AIDMED sp. z o.o., hereinafter referred to as the “Processor”, and

Customer, hereinafter referred to as the “Data Administrator” or “Administrator”

1. Entrusting the processing of personal data

1.1 The Administrator entrusts the Processor, pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (hereinafter referred to as “GDPR”), with personal data for processing, on the terms and for the purpose specified in this Agreement.

1.2 The Processor undertakes to process the personal data entrusted to it in accordance with this Agreement, GDPR and other generally applicable laws that protect the rights of data subjects.

1.3 The Processor declares that it applies security measures that meet the requirements of GDPR. 

3. Scope and purpose of data processing

3.1 The Processor shall process personal data of the Administrator’s patients entrusted on the basis of this Agreement, including, without limitation: first and last name, email address, telephone number, date of birth, address and personal identification number.

3.2 The personal data entrusted by the Administrator shall be processed by the Processor solely for the purpose of enabling the Administrator to collect vital signs from its patients, display results and perform diagnosis. The Processor may contact the Administrator’s patients to provide technical assistance in case of issues.

3. Method of performance of the agreement for the processing of personal data

3.1 The Processor shall, in the processing of the entrusted personal data, commit to securing them by means of appropriate technical and organizational measures ensuring an adequate level of security corresponding to the risks related to the processing of personal data, as referred to in Article 32 of the GDPR.

3.2 The Processor shall exercise due care in the processing of the entrusted personal data.

3.3 The Processor shall grant personal data processing authorizations to all persons who will process the entrusted data in order to implement this agreement.

3.4 The Processor shall ensure the confidentiality (as referred to in Article 28(3)(b) of the GDPR) of the processed data by the persons whom the Processor authorizes to process personal data for the purpose of the performance of this agreement, both during their employment with the Processor and after its termination.

3.5 The Processor shall, upon termination of the provision of services related to processing, at the discretion of the Administrator, erase or return to the Administrator any Personal Data and erase any existing copies thereof, unless EU law mandates the retention of Personal Data.

3.6 Wherever possible, the Processor shall assist the Administrator to the extent necessary to comply with the obligation to respond to requests from the data subject and to comply with the obligations set out in Articles 32 to 36 of the GDPR.

3.7 Upon discovery of a personal data breach, the Processor shall, without undue delay, notify the Administrator of such breach within 48 hours.

4. Right of control

4.1 Pursuant to Art. 28 (3) (h) GDPR, the Administrator shall have the right to control whether the measures applied by the Processor in the processing and securing of the entrusted personal data meet the provisions of the contract.

4.2 The Administrator shall exercise the right of audit during the working hours of the Processor and at least 7 days in advance.

4.3 The Processor shall be obliged to remove the deficiencies found during the audit within the deadline indicated by the Data Administrator, not longer than 7 days.

4.4 The Processor shall make available to the Administrator any information necessary to prove the fulfillment of the obligations set out in Article 28 of the GDPR.

5. Subcontracting

5.1 The transfer of the subcontracted data to a third country may only take place on the written order of the Data Administrator, unless such obligation is imposed on the Processor by the EU law or by the law of the Member State to which the Processor is subject. In such case, prior to the beginning of the processing, the Processor shall inform the Data Administrator of this legal obligation, unless such law prohibits such information on account of an important public interest.

5.3 The subcontractor referred to in 5.1 of the Agreement shall meet the same guarantees and obligations as those imposed on the Processor in this Agreement.

5.4 The Processor shall be fully liable towards the Administrator for any failure to meet the subcontractor’s data protection obligations.

6. Responsibility of the Processor

6.1 The Processor shall be responsible for the provision or use of personal data in breach of the agreement, in particular, for the provision of personal data to unauthorized persons.

6.2 The Processor shall immediately notify the Data Administrator of any proceedings, in particular administrative or judicial, regarding the processing of the personal data specified in the agreement by the Processor, of any administrative decision or ruling regarding the processing of such data, addressed to the Processor, as well as of any planned, if known, or carried out audits and inspections regarding the processing of such personal data at the Processor, in particular by inspectors authorized by the Inspector General for the Protection of Personal Data / President of the Data Protection Authority. This paragraph shall only concern personal data entrusted by the Administrator. 

7. Duration of the agreement

7.1 This agreement is concluded for an indefinite period of time and shall terminate on the date of termination of the Subscription Services Agreement concluded between the Administrator and the Processor in connection with the use of the AIDMED SERVICES.

7.2 The agreement cannot be terminated separately; it remains in force as long as the agreement specified in 7.1.

7.3 The Administrator may terminate this agreement with immediate effect when the Processor, in spite of being obliged to remove the shortcomings identified during the audit, fails to remove them within the specified deadline; processes personal data in a way incompatible with the agreement; outsources the processing of personal data to another entity without the consent of the Administrator.

8. Principles of confidentiality

8.1 The Processor undertakes to keep confidential all information, data, materials, documents and personal data received from the Data Administrator and from persons cooperating with the Data Administrator, and data obtained in any other way, whether intentional or accidental, in oral, written or electronic form (“confidential data”).

8.2 The Processor declares that, in connection with the obligation to keep the Confidential Data confidential, the Confidential Data will not be used, disclosed or made available without the written consent of the Data Administrator for any purpose other than the performance of the Agreement, unless the necessity to disclose the information held results from applicable laws or the Agreement.

8.3 The Parties undertake to make every effort to ensure that the means of communication used to receive, transmit and store confidential data guarantee the protection of confidential data, in particular personal data entrusted for processing, against access by third parties who are not authorized to acquaint themselves with their contents.

9. Final Provisions

9.1 This Agreement has been concluded by means of remote communication (Article 60 of the Civil Code of the Republic of Poland).

9.2 In matters not regulated herein, the provisions of the Civil Code and GDPR shall apply.

9.3 The competent court for handling disputes arising from this Agreement shall be the competent court of the Processor.