonymized and aggregated data. In this respect, UgenTec is sole controller.
6.1 Schedule B lists the Sub Processors UgenTec may engage in the processing of the Personal Data.
6.2 UgenTec ensures that all Sub Processors engaged by it in the processing of the Personal Data are obliged to comply with at least the same level of protection of Personal Data as mentioned in this DPA.
6.3 Where a Sub Processor fails to fulfil its data protection obligations, UgenTec shall remain fully liable to the Customer for the performance of that Sub Processor's obligations.
6.4 UgenTec may update the list of Sub Processors from time to time and shall inform the Customer of any changes to this list where they are relevant to data processing activities where the Customer is Controller and UgenTec is Processor. The Customer is entitled to reasonably object to the appointment of a new Sub Processor by UgenTec, which objection will be taken into consideration by UgenTec. If the Customer wishes to exercise this right to object, the Customer shall notify UgenTec in writing and in a reasoned manner no later than ten (10) days after receipt of UgenTec's notice. If no objection is raised during this period, the changes are deemed to be accepted by the Customer.
6.5 In the event the Customer reasonably objects to the engagement of a new Sub Processor, UgenTec will use reasonable efforts to (i) find another Sub Processor of whom the Customer approves or (ii) ensure that the Sub Processor guarantees to act according to the (additional) reasonable requirements and conditions set by the Customer.
6.6 UgenTec shall not transfer Personal Data to a Sub Processor located outside of the European Economic Area in a country not adducing an adequate level of data protection without the Customer's prior specific authorization and without such transfer being covered by appropriate safeguards in accordance with the Privacy Legislation.
7. SECURITY OF THE PROCESSING
7.1 In accordance with the essence of the right to data protection, the fundamental rights and the interests of a data subject, the contractual agreements between the Parties (e.g. service level agreements) and taking into account the state of the art in data security, costs of implementation and the nature of the data (e.g. genetic data) and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, UgenTec implements appropriate technical and organizational measures for the protection, confidentiality and integrity of the Personal Data, including protection against Data Breach, such as:
a) the pseudonymisation and encryption of Personal Data,
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services,
c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, and
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
7.2 The Parties agree that with regard to article 7.1 and in order to meet the reliability requirements set by the Customer, UgenTec will implement the technical and organizational security measures as described in Schedule C.
7.3 UgenTec will regularly review its technical and organizational security measures, and update them where necessary.
8. SECURITY REPORTS AND AUDIT RIGHT
8.1 As part of the review and evaluation of the security measures, UgenTec will once every year have a security audit performed by an independent third party (expert), according to generally accepted audit standards which will be documented in a written security report. The Customer may request a copy of this security report.
8.2 UgenTec shall take reasonable measures in order to adequately remedy the observed critical threats, weaknesses and other identified problems, and promptly implement the necessary improvements identified in the security report.
8.3 UgenTec shall make available to the Customer all information reasonably required to allow verification by the Customer of UgenTec's compliance with the provisions of this DPA, and shall allow for and reasonably participate in reasonable inspections, including audits, conducted by the Customer or by an auditor mandated by the Customer, which will be announced at least three (3) weeks in advance, occur at the Customer's sole expense and take place at most once (1) a year.
9. LOCATION OF PROCESSING AND POSSIBLE TRANSFERS
9.1 Irrespective of the processing location chosen by the Customer, UgenTec will process all Personal Data (or have Personal Data processed by Sub Processors) related to logging in to the UgenTec-Platform (including authentication) in the European Economic Area.
9.2 UgenTec will not transfer such Personal Data outside of the European Economic Area, unless:
a) the Customer has given its express consent thereto and
b) the country to which the Personal Data are transferred falls under an adequacy decision issued by the European Commission, or such transfer is governed by the terms of an agreement, containing either standard contractual clauses as published in the Decision of the European Commission of 4 June 2021 (Decision 2021/914) or other mechanisms foreseen by the Privacy Legislation.
9.3 Neither the Customer nor End Users shall access the UgenTec-Platform from a country outside the European Economic Area, unless agreed otherwise in writing.
10. DATA BREACH NOTIFICATION
10.1 Both Parties maintain reasonable procedures designed to detect and respond to Data Breaches, including procedures for preventive and corrective actions, and also to avoid recurrence of any Data Breaches.
10.2 Irrespective of the roles of the Parties (be it controller or processor), both Parties acknowledge and agree to support each other. If either Party detects a Data Breach or has established that a Data Breach has occurred in the Processing operations related to this DPA, such Party shall notify the other Party as soon as possible, and within the legal timeframe stipulated by the Privacy Legislation, by e-mail and by telephone to the (backup) contact person(s) of the other Party referred to in Schedule D. Should such Party not reach the other Party's contact persons immediately, it shall use all reasonable efforts to contact an appropriate person within the other Party directly.
10.3 When and where UgenTec acts as Processor and the Customer is Controller, UgenTec shall provide reasonable feedback and support to the Customer upon discovery or reasonable suspicion of a Data Breach where UgenTec is involved.
10.4 UgenTec shall notify the Customer in writing about the following: (i) the date of discovery or reasonable suspicion of a Data Breach, (ii) a description of the (potential) Data Breach, (iii) the names of the Data Subjects whose Personal Data might possibly have been affected, as well as (iv) a description of the type of the affected Personal Data. In such case, UgenTec shall, with all reasonable assistance, (i) thoroughly investigate the potential Data Breach, (ii) take appropriate measures to remedy the situation and to avoid a recurrence or the occurrence of a similar situation, and (iii) support the other Party in complying with the Privacy Legislation in relation to its Data Breach notification duties towards affected Data Subjects or authorities.
11. REQUESTS OF DATA SUBJECTS
11.1 UgenTec shall at all times reasonably cooperate with the Customer to enable it to fully comply with its obligations as Data Controller if a Data Subject exercises any of its rights under the Privacy Legislation.
11.2 UgenTec shall notify the Customer in writing, no later than five (5) Business Days after receiving such request, if it receives a request from a Data Subject as set forth in the previous clause, and shall provide the Customer with copies of all the correspondence it has received in this respect. Upon timely provision of this information by UgenTec, solely the Customer is responsible for responding to the Data Subject's request in accordance with the Privacy Legislation.
11.3 Upon express request by the Customer, UgenTec shall correct, delete or otherwise amend the Personal Data, in accordance with the reasonable instructions of Customer and to the extent permitted under the Privacy Legislation.
11.4 The Customer is not responsible for costs arising from UgenTec’s provision of regular assistance, which are considered as the costs involved with enabling the Customer to comply with its legal obligations towards Data Subjects or Governmental Authorities (such as correcting, deleting or amending Personal Data of Data Subjects or assistance in relation to Data Breaches). If the costs are the result of the Customer’s instructions with a broader scope, such costs will be borne by the Customer.
12. REQUESTS OF GOVERNMENTAL AUTHORITIES
12.1 In case UgenTec receives a request from a Governmental Authority relating to (inspection of) the Personal Data, UgenTec shall as soon as possible – to the extent reasonable prior to providing (inspection of) Personal Data – inform the Customer thereof in writing, and provide the Customer with copies of all the correspondence it has received in this respect. UgenTec shall solely respond to such request in case of a legal obligation under the Privacy Legislation. The Customer may provide UgenTec with reasonable instructions in this respect which UgenTec shall follow, unless this would impede the fulfillment of the aforementioned legal obligation under Privacy Legislation.
12.2 To safeguard the protection of Personal Data, UgenTec shall not provide more Personal Data to the Governmental Authority than strictly necessary to meet the request of such Governmental Authority.
13. TERM, TERMINATION AND RETURN AND DELETION OF PERSONAL DATA
13.1 This DPA remains in effect for the duration of the Agreement. In the event the Agreement is terminated, this DPA is terminated as well. Early termination of this DPA alone is not possible.
13.2 Unless UgenTec is required by the Privacy Legislation to retain the Personal Data, UgenTec shall upon termination of this DPA or on such earlier date that the Customer determines the Personal Data or any part of it is no longer required to provide the Services, ensure that, at the Customer’s choice, communicated to UgenTec in writing, (i) the Personal Data will be returned or provided to the Customer or an alternative service provider appointed by the Customer by download or at the expense of the Customer on a data carrier that the Customer deems to be suitable, or (ii) the Personal Data will be destroyed.
13.3 UgenTec commits to immediately cease and desist all Processing of (the relevant) Personal Data upon providing, returning or destroying the Personal Data, except to the extent these Personal Data may be part of backups which cannot for technical reasons be removed. UgenTec shall provide the Customer with a statement in writing and a guarantee, and allow Customer to verify that the (relevant) Personal Data will no longer be processed (save for storage) by UgenTec or a subcontractor engaged by UgenTec.
13.4 If the Customer, upon termination of the Agreement, has expressed its wish to continue the Processing of the Personal Data, and it is not reasonably possible to return the Personal Data to the Customer or a replacing service provider in such a manner that the Processing of the Personal Data can be continued without any irregularities, UgenTec will, upon the request and at the expense of the Customer, continue the Processing of the Personal Data during a reasonable term as an emergency plan, under similar conditions which have been laid down in this DPA and the Agreement, until the Customer or another service provider reasonably can take care of the Processing of the Personal Data and the Personal Data can be provided in an appropriate manner.
13.5 Any obligation arising from this DPA that by nature has post-contractual effect shall continue to be in effect after the termination of this DPA.
14.1 The Parties shall each be responsible and liable for their own actions.
14.2 Without detriment to the fact that the liability of the Parties is regulated within the framework of the Agreement, it is expressly agreed that the Customer as Controller shall reimburse and indemnify UgenTec as Processor for all claims, actions and demands by third parties and for all direct damage and direct losses (also including fines imposed by the data protection authority) resulting from situations for which the Controller is liable and in which the Processor was involved in an unlawful or unnecessary manner.
14.3 The Parties shall ensure sufficient cover of their liability in this particular respect.
Schedule A: Overview of the Processing Activities
UgenTec as a Processor
Ways, purposes and means of the data processing activities
Duration of the data processing
Categories of Data subjects
- Store, process, visualize.
- To improve and/or expand the products and services offered by UgenTec, if so requested by Controller.
- Project management
- Support services
All PCR data and derived results are stored within the selected region.
UgenTec as a Controller
Ways, purposes and means of the data processing activities
Duration of the data processing
Schedule B: Subcontractors & Third-party Software
Schedule C: Technical & Organizational Security Measures
Reliability requirements and security measures
- Elaboration of specific technical and organizational measures implemented by UgenTec
- Organizational measures:
- Good practices to keep overview on the organization with an adequate governance framework.
- User level access control for all software/systems that can contain Personal Data.
- User-access-level requests with multiple reviewers to guarantee user access control policy.
- Strict infrastructure & security policy.
- Strict password management.
- Advanced training for every new employee in the infrastructure & security policy.
- Access control for every room that is used to store Personal Data.
- Certified supplier for the hosting of the FastFinder product.
- Recurrent risk analysis to detect potential product risks (e.g. in regard to data processing).
- Clear procedures to protect Personal Data.
- Clear procedure for when access to Personal Data needs to be revoked.
- Clear resource/asset management for all electronic devices.
- Dedicated security officer who is responsible for maintaining the security policy and ensuring that the policy is followed.
- Strict supplier management with recurring review and an advanced supplier assessment before selection of a new supplier.
- Clear incident management plan.
- All employees are adequately informed about the security controls of the IT system that relate to their everyday work.
- The organization ensures that all employees understand their responsibilities and obligations related to the processing of Personal Data. Roles and responsibilities are clearly communicated.
- Full backups are carried out regularly.
- During the development lifecycle, best-practice, state-of-the-art and well-acknowledged secure development practices, frameworks or standards are followed.
- Specific security requirements are defined during the early stages of the development lifecycle.
- SSL-encrypted connections between client and server side.
- Dedicated databases per laboratory.
- Proven SSL certificates for the back-end services.
- Strict access control for database and storage management.
- Software development is done on a development environment, and in no case on the production environment with Personal Data.
- Copies of the backup are securely stored in different locations.
Schedule D: Contacts & Backups
Name and job title
Other information, including email addresses
Wouter Uten, COO
Backup contact 1: Willem Geerts, support engineer
Backup contact 2: Steven Verhoeven, CEO