Startup data processing agreement
This data processing agreement is concluded as an integral part of the Thryve startup package contract.
1 DEFINITIONS
(1) Controller according to Art. 4 (7) GDPR is the body which, alone or jointly with other controllers, determines the purposes and means of the processing of personal data.
(2) Processor according to Art. 4 (8) GDPR is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
(3) Personal data according to Art. 4 (1) GDPR is any information relating to an identified or identifiable natural person (“the person concerned”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(4) Particularly vulnerable personal data are personal data according to Art. 9 GDPR revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the person concerned, personal data according to Art. 10 GDPR relating to criminal convictions and offences or related security measures, genetic data according to Art. 4 (13) GDPR, biometric data, health data and data concerning the sex life or sexual orientation of a natural person.
(5) Processing according to Art. 4 (2) GDPR is any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(6) Supervisory authority according to Art. 4 (21) GDPR is an independent public authority established by a Member State pursuant to Art. 51 GDPR.
2 RESPONSIBLE DATA PROTECTION SUPERVISORY AUTHORITY
(1) The responsible supervisory authority for the Company is the Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin.
(2) The Customer and the Company and, where applicable, their representative shall, upon request, cooperate with the supervisory authority in the performance of their duties.
3 SUBJECT MATTER OF THE CONTRACT
(1) The Company performs services for the Customer in the processing of activity and vital data from mobile devices for the purpose of standardizing, researching, supplementing and providing health-related data on the basis of this contract (“Enterprise Service Agreement” in connection with the “General Terms and Conditions” of the Company), hereinafter referred to as the “main contract”. The Company receives access to personal data and processes these exclusively on behalf of and under the instructions of the Customer. The scope and purpose of the data processing by the Company result from the main contract (and the corresponding service specifications). The Customer is responsible for assessing the lawfulness of the data processing.
(2) To clarify the mutual rights and obligations under data protection law, the parties conclude this agreement. In case of doubt, the provisions of this agreement take precedence over the provisions of the main contract.
(3) The provisions of this agreement apply to all activities related to the main contract in which the Company, its employees or agents of the Company come into contact with personal data originating from the Customer or collected for the Customer.
(4) The term of this agreement follows the term of the main contract unless the following provisions give rise to obligations or termination rights extending beyond it.
4 RIGHT OF INSTRUCTIONS
(1) The Company may only collect, process or use data within the framework of the main contract and in accordance with the instructions of the Customer; this applies in particular to the transfer of personal data to a third country or to an international organization. If the Company is required by the law of the European Union or of a Member State to which it is subject to process the data further, it shall inform the Customer of that legal requirement before processing.
(2) All instructions issued are to be documented by both the Customer and the Company. Instructions that go beyond the service specified in the main contract are treated as a request for a change in the service specifications.
(3) If the Company is of the opinion that an instruction of the Customer violates data protection regulations, it must inform the Customer immediately. The Company is entitled to suspend execution of the relevant instruction until it has been confirmed or changed by the Customer. The Company may refuse to carry out a manifestly unlawful instruction.
5 TYPE OF PROCESSED DATA, PERSONS CONCERNED
(1) Within the framework of the execution of the main contract, the Company has access to the personal data specified in Annex 2.1. These data include the special categories of personal data listed in Annex 2.1 and identified as such.
(2) The persons concerned by the data processing are described in Annex 2.2.
6 PROTECTIVE MEASURES OF THE COMPANY
(1) The Company is obliged to observe the statutory provisions on data protection and not to disclose the information obtained from the Customer’s sphere to third parties or to give them access to it. Documents and data are to be secured against access by unauthorized persons, taking into account the state of the art.
(2) The Company will, within its area of responsibility, design its internal organization in such a way that it meets the special requirements of data protection. It shall take all technical and organizational measures necessary to adequately protect the data of the Customer in accordance with Art. 32 GDPR, in particular at least the measures listed in Annex 2.3, namely:
a) entry control
b) admission control
c) access control
d) pass-on control
e) input control
f) order control
g) availability control
h) separation control
The Company reserves the right to change the security measures taken, provided that the contractually agreed level of protection is not undercut.
(3) Appointed as company data protection officer / contact for data protection at the Company: Hannes Schenk, privacy@thryve.de.
(4) Persons employed by the Company in the processing of data are prohibited from collecting, processing or using personal data without authorization. The Company will bind all persons it entrusts with the processing and fulfillment of this contract (hereinafter referred to as employees) to confidentiality (Art. 28 (3) lit. b GDPR) and ensure compliance with this obligation with due diligence. These obligations must be framed so that they persist even after termination of this contract or of the employment relationship between the employee and the Company. The Company must demonstrate these obligations to the Customer on request in an appropriate manner.
7 INFORMATION OBLIGATIONS OF THE COMPANY
(1) In the event of faults, suspected breaches of data protection or of contractual obligations by the Company, suspected security incidents or other irregularities in the processing of personal data by the Company, by persons employed by the Company or by third parties, the Company will inform the Customer without undue delay in writing or in text form. The Company is aware that the Customer is legally obliged to notify the competent data protection supervisory authority within 72 hours and will make every effort to enable the Customer to comply with this time limit. The same applies to inspections of the Company by the data protection supervisory authority. The notification of a personal data breach contains at least the following information:
a) a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) a description of the measures taken or proposed by the Company to address the breach and, where appropriate, measures to mitigate its possible adverse effects.
(2) The Company shall without undue delay take the measures necessary to safeguard the data and to mitigate any possible adverse consequences for the persons concerned, inform the Customer of these measures and request further instructions.
(3) In addition, the Company is obliged to provide the Customer with information at any time insofar as the Customer’s data are affected by an infringement according to paragraph 1.
(4) Should the data of the Customer be endangered by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the Company shall inform the Customer without delay, unless this is prohibited by court or official order. In this context, the Company will promptly inform all competent authorities that the authority to decide on the data lies exclusively with the Customer as “controller” within the meaning of the GDPR.
(5) The Company must inform the Customer of any significant changes to the security measures pursuant to § 6 (2) without undue delay.
(6) The Customer is to be informed immediately of any change in the person of the company data protection officer / contact person for data protection.
(7) The Company and, if applicable, its representative within the meaning of the GDPR keep a record of all categories of processing activities carried out on behalf of the Customer containing all information required by Art. 30 (2) GDPR. The record must be made available to the Customer upon request.
(8) The Company must cooperate to a reasonable extent in compiling the Customer’s records of processing activities.
8 CONTROL RIGHTS OF THE CUSTOMER
(1) The Customer shall satisfy itself, before the start of data processing and regularly thereafter, that the Company’s technical and organizational measures are being complied with. For this purpose the Customer may, for example, request information from the Company, examine certificates issued by experts, certifications or internal audit reports, or personally check the technical and organizational measures of the Company during usual business hours after timely coordination, or have them checked by a knowledgeable third party, provided that this third party is not a competitor of the Company. The Customer will only carry out checks to the extent required and will not disproportionately disturb the operations of the Company.
(2) The Company will provide the Customer, at its oral or written request and within a reasonable period of time, with all the information and evidence necessary to check the technical and organizational measures taken by the Company.
(3) The Customer documents the result of the inspection and informs the Company. If the Customer identifies errors or irregularities, in particular when checking the results of the contractual services, it must inform the Company immediately. If circumstances are identified during the inspection whose future avoidance requires changes to the agreed procedure, the Customer shall notify the Company of the necessary procedural changes without delay.
(4) Upon request, the Company shall provide the Customer with a comprehensive and up-to-date data protection and security concept for the processing on behalf of the Customer and for the authorized persons. The Company shall demonstrate to the Customer on request that the employees have been bound in accordance with § 6 (4).
(5) The Company is entitled to invoice, at its daily rate, expenses incurred through inquiries or orders of the Customer or its end users within the scope of this data processing agreement, unless the law requires the Company to bear them.
9 USE OF SUBCONTRACTORS
(1) The contractually agreed services or the partial services described below are carried out with the involvement of the subcontractors listed in Annex 2.4. The Company is authorized to enter into further subcontracts with subcontractors (“subcontractor relationship”) as part of its contractual obligations. It shall inform the Customer immediately, and the Customer has the right to object to newly added subcontractors within 10 business days. The Customer’s consent to newly added subcontractors shall not be withheld unreasonably. The Company is required to select subcontractors carefully with regard to their suitability and reliability. When engaging subcontractors, the Company must bind them in accordance with the provisions of this agreement and ensure that the Customer can also exercise its rights under this agreement (in particular its inspection and control rights) directly vis-à-vis the subcontractors. If subcontractors in a third country are to be engaged, the Company must ensure that the respective subcontractor guarantees an adequate level of data protection (e.g. by concluding an agreement based on the EU standard data protection clauses). The Company will demonstrate to the Customer on request that the aforementioned agreements with its subcontractors have been concluded.
(2) A subcontractor relationship within the meaning of these provisions does not exist if the Company entrusts third parties with services that are to be regarded as ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without specific reference to the services that the Company provides for the Customer, and security services. Maintenance and testing services constitute subcontractor relationships subject to approval insofar as they are provided for IT systems that are also used in connection with the provision of services for the Customer.
10 INQUIRIES AND RIGHTS OF PERSONS CONCERNED
(1) The Company shall, as far as possible, assist the Customer with suitable technical and organizational measures in fulfilling its obligations under Art. 12 to 22 and 32 to 36 GDPR.
(2) If a person concerned asserts rights, such as access to, rectification or erasure of his or her data, directly against the Company, the Company shall not respond on its own but shall immediately refer the person concerned to the Customer and await the Customer’s instructions.
11 LIABILITY
(1) For compensation of damage suffered by a person concerned due to unlawful or incorrect data processing or use in the context of processing on behalf of the Customer under the data protection laws, the Customer alone is liable to the person concerned.
(2) A party is released from liability if it proves that it is in no way responsible for the circumstances that caused the damage to the person concerned.
(3) The limitations of liability agreed in the main contract apply and are not restricted by this agreement.
12 EXTRAORDINARY RIGHT OF TERMINATION
(1) The Customer may terminate the main contract without notice, in whole or in part, if the Company fails to fulfill its obligations under this agreement, intentionally or through gross negligence violates provisions of the GDPR, or cannot or will not execute a legitimate instruction of the Customer within two weeks. In the case of simple, i.e. neither intentional nor grossly negligent, violations, the Customer sets the Company a reasonable period within which the Company can remedy the infringement.
13 TERMINATION OF THE MAIN CONTRACT
(1) Upon completion of the main contract or at the Customer’s request, the Company shall return to the Customer all documents, data and data carriers provided to it or, at the Customer’s request, delete them, unless there is an obligation under EU law or the law of the Federal Republic of Germany to retain the personal data. This also applies to any data backups held by the Company. The Company must document the proper deletion of any remaining data and provide this documentation as proof. Documents to be disposed of must be destroyed using a document shredder in accordance with DIN 32757-1. Data media to be disposed of must be destroyed in accordance with DIN 66399.
(2) The Customer has the right to verify the complete and contractual return or deletion of the data by the Company in a suitable manner.
(3) The Company is obliged to keep the data disclosed to it in connection with the main contract confidential even after the end of the main contract. This agreement survives the end of the main contract for as long as the Company holds personal data provided to it by the Customer or collected by it on the Customer’s behalf.
14 FINAL PROVISIONS
(1) The parties agree that the assertion of a right of retention by the Company under § 273 of the German Civil Code (BGB) with regard to the data to be processed and the associated data carriers is excluded.
(2) Changes and additions to this agreement must be made in writing. This also applies to any waiver of this written-form requirement. The precedence of individual contractual agreements remains unaffected.
(3) Should individual provisions of this agreement be or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions.
(4) This agreement is governed by German law. The exclusive place of jurisdiction for disputes arising from this agreement is the registered office of the Company.
ANNEXES
Annex 2.1 Description of data / categories of data requiring special protection
Annex 2.2 Description of the affected / affected groups
Annex 2.3 Technical and organizational measures of the Company
Annex 2.4 List of Subcontractors
Annex 2.5 Authorized Persons
Annex 2.1 – Description of the most vulnerable data / data categories
Through Thryve, health and activity-related data is aggregated from various sources. This aggregation takes place on the basis of pseudonymised identifiers, so that Thryve does not store personal identity data of End Users. The aggregated data fall into the following categories:
* daily activities (such as running, walking, activity etc.)
* location
* sports (such as football, workouts, aerobics etc.)
* sleep (such as deep sleep, light sleep, etc.)
* vital data (such as weight, heart rate, blood pressure, blood sugar level, respiration etc.)
* behavioral information (such as nutrition information, mood information, etc.)
* Meta information (such as stress, range of motion)
The future incremental expansion of integrated sources may expand the data and data categories processed. The Company grants the Customer access to the current extent of processed data at any time.
Annex 2.2 – Description of the affected / affected groups
Thryve enables the End Users of the Customer to make data stored with other services available to the Customer. The persons concerned by the data processing are thus the customers of the Customer as natural persons. Thryve aggregates health-related information from multiple sources. This aggregation takes place on a pseudonymised basis, so that Thryve does not store personal identity data of the user.
Annex 2.3 – Technical and organizational measures of the Company
Entry Control
mHealth Pioneers GmbH is located in an office building in Berlin Kreuzberg. Each entrance to the office is protected by two doors. An automatic alarm system monitoring doors and movement is in place and can only be disabled by employees of mHealth Pioneers GmbH.
Admission Control
Where required, mHealth Pioneers GmbH provides employees with access to the systems / services of mHealth Pioneers GmbH via their own personal employee accounts. Access rights are limited to the responsibilities of the respective employee or team. If a user leaves, the account is deactivated immediately. mHealth Pioneers GmbH regulates access to its own systems via multi-layered, password-protected access levels. All data transfers are encrypted using state-of-the-art mechanisms. Administrator access to the underlying servers is only possible via SSH. In addition, mHealth Pioneers GmbH has a rule for the creation of passwords, which provides a high level of security even for systems that offer password-based access.
Passwords must meet the following requirements:
* min. 16 characters long
* min. 1 upper-case letter and min. 1 lower-case letter
* min. 1 digit
The systems of mHealth Pioneers GmbH are protected by firewalls. If employees of clients are granted access to parts of the system as part of the performance of the service, the above applies analogously.
Access Control
All servers and services of mHealth Pioneers GmbH are subject to continuous monitoring. This includes the logging of server access as well as of personal access in the user interface. Locking or logging off when leaving the workplace is prescribed in writing and is practiced.
Pass-On Control
Work equipment is procured, set up and provided solely by the company. Hard drives are encrypted so that only authorized persons can access them and data security is maintained even in the event of physical loss. Access to computers is only possible with personal credentials. All computers are equipped with up-to-date anti-virus software that performs a full system scan at regular intervals (at least monthly). All computers run current, active firewall software. The use of mobile data media is prohibited. Access to systems holding data is only possible through authenticated web access.
Input Control
Any manual adaptation of data by a user in the backoffice is recorded with a reference to that user. These change logs are retained indefinitely.
Users receive access to the backoffice based on a roles and rights concept (administrator, tenant administrator, tenant employee). For users of a tenant, access to data is restricted to the data of their specific tenant. Only administrators may create new user accounts, and password strength is enforced automatically. Every login to the backoffice is logged.
Order Control
Contractors are obliged in writing to comply with data protection regulations. mHealth Pioneers GmbH reviews the security measures taken by its contractors during the cooperation.
Availability Control
The data stored in the management system is automatically backed up at least daily. The state-of-the-art data center is ISO 27001 certified and has redundancy for all critical systems (firewall, switches, power, climate control, Internet connection, backup system, hard drives, processor cores, etc.).
Separation Control
Our employees are bound to data secrecy. Compliance with the statutory data protection requirements is ensured by the internal data protection officer. Further development of the software takes place on test systems that are separated from the production systems.
Annex 2.4 – List of Subcontractors
Exedio GmbH
Registered at: Buchenstraße 16b, 01097 Dresden, Germany
The Company commissions exedio Gesellschaft für Softwareentwicklung mbH with the development of software components and the administration of the technical infrastructure. Data access is not part of this contract but cannot be excluded owing to technical accessibility. A data processing agreement is in place.
Telekom Deutschland GmbH
Registered at: Landgrabenweg 151, 53227 Bonn, Germany
The Company commissions Telekom Deutschland GmbH with the provision of technical infrastructure (Open Telekom Cloud). Data access is not part of this contract but cannot be excluded owing to technical accessibility. A data processing agreement is in place.
Annex 2.5 – Authorized Persons
Company Contact:
Friedrich Lämmel
Geschäftsführender Gesellschafter
info@thryve.health
mHealth Pioneers GmbH
Körtestraße 10
10967 Berlin