PreMO Data Processing Agreement
Last Updated: 25 Sep 2023
This page contains a copy of PreMO's Data Processing Agreement. We provide signed copies of this Data Processing Agreement on request to customers. To request a signed copy please email: email@example.com
1.1 "Personal Data," "Data Controller," "Data Processor," and "Data Subject" shall have the meanings ascribed to them under the EU General Data Protection Regulation 2016/679 ("GDPR").
2. PURPOSE, SCOPE AND RESPONSIBILITIES
2.1 PreMO shall process personal data solely in accordance with the terms specified in this Data Processing Agreement (DPA).
2.2 The optometrist (Customer) is the Data Controller of the patient data, while PreMO functions as the Data Processor, except where indicated in Section 2.9.
2.3 PreMO is obligated to process patient data solely for fulfilling the responsibilities outlined in the Agreement, following the Customer's lawful instructions and in compliance with Applicable Data Protection Laws.
2.4 The Customer shall ensure that their data processing instructions are compliant with applicable laws and regulations. The Customer holds sole responsibility for the accuracy, quality, and legality of the data provided.
2.5 Data processing actions conducted by PreMO shall be confined to those specifically detailed in the Agreement. Any expansion of this scope requires mutual consent.
2.6 PreMO shall promptly inform the Customer if an instruction violates Applicable Data Protection Laws, detailing the nature of the breach or potential breach.
2.7 This DPA remains effective until either the Agreement is terminated or PreMO ceases to process data for the Customer.
2.8 PreMO will not process financial data or other categories of Sensitive Data.
2.9 PreMO may also act as an independent Data Controller for specific legitimate business operations, detailed herein.
2.10 Exhibit 1 outlines the types, categories, and purposes of data processed by PreMO.
3. DATA PROCESSING
3.1 PreMO will exclusively process patient data for generating Myopia risk calculations and sending PDFs to parents. Additionally, certain specified legitimate business operations may require data processing, subject to the following conditions:
i) Post-market surveillance for medical device regulation compliance;
ii) Data anonymisation and aggregation for industrial sponsor evaluation;
iii) Data sharing with research partners upon obtaining consent.
4. OBLIGATIONS OF PreMO AS DATA PROCESSOR
4.1 PreMO warrants that it will:
i) Comply with Applicable Data Protection Law, including but not limited to the General Data Protection Regulation (GDPR), relevant to PreMO's obligations under this Agreement;
ii) Implement appropriate technical and organisational measures in accordance with industry best practices, such as secure data transmission and encrypted storage, to ensure that data processing meets the requirements of Applicable Data Protection Law and adequately protects the rights of the data subjects. All data will be stored in secure databases managed through Google Firestore, which will serve as a Sub-processor;
iii) Make available to the Data Controller all information reasonably necessary to demonstrate compliance with the obligations outlined in this Data Processing Agreement (DPA). This includes, but is not limited to, records of data processing activities and security measures;
iv) Reasonably cooperate with any audits performed by the Data Controller or its independent auditor, at the Data Controller’s own expense and no more than once per year. Audits will include the examination of facilities, data storage, and processing activities under the control of PreMO.
5. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
5.1 PreMO shall implement and maintain, throughout the term of this DPA, appropriate technical and organisational security measures to protect Personal Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access. These measures shall include secure data transmission protocols and encrypted storage solutions. All data will be stored in Google Firestore, which serves as a subprocessor.
5.2 PreMO shall ensure compliance with minimum data security requirements, as specified in Exhibit 2. These requirements may be updated from time to time, provided that any updates do not degrade or diminish the overall security of the Services.
5.3 The Data Controller has evaluated the security measures implemented by PreMO and agrees that they provide an appropriate level of protection for Personal Data.
6.1 PreMO shall ensure that any personnel required to access Personal Data have committed to an obligation of confidentiality, or are under a statutory obligation of confidentiality.
6.2 PreMO shall ensure that personnel required to access Personal Data are informed of the confidential nature of such data and are trained in the security procedures applicable to the processing of or access to Personal Data.
6.3 The confidentiality obligations of PreMO's personnel shall survive the termination of their engagement and the term of this DPA.
7. ASSISTANCE TO THE DATA CONTROLLER
7.1 PreMO shall provide reasonable and timely assistance to the Data Controller, through appropriate technical and organisational measures, enabling them to respond to: (i) any request from a data subject to exercise any rights under Applicable Data Protection Law (including rights of access, correction, objection, erasure, and data portability); and (ii) any other correspondence, enquiry, or complaint received from a data subject, regulator, or other third party concerning the processing of Personal Data.
7.2 PreMO shall assist the Data Controller with any data protection impact assessment required by Applicable Data Protection Law, and in consultations with regulatory authorities where necessary.
8.1 The Sub-processors currently approved by the Data Controller are listed at Exhibit 4. The Data Controller hereby gives a general authorisation for PreMO to engage additional Sub-processors, provided PreMO shall:
Maintain an up-to-date list of its Sub-processors at Exhibit 4 or any future website used by PreMO;
Provide at least 30 days prior notice to the Data Controller of any change to its Sub-processors, except in cases of emergency concerning Service availability or security;
Execute a written agreement obligating the Sub-processor to (i) protect Personal Data to the same extent required of PreMO under this Agreement; and (ii) comply with Applicable Data Protection Law.
8.2 If the Data Controller objects to a new Sub-processor within 30 days of receiving notice, both parties shall negotiate in good faith to find an alternative solution. If an alternative solution cannot be found, the Data Controller may terminate the Agreement with 30 days prior written notice.
8.3 PreMO shall be liable for the acts or omissions of its Sub-processors to the same extent as if PreMO were performing the services directly under the terms of this DPA.
9. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
9.1 The Data Controller acknowledges and agrees that PreMO may transfer Personal Data to its authorised Sub-processors in third countries, in compliance with EU Data Protection Law, UK Data Protection Law, and this DPA.
9.2 Any transfer of Personal Data from the EEA, Switzerland, or the United Kingdom to a Restricted Country will be subject to Standard Contractual Clauses and any other supplementary measures required for lawful data transfer.
9.3 If any Personal Data originates from a country with data transfer restrictions or prohibitions, and the Data Controller has informed PreMO of such, both parties shall ensure an appropriate transfer mechanism is in place before transferring or accessing data outside of that country.
10. OBLIGATIONS OF THE DATA CONTROLLER
10.1 The Data Controller and PreMO will be separately responsible for conforming with Applicable Data Protection Law relevant to their respective obligations under this Agreement.
10.2 The Data Controller shall inform PreMO in writing without undue delay following the Data Controller's discovery of a failure to comply with Applicable Data Protection Law in relation to the processing of Personal Data under this DPA.
10.3 The Data Controller shall be responsible for providing accurate and relevant contact details at the time of entering into this Agreement and thereafter to assist with PreMO's notification obligations.
10.4 The Data Controller represents and warrants that it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents and rights required under Applicable Data Protection Law for PreMO to process Personal Data for the purposes of this Agreement.
11. NOTIFICATION OF DATA BREACH
11.1 PreMO shall notify the Data Controller in writing without undue delay and no later than 48 hours after identifying any Data Breach affecting Personal Data processed under this Agreement.
11.2 The notification referred to in Section 10.1 will, to the extent possible:
a) Describe the nature of the Data Breach, including the categories and approximate number of data subjects concerned, and the categories and approximate volume of Personal Data impacted;
b) Provide PreMO's contact details where further information can be obtained;
c) Describe the likely consequences of the Data Breach; and
d) Describe the measures taken or proposed to be taken by PreMO to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
12. ADDITIONAL ASSIGNMENTS
12.1 In the event that tasks are assigned to PreMO that are not an obligation under this DPA and extend beyond PreMO's statutory obligations, PreMO shall be entitled to charge the Data Controller for the additional resources, time, and material necessary to complete the task(s), unless such services are already included in the Services outlined in the Agreement.
12.2 PreMO will notify the Data Controller in advance of any additional charges and, to the extent possible, provide the Data Controller with a quote of the anticipated costs.
12.3 If the Data Controller does not agree to the costs, PreMO is under no obligation to carry out the additional assignment.
13. DELETION AND RETURN OF PERSONAL DATA
13.1 Upon the termination or expiration of the Agreement, PreMO will retain Data Controller's Data in a securely isolated account for 90 days, protected from any further processing. After the 90-day retention period concludes, PreMO will either delete all Personal Data or irreversibly anonymise it, unless legally required or permitted to retain such data.
13.2 At the Data Controller's request, PreMO shall certify in writing that all Personal Data has been destroyed or completely anonymised.
14. LAW ENFORCEMENT REQUESTS
14.1 If a court or law enforcement authority issues a demand for Personal Data, PreMO will first assess its legitimacy. If obligated to comply, PreMO will promptly notify the Data Controller and provide a copy of the request, unless legally prohibited from doing so.
14.2 PreMO will only cooperate with lawful requests and, when possible, will object to any such requests that are not legally justifiable. PreMO will not disclose more Personal Data than is strictly required to comply with the lawful request.
15. JURISDICTION-SPECIFIC TERMS
15.1 In the event that PreMO processes Personal Data originating from and protected by Applicable Data Protection Law in one of the specified jurisdictions, the terms laid out in Exhibit 3 (Jurisdiction Specific Terms) of this DPA will apply in addition to the terms herein.
16.1 The liability of each party for one or more breaches of this DPA shall be governed by the limitations and exclusions of liability set out in the Agreement.
17. LEGAL VENUE AND APPLICABLE LAW
17.1 This DPA shall be governed by the laws of the United Kingdom.
17.2 Any claim or dispute arising from or in connection with this DPA must be settled by the Courts of the United Kingdom as the court of first instance.
Data Processor: PreMO
Exhibit 1: Types, Categories, and Purposes of Data Processing
Types of Data:
Patient's first name and last name: Identification within the system.
Patient email: Exclusively for sending PDFs to parents.
Parental myopia status: Part of the risk calculation algorithm.
Sex: Part of the risk calculation algorithm.
Date of birth: Part of the risk calculation algorithm.
Ethnicity: Part of the risk calculation algorithm.
Left or right eye data: Part of the risk calculation algorithm.
Sphere, cylinder, and axis values: Part of the risk calculation algorithm.
Cycloplegic or non-cycloplegic data: Part of the risk calculation algorithm.
Axial length or keratometry value: Part of the risk calculation algorithm.
Identification Data: Includes patient's first name, last name, and email.
Health Data: Includes parental myopia status, left or right eye data, sphere, cylinder, axis values, cycloplegic or non-cycloplegic data, axial length or keratometry value.
Demographic Data: Includes sex, date of birth, and ethnicity.
Myopia Risk Calculations: Data used to compute risk factors related to Myopia for patients.
Communication: Sending PDFs to parents regarding Myopia risk.
System Operations: Data used for identification and efficient system functioning.
The Data Processor will retain and process the Personal Data for as long as the patient is present within the system, or for any longer period as may be required by applicable law or regulation. After this period, the Data Processor will either delete or anonymise the Personal Data, in accordance with the Data Controller's preference and applicable laws.
Exhibit 2: Minimum Security Requirements
This Exhibit details the security arrangements and protocols that PreMO implements to protect the data we process:
1. Access Control
1.1 Secure username and password protocols must be in place, integrated with Google Authentication.
1.2 Two-Factor Authentication (2FA) must be implemented for accessing sensitive or secure areas within Google Enterprise Suite; this includes Firebase and Google Authentication.
2. Data Encryption
2.1 All Personal Data stored in Google Firestore must be encrypted during transmission and at rest.
2.2 Use Google’s Advanced Encryption Standard (AES) 256-bit encryption or equivalent for all data.
3.1 Use Google Enterprise's built-in firewall capabilities to protect against unauthorised access.
3.2 Regularly review and update firewall settings in line with Google's recommended best practices.
4. Data Backup
4.1 Daily automated backups of Personal Data must be configured within Google Firestore.
4.2 Backup data must also be encrypted and may be stored in Google's secure cloud storage solutions.
5. Physical Security
5.1 Utilise Google Enterprise’s data centres which are equipped with round-the-clock security personnel.
5.2 Ensure that only authorised personnel have access to Google Enterprise's admin console.
6. Security Audits
6.1 Conduct regular security audits within Google Enterprise and the PreMO app, at least annually.
6.2 Audit logs from Google Firestore and Google Authentication must be reviewed and retained.
7. Incident Response Plan
7.1 Implement an incident response plan using Google Enterprise’s built-in incident management features.
7.2 Train staff on Google Enterprise's incident response features and protocols.
8. Subprocessor Security
8.1 Any Subprocessors, including Google Firestore, must meet these minimum security requirements.
8.2 Regularly review Google’s compliance reports and conduct audits when necessary.
9. Data Retention and Disposal
9.1 Personal Data in Google Firestore should be retained only for the period necessary to fulfil the purposes identified in this Agreement.
9.2 Utilise secure methods for data destruction within Google’s services.
10. Employee Training
10.1 All employees with access to Google Enterprise and the PreMO app must undergo security and privacy training.
10.2 Maintain records of training within Google Enterprise’s documentation features.
Exhibit 3: Jurisdiction-Specific Terms
1. United Kingdom
1.1 For Personal Data originating from the United Kingdom, PreMO shall adhere to the UK Data Protection Act 2018.
2.2 Any cross-border data transfers will be subjected to the adequacy decisions or Standard Contractual Clauses as per UK law.
Exhibit 4: List of Sub-processors
This Exhibit outlines the sub-processors engaged by PreMO for the processing of Personal Data under the terms of this Data Processing Agreement.
Current Sub-processors:
Google Cloud Services
Purpose: Cloud Computing Services, Data Storage, Authentication
Data Types: Personal Data as required for providing the services, which may include names, email addresses, and usage data.
Safeguards: Encryption in transit and at rest, multi-factor authentication, ISO 27001 Certification.
Purpose: Email Communication Services
Data Types: Personal Data as required for sending emails, which may include names and email addresses.
Safeguards: Encryption in transit and at rest, compliance with GDPR and other data protection laws.