Data Sharing Charter

WHEREAS

  • Salvus Health is a digital health platform that connects patients with the best digital health solutions available in the market, via local pharmacies. In that context, Salvus Health offers various services to its clients.
  • The Parties have entered into a service agreement (“Service Agreement”) for the use of Salvus Health’s services, which consists of the provision of a digital cloud-based solution (“Services”).
  • The Parties jointly determine the purposes and means of the Processing and thereby act as Joint Controllers of the Processing Activities.
  • The Parties wish to conclude an agreement, as part of the Service Agreement, to regulate the processing and sharing of Personal Data (hereinafter the “Data Sharing Charter“) in accordance with Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the “Regulation“). This Data Sharing Charter contains the rights and obligations of both Salvus Health and the Pharmacy with respect to the sharing and processing of Personal Data.
  • By sharing Personal Data with Salvus Health, the Pharmacy agrees to this Data Sharing Charter.
  • Salvus Health may amend this Data Sharing Charter at any time. Amendments will take effect thirty (30) days after publication by means of a written notification. If you do not wish to accept the amendments to this Data Sharing Charter, you have the right to terminate this Data Sharing Charter by registered letter on the date the amended terms become effective. This will have the consequence that Salvus Health can no longer exchange Personal Data with you. After the effective date, you will be deemed to have tacitly accepted the changes. You can always find the most recent version of this Data Sharing Charter on the Salvus Health website.

 

Article 1 – Definitions 

For the purposes of this Data Sharing Charter, the following definitions shall apply:

1.1 “Confidential information” means any information disclosed in writing or in any material form to the other Party under this Data Sharing Charter which is or may be considered confidential by reason of the nature of the data or the nature of the circumstances on the basis of which it is intended to be disclosed such as, but not limited to, product information, customer lists, price lists and financial information;
1.2 “Controller” shall mean the natural or legal person, public authority, agency or any other body which, alone or jointly with others, that determines the purposes and means of the processing of Personal Data carried out under his authority;
1.3 “Data Sharing Charter” means this Salvus Health Data Sharing Charter for the sharing and processing of personal data between Salvus Health and the Pharmacy in accordance with the provisions of the GDPR;
1.4 “Data Subjects” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
1.5 “Employee”: a person who is hired by an Employer and who has entered into or is employed under a contract of employment for the provision of employment services for remuneration or fixed compensation. An employee does not provide professional services as part of a self-employed activity. Agents, distributors, consultants, freelancers, (independent) (sub)contractors or other third parties are not regarded as Employees for the purposes of this Data Sharing Charter;
1.6 “Joint Controllers”: where two or more controllers jointly determine the purposes and means of the processing;
1.7 “Personal Data” means any information relating to a Data Subject;
1.8 “Personal Data Infringement”: breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise processed;
1.9 “Processor” means any processor engaged by either Party as a subcontractor and who agrees to process Personal Data for and on behalf of either Party in accordance with this Data Sharing Charter;
1.10 “Security Measures”: those measures designed to protect Personal Data against accidental or unlawful destruction or loss, as well as unauthorised access, alteration or transmission;
1.11 “Third Party”: any party that is not a Data Subject, Salvus Health or the Pharmacy under this Data Sharing Charter, nor any person authorized to process Personal Data under the direct authority of Salvus Health or the Pharmacy;
1.12 “Services”: the services performed by Salvus Health in accordance with the Service Agreement and as explained in Preamble B;
1.13 “Supervisory authority” means an independent public body established by a Member State under Article 51 of the Regulation.

The meaning of all other terms used but not defined shall be the same as they have in the Service Agreement.

Article 2 –  Subject matter of the Data Sharing Charter

2.1 Parties wish to share and exchange certain Personal Data as described below, within the framework of the performance of the Services by Salvus Health.

2.2 Salvus Health performs the Services in accordance with the provisions of this Data Sharing Charter. Parties shall process and share the Personal Data in accordance with the provisions of this Data Sharing Charter.

2.3 Both Parties explicitly undertake to comply with the provisions of the relevant applicable data protection legislation, including but not limited to the Regulation, and not do or refrain from doing anything that may cause the other Party to violate the relevant and applicable privacy and data protection legislation.

2.4 Processing Activities. The exchange and transfer of Personal Data between Parties, relates to the Services provided by Salvus Health. Concerning the processing activities, Salvus Health has a dual role. Salvus Health manages and processes Personal Data of Data Subjects (i) as a processor for certain processing activities, where Salvus Health acts upon instruction of the Controller, as well (ii) as a controller for other processing activities, namely the creation and management of an account for the Data Subjects with Salvus Health.

2.5 Categories of Personal Data. The Personal Data that are processed and exchanged are: [add the relevant categories of Personal Data].

  • Identification data: personal identification data including inter alia: surname, first name, gender, and e-mail address, …
  • Data on the (physical and even – where appropriate – mental) condition of the person: state of sensation (such as illness, fatigue, anger, stress), alcohol intake, smoked or non-smoked, …
  • Medical records: data evidenced by measurements (such as blood pressure, heart rate, heart rhythm, blood oxygen saturation level, height, weight, BMI, pregnancy, blood group, belly circumference, ethnicity,…)
  • […]

2.6 Persons concerned. The Persons concerned are the visitors to and clients of the Pharmacy who choose to make use of the Services.

2.7 Purposes. Both Parties guarantee that they will only use the Personal Data for the proper performance of the Services, as part of the Service Agreement in accordance with the provisions of this Data Sharing Charter and the internal functioning of the Parties.

2.8 The Parties may and will only process the Personal Data resulting from a transfer or exchange that are mentioned in Article 2.5. In addition, Personal Data shall only be processed in the light of the purposes specified by the Parties in this Clause.

2.9 Both Parties undertake to take appropriate measures to ensure that the Personal Data are not used improperly or obtained by an unauthorized Third Party.

 

Article 3 – Duration of processing 

3.1 If the Service Agreement ends in accordance with Clause 10 – Term, Termination and Suspesion, this Data Sharing Charter shall also end.

3.2 In the event of a breach of this Data Sharing Charter or the applicable provisions of the Regulation, either Party may instruct the other Party to stop processing the Personal Data immediately.

3.3 If the Data Sharing Charter is terminated or if the Personal Data are no longer relevant for the performance of the Services, one Party shall, at the request of the other Party, delete all Personal Data or return them to the first Party, delete all existing copies and declare that it has done so, unless storage of the Personal Data is required by Union or Member State law.

Article 4 – Support

4.1 Compliance with legislation. One Party shall assist the other Party in fulfilling its obligations under the Regulation, taking into account the nature of the processing and the information available to it.

4.2 Infringement relating to Personal Data. In the event of a Personal Data Infringement that relates to the subject matter of the processing of this Data Sharing Charter, the Parties undertake to notify and inform each other immediately and without any delay about the Personal Data Infringement as soon as the Party facing the Personal Data Infringement becomes aware of this Personal Data Infringement.

4.3 This notification shall contain at least the following information:

a) The nature of the Infringement relating to Personal Data;
b) The categories of Personal Data concerned by the Infringement;
c) The categories of Persons concerned and, approximately, the number of Persons concerned;
d) The categories of data concerned and, approximately, the number of data;
e) The likely consequences of the Infringement in relation to Personal Data;
f) Measures proposed or taken to deal with the Personal Data Infringement, including, where appropriate, measures to mitigate any adverse consequences thereof.

4.4 If the affected Party facing a Personal Data Infringement uses a Processor, that Party will require the Processor to provide it with the same information as if a Personal Data Infringement occurs at the Processor. Such Party shall promptly communicate the information it receives from the Processor to the other Party.

4.5 The relevant Party and its Processor(s) shall designate a single point of contact among their Employees who shall be responsible for all communications between the Parties and the Processor in the event of an incident that results or may result in the accidental or unauthorized destruction or loss or unauthorized access, alteration or transmission of Personal Data processed on behalf of Salvus Health, regardless of whether such accidental or unauthorized destruction or loss results or may result in an Infringement of Personal Data.

4.6 The Parties, and if applicable the Processor(s), ensure that they cooperate in good faith to limit the possible adverse consequences of an Infringement in connection with Personal Data.

 

Article 5 – Information obligations

5.1 Pharmacy shall provide Salvus Health immediately upon simple request by Salvus Health, all information required by Salvus Health and at least the information determined by the provisions of this clause:

– All relevant data concerning its own corporate structure as well as accurate and up-to-date identification data on all Customer entities involved in the processing of Personal Data, including the location of their principal place of business;
– The aspects of the processing for which the Services of a Processor are used or intended to be used, as well as the identification data of a Processor including the location of its principal place of business. Pharmacy shall disclose to Salvus Health the agreement entered into with the Processor(s) that relates to or is relevant to the processing of Personal Data, unless such agreement with the Processor(s) contains Confidential Information, in which case it may remove such Confidential Information;
– Geographical data about the locations of the processing, including back-up facilities and options for destroying the data;
– The physical, organizational, technical, and logical Security measures that Pharmacy and its Processor(s) have put in place, as set forth in Article 7 of this Data Sharing Charter.

 

Article 6 – Right of data subjects

6.1 Taking into account the nature of the processing, both Parties guarantee to take appropriate technical and organizational measures in fulfilling their obligations under this Data Sharing Charter.

6.2 The following terms and conditions will apply to any request by Data Subjects concerning their rights regarding the processing by one of the Parties or its Processors of Personal Data relating to them:

• One Party shall promptly inform the other Party of any request by a Data Subject relating to Personal Data exchanged between the Parties;
• The Pharmacy will promptly comply with, and will require its Processor(s) to comply with, any request made by Salvus Health so that Salvus Health can comply with any request made by the Data Subject wishing to exercise any of its rights;
• The Pharmacy will ensure that both it and its Processor(s) have the required technical and organizational skills to block access to Personal Data and physically destroy the data without any possibility of retrieval if and when Salvus Health makes such a request;
• one Party shall, upon simple request of the other Party, provide all necessary support and information required by the other Party in order to defend its interests in any legal proceedings – judicial proceedings, arbitration or otherwise – brought against the other Party or its Employee for violation of the fundamental rights to privacy and protection of the Personal Data of Data Subjects.

 

Article 7 – Security measures

7.1 During the term of this Data Sharing Charter, the Parties will implement and maintain appropriate technical and organisational measures in such a way that the processing complies with the requirements of the Regulation and that the protection of the rights of the Data Subject is ensured.

7.2 The Parties will, inter alia, take technical and organisational measures against unauthorised or unlawful processing and regularly assess the suitability of the Security Measures and adjust them if necessary.

7.3 In particular, the Parties will take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the Regulation.

7.4 The assessment of an appropriate level of security shall in particular take into account the risks presented by the processing, in particular, by the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, the transmitted, stored or otherwise processed Personal Data.

7.5 Each Party may reserve the right to suspend and/or terminate the Service Agreement for an indefinite period of time if the other Party can no longer provide for technical and organisational measures appropriate to the processing risk.

 

Article 8 – International transfer

 

8.1 The Parties agree that Personal Data may only be transferred to and/or stored with the recipient outside the European Economic Area (EEA) in a country covered by an adequacy decision taken on an exceptional basis by the European Commission, and only to the extent necessary to comply with the obligations of this Data Sharing Charter in order to fulfil to this Data Sharing Charter substantial services. In the absence of an adequacy decision as referred to above, such transfer shall be governed by the terms of an agreement on the transfer of Personal Data containing standard contractual clauses as published in the European Commission Decision of 4 June 2021 (Decision 2021/914/EC on standard contractual clauses for the transfer of personal data to third countries) or by other mechanisms provided for by applicable data protection law.

8.2 The Parties shall inform each other prior to the international transfer of the Security measures and appropriate safeguards taken to ensure the protection of the Personal Data of the Data Subject in accordance with the Regulation.

 

Article 9 – Behaviour in relation to national public bodies and judicial authorities

9.1 The Parties shall immediately inform each other of any request, order, investigation, or subpoena made to a Party or its Processor by any competent national governmental or judicial authority which entails the communication of Personal Data processed by the Party or a Processor or any data and/or information relating to such processing by the Party concerned.

9.2 Without prejudice to Article 9.1 of this Data Sharing Charter, both Parties shall ensure that there are no obligations under applicable law that would make it impossible for either Party to comply with its obligations under this Data Sharing Charter.

 

Article 10 – Confidentiality

 

10.1 Each Party undertakes to treat the Personal Data and its processing with the utmost confidentiality. The Parties shall assure each other of the confidentiality by measures no less restrictive than those they use to protect their own confidential material, including Personal Data.

10.2 Each Party warrants that the Employees or Processors authorized to process the Personal Data have undertaken to maintain confidentiality or are bound by an appropriate legal obligation of confidentiality.

 

Article 11 – Liability

11.1 Without prejudice to the Service Agreement, a Party will only be liable for the damage caused by processing if it has not complied with the obligations of the Regulation or has acted contrary to this Data Sharing Charter.

11.2 A Party shall be liable in contract or wrongful act (including default) or in any way related to this Data Sharing Charter, including liability for gross negligence, for proven defects attributable to it. The Parties’ liability for any breach of this Data Sharing Charter shall be limited to foreseeable, direct, immediate and personal damages, to the exclusion of consequential damages (even if advised of the possibility of such consequential damages or if the possibility of such consequential damages was reasonably foreseeable), meaning “consequential damages”: damage or loss not arising directly and immediately from a contractual and/or extra-contractual breach of contract, but instead indirectly and/or over time, including, but not limited to, loss of income, interruption or stagnation of business operations, increase in personnel costs and/or redundancy costs, damage consisting of or resulting from claims by third parties, lack of expected savings or benefits and loss of data, profit, time or revenue, loss of orders, loss of customers, increase in overhead costs, consequences of a strike, regardless of its causes.

11.3 If it appears that both Parties are responsible for the damage caused by the processing of Personal Data, both Parties shall be liable and shall both pay compensation in proportion to their individual share of the responsibility for the damage caused by the processing.

11.4 In any case, Salvus Health’s total liability under this Data Sharing Charter shall be limited to the fees paid by Pharmacy to Salvus Health in accordance with the Service Agreement in the twelve months immediately preceding the earliest event that led to the liability and this per cause of damage.

 

Article 12 – Mediation and jurisdiction

12.1 This Data Sharing Charter shall be interpreted in accordance with the Regulation and any applicable Belgian implementing legislation.

12.2 Each Party agrees that if the Data Subject brings a claim for damages against him under this Data Sharing Charter, the Pharmacy will accept the Data Subject’s decision:
• To submit the dispute to an independent person for mediation;
• To submit the dispute to the courts in Belgium.

12.3 The Parties agree that the choice of the Data Subject is without prejudice to his/her material or procedural rights of redress in accordance with other provisions of applicable national or international law.

12.4 Any dispute between the Parties concerning the terms and conditions of this Data Sharing Charter shall be brought before the competent courts as provided for in the Service Agreement.

 

Article 13 – Termination of the Charter

 13.1 This Data Sharing Charter shall continue to apply as long as the Parties process Personal Data as Joint Controllers. If the Service Agreement is terminated, this Data Sharing Charter shall end as well.

13.2 In the event of a breach of this Data Sharing Charter or the Regulation, Salvus Health Pharmacy may order that the processing or sharing of the Personal Data be stopped immediately.

13.3 Each Party will not store the Personal Data longer than necessary to perform the Services for which the Personal Data is provided.