Data Processing Agreement
Data Processing Agreement between Eurekos Systems ApS and SmartStart Health Ltd.
1. The Parties
Eurekos Systems ApS
CVR-nr.: 40845488
Gøgevænget 5
3400 Hillerød
Denmark
(hereinafter "Eurekos")
and
SmartStart Health Ltd.
Company Reg. No.: 13696565
86-90 Paul Street
EC2A 4NE London
United Kingdom
(hereinafter "Customer")
(the Customer and Eurekos each referred to individually as a "Party" and collectively as the "Parties")
have entered into the following Data Processing Agreement in connection with the Parties' simultaneous conclusion of a master agreement, such as a Software as a Service agreement or a partnership agreement, regulating the Services (as defined below) provided by Eurekos to the Customer (hereinafter the "Agreement").
2. Background and purpose
- Eurekos is to carry out a range of tasks for the Customer as further described in the Agreement.
- As part of Eurekos' provision of Services (as defined below) to the Customer under the Agreement, Eurekos will be processing personal data on behalf of the Customer.
- The Agreement and the Data Processing Agreement are interdependent and cannot be terminated separately, unless the processing of personal data ends prior to the termination of the Agreement, or the terms of separate termination are met.
- The purpose of the Data Processing Agreement is to set forth the terms for Eurekos' processing of the Customer's personal data and to ensure compliance with Article 28(3) of the GDPR (as defined below).
- In the event of any inconsistency between the contents of the Agreement or other previous agreements and the Data Processing Agreement regarding the processing of personal data, the Data Processing Agreement shall prevail irrespective of any previous agreements between the Parties.
3. Definitions
3.1 Terms defined in the Agreement shall have the same meaning when used in this Data Processing Agreement, unless otherwise expressly stated herein.
3.2 In this Data Processing Agreement, unless the context otherwise requires:
1. "Agreement" has the meaning ascribed to it in clause 1.
2. "Data Processing Agreement" means this data processing agreement, including Appendices.
3. "Data Protection Act" means Act no. 502 of 23 May 2018, on supplementary provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free exchange of such information with the changes as amended, supplemented and/or modified from time to time.
4. "Data Protection Legislation" means all applicable laws and rules governing the processing and protection of personal data throughout the European Economic Area (EEA) as amended, supplemented and/or modified from time to time, including without limitation the General Data Protection Regulation (as defined below), the Data Protection Act, the UK Data Protection Act 2018 and other relevant national legislation and, where relevant, the guidelines and rules issued by the Danish Data Protection Agency or other competent supervisory authorities in the EEA (including the national supervisory authorities) and the UK.
5. "General Data Protection Regulation" means "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)" as amended, supplemented and/or modified from time to time.
6. "Services" means the services and supplies provided by Eurekos as provider to Customer as customer under the Agreement.
4. The Customer's personal data
4.1 The categories of data subjects, the purpose of the processing, the type of personal data processed by Eurekos and the processing activities are described in Appendix 1 to this Data Processing Agreement.
5. General provisions
5.1 Each Party shall comply with all applicable requirements of the Data Protection Legislation in the performance of its respective obligations under the Agreement.
6. Customer's rights and obligations
6.1 To the extent that Eurekos processes any personal data on behalf of the Customer when performing its obligations under the Agreement, the Customer is the controller and Eurekos is the processor for the purpose of Data Protection Legislation. Nothing in this Agreement relieves the processor or the controller of its own direct responsibilities and liabilities under the Data Protection Legislation.
6.2 The Customer is obliged to make decisions about the purposes and the means by which the processing of personal data takes place.
6.3 The Customer shall ensure that the processing of personal data Eurekos is instructed to carry out is lawful, including that the processing is based on a legal basis pursuant to the Data Protection Legislation.
7. Eurekos' obligations
7.1 Eurekos may only perform such processing of the Customer's personal data to the extent required for the purposes specified by this Data Processing Agreement and in accordance with the Data Protection Legislation.
7.1.1 Eurekos may not process the Customer's personal data in any other way than specified in clause 7.1 without prior, explicit, written instructions from the Customer's designated contacts.
7.1.2 Eurekos may only process the personal data on documented instructions from the Customer, including as described in this Data Processing Agreement, unless required to do so by the European Union, UK or member state law to which Eurekos is subject. In that case Eurekos must notify the Customer of such legal requirement before the processing, unless the relevant law prohibits such notification on important grounds of public interests.
7.2 If Eurekos is of the opinion that the Data Processing Agreement does not cover Eurekos' processing of the Customer's personal data, or if the Customer's instructions are, in the opinion of Eurekos, in non-compliance with the data protection legislation in force, Eurekos shall immediately notify the Customer thereof.
7.3 Eurekos shall ensure that the persons it has authorised to access or process personal data on behalf of the Customer under the Data Processing Agreement have either committed themselves to confidentiality or are subject to a proper statutory duty of confidentiality and that they only process personal data in compliance with the Agreement, the Data Processing Agreement and the Data Protection Legislation.
7.4 Eurekos shall, upon request from the Customer, provide access to all necessary information in order for the Customer to ensure compliance with the obligations laid down in the Data Protection Legislation.
7.5 Furthermore, Eurekos must allow and contribute to any supervisions and audits, including inspections, conducted by the Customer, an auditor authorized by the Customer or any supervisory authority.
8. Eurekos' security measures
8.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Eurekos shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures to ensure that the Customer's data, as a result of Eurekos' actions or omissions, will not be:
I) accidentally or unlawfully destroyed, lost or altered;
II) disclosed to unauthorized persons or misused, or
III) processed contrary to Data Protection Legislation.
8.2 The security measures implemented by Eurekos are specified in Appendix 2. Eurekos shall, upon request from the Customer, provide the Customer with access to all necessary information pertaining to the security measures implemented by Eurekos.
8.2.1 If an audit of Eurekos' security measures shows material non-compliance, Eurekos shall promptly remedy such non-compliance within a reasonable time, taking into consideration the actual risk and the possibilities of ensuring the necessary changes in Eurekos' security measures. If possible, temporary measures shall be implemented until final measures can be implemented.
9. Assistance
9.1 The Customer does not pay separately for the use of documentation provided by Eurekos, cf. Appendix 2.
9.2 The Customer, or a third party appointed by the Customer, is entitled to make pre-announced inspections and/or audits at Eurekos' premises during normal office hours in order to determine whether Eurekos complies with the Data Processing Agreement and Data Protection Legislation. Such inspections or audits shall be notified to Eurekos with at least 20 working days' notice.
9.3 Eurekos shall by means of appropriate technical and organisational measures, assist the Customer in complying with the Customer's obligations to respond to requests for the exercise of the data subjects' rights pursuant to the Data Protection Legislation. If Eurekos receives requests from the data subjects, Eurekos shall forward these requests to the Customer without undue delay. Eurekos shall not respond to requests from the data subjects without the prior and documented instructions of the Customer.
9.4 Eurekos shall apply and comply with the Data Protection Legislation and shall not perform its obligations under the Agreement and the Data Processing Agreement in such a way as to cause Customer to breach any of its obligations under Data Protection Legislation.
9.5 Eurekos shall take into account the nature of processing and the information available to Eurekos and assist the Customer in complying with the Customer's obligations to:
I) implement appropriate technical and organisational measures;
II) carry out a data protection impact assessment if a type of processing activity is likely to result in a high risk to the rights and freedoms of natural persons, cf. Article 35 of the General Data Protection Regulation, and
III) consult the Data Protection Agency or other supervisory authority prior to processing where a data protection impact assessment under Article 35 of the General Data Protection Regulation indicates that the processing would result in a high risk in the absence of measures taken by the Customer to mitigate the risk, cf. Article 36 of the General Data Protection Regulation.
10. Return and deletion of the Customer's personal data
10.1 Eurekos is obliged, pursuant to the Customer's written instructions, to delete or return the Customer's personal data to the Customer or a third party appointed by the Customer to the extent the Customer's personal data are in Eurekos' possession or under Eurekos' control.
10.2 The Customer's personal data shall be provided to the Customer in a data format agreed in advance between the Parties or a standardized and well-established data format.
10.3 The Customer's personal data shall be deleted from all media and - to the extent technically possible - from any backups. If deletion from backups is not technically possible, Eurekos must restrict access to, and the restoring of, such backups until such time as deletion is technically possible.
10.4 On the expiry or termination of the Agreement, Eurekos shall cease to use, and shall ensure that its sub-contractors cease to use, the Customer Data and shall delete or return (at the Customer's election) such personal data unless required by applicable law to store the personal data.
10.5 At the request of the Customer, Eurekos shall document that deletion as described in clause 10.3 above has been carried out in accordance with the Customer's instructions.
11. Use of sub-processors
11.1 By accepting the terms of this Data Processing Agreement, the Customer authorises Eurekos to engage certain nominated sub-contractors to assist in providing the Services. The list of all sub-contractors who will assist Eurekos with processing of personal data in connection with the provision of the Services (hereinafter referred to as "Sub-Processors") and the countries and facilities in which the personal data is processed is stated in Appendix 3.
11.2 Any additions or changes to the list will be notified to the Customer. Notification shall be given no less than thirty (30) calendar days before the contemplated sub-processing is put into effect. If the Customer wishes to object to the sub-processing, the Customer shall state so in writing within ten (10) calendar days of receiving the aforementioned notification concerning additions or changes, and Eurekos shall comply with the Customer's reasonable and justifiable objections to such changes. Absence of any objections from the Customer shall be considered as an authorisation of the sub-processing.
11.3 Prior to Eurekos' use of Sub-Processor(s), Eurekos undertakes to enter into a sub-processing agreement with the Sub-Processor concerned, which at least imposes on the Sub-Processor the same minimum obligations as Eurekos has undertaken under this Data Processing Agreement.
11.4 Unless otherwise specifically agreed and stated in the list of approved Sub-Processors in Appendix 3, all communication and control of Sub-Processors is performed through Eurekos, including in relation to requirements for audit, control and documentation.
11.5 Eurekos is liable towards the Customer for the Sub-Processor's compliance with the obligations pursuant to this Data Processing Agreement.
12. Transfer of personal data to third countries
12.1 Eurekos may not without prior written consent transfer the Customer's data outside the EEA or the UK, unless such transfer is made to a Sub-Processor approved by the Customer, set out in Appendix 3. Any transfers of personal data outside the EEA or the UK must be based on a legal basis of the General Data Protection Regulation.
12.2 Eurekos uses certain Sub-Processors located in Ukraine for support of its IT systems, including development and maintenance of the Services and, if necessary, third-level (technical) support via remote access (as set out in Appendix 3). Adequate protection for the transfer of personal data in such cases is ensured by the EU Commission Standard Contractual Clauses. By accepting the terms of this Data Processing Agreement, the Customer authorises Eurekos to enter into EU Commission Standard Contractual Clauses with such Sub-Processors located in Ukraine on the Customer's behalf.
13. Duty of notification in case of a personal data breach
13.1 If Eurekos becomes aware of any actual, suspected or threatened personal data breach, Eurekos shall immediately notify the Customer thereof in writing without undue delay and no later than twenty-four (24) hours after Eurekos became aware of such breach.
13.2 Notification can be made via the standard form in Appendix 4. However, any notification shall comply with the current statutory requirements in force from time to time, but shall as a minimum include:
I) a description of the nature of the personal data breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
II) information about the identity and contact information of the data protection officer or another point of contact where additional information may be obtained;
III) a description of the likely consequences of the personal data breach;
IV) a description of the measures proposed or commenced by Eurekos to mitigate potential adverse effects.
13.3 If Eurekos is unable to provide all information at the same time, Eurekos may provide the information to the Customer in phases without undue further delay.
13.4 Eurekos shall document all relevant matters relating to any breach concerning the Customer's data, including the actual circumstances of the personal data breach, its effect and the remedial action taken.
13.5 Eurekos shall provide the Customer full assistance in ensuring compliance with the Customer's obligations (i) to document any personal data breach, (ii) to notify the applicable supervisory authorit(y/ies) of any personal data breach, and (iii) to communicate such personal data breaches to the affected data subjects, if there is an obligation to do so, in accordance with Articles 33 and 34 of the General Data Protection Regulation.
13.6 Eurekos' notification to the Customer of a personal data breach does not imply any recognition of breach or fault on the part of Eurekos.
14. Breach and liability
14.1 All matters relating to default, liability and compensation are regulated in the Agreement.
15. Payment and costs
15.1 Each Party shall pay all costs related to the performance of the Party's own obligations pursuant to this Data Processing Agreement, unless otherwise agreed by the Parties.
16. Commencement and termination
16.1 This Data Processing Agreement remains in force as long as Eurekos processes personal data on behalf of the Customer.
17. Signatures
17.1 This Data Processing Agreement is signed in two (2) copies, of which each Party shall receive one (1) copy. The Parties are obliged to keep an electronic copy of the signed Data Processing Agreement.
For Eurekos Systems ApS
Date: 18 May 2022
____________________________
Christian Willumsen
CCO

For SmartStart Health Ltd.
Date: 18 May 2022
____________________________
Melissa Holloway
Founder & CEO
Appendix 1
CATEGORIES OF DATA SUBJECTS AND TYPES OF PERSONAL DATA AND PROCESSING ACTIVITIES
This Appendix forms an integral part of the Data Processing Agreement and must be filled in by the Parties.
Schematic overview of categories of data subjects and types of personal data processed
Example 1
Category of data subjects:
Customer employees, contractors or other professional third parties.
Purpose of the processing:
The purpose of the processing is to provide the Customer with the Services described in the Master Agreement.
The subject-matter of the processing:
The processing concerns non-sensitive personal data about a limited number of data subjects in well-known IT systems with an appropriate level of integrated security.
☒ Ordinary categories of personal data: name, e-mail and workplace. Furthermore, the personal data may comprise browser data, IP addresses and login location data.
Special categories of personal data (tick box): N/A
☐ Racial origin
☐ Ethnic origin
☐ Political opinions
☐ Religious belief
☐ Philosophical belief
☐ Trade union membership
☐ Genetic data
☐ Biometric data for the purpose of uniquely identifying a natural person
☐ Data concerning health
☐ Data concerning sex life
☐ Data concerning sexual orientation
☐ CPR (Civil registration number)
☐ Personal data relating to criminal convictions and offences
Appendix 2
Security Measures
Information, including personal data, is one of Eurekos' most valuable assets. Preserving the confidentiality, integrity and availability of information and personal data ("Information Security") is therefore essential to Eurekos.
The purpose of the security measures implemented by Eurekos is to ensure:
- Confidentiality: Ensuring that personal data is accessible only to those authorized to process the personal data.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorized users have access to Services, information and associated assets when required.
Eurekos has committed itself to ensuring compliance with all requirements under ISO 27001 and ISO 27701.
Organisation of Information Security
Eurekos ensures, inter alia, that:
- Security issues are reviewed and progressed.
- Security risk assessments are performed on a regular basis.
- Effectiveness of Information Security is monitored.
Human Resource Security
Eurekos ensures, inter alia, that:
- All employees and contractors work in accordance with all policies and procedures, which include information security specific requirements.
Access Control
Eurekos ensures, inter alia, that:
- Employees, contractors, suppliers and anyone else follow a number of controls and procedures, which exist to limit access to confidential information.
- An access control policy is in place.
Physical and Environmental Security
Eurekos ensures, inter alia, that controls and procedures exist to ensure adequate physical security, including:
- Building and individual alarm systems.
- Restricted access to the building and further restricted access within it.
- Secure lockers, drawers, storage and safes.
- Clear desk and clear screen policy.
- A Physical and Environmental Security Policy.
Operations Security
Eurekos ensures, inter alia, that:
- Operations are managed by multiple coherent Information Security policies and Change Management processes to ensure correct and secure operations of information processing facilities.
Communications Security
Eurekos ensures, inter alia, that:
- Communication is controlled and managed by established procedures and guidelines.
- An Information Security Steering Group is established to ensure appropriate security measures and processes.
System Acquisition, Development and Maintenance
Eurekos ensures, inter alia, that:
- A development policy provides guidelines to ensure secure processes and technical environments for developing and implementing systems through secure coding and development practices.
- Information Security requirements for mitigating the risks associated with suppliers' access to the company's assets are documented.
- An Information Security policy for supplier relationships has been prepared and implemented.
Information Security Incident Management
Eurekos ensures, inter alia, that:
- Security incidents are maintained, updated and monitored.
- Procedures for breach, GDPR and Security Incident Management have been prepared and implemented.
Compliance
Eurekos shall implement appropriate technical and organisational measures to protect personal data against the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by Eurekos. In particular Eurekos shall implement measures ensuring that:
- Anyone managing and handling personal data understands that they are contractually obliged to follow good data protection practice.
- Anyone managing and handling personal data is appropriately instructed to do so.
- Everyone managing and handling personal data is appropriately supervised.
Appendix 3
Sub-processors
Eurekos may engage Sub-Processors within the EU/EEA as well as in third countries to provide the Customer with the Services.
The list of Sub-Processors engaged by Eurekos at any time is available on: https://eurekos.com/sub-processors/
Appendix 4
Standard form for notification on personal data breach
INSERT NAME AND CONTACT INFORMATION FOR THE DATA PROTECTION OFFICER OR ANOTHER POINT OF CONTACT
NAME:
PHONE NO.:
INSERT TIME OF THE INCIDENT
TIME OF DETECTING THE INCIDENT:
DATE: TIME:
TIME OF CLOSING THE INCIDENT:
DATE: TIME:
INSERT THE PHYSICAL LOCATION OF THE INCIDENT
A DESCRIPTION OF THE NATURE OF THE PERSONAL DATA BREACH
DESCRIBE THE CHARACTER OF THE PERSONAL DATA BREACH
DESCRIBE THE CAUSE OF THE PERSONAL DATA BREACH
MARK THE TYPE OF INCIDENT
☐ Unauthorized disclosure of personal data
☐ Unauthorized access to personal data
☐ Personal data is changed
☐ Personal data is destroyed
☐ Personal data is lost
Other things:
MARK THE TYPE OF PERSONAL DATA INVOLVED
☐ Regular personal data
☐ Confidential personal data
☐ Sensitive personal data
MARK THE CATEGORY OF DATA SUBJECTS
☐ Employees
☐ Students
☐ Customer's employees
☐ [insert]
☐ Customer's customer
☐ [insert]
Total number of data subjects involved:
DESCRIBE THE LIKELY CONSEQUENCES OF THE PERSONAL DATA BREACH
DESCRIBE THE MEASURES PROPOSED OR COMMENCED TO MITIGATE POTENTIAL ADVERSE EFFECTS