MedRx DATA PROCESSING ADDENDUM
Last Revised: 12/15/2020
This Data Processing Addendum (hereinafter the “Addendum”) is entered into on the effective date of the Terms (as defined below) between
MedRx, Inc., a company incorporated in the United States of America whose registered office is at 1200 Starkey Rd Ste. 105, Largo, FL 33771 (“MedRx”), or if in EU DGS Diagnostics A/S, Audiometer Alle 1 5500 Middelfart, Denmark.
The customer of the MedRx Product and Services (“Customer”),
together the “parties”.
BACKGROUND AND SCOPE
MedRx and the Customer have agreed to enter into this Addendum to the Terms in relation to data processing whereby the Customer shall be the data controller and MedRx shall be a data processor in relation to all Customer Personal Information.
The definitions used in this Addendum are set out as Appendix 1.1.
The categories of Customer Personal Information to be processed by MedRx and the processing activities to be performed under this Addendum are set out in Appendix 1.2 to this Addendum.
OBLIGATIONS OF THE CUSTOMER AS DATA CONTROLLER
The Customer is responsible for the personal data which MedRx processes on behalf of the Customer.
It is the Customer’s responsibility to ensure that MedRx can process the personal data on behalf of the Customer in accordance with all applicable law and local rules. The Customer has the rights and obligations stated in this Addendum.
OBLIGATIONS OF MEDRX AS DATA PROCESSOR
MedRx agrees to:
- only process Customer Personal Information for and on behalf of the Customer, in accordance with the instructions set out below or as otherwise given by the Customer from time to time. MedRx shall notify the Customer if it is required by applicable law to process Customer Personal Information other than in accordance with those instructions, and shall inform the Customer of the relevant legal requirement before undertaking such processing (unless the relevant legal requirement prohibits the provision of such information on important grounds of public interest);
- ensure that those of its personnel who are involved in processing Customer Personal Information are bound by appropriate obligations of confidentiality;
- implement and maintain appropriate technical and organizational security measures to safeguard Customer Personal Information from unauthorized or unlawful processing or accidental loss, damage or destruction;
- taking into account the nature of the processing and the information available to MedRx, provide reasonable assistance to the Customer in ensuring compliance with its obligations under the GDPR in relation to security, data breach notification, data protection impact assessments and prior consultation with a supervisory authority and the fulfilment of data subject’s rights, where applicable from time to time;
- upon written request, make available to the Customer such records as the Customer may reasonably require from time to time to demonstrate compliance by MedRx with its obligations under this Addendum. In addition, MedRx agrees to permit an audit to be conducted of its facilities no more than once per year, by the Customer or the Customer’s representatives (bound by appropriate obligations of confidentiality), provided such an audit is carried out: (i) upon ten (10) business days’ prior, written notice to MedRx and during MedRx’s normal business hours; (ii) in a manner that causes minimal disruption to MedRx’s business and excludes from its scope any internal pricing information, information relating to other customers of MedRx or other MedRx’s own internal reports; and (iii) at the Customer’s own cost; and
- MedRx must assist the Customer with meeting the other obligations that may be incumbent on the Customer according to EU or EU Member State law, if applicable, where the assistance of the MedRx is implied, and where the assistance of the MedRx is necessary for the Customer to comply with its obligations. This includes, but is not limited to, upon request, to provide the Customer with all necessary information about a Security Breach (as defined below) and all necessary information for an impact assessment in accordance with article 35 and 36 of the GDPR.
- MedRx shall notify the Customer – and a supervisory authority, if applicable – without undue delay and in any event within 96 hours of becoming aware of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Customer Personal Information (“Security Breach“). MedRx shall provide Customer information related to the Security Breach as is known to MedRx regarding the nature of the breach, the categories and approximate number of data subjects and records concerned.
- Nothing in this Addendum shall prevent either party from complying with any legal obligation imposed by a regulator or court. Each party shall however, where possible, discuss with the other party the appropriate response to any request from a regulator or court for disclosure of information.
- MedRx may not process or use the Customer’s personal data for any other purpose than provided for in this Addendum and hereby acknowledged and accepted by the Customer on the Customer’s specific written instructions, including the transfer of personal data to any third country or an international organization, unless MedRx is required to do so according to the European Union or member state law, if applicable. In that case, MedRx shall inform the Customer in writing of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- If MedRx is subject to legislation of a third country, MedRx declares not to be aware of the mentioned legislation preventing MedRx from fulfilling the Agreement, and that MedRx will notify the Customer in writing without undue delay, if MedRx becomes aware of that such hindrance is present or will occur.
- MedRx can solely process personal data outside the scope of the instructions acknowledged by the Customer or otherwise instructed if this is required by mandatory EU law or national legislation. MedRx shall inform the Customer of such reason, unless such notification would be in breach of EU or EU Member state law.
- The Customer consents to MedRx engaging subcontractors listed to process the Customer Personal Information on its behalf (“Sub-processors“). MedRx shall ensure that Sub-processors are subject to contractual obligations which are the same as or equivalent to those imposed on MedRx under this Addendum. MedRx shall inform the Customer of any intended changes concerning the addition or replacement of any Sub-processor within a reasonable time prior to implementation of such change. In the event of the Customer objecting to such change, MedRx shall make reasonable efforts to address the Customer’s concerns (including making reasonable efforts to find an alternative Sub-processor).
- The Customer acknowledges and agrees that Customer Personal Information may be processed by Sub-processors outside the European Economic Area or the country where the Customer is located in order to carry out the Service and MedRx’s other obligations under the Terms. MedRx shall implement a data transfer solution to ensure any such transfers are compliant with the GDPR.
- For the avoidance of doubt, where a Sub-processor fails to fulfil its obligations under any sub-contract, MedRx shall remain fully liable to the Customer for the fulfilment of its obligations under this Addendum.
TERM AND TERMINATION
- This Addendum shall commence on the effective date of your Terms and shall continue in full force and effect until the termination or expiration of the Terms between us. Within six (6) months of the termination of this Addendum, MedRx may delete the Customer Personal Information and delete any existing copies in its possession unless required to retain such Customer Personal Information under applicable law. The MedRx Solutions enable the Customer to securely export its Customer Personal Information at any time.
GOVERNING LAW AND MISCELLANOUS
This Addendum shall be governed by and construed in accordance with the internal laws of the State of New Jersey without giving effect to any choice or conflict of law provision or rule.
Any legal suit, action or proceeding arising out of, or related to, this Addendum shall be instituted exclusively in the federal courts of the United States or the courts of the State of New Jersey. You waive any and all objections to the exercise of jurisdiction over you by such courts and to venue in such courts.
The parties agree that this Addendum will be incorporated as an addendum to the Terms. To the extent of any conflict between this Addendum and the remaining sections of the Terms, this Addendum will prevail.
Appendix 1.1 – Definitions
Appendix 1.2 – Description of Information Processing
APPENDIX 1.1 – DEFINITIONS
In this Addendum, the following words and expressions shall have the meaning as set out below, if not otherwise defined in this Addendum:
“Customer Personal Information” means all Personal Information controlled by the Customer which is processed by MedRx in connection with the MedRx Products and Services.
“GDPR” Means the Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation).
“Personal Information” means any information relating to an identified or identifiable natural person, see article 4(1) of GDPR. If other confidential information than personal data is processed for the purpose of fulfilling the Addendum, any reference to “personal data” shall include such other confidential information.
“MedRx Products and Services” means any of the products and/or services provided by MedRx to the Customer pursuant to the Terms.
APPENDIX 1.2 – Description of Information Processing
The data processing activities carried out by MedRx under this Addendum are as follows:
Description of MedRx Products and Services:
Hearing testing and/or hearing screening services using tablet-based or hardware-based audiometers, website and/or web portal, including related data management, processing and analysis services
Subject-matter of Processing:
MedRx processes certain Customer Personal Information on behalf of its Customers in relation to hearing testing and/or hearing screening services. As described in detail in the MedRx Privacy Statement, the content of the Customer Personal Information may include contact information for the Customer, demographics of the Customer’s participants and their hearing test results data.
Duration of Processing and Deletion:
For the duration of the MedRx Solutions and/or Services to which this Addendum relates.
Nature and purpose of Processing:
To enable MedRx to provide the Customer with certain MedRx Solutions and/or Services in relation to hearing testing and/or hearing screening.
Types of Personal Information:
Customer Personal Information relating to Customers, provisioned users and Participants who access and use the MedRx Solutions and Services. Participant Personal Information may be collected by the Customer and provisioned users of the Service and may include, without limitation, audiograms, hearing screening results, personal contact information, demographic information, questionnaire information, location information, profile data, unique IDs, usage activity, transaction history, and online behavior and interest data. MedRx also collects information about visitors to it web properties.
Type of Sensitive Personal
Hearing test or screening result data, medical information
Categories of Information Subjects:
MedRx’s Customers, their provisioned end users of its Services, Participants, as well as visitors to MedRx’s web properties.