Data Processing Agreement

GLOOKO STANDARD CONTRACTUAL CLAUSES

SECTION I

Clause 1

Purpose and scope

  (a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  (b) The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
  (c) These Clauses apply if the requirements stated in the Master Agreement are fulfilled and to the processing of personal data as specified in Annex II.
  (d) Annexes I to IV are an integral part of the Clauses.
  (e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
  (f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

Clause 2

Invariability of the Clauses

  (a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
  (b) This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards, provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3

Interpretation

  (a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.
  (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.
  (c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 5 – Optional

Docking clause

  (a) Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.
  (b) Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.
  (c) The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.


SECTION II – OBLIGATIONS OF THE PARTIES

Clause 6

Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

Clause 7

Obligations of the Parties

7.1. Instructions

  (a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
  (b) The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.

7.2. Purpose limitation

The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.

7.3. Duration of the processing of personal data

Processing by the processor shall only take place for the duration specified in Annex II.

7.4. Security of processing

  (a) The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
  (b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.5. Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

7.6 Documentation and compliance

  (a) The Parties shall be able to demonstrate compliance with these Clauses.
  (b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
  (c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
  (d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
  (e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

7.7. Use of sub-processors

  (a) The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the controller sufficient time to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
  (b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
  (c) At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
  (d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
  (e) The processor shall, where feasible, agree a third-party beneficiary clause with the sub-processor whereby, in the event the processor has factually disappeared, ceased to exist in law or has become insolvent, the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8. International transfers

  (a) Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject, and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
  (b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7 for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

Clause 8

Assistance to the controller

  (a) If the processor receives a request from a data subject, it shall refer the data subject to the controller. It shall not respond to the request itself, unless authorised to do so by the controller.
  (b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions.
  (c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
    (i) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
    (ii) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
    (iii) the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
    (iv) the obligations in Article 32 of Regulation (EU) 2016/679.
  (d) The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9

Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 Regulation (EU) 2016/679 or under Articles 34 and 35 Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.

9.1. Data breach concerning data processed by the controller

In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

  (a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
  (b) in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
    (i) the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    (ii) the likely consequences of the personal data breach;
    (iii) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
  (c) in complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2. Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after having become aware of the breach. Such notification shall contain, at least:

  (a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
  (b) the details of a contact point where more information concerning the personal data breach can be obtained;
  (c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.


SECTION III – FINAL PROVISIONS

Clause 10

Non-compliance with the Clauses and termination

  (a) Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the Master Agreement is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
  (b) The controller shall be entitled to terminate the Master Agreement insofar as it concerns processing of personal data in accordance with these Clauses if:
    (i) the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
    (ii) the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
    (iii) the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
  (c) The processor shall be entitled to terminate the Master Agreement insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1(b), the controller insists on compliance with the instructions.
  (d) Following termination of the Master Agreement, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or return all the personal data to the controller and delete existing copies, unless Union or Member State law requires storage of the personal data. If the controller has not requested to have all the personal data processed on behalf of the controller returned within thirty (30) days from the termination of the Master Agreement, the processor shall be entitled, in its sole discretion, to delete the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.

ANNEX I: LIST OF PARTIES

Controller(s):

  1. The Client (as identified in the Master Agreement or Order Form)

Processor(s):

  1. Glooko AB (as identified in the Master Agreement)


ANNEX II: DESCRIPTION OF THE PROCESSING

Categories of data subjects whose personal data is processed
– Authorized Users
– Patients

Categories of personal data processed
For Authorized Users
– General information (name)
– Contact information (email address, telephone number)
– Usage information (username, password, access rights, audit logs)

For Patients
– General information (name, date of birth, gender)
– Contact information (postal address, email address, telephone number)
– Usage information (username, password)
– Health information (diabetes type, year of diabetes diagnosis, estimated partus, target range, weight, height, treatments)
– Device information (insulin pump, glucose meter and insulin pen serial number(s), doses, carbohydrates, settings, alarms)

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
– Data concerning health

For information regarding implemented safeguards, see Annex III

Nature of the processing

Collecting, analyzing, visualizing and otherwise processing the personal data in accordance with the Master Agreement.

Purpose(s) for which the personal data is processed on behalf of the controller

To enable the controller and its Authorized Users to use the Software and other Deliverables in accordance with the Master Agreement.

Duration of the processing

For the duration of the provisioning of the Software and other Deliverables according to the Master Agreement.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing

See Annex IV

Instructions under Clause 7.8(a) of the Clauses regarding international transfers
The standard contractual clauses for international transfers (the “SCCs”) in Annex V will apply if the processor transfers personal data outside the EEA to a country not recognized by the European Commission as providing an adequate level of protection for personal data.


ANNEX III: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

  1. Purpose. This Annex describes Glooko’s security program, security certifications, and technical and organizational measures to protect (a) personal data processed by the processor on behalf of the controller from unauthorized use, access, disclosure, or theft and (b) the Software. As security threats shift and evolve, Glooko continues to update its security program and strategy to help protect personal data and the Software. As such, Glooko reserves the right to update this Annex from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Annex.
  2. Security Organization and Program. Glooko maintains a risk-based assessment security program. The framework for Glooko’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Software and confidentiality, integrity, and availability of personal data. Glooko’s security program is intended to be appropriate to the nature of the Software and the size and complexity of Glooko’s business operations. Glooko has a separate and dedicated information security team that manages Glooko’s security program. This team facilitates and supports independent audits and assessments performed by third parties. Glooko’s security framework includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response. Security is managed at the highest levels of the company, with Glooko’s Security Officer meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Glooko employees for their reference.
  3. Confidentiality. Glooko has controls in place to maintain the confidentiality of personal data in accordance with the Master Agreement. All Glooko employees and contract personnel are bound by Glooko’s internal policies regarding maintaining the confidentiality of personal data and are contractually obligated to comply with these obligations.
  4. People Security
    1. Employee Background Checks. Glooko performs background checks on all new employees at the time of hire in accordance with applicable local laws. Glooko currently verifies a new employee’s education and previous employment and performs reference checks. Where permitted by applicable law, Glooko may also conduct criminal, credit, immigration, and security checks depending on the nature and scope of a new employee’s role.
    2. Employee Training. At least once a year, all Glooko employees must complete security and privacy training which covers Glooko’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Glooko’s dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees.
  5. Third Party Vendor Management
    1. Vendor Assessment. Glooko may use third party vendors to provide the Software. Glooko carries out a security risk-based assessment of prospective vendors before working with them to validate they meet Glooko’s security requirements. Glooko periodically reviews each vendor in light of Glooko’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal/regulatory requirements. Glooko ensures that personal data is returned and/or deleted at the end of a vendor relationship.
    2. Vendor Agreements. Glooko enters into written agreements with all of its vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for personal data that these vendors may process.
  6. Architecture, Firewalls and Data Segregation. All network access between production hosts is restricted, using firewalls to allow only authorized services to interact in the production network. Firewalls are in use to manage network segregation between different security zones in the production and corporate environments. Glooko logically separates its databases. The Glooko APIs are designed and built to identify callers and to allow access only to and from the respective senders. These controls prevent customers from having access to other customers’ data.
  7. Physical Security. The data centers that host the Software are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, Glooko headquarters and office spaces have a physical security program that manages visitors, building entrances, and overall office security.
  8. Security by Design. Glooko follows security by design principles when it designs the Software. Glooko also applies the Glooko Software Development Lifecycle (SDLC) standard to perform numerous security-related activities for the Software across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment.
  9. Access Controls
    1. Provisioning Access. To minimize the risk of data exposure, Glooko follows the principle of least privilege through a team-based access-control model when provisioning system access. Glooko personnel are authorized to access personal data based on their job function, role and responsibilities, and such access requires approval of the employee’s manager. An employee’s access to personal data is removed upon termination of their employment. Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal trainings for such access, including trainings on the relevant team’s systems. Glooko logs high-risk actions and changes in the production environment. Glooko leverages automation to identify any deviation from internal technical standards that could indicate anomalous or unauthorized activity and to raise an alert within minutes of a configuration change.
    2. Password Controls. Authorized Users’ credentials are hashed before they are stored; the plaintext password is not retained. Clients may also require their Authorized Users to add another layer of security to their accounts by using two-factor authentication (2FA).
  10. Change Management. Glooko has a formal change management process it follows to administer changes to the production environment for the Software, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Software. All changes, including the evaluation of the changes in a test environment, are documented using a formal, auditable, system of record. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented in the event a deployed change needs to be rolled back to preserve the security of the Software.
  11. Encryption. For the Software, (a) the databases that store personal data are encrypted at rest using the Advanced Encryption Standard (AES), and (b) personal data is encrypted in transit between the Client’s software application and the Software using TLS v1.2.
  12. Vulnerability Management. Glooko maintains controls and policies to mitigate the risk of security vulnerabilities to balance risk and the business/operational requirements. Glooko uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in Glooko’s cloud infrastructure and corporate systems.
  13. Penetration Testing. Glooko performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated.
  14. Security Incident Management. Glooko maintains security incident management policies. Glooko’s Security Incident Response Team (T-SIRT) assesses all relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions. Glooko retains its pertinent security logs.
  15. Resilience and Software Continuity. The Software uses a variety of tools and mechanisms to achieve high availability and resiliency. For the Software, Glooko’s infrastructure spans multiple fault-independent availability zones in geographic regions physically separated from one another. Glooko also leverages specialized tools that monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these tools increase the capacity or shift traffic to relieve the condition. Glooko is also immediately notified in the event of any suboptimal server performance or overloaded capacity.
  16. Backups and Recovery. Glooko performs regular backups of personal data. Backed-up personal data is retained redundantly across multiple availability zones and encrypted in transit and at rest using the Advanced Encryption Standard.
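Two of the controls above, hashing stored credentials (item 9.2) and scoping API access so one customer cannot read another customer's data (item 6), are the ones most often implemented wrongly in practice. The following is an added example, written for this page and not Glooko's code, of how a practitioner would implement both together: a salted, memory-hard password hash with constant-time verification, and a record lookup that is scoped by the caller's tenant. The class and function names, the scrypt cost parameters, and the sample users and records are all constructed for illustration.

```python
"""Added example (not Glooko's code): salted password hashing for stored
credentials plus tenant-scoped record access. Every name, parameter and
data value below is an assumption constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

# scrypt cost parameters (assumed values; tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<hex salt>$<hex digest>'. A fresh 16-byte salt per user
    means two users with the same password get different stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so a wrong guess is not distinguishable by how early the comparison fails."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False  # malformed or unknown scheme: never treat as a match
    candidate = hash_password(password, bytes.fromhex(parts[1]))
    return hmac.compare_digest(candidate, stored)


# A throwaway hash used so that a login for an unknown username still costs
# one KDF run and does not leak account existence through timing.
DUMMY_HASH = hash_password("not-a-real-password")


class AccessDenied(Exception):
    pass


@dataclass
class User:
    username: str
    client_id: str  # the Client (controller) this Authorized User belongs to
    password_hash: str


@dataclass
class PatientRecord:
    record_id: str
    client_id: str
    payload: Dict[str, str]


@dataclass
class TenantStore:
    users: Dict[str, User] = field(default_factory=dict)
    records: Dict[str, PatientRecord] = field(default_factory=dict)

    def add_user(self, username: str, client_id: str, password: str) -> None:
        # Only the hash is stored; the plaintext is discarded here.
        self.users[username] = User(username, client_id, hash_password(password))

    def login(self, username: str, password: str) -> User:
        user = self.users.get(username)
        stored = user.password_hash if user is not None else DUMMY_HASH
        ok = verify_password(password, stored)
        if user is None or not ok:
            raise AccessDenied("invalid credentials")
        return user

    def get_record(self, user: User, record_id: str) -> PatientRecord:
        """Scope the lookup by the caller's tenant. A record that exists but
        belongs to another Client is reported exactly like a missing one, so
        guessing record ids reveals nothing about other customers' data."""
        record = self.records.get(record_id)
        if record is None or record.client_id != user.client_id:
            raise AccessDenied(f"record {record_id!r} not found for {user.client_id}")
        return record


def build_sample_store() -> TenantStore:
    """Constructed sample data: two Clients, one user and one record each."""
    store = TenantStore()
    store.add_user("alice@clinic-a.example", "client-a", "correct horse battery")
    store.add_user("bob@clinic-b.example", "client-b", "hunter2-but-longer")
    store.records["rec-1"] = PatientRecord("rec-1", "client-a", {"diabetes_type": "1"})
    store.records["rec-2"] = PatientRecord("rec-2", "client-b", {"diabetes_type": "2"})
    return store


if __name__ == "__main__":
    s = build_sample_store()
    alice = s.login("alice@clinic-a.example", "correct horse battery")
    print(s.get_record(alice, "rec-1").payload)
    try:
        s.get_record(alice, "rec-2")  # other tenant's record: denied
    except AccessDenied as e:
        print("denied:", e)
```

The design choice worth noting is that the tenant check is inside the data access path, not in the HTTP layer: whatever route or parameter delivers `record_id`, the store itself refuses to return a record for a different `client_id`, and it does so with the same error as for a nonexistent record.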


ANNEX IV: LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

  1. Name: Amazon Web Services EMEA SARL
    Address: 38 Avenue John F. Kennedy, L-1855, Luxembourg

    Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Cloud service provider

  2. Name: Cegedim SA
    Address: 137 rue d’Aguesseau, 92100 Boulogne-Billancourt, France

    Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Cloud service provider (can be used for Clients located in France)

  3. Name: Pictime Groupe
    Address: Campus du Digital 61, rue de l’Harmonie – 59262 Sainghin-en-Mélantois, France

    Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Certified Health Data Host (can be used for Clients located in France and Germany)


ANNEX V: Standard Contractual Clauses for International Transfers (the “SCCs”)

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

Footnote 1: Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8 – Module One: Clause 8.5(e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1(b) and Clause 8.3(b);

(iii) Clause 9 – Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);

(iv) Clause 12 – Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18 – Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Optional

Docking clause

Not applicable

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

(a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

(b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

(c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

(d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2 Security of processing

(a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

(b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

(c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Documentation and compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9

Use of sub-processors

Not applicable

Clause 10

Data subject rights

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

Footnote 2: This includes whether the transfer and further processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13

Supervision

Not applicable

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

Not applicable

Clause 15

Obligations of the data importer in case of access by public authorities

Not applicable

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of the country as specified in the Master Agreement.

Clause 18

Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of the country as specified in the Master Agreement.

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: The Glooko entity as specified in the Master Agreement

Address: As specified in the Master Agreement

Contact person’s name, position and contact details: Jesper Forster, Data Protection Officer. Glooko AB, Nellickevägen 20B, 412 63 Gothenburg, Sweden. Email: [email protected]

Activities relevant to the data transferred under these Clauses: Providing the Deliverables as specified in applicable Order Form

Signature and date: As specified in applicable Order Form according to the Master Agreement

Role (controller/processor): Processor

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: Client (as specified in applicable Order Form)

Address: Client address (as specified in applicable Order Form)

Contact person’s name, position and contact details: Client address (as specified in applicable Order Form)

Activities relevant to the data transferred under these Clauses: To receive the Deliverables as specified in applicable Order Form

Signature and date: As specified in applicable Order Form according to the Master Agreement

Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred
– Client’s Authorized Users
– Patients

Categories of personal data transferred

Client’s Authorized Users
– General information (name)
– Contact information (email address, telephone number)
– Usage information (username, password, access rights, audit logs)

Patients
– General information (name, date of birth, gender)
– Contact information (postal address, email address, telephone number)
– Usage information (username, password)
– Health information (diabetes type, year of diabetes diagnosis, estimated partus, target range, weight, height, treatments)
– Device information (insulin pump, glucose meter and insulin pen serial number(s), doses, carbohydrates, settings, alarms)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
– Health information (diabetes type, year of diabetes diagnosis, estimated partus, target range, weight, height, treatments)

Access restrictions to personnel on a need-to-know basis (for both the processor and the controller)

Record of access to the data is logged

Data in transit and at rest are encrypted

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The personal data is stored by the processor, but can be accessed by the controller at any time (if e.g. the Deliverables consist of a software as a service). Personal data could in those instances be considered as transferred from the EEA to a third country.

Nature of the processing

Upload, compute, analyze, visualize, transfer and otherwise process personal data to enable Authorized Users to use the Deliverables.

Purpose(s) of the data transfer and further processing

The purpose of the data transfer is to enable the Client to use the Deliverables.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The Processing is not time-limited and shall be performed for as long as the Deliverables are being provided or until the applicable data processing agreement is terminated.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Not applicable

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

Not applicable

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Not applicable

ANNEX III

LIST OF SUB-PROCESSORS

Not applicable