OPENMEDICAL AG Commissioned Processing Contract (CPC)
This Commissioned Processing Contract applies to data processing within the framework of the contractual relationship between the Client and openmedical AG, Pfeffingerstrasse 19, 4153 Reinach (the "Contractor"). The CPC shall apply to all activities in which personal data are processed by the Contractor, or by the agents commissioned by the Contractor, on behalf of the Client.
This agreement is intended to set out the data protection framework and the obligations of the contracting parties in this regard, which will continue to apply unchanged in the course of future commissioning.
In particular, the agreement takes into account the requirements and obligations pertaining to the handling of personal data pursuant to the provisions of the Federal Act on Data Protection (DSG) applicable in individual cases, the EU General Data Protection Regulation (GDPR), the other cantonal provisions of data protection law, and other provisions in the health sector, including professional secrecy.
1. Subject of the order
The Contractor shall carry out the transfer and processing of patient forms (Annex 1) and the dispatch of invitations to the Contractor's health record in accordance with the Client's instructions. This takes place in the systems of the Contractor and of the Client.
The Contractor shall provide the services for the Client on the basis of the GTC (in the currently valid form) or other contracts (hereinafter jointly referred to as the "Main Contracts") agreed between the Parties.
Within the framework of the Main Contracts, the Contractor receives access to personal data and processes it exclusively on behalf of and in accordance with the Client's instructions. The scope and purpose of the data processing by the Contractor are governed by the Main Contracts, provided that no special provisions arise from the following provisions. The Client is responsible for assessing the admissibility of data processing and disclosure.
Until the time of acceptance of the invitation to the health record, the processing of personal data is carried out by the Contractor as a commissioned processor and auxiliary of the Client. From the time of acceptance of the invitation and opening of the account, the Contractor shall become the data controller in accordance with applicable data protection law and shall process the personal data exclusively in accordance with its own data protection statements. By opening an account, the data subjects consent to the transfer of the data to the Contractor.
1.1 The provisions of this agreement shall apply to all activities related to the Main Contracts in which the Contractor and its employees or persons commissioned by the Contractor come into contact with personal data originating from the Client or collected for the Client.
1.2 The duration of this Contract corresponds to the term of the Main Contracts, provided that no special provisions arise from the following provisions.
1.3 All annexes form an integral part of this agreement.
1.4
2. Type and purpose of data collection, group of data subjects
2.1 The data processing takes the following forms: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available or transferring, comparison or linking, restriction, erasure or destruction of data, and any other processing that may be ordered by the Client from time to time.
2.2 In the context of the execution of the Main Contracts, the Contractor processes the following personal data:
- Employee data if entered on forms (company contact details);
- Patient information (contact details, age, gender, etc.);
- Treatment data and other medical data.
Further details on the processed data and the purposes are set out in Annex 1.
The data is processed for the purpose of converting forms and encrypted transmission to the receiving target applications (e.g., practice software, hospital information system, laboratory information system, radiology information system, etc.). The form data is created by the responsible health service providers and employees in the Contractor's source system. A comparison is carried out as to whether a health record is already held by the Contractor for the patient. If not, an invitation is sent to the patient by the Contractor.
The Client is aware that the User lists for the mednet application can be viewed within the software in the form of contact lists, in order to be able to select the recipient of the data package within the mednet network.
2.3 The categories of persons affected by the processing are employees who work in the Client's organisation, patients whose medical forms are sent, and other persons (doctors, external consultants, etc.) whose data is on the forms or to whom the Client grants access to the application.
3. Obligations of the Contractor
3.1 The Contractor may only process personal data within the framework of the contractual agreement and in accordance with the Client's instructions; this also applies to the transfer of personal data to a third country or to an international organisation. If the Contractor is obliged by the law of Switzerland, to which it is subject, to further processing, it shall communicate these legal requirements to the Client prior to processing, unless the law in question prohibits such communication.
3.2 The processing of personal data by the Contractor shall be carried out in accordance with the statutory data protection regulations and the requirements of professional secrecy and the applicable confidentiality regulations. The Contractor guarantees the protection of the rights of the data subjects. The Contractor shall not use the data provided for processing for any other purposes, in particular, not for its own purposes. This does not apply to processing from the time of transfer to the health record at the patient's request and the associated responsibility of the Contractor from this time onwards.
3.3 The Contractor undertakes to maintain strict confidentiality during processing. The Contractor is aware that it and its employees in Switzerland are subject to the provisions of Art. 321 of the Criminal Code (StGB) (Switzerland) as auxiliaries and shall ensure that its employees are trained and obligated accordingly.
3.4 The persons employed by the Contractor in the processing of data are prohibited from collecting, processing or using personal data without authorisation. The Contractor shall oblige all persons entrusted by it with the processing and fulfilment of this agreement to maintain confidentiality and secrecy to an equivalent degree and shall take the necessary care to ensure compliance with this obligation. These obligations must be drafted in such a way that they remain in force even after termination of this agreement or the employment relationship between the employee and the Contractor. Upon request, the obligations are to be proved to the Client in an appropriate manner.
3.5 The Contractor must treat all information that becomes known through access to the aforementioned systems, programs and databases, as strictly confidential, even beyond the end of the contract, unless it has been released from confidentiality by the data subject or the Client.
3.6 The Contractor warrants that the persons employed by it for processing have been familiarised with the relevant provisions of data protection and this agreement before the start of processing. Appropriate training and awareness-raising measures must be repeated regularly and appropriately.
3.7 The Contractor shall process the data without guaranteeing the statutory retention and deletion periods. This means that the Client is responsible for ensuring compliant storage and deletion. The Contractor does not provide any services that guarantee the legally compliant storage of health or patient data.
3.8 The Contractor shall support the Client in complying with data protection obligations, in particular, in accordance with the GDPR and other applicable laws, taking into account the type of processing and the information available to it.
3.9 The Contractor shall support the Client with suitable technical and organisational measures in complying with its obligation to respond to requests to exercise the rights of data subjects.
3.10 If a data subject claims rights, such as the right of access, rectification or erasure with regard to their data, directly against the Contractor, the Contractor shall not respond independently but shall inform the Client immediately and await its instructions. In the course of the processing in the health record (mednet patient), the Contractor is the data controller and will act independently to do this.
3.11 The Contractor has appointed a Data Protection Officer:
Priverion GmbH, Europaallee 41, 8004 Zürich, hello@priverion.com
In case of doubt, the Client can directly contact the Data Protection Officer.
4. Technical and organisational measures
4.1 In its area of responsibility, the Contractor shall design its internal organisation in such a way that it meets the special requirements of data protection and the provisions of professional secrecy. It shall take all necessary technical and organisational measures to adequately protect the Client's data, in particular, at least the measures listed in Annex 2.
The Contractor reserves the right to change the security measures taken, whereby it shall ensure that there is no shortfall in the contractually agreed level of protection. The Contractor must immediately implement the changes necessary to maintain information security. The Client must be informed immediately of any changes. Significant changes must be agreed between the Parties.
4.2 The Contractor warrants that the data processed in the order will be strictly separated from other data.
4.3 Copies or duplicates shall not be made without the knowledge of the Client. Technically necessary temporary copies are excluded, insofar as there will be no resulting impairment to the data protection level agreed here, as well as in the case of transfer to the health record commissioned by the patient.
4.4 Dedicated data carriers that originate from the Client or are used for the Client are specially marked and are subject to ongoing management. They must be stored appropriately and must not be accessible to unauthorised persons.
5. Subcontracting relationships
5.1 The Client grants its consent to the use of subcontractors. At the time of conclusion of the contract, the subcontractors listed in Annex 3 will be appointed. The Contractor shall inform the Client at least 30 days in advance of the use of additional subcontractors. If the Client does not object to the use of the new subcontractor for data protection reasons within 30 days, the new subcontractor shall be deemed to have been approved.
5.2 The Contractor is obliged to carefully select subcontractors according to their suitability and reliability. When commissioning subcontractors, the Contractor shall require them to comply with the provisions of this agreement. The use of subcontractors in countries without an equivalent level of data protection, as well as the transfer of data to countries without an equivalent level of data protection, is prohibited unless the Client is based abroad and transfer abroad is therefore necessary. Upon request, the Contractor shall provide the Client with evidence of the conclusion of the aforementioned agreement with its subcontractors.
5.3 The contractually agreed services shall be carried out by engaging the subcontractors named in Annex 3. The subcontractors are designated by name and address in Annex 3.
5.4 A subcontractual relationship within the meaning of this Section 5 shall not exist if the Contractor commissions third parties with services that are to be regarded as purely ancillary services. This includes, for example, postal, transportation and shipping services, cleaning services, telecommunications services with no specific connection to the service that the Contractor provides for the Client, and security services. The Contractor shall ensure the protection of the data by means of appropriate agreements with these service providers.
6. Notification obligations
6.1 In the event of malfunctions, suspicion of data protection violations or violation of contractual obligations of the Contractor, suspicion of security-related incidents or other irregularities in the processing of personal data by the Contractor, by persons employed by it in the context of the order, or by third parties, the Contractor shall immediately inform the Client in writing (whereby electronic communications shall suffice). The report of any breach of personal data protection shall contain at least the following information:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and the approximate number of personal data records concerned
- The name and contact details of the Data Protection Officer or another contact point for further information
- A description of the likely consequences of the personal data breach
- A description of the measures taken or proposed by the Contractor to remedy the data breach and, where appropriate, measures to mitigate its possible adverse effects
6.2 The Contractor shall immediately take the necessary measures to secure the data and to mitigate possible adverse consequences for the data subjects, inform the Client thereof and request further instructions.
6.3 In addition, the Contractor is obliged to provide the Client with information at any time if the Client's data is affected by a breach in accordance with section 6.1.
6.4 Should the Client's data held by the Contractor be jeopardised by seizure or confiscation, by insolvency proceedings, or by other events or measures by third parties, the Contractor must inform the Client of this immediately, unless it is prohibited from doing so by a court or official order. In this context, the Contractor shall immediately inform all responsible bodies that the decision-making authority for the data lies exclusively with the Client as the "data controller" within the meaning of data protection law.
7. Right of instruction
7.1 The Contractor may only collect, process or use data within the framework of the Main Contracts and in accordance with the Client's instructions. If the Contractor is obliged by the law of Switzerland to which it is subject to further process data, it shall inform the Client of these legal requirements prior to processing.
7.2 The Client's instructions are initially set out in this agreement and may subsequently be amended, supplemented or replaced by the Client in writing (whereby electronic communications suffice) by means of individual instructions. The Client is entitled to issue appropriate instructions at any time. This includes instructions with regard to the authorisation for, deletion of and control of data. The persons entitled to issue instructions are the persons named in the course of registration with openmedical (GTC). In the event of a change or if the designated persons are prevented for a prolonged period, the successor or representative must be named to the contractual partner in writing (electronic communications suffice) without delay.
7.3 All instructions given shall be documented by both the Client and the Contractor. Instructions which go beyond the service agreed in the Main Contract are treated as a request for a change in service.
7.4 If the Contractor believes that an instruction from the Client violates data protection regulations, it must inform the Client of this immediately. The Contractor is entitled to refrain from implementing the relevant instructions until they are confirmed or amended by the Client. The Contractor may refuse to carry out an obviously unlawful instruction.
8. Client's right to monitor
8.1 The Client is entitled to monitor compliance with the provisions on data protection and the contractual agreement with the Contractor to an appropriate extent. For this purpose, it may, for example, obtain information from the Contractor, obtain test certificates from experts, certifications, or internal audits or, after timely coordination, personally inspect the Contractor's technical organisational measures during normal business hours or have them inspected by a competent third party, provided that the latter is not in a competitive relationship with the Contractor. The Client shall only carry out inspections to the extent necessary and shall not disproportionately interfere with the Contractor's operational processes. Tests without cause (data protection or information security incidents) which take longer than one working day are to be remunerated by the Client at the Contractor's usual daily and hourly rates.
8.2 At the Client's oral or written request, the Contractor is obliged to provide the Client within a reasonable period of time with all information and evidence necessary to carry out an inspection of the Contractor's technical and organisational measures.
8.3 The Client shall document the inspection result and inform the Contractor thereof. In the event of errors or irregularities that the Client finds, in particular, during the examination of order results, it must inform the Contractor immediately. If, during the inspection, facts are discovered whose nature requires changes to be made to the ordered procedure in order to avoid future problems, the Client shall inform the Contractor immediately of the necessary procedural changes.
8.4 Upon request, the Contractor shall provide the Client with evidence of the obligation of the employees pursuant to section 3.4.
9. Liability
Liability is regulated exclusively and conclusively in the Main Contracts.
10. Extraordinary right of termination
Insofar as a termination option is prescribed by law under the applicable data protection law, the Client may terminate this agreement in whole or in part without notice if the Contractor fails to fulfil its obligations under this agreement, violates provisions of the applicable data protection law, or is unable or unwilling to carry out an instruction of the Client. In the event of minor violations, the Client shall set the Contractor a reasonable period of time to remedy the violation.
11. Termination of a Main Contract
11.1 After the termination of one of the Main Contracts or at any time at the Client's request, the Contractor shall return to the Client all documents, data and data carriers provided to it or, at the Client's request, delete them, unless an obligation to store the personal data exists under the law of Switzerland. This also applies to any copies made by the Contractor. The Contractor shall provide documented proof that any data still available has been properly deleted.
11.2 After termination of the Main Contract, the Contractor shall delete the personal data within 90 days. Any further processing must be agreed with the Client.
11.3 The Client has the right to check the complete and contractual return or deletion of the data at the Contractor's premises in an appropriate manner.
11.4 The Contractor is obliged to treat the data that has become known in connection with the Main Contracts as confidential even after the Main Contracts have ended. This agreement shall remain valid beyond the end of the Main Contracts as long as the Contractor holds personal data that has been sent to it by the Client or that it has collected for the Client.
12. Final provisions
12.1 The Parties agree that the Contractor shall have no right of retention with regard to the data to be processed and the associated data.
12.1.1 The Contractor reserves the right to adjust the contractual conditions, including its services (openmedical products), prices and/or these GTC, at any time and without giving reasons. The same applies to any commissioned processing contracts ("CPC"s) concluded between the Parties. Changes will be announced to the User via their "mednet" or "mednet Patient" online account and on the website or in other suitable ways in electronic or other form and will come into force upon their publication. If the User does not accept the changes, they have the option of terminating the contractual relationship with openmedical within 30 days of being notified of the change in writing (formal signature) or via email to support@openmedical.swiss. Without written notification within this period, the changes shall be deemed to have been approved by the User.
12.2 The provisions in the Main Contracts are not affected by this agreement, insofar as they do not contradict it. In the event of a conflict, the provisions of this agreement shall expressly take precedence over the provisions in the Main Contracts.
12.3 Should individual parts of this agreement be or become invalid, the validity of the remaining parts of this agreement shall not be affected. Any provision that ceases to apply shall be replaced by a permissible or valid provision that comes as close as possible to the economic content or purpose pursued. The same procedure shall apply in the event of contractual omissions. Any interpretation of provisions must be made in accordance with the FADP and the accompanying standards, in particular, the Swiss and cantonal data protection laws, as amended.
12.4 Subject to mandatory applicable law, this CPC is subject to Swiss substantive law, to the exclusion of conflict of law rules and the Vienna Sales Convention (CISG).
12.5 For all disputes arising from the legal relationship between the Contractor and the Client, the courts at the headquarters of the Contractor have exclusive jurisdiction. Mandatory places of jurisdiction remain reserved. The Contractor reserves the right to assert its claims before the competent court at the Client's place of residence/business or before any other competent court.
openmedical AG Client
Annex 1 – Description of data processing
In particular, this includes the purpose of transmitting the data and converting the data to formats that enable transmission to other connected applications. It also includes the Contractor's invitation to the health record.
The relevant data entrusted to the Contractor by the Client over the term of the contract, or which the Contractor collects on behalf of the Client, shall be deleted immediately after the end of the Contract term.
Data subjects
The Contractor shall process relevant data from end customers (patients) of the Client, end customers of the Client's business customers, and internal or external employees of the Client.
Type of relevant data
- Personal and professional contact and identification data
- (Work) organisation data
- IT usage data
- Particularly sensitive personal data
- Special categories of personal data
Special legal confidentiality obligations
As an auxiliary of the Client, the Contractor processes relevant data which is also subject to professional secrecy, i.e., a special statutory duty of confidentiality.
Place of data processing or data access
The relevant data will be processed in Switzerland, unless the Client is located outside Switzerland. If this is the case, international transfers are possible here.
Disclosure of relevant data to subcontractors
Third parties have no access to the relevant data, and no relevant data will be processed by third parties or made known to third parties. If subcontractors have access to or process relevant data or are made aware of it, the scope of the processing is outlined within the agreed purpose.
Delegation to independent data controllers
The Client may (in particular, through forms in the applications) issue instructions ordering the Contractor to transfer data to other data controllers. The Client will be informed of this in the screens before the initiation of the transfer. The data may be transferred to, among other recipients, health service providers, health insurance companies and other service providers. However, this is only carried out upon instruction, i.e., confirmation of the relevant form or button in the application. The assessment of whether the transfer is permitted is the responsibility of the Client or the User of the application.
Other instructions
These instructions also include performing a comparison to check whether a health record is available for the patient, as well as making the record available to the patient for 21 days. If the patient sets up a health record, the data (also data within the framework of Chronic Disease Management) will be separated from the commissioned processing and then processed in accordance with the provisions of the health record and the Contract between the Contractor and the patient. If the patient does not create a record, the data will be deleted after 21 days. In principle, patient data will not be deleted from mednet until the requested deletion. As part of the Master Patient Information Service, we create linked IDs of patients in order to identify them in the various systems.
Use of anonymised data
The Contractor anonymises patient data and is entitled to provide this anonymous data to third parties (in particular, in connection with cardiac information and research).
Annex 2 – Technical and organisational measures
https://openmedical.swiss/LegalResources/TOM_openmedical_AG_en.pdf
Annex 3 – Authorised sub-service-providers
https://openmedical.swiss/LegalResources/ZSD_openmedical_AG_en.pdf