Data Processing Agreement
To ensure that the rules in force at any time on the processing of personal data are observed, including in particular the EU General Data Protection Regulation (GDPR) and related executive orders and instructions,
Research Consortium for Medical Imaging Analysis, org. no. 802523-4686 (hereinafter referred to as the “Data Processor”) and you ("Data Controller") have entered into the present data processing agreement (hereinafter referred to as the “Data Processing Agreement”).
The Responsibility of the Data Processor
The Data Processor shall act only on the instructions of the Controller and only to the extent which is necessary to enable the Data Processor to meet his obligations according to the Data Processing Agreement. Thus, the Data Processing Agreement shall form part of the Controller’s instructions to the Data Processor.
The Data Processor undertakes at any time to meet the GDPR requirements as well as the Data Processor’s national statutory requirements regarding data processing and data security in connection with the data processing carried out on behalf of the Controller.
Data Processing Instructions
The Data Processor shall only act according to these instructions from the Controller and only regarding the tasks listed below.
Data Processor shall de-identify personal health information from the medical imaging data (DICOM files and PNG files) listed in the next section
Data Processor shall transfer de-identified medical imaging data via encrypted connections from Controller to Data Processor’s central data repository
Data Processor shall safely store Controller’s data on behalf of Controller for the duration outlined in Data Processing Agreement on Data Processor’s servers located in Sweden
Data Processor shall make the data available to Controller and individuals appointed by Controller
In the event Data Processor shall manually process Controller’s data, all data processing will be performed at the RECOMIA office and by individuals appointed by Controller
Data Processor shall make available data processing tools to Controller or individuals appointed by Controller
Technical and Organisational Security Measures
The Data Processor shall make the necessary technical and organisational security measures against accidental or illegal destruction, loss or deterioration of personal data and against disclosure thereof to unauthorised people, abuse or other types of use contrary to legislation.
The Data Processor undertakes to observe the statutory requirements in force at any time regarding the processing of personal data. Consequently, data processing shall be carried out in accordance with the rules in force at any time about the processing of personal data, including in particular the EU General Data Protection Regulation (GDPR) and associated executive orders and instructions.
The Data Processor shall de-identify all data to remove information that can be used to directly or indirectly identify an individual. Reference is made to the ‘Patient De-identification Policy’.
The Data Processor shall process information on behalf of the Controller and shall only act on instructions from the Controller, cf. ‘Data Processing Agreement’.
The Data Processor’s use of Sub-Data Processors
The Data Processor shall not be entitled to enter into agreements with a Sub-Data Processor about the processing of personal data covered by the present data processing agreement unless the Controller has accepted the conclusion of such agreement in writing. The Controller shall be entitled to stipulate conditions for such acceptance.
In the agreement with the Sub-Data Processor, the Data Processor shall ensure that the Sub-Data Processor is as a minimum able to meet the obligations undertaken by the Data Processor in the present Data Processing agreement regarding the processing and destruction of personal data carried out by the Sub-Data Processor.
Supervisory Authorities, Audits and Auditors’ Statements
At the request of the Controller, the Data Processor shall provide the Controller with sufficient information to enable him to check that the technical and organisational security measures mentioned above have been established. Furthermore, the Data Processor must be able to document that identified vulnerabilities are met through a risk-based assessment.
If the Controller and/or relevant public authorities want to carry out a physical inspection (audit) of the measures taken by the Data Processor under the Data Processing Agreement, the Data Processor undertakes – with reasonable notice – to make time and resources available for the purpose.
Obligation to Inform and Assist
The Data Processor undertakes to inform the Controller immediately and in writing about any deviation from the requirements in the Data Processing Agreement, for example:
any deviation from instructions provided
any deviation from the agreement regarding accessibility
any suspicion of breach of confidentiality
any suspicion of abuse, loss and deterioration of data
any accidental or unauthorised disclosure of or access to the personal data processed according to the present Data Processing Agreement
The Data Processor shall assist the Controller in connection with the handling of any application from a registered person, including a request for insight, correction, blocking or deletion of information if the relevant personal data is processed by the Data Processor.
Effective Date and Term of the Agreement
The Data Processing Agreement shall become effective on the date the Data Processing Agreement has been approved by representatives of RECOMIA.
The Data Processing Agreement shall expire one year (365 days) after effective date, unless otherwise agreed by the parties.
Handling of Data after Expiry of the Agreement
The Controller shall inform the Data Processor when the data processing is to stop. The Data Processor shall then be obliged to delete all pseudonymized data.
Secrecy and Confidentiality
The Data Processor’s employees, cooperation partners, external consultants and temporary employees, etc., shall in connection with the processing of personal data be covered by the rules regarding secrecy which apply to employees in the public administration.
The Data Processor shall be obliged to inform their own employees, co-operators, external consultants and temporary employees, etc., about the extent of the secrecy and the consequences of a possible breach of the secrecy.
The Data Processor shall treat the personal data in confidence and shall thus only be entitled to use the personal data as part of observing his own obligations according to the present Data Processing agreement and Instructions.
Furthermore, the Data Processor undertakes to limit the access to personal data to the employees who need to process personal data in order to be able to meet the Data Processor’s obligations towards the Controller.
The Data Processor’s obligations regarding secrecy and confidentiality shall apply also after expiry of the agreement.
The Data Processor shall not transfer his rights and obligations according to the present Data Processing Agreement without the prior consent of the Controller.
It shall be considered material default if the Data Processor does not observe the obligations in the Data Processing agreement, the statutory requirements in force at any time, and the requirements in the documents which appear from the Appendices to the Data Processing agreement. In this case, the Controller shall without any notice be entitled to cancel all current agreements about data processing carried out on his behalf.
Regardless of such cancellation/termination of the agreement, the Data Processor shall, however, be obliged to provide data processing according to the present Data Processing agreement until data processing has been arranged with another data processor.
The Data Processor undertakes to release and defend the Controller from and against all claims, legal claims and any related liability, loss, penalties, costs and expenses as a consequence of the Data Processor’s violation of the Data Processing agreement or current legislation committed by the Data Processor, the Data Processor’s employees or representatives in connection with provision of the processing of personal data, implementation of the agreement, or as otherwise agreed between the parties.
Governing Law and Venue
The present Data Processing agreement, including any issue regarding the validity of the Data Processing agreement, shall be governed by Swedish law.
In case of a dispute between the Parties in connection with the Data Processing agreement, the Parties shall with a positive, cooperative and responsible attitude attempt to start negotiations with a view to solving the dispute.
Either party shall be entitled to demand renegotiation of the Data Processing Agreement because of changed legislation, including entry into force of the EU regulation on the protection of personal data.