Last updated: 15.9.2023
This Data Processing Agreement (“Agreement”), is entered into by tech2people GmbH, c/o Kerbler Holding Parkring 12/1/23, A-1010 Vienna (“t2p” or “data processor“) and you or the entity you represent (“data controller”) and sets forth the terms under which the data processor will process personal data in connection with the data controller’s use of its services. Data processor and data controller are referred to in the following either together or singly as the “parties“ and the “party“.
1. Subject matter of the Agreement
- Abilitate – therapy companion is a specialised software solution for therapists (“abilitate”). It will be made available as a web application via the abilitate webpage, https://abilitate.at/. The software administers all the data stored by the data controller, its employees or agents. The provision of the services is governed by the abilitate – Terms of Service, available under the following link: https://abilitate.at/terms-of-service/.
- The services and the associated processing of personal data are described in the abilitate – Terms of Service. In the context of the provision of abilitate, the data processor shall process personal data for the described purposes on behalf of the data controller in accordance with this Agreement. This Agreement is to be considered a supplementary document to the abilitate – Terms of Service.
- Annexes A to C are attached to the Agreement and form an integral part of the Agreement.
- Annex A contains details about the processing and transfer of personal data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing. The data processor may update the descriptions of processing from time to time to reflect new features, functionality or products comprised within the provided services (Sec 14).
- Annex B contains a list of sub-processors authorised by the data controller.
- Annex C contains technical and organisational measures implemented by the data processor.
- The Agreement shall take priority over any similar provisions contained in other agreements between the parties.
- The Agreement shall not exempt the data processor from obligations to which the data processor is subject pursuant to the General Data Protection Regulation (the GDPR) or other legislation.
2. The obligations of the data controller
- The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State data protection provisions and the Agreement.
- The data controller shall be responsible, among other things, for providing privacy notices and ensuring that processing of personal data has a legal basis. In particular, the data controller obtained (or will obtain) all consents and rights necessary for the data processor to process personal data (including but not limited to any special categories of personal data) and provide the services pursuant to the abilitate – Terms of Service. This applies in particular to optional features and functionalities of the services such as analytics, research insights and recommendations, the use of anonymised and aggregated data, and research and development carried out by the data processor.
- The data controller shall ensure that it deletes or instructs the data processor to delete any data it has provided to the data processor under this Agreement if such data must be deleted in accordance with applicable data protection legislation.
- The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions can also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
- The data processor shall immediately inform the data controller if instructions given by the data controller, in the opinion of the data processor, contravene the GDPR or the applicable EU or Member State data protection provisions.
- The data processor shall only grant access to the personal data being processed on behalf of the data controller to persons under the data processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need to know basis. The list of persons to whom access has been granted shall be kept under periodic review.
- The data processor shall at the request of the data controller demonstrate that the concerned persons under the data processor’s authority are subject to the abovementioned confidentiality.
5. Security of processing
- The data processor shall at least implement the technical and organisational measures specified in Annex C to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
- The technical and organisational measures are subject to technical progress and further development. The data processor may implement alternative adequate measures from time to time (Sec 14). In so doing, the security level of the defined measures must not be reduced.
6. Use of sub-processors
- The data processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).
- The data processor shall therefore not engage another processor (sub-processor) for the fulfilment of the Agreement without the prior general written authorisation of the data controller.
- The data processor has the data controller’s general authorisation for the engagement of sub-processors. The data processor shall inform in writing the data controller of any intended changes concerning the addition or replacement of sub-processors at least 15 days in advance, thereby giving the data controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). The list of sub-processors already authorised by the data controller can be found in Annex B.
- Where the data processor engages a sub-processor for carrying out specific processing activities on behalf of the data controller, substantially the same data protection obligations as set out in the Agreement shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law. The data processor shall therefore be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Agreement and the GDPR.
- A copy of such a sub-processor agreement and subsequent amendments shall – at the data controller’s request – be submitted to the data controller, thereby giving the data controller the opportunity to ensure that the same data protection obligations as set out in the Agreement are imposed on the sub-processor. Provisions on business related issues that do not affect the legal data protection content of the sub-processor agreement shall not require submission to the data controller.
- If the sub-processor does not fulfil its data protection obligations, the data processor shall remain fully responsible to the data controller as regards the fulfilment of the obligations of the sub-processor.
7. International transfers
- Personal data will be physically stored exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA).
- Any transfer of personal data to third countries or international organisations by the data processor shall only occur on the basis of documented instructions from the data controller or in order to fulfil a specific requirement under Union or Member State law to which the data processor is subject and shall always take place in compliance with Chapter V of the GDPR.
- The data controller agrees that where the data processor engages a sub-processor for carrying out specific processing activities on behalf of the data controller (Sec 6) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, the data processor and the sub-processor can ensure compliance with Chapter V of the GDPR by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of the GDPR (“SCC”), provided the conditions for the use of those SCC are met. These SCC are available under the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN
- Where the data controller is situated in a country outside the EU and the EEA and the relevant processing of personal data is not subject to the GDPR, the SCC shall be incorporated in this Agreement.
The SCC are modular, containing sections that relate to a specific type of entity or transfer. For the purpose of abilitate – Terms of Service and any transfer of personal data to third countries, only the modular sections in Module 4 (Processor-Controller) shall apply, in addition to all general sections, subject to the following:
- The optional clause 7 “Docking clause” shall not apply.
- The certification of deletion required by Clause 8.1(d) of the SCC will be provided upon your written request (Sec 10).
- The assistance the data processor is required to provide under Clause 8.2(b) of the SCC is that assistance required of the data processor under this Agreement (Sec 8).
- The audit described in Clause 8.3(b) of the SCC will be carried out in accordance with this Agreement (Sec 11).
- The optional paragraph in clause 11 (a) “Redress” shall not apply.
- Clause 14 and Clause 15 are not applicable.
- With regard to clause 17 “Governing Law”, the “Governing Law and Jurisdiction” Sec 16 of this Agreement shall apply.
- With regard to clause 18 “Choice of Forum and Jurisdiction”, Sec 16 of this Agreement shall apply to any dispute arising from the SCC.
- With regard to Annex I A of the SCC, the data processor shall be the “data exporter” acting as a “processor” and the data controller shall be the “data importer” acting as a “controller”.
- With regard to Annex I B, the “Description of the transfer” is provided in Annex A of this Agreement.
8. Assistance to the data controller
- The data processor shall promptly notify the data controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
- The data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations, the data processor shall comply with the controller’s instructions.
- Taking into account the nature of the processing and the information available to the data processor, the data processor shall assist the data controller in ensuring compliance with:
- the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
- the data controller’s obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk;
- the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
- the data controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR.
9. Notification of personal data breach
- The data processor shall cooperate with and assist the data controller in complying with its obligations under Articles 33 and 34 of the GDPR, where applicable, taking into account the nature of processing and the information available to the data processor.
- In case of any personal data breach, the data processor shall, without undue delay after having become aware of it, notify the data controller of the personal data breach.
- The data processor shall assist the data controller in notifying the personal data breach to the competent supervisory authority and, where applicable, in communicating the personal data breach to the data subject, meaning that the data processor is required to assist in obtaining the information listed below:
- the nature of the personal data including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
10. Erasure and return of data
- After the termination of the Agreement (Sec 13), the data processor shall within a reasonable time delete, anonymise or return to the data controller all personal data processed on behalf of the data controller.
- Retention period and retransfer of data are governed by the abilitate – Terms of Service (Sec 1).
- The data processor shall certify to the data controller that it has deleted all personal data processed on behalf of the data controller.
11. Audit and inspection
- The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this Agreement and allow for and contribute to audits, including inspections, at reasonable intervals, but not more than once every twelve months, or if there are indications of non-compliance. Audits may be conducted by the data controller or independent auditor mandated by the data controller, at the sole cost and expense of the data controller and with reasonable notice.
- The data processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the data controller’s and data processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor’s physical facilities on presentation of appropriate identification.
Except where otherwise provided by mandatory law, liability under this Agreement shall be the same as under the abilitate – Terms of Service (Sec 1).
13. Term and termination
- The Agreement shall apply for the duration of the provision of personal data processing services (Sec 1). For the duration of the provision of personal data processing services, the Agreement cannot be terminated unless another agreement governing the provision of personal data processing services has been agreed between the parties.
- If the provision of personal data processing services is terminated, the personal data shall be deleted or returned to the data controller (Sec 10).
14. Modification of the Agreement
Data processor may make changes to this Agreement (and any linked documents) from time to time. Data processor will provide at least 30 days’ advance notice for material changes to the Agreement by sending an email to the data controller’s email address.
Data controller’s continued use of the services (Sec 1) after such material change will constitute data controller’s consent to such changes.
15. Data Protection Point of Contact
- The data controller shall contact the data processor using the following contact point:
  - Data Protection Officer at firstname.lastname@example.org with CC: email@example.com
- The data processor shall inform the data controller of any changes to the contact points.
16. Final provisions
- This Agreement shall be governed by and construed in accordance with the laws of the Republic of Austria without regard to the UN Convention on the International Sale of Goods (CISG).
- The courts of Vienna, Republic of Austria, shall have exclusive jurisdiction over any dispute arising out of or in connection with this Agreement.
- Amendments and additions to this Agreement, including amendments to or a waiver of this written form requirement shall be made in writing.
- Should individual terms of this Agreement be or become invalid or unenforceable or in case this Agreement contains omissions, this shall not affect the validity of the remaining terms. Instead of the invalid, unenforceable or missing term, such valid and enforceable term shall be deemed to have been agreed upon between the parties which the parties would reasonably have agreed upon taking into account the economic purpose of this Agreement had they been aware at the conclusion of this Agreement that the relevant term was invalid, unenforceable or missing.
Annex A Description of the Processing Activities and Transfer
A.1. Processing includes the following categories of data subject:
- Data controller as a customer of the data processor
- Employees or agents of the data controller (referred to in the following together with the data processor either together or singly as the “users“ and the “user“)
- Patients or other clients of the data controller
A.2. The processing includes the following categories of personal data about data subjects:
- User data (e.g. name, e-mail address, telephone number, address), identifier associated with user account, payment and purchase data;
- Health and medical data (e.g. diagnosis, symptoms, therapy data such as limitations, functions and environment of the patient [ICF coding] and therapy diary), appointment data of the user’s patients, employees and agents;
- Files of any kind that the data controller or its employees or agents store in the system (e.g. reports, photos).
A.3. The data processor’s processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):
The nature of the processing (incl. transfer) is described in the abilitate – Terms of Service (Sec 1). It includes but is not limited to collection, structuring, storage, transmission, or otherwise making available personal data by automated means and in accordance with product and service functionalities.
A.4. The purpose(s) of the data processor’s processing of personal data on behalf of the data controller is:
- Provision of health or social care or treatment between the data controller as a health professional and its patients or clients
- Hosting, transmission, storage and display of personal data.
- Enabling the use of various features and functionalities of the services such as analytics, research insights and recommendations, as described in the abilitate – Terms of Service (Sec 1), including by enabling the use of anonymised and aggregated data
A.5. The data processor’s processing of personal data on behalf of the data controller may be performed when the Agreement commences. Processing has the following duration:
The duration of the agreement is tied to the provision of personal data processing services (Sec 13).
A.6. Frequency of the transfer
A.7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The data processor retains personal data for as long as required for its own legitimate purposes, in accordance with this Agreement. The criteria used to determine retention periods include:
- The duration of the provision of personal data processing services (Sec 1).
- Whether the data controller or its employees or agents modify or delete information during the duration of the Agreement
- Whether the data processor has a legal obligation to keep the data (for example, certain laws require it to keep records for a certain period of time)
- Whether retention is required by the data processor’s legal position (such as in regard to the enforcement of agreements, the resolution of disputes, and applicable statutes of limitations, litigation, or regulatory investigation).
A.8. Competent supervisory authority
The competent supervisory authority of the data processor as data exporter will be determined in accordance with the GDPR. The supervisory authority applicable to the data exporter in its EEA country of establishment is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, telephone: +43 1 52 152-0, e-mail: firstname.lastname@example.org, website: https://dsb.gv.at.
Annex B Authorised sub-processors
On commencement of the Agreement, the data controller authorises the engagement of the following sub-processors:
| Address | Contact | Function | Duration |
|---|---|---|---|
| One Microsoft Way, Redmond, WA 98052 USA | Data Protection Officer at https://aka.ms/privacyresponse; see also Privacy in Azure https://azure.microsoft.com/en-us/explore/trusted-cloud/privacy | Cloud Service Provider | Term of the Agreement (Sec 13) |
Annex C Technical and Organisational Measures
The data processor shall ensure data security and provide a level of protection appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems.
In order to achieve this, the data processor shall, at all times, maintain appropriate and sufficient technical and organisational security measures to protect personal data or information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
These measures shall include, but are not limited to, physical access control, logical access control (i.e. non-physical access control measures such as passwords), data access control, data transfer control, input control, availability measures, and data separation, and in particular at least the measures set out in the table below.
For more detailed information on the latest state-of-the-art measures adopted by our hosting provider, please refer to the following link: https://azure.microsoft.com/en-us/explore/security.
| Measure | Description |
|---|---|
| Access control (physical) | Protection against unauthorised access to the data processing facilities and premises in which the processing of data takes place. |
| Access control (electronic) | Protection against unauthorised access to and use of data, software, data mediums (e.g. hard disk) and systems for processing of data (e.g. devices and other equipment) with certificate-based login, firewall, automatic blocking of intrusion attempts, continuous monitoring, 2-factor authentication. |
| Data access control | No unauthorised reading, copying, modification or removal of data within the system as technically implemented by a role-based system, e.g. standard authorisation profiles on a need-to-know basis, standard authorisation allocation process, logging of all accesses to the personal data, so that processing operations actually carried out, such as in particular changes, queries and transfers, can be traced to the necessary extent with regard to their permissibility. |
| | If possible for the data processing operation, the primary identifiers are removed from within the data processing operation and saved elsewhere. |
| Data classification scheme | Based on legal obligations or self-assessment (secret/confidential/internal/public). |
| Data transfer control | Unauthorised reading, copying, modification or removal is not possible, as it is not intended by the system and is only possible with authorisation. All access (including reading) is logged. In the case of electronic transmission or transport, only encrypted. |
| Input control | Determining whether and by whom personal data has been entered, modified or removed from data processing systems through logging. |
| Availability and resilience | Onsite and offsite backups (also encrypted using state-of-the-art encryption), UPS for uninterrupted power supply, data centre standards are maintained. |
| | Rapid recovery through full backups of all virtual machines in use and separate file and database backups. |
| Data separation | Established measures will be used to ensure that personal data processed on behalf of the data controller is logically separate from data processed on behalf of any other third party when at rest. |
| | Data is not automatically deleted, but must be manually removed from the system when it is no longer needed, as it is not possible to automatically determine when data is no longer needed. |
| Data Protection Management | Continual monitoring of data protection risks and regular tests, assessments and evaluations of implemented technical and organisational measures. |
| | Data processor has designated a data protection officer. |
| | Regular employee training courses. |
| Data processing control | Strict selection of sub-processors (ISO-certified, ISMS). |