This Data Processing Agreement (“DPA”) forms a part of the Terms of Service or another agreement such as master subscription agreement entered between NurseBuddy and its customer identified in such agreement or the applicable signup form (“Customer”), in which case, it forms a part of such agreement (in either case, the “Agreement”).
By accepting the Agreement or by separately signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Controller Affiliates (defined below). For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Controller Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Service under the Agreement, NurseBuddy may Process certain Personal Data (such terms defined below) on behalf of Customer. In such event NurseBuddy may be regarded as a Processor and the Customer as Controller under the applicable Data Protection Laws. Where NurseBuddy Processes such Personal Data as Processor on behalf of Customer the Parties agree to comply with the terms and conditions of this DPA in connection with such processing of Personal Data.
HOW THIS DPA APPLIES TO CUSTOMER AND ITS AFFILIATES
This DPA is part of the Agreement. By accepting the Agreement the Customer agrees to be bound to this DPA.
If the Customer entity signing this DPA has executed a signup form with NurseBuddy or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that signup form and applicable renewal signup forms, and the NurseBuddy entity that is party to such signup form is party to this DPA.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means all laws and regulations, including laws and binding regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement including the GDPR.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Laws and is submitted as Customer Data.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Security Practices Datasheet” means NurseBuddy’s Security Practices Datasheet, as updated from time to time (see Exhibit A).
“NurseBuddy” means the NurseBuddy entity which is a party to this DPA being Loikka Design Ltd. (having the Finnish company registration number 2482476-8 and the address Pinninkatu 47, 33100 Tampere, Finland)
“Sub-processor” means any entity engaged by NurseBuddy to Process Personal Data in connection with the Service.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and NurseBuddy is the Processor. NurseBuddy may engage Sub-processors pursuant to the requirements set forth in Section 4 “Sub-processors” below.
2.2 Customer’s Processing of Personal Data. Customer shall, in its use of the Service and provision of instructions, Process Personal Data in accordance with the requirements of applicable Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3 NurseBuddy’s Processing of Personal Data. As Customer’s Processor, NurseBuddy shall only Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and other applicable agreements as necessary to provide NurseBuddy’s Service; (ii) Processing initiated by the Customer’s authorized users in their use of the Service; and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the “Purpose”). NurseBuddy acts on behalf of and on the instructions of Customer in carrying out the Purpose.
2.4 Details of the Processing. NurseBuddy will Process Customer’s Personal Data as long as this Agreement is valid and delete it according to Section 7. Personal Data includes all the information that Customer has recorded in NurseBuddy, concerning their employees, clients and contact persons for clients.
2.5 Transfer of personal data outside of the EEA. NurseBuddy Processes the Personal Data within the EEA. In the event NurseBuddy would transfer personal data outside of the EEA it shall notify the Customer of such transfer and the Customer may object such transfer by following the steps described in Section 4.3. Further, NurseBuddy take such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Such measures may include, for instance, transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection (e.g. the Privacy Shield framework of the U.S.) for personal data or to a recipient that has executed the SCC adopted or approved by the European Commission. NurseBuddy agrees to execute applicable SCC approved by the European Commission if required by the Customer.
2.6 Assistance. As may be required by applicable Data Protection Laws, NurseBuddy shall assist the Customer in complying with its statutory obligations under applicable Data Protection Laws such as performing data protection impact assessments and consulting Supervisory Authority and provide the Customer with such information that may be required for showing compliance with the DPA and the applicable Data Protection laws.
3. RIGHTS OF DATA SUBJECTS
3.1 Data Subject Requests. NurseBuddy shall, to the extent legally permitted, promptly notify Customer if NurseBuddy receives any requests from a Data Subject to exercise the following Data Subject rights: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). Taking into account the nature of the Processing, NurseBuddy shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under applicable Data Protection Laws. In addition, to the extent Customer, in its use of the Service, does not have the ability to address a Data Subject Request, NurseBuddy shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent NurseBuddy is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Laws. Customer shall be responsible for any costs arising from NurseBuddy’s provision of such assistance in accordance with NurseBuddy’s applicable rates, including any fees associated with provision of additional functionality.
4.1 Appointment of Sub-processors. Customer acknowledges and agrees that NurseBuddy may engage third-party Sub-processors in connection with the provision of the Service. As a condition to permitting a third-party Sub-processor to Process Personal Data, NurseBuddy will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the Sub-processor Services provided by such Sub-processor.
4.2 List of Current Sub-processors and Notification of New Sub-processors. A current list of Sub-processors for the Service, including the identities of those Sub-processors and their country of location, is accessible in Exhibit B (“Sub-processor Lists”). Customer may receive notifications of new Sub-processors by sending an email request to firstname.lastname@example.org with the subject “Subscribe”, and if a Customer contact subscribes, NurseBuddy shall provide the subscriber with notification of new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Service.
4.3 Objection Right for New Sub-processors. Customer may reasonably object to NurseBuddy’s use of a new Sub-processor (e.g., if making Personal Data available to the Sub-processor may violate applicable Data Protection Law or weaken the protections for such Personal Data) by notifying NurseBuddy promptly in writing within ten (10) business days after receipt of NurseBuddy’s notice in accordance with the mechanism set out in Section 4.2. Such notice shall explain the reasonable grounds for the objection. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, NurseBuddy will use commercially reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If NurseBuddy is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate without penalty the applicable Agreement by providing written notice to NurseBuddy.
4.4 Liability. NurseBuddy shall be liable for the acts and omissions of its Sub-processors to the same extent NurseBuddy would be liable if performing the Sub-processor Services, directly under the terms of this DPA.
5.1 Controls for the Protection of Customer Data. NurseBuddy shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in the Security Practices Datasheet. NurseBuddy regularly monitors compliance with these measures. NurseBuddy will not materially decrease the overall security of the Service during a subscription term.
5.2 Customer Audits. Customer may contact NurseBuddy in accordance with the “Notices” Section of the Agreement to request an on-site audit of NurseBuddy’s procedures relevant to the protection of Personal Data, but only to the extent required under applicable Data Protection Law. Customer shall reimburse NurseBuddy for any time expended for any such on-site audit at the NurseBuddy’s then-current rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and NurseBuddy shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by NurseBuddy. Customer shall promptly notify NurseBuddy with information regarding any non-compliance discovered during the course of an audit, and NurseBuddy shall use commercially reasonable efforts to address any confirmed non-compliance.
6. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
NurseBuddy maintains security incident management policies and procedures specified in the Security Practices Datasheet. NurseBuddy shall notify Customer of any breach relating to Personal Data (within the meaning of applicable Data Protection Law) of which NurseBuddy becomes aware and which may require a notification to be made to a Supervisory Authority or Data Subject under applicable Data Protection Law or which NurseBuddy is required to notify to Customer under applicable Data Protection Law (a “Customer Data Incident”). NurseBuddy shall provide commercially reasonable cooperation and assistance in identifying the cause of such Customer Data Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within NurseBuddy’s control.
7. RETURN AND DELETION OF CUSTOMER DATA
Upon termination of the Service, NurseBuddy shall, upon Customer’s request, and subject to the limitations described in the Agreement and the Security Practices Datasheet, return all Customer Data and copies of such data to Customer or securely destroy them and demonstrate to the satisfaction of Customer that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Customer Data. For clarification, depending on the Service plan purchased by Customer, Customer Data export may incur additional charge(s) and/or require purchase of a Service upgrade. NurseBuddy agrees to preserve the confidentiality of any retained Customer Data and will only actively Process such Customer Data after such date in order to comply with the laws it is subject to.
8. LIMITATION OF LIABILITY
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Controller Affiliates and NurseBuddy, whether in contract, tort or under any other theory of liability is limited to fifteen (15) percent of the sum paid by the Customer to NurseBuddy for the Service during the 12 months preceding the cause for the claim. Neither Party is liable for indirect damages, such as production loss, loss of profit, expected savings or cover purchases.
9. GOVERNING LAW
This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of Finland.