PRIVACY POLICY & GLOBAL DATA PROCESSING ADDENDUM OF THE MSFAPP APPLICATION
This Global Data Processing Addendum (the “DPA”) is entered between Médecins sans Frontières Canada ( “MSF”) and Parsys Télémédecine (the “Service Provider”) (together the “Parties”, and each a “Party”).
1 DEFINITIONS
In this DPA, the following terms shall have the meanings set out below:
- “Adequate Jurisdiction” means a jurisdiction that has been recognized by a decision of the European Commission as granting an adequate level of protection to personal data.
- “Agreement” means any memorandum of understanding and agreement(s) entered into by the Parties pursuant to which Service Provider provides telemedicine services to MSF (“Services”) which involve the processing of Personal Data on behalf of MSF.
- “Applicable Data Protection Legislation” means the General Data Processing Regulation 2016/679 (the “GDPR”) and any other applicable European Union and Member States’ legislation relating to Personal Data protection; the Personal Information Protection and Electronic Documents Act (Canada) and substantially similar provincial laws; the California Consumer Privacy Act of 2018 (the “CCPA”) and all other applicable federal, state, provincial, local and international laws, rules and regulations and governmental requirements governing the processing and security of Personal Data applicable to any Party to this DPA, as same may be amended, supplemented and interpreted by regulatory authorities and courts from time to time.
- “De-identified Data” means any aggregated, statistical, anonymized and/or de-identified information derived or inferred from Personal Data.
- “Data Subject” means any individual or other person whose Personal Data is processed by Service Provider in connection with the Agreement.
- “Personal Data” means any information relating to or about an identified or identifiable Data Subject.
- “Personal Data Breach” means an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized access to Personal Data.
- “process”, “processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, use, disclosure, retaining, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Restricted Transfer” means a transfer of Personal Data from MSF to Service Provider or an onward transfer of Personal Data between Service Provider and its Subprocessors or between two establishments of Service Provider or its Subprocessors, where such transfer would be prohibited by Applicable Data Protection Legislation (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Applicable Data Protection Legislation) in the absence of the Standard Contractual Clauses to be entered into pursuant to section 14.
- “Security Measures” means those technical and organizational measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and to ensure a level of security appropriate to the risk in place as same are described in Appendix 2.
- “Standard Contractual Clauses” means the standard contractual clauses (Processors) adopted by the European Commission in Decision 2010/87/EU, as same may be amended, supplemented or replaced from time to time in accordance with Applicable Data Protection Legislation.
- “Subprocessor” means any Third Party or Service Provider’s affiliate that is directly or indirectly engaged by Service Provider to process Personal Data.
- “Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR or another privacy regulator, such as but not limited to the Office of the Privacy Commissioner (Canada).
- “Third Country” means a country that is not part of the European Economic Area and that is not an Adequate Jurisdiction.
- “Third Party” means a natural or legal person, public authority, agency or body other than a Data Subject, Service Provider, MSF and individuals who, under the direct authority of Service Provider or MSF, are authorized to process Personal Data.
2 COMPLIANCE
- In addition to the terms of this DPA, Service Provider shall comply with (a) Applicable Data Protection Legislation; (b) privacy policies and other statements published by Service Provider regarding the privacy and security of Personal Data; (c) MSF’s policies and procedures pertaining to the security, use and disclosure of Personal Information that may be processed by Service Provider on behalf of MSF from time to time; and (d) all applicable industry standards concerning privacy, data protection, confidentiality or information security. Specifically, Service Provider will maintain ISO 27001 compliant status and will only host Personal Data with hosting providers that maintain compliance with ANS Hébergement des Données de Santé (HDS) standards, as validated against the latest version of the applicable standard as it relates to the Services.
3 PROCESSING OF PERSONAL DATA
- MSF instructs Service Provider to process Personal Data as reasonably necessary for the provision of the Services in accordance with the Agreement, the whole as further described in Appendix 1.
- Service Provider shall not process Personal Data other than on the relevant MSF’s documented instructions unless processing is required by applicable law to which Service Provider is subject, in which case Service Provider shall, to the extent permitted by applicable law, inform MSF of that legal requirement before the relevant processing of that Personal Data.
- As between the Parties, Personal Data shall at all times be and remain the sole property of MSF, unless agreed otherwise in the Agreement.
- Service Provider shall ensure that all Personal Data processed on behalf of MSF is kept up to date, as appropriate, and ensure that any Personal Data that MSF indicates is inaccurate or incomplete is erased or rectified, in each case, in accordance with MSF’s instructions.
- Service Provider will inform MSF if, in Service Provider’s opinion, an instruction from MSF infringes the GDPR or other Applicable Data Protection Legislation.
4 RETENTION AND DELETION
- Within thirty (30) days of the date of cessation of the Services or upon earlier written notice by MSF to Service Provider, the latter must (a) return a complete copy of all Personal Data to MSF by secure file transfer in such format as is reasonably notified by MSF to Service Provider; and (b) safely delete all other copies of Personal Data processed by Service Provider and its Subprocessors.
5 DISCLOSURE TO GOVERNMENTAL AUTHORITIES
- Service Provider shall maintain policies and procedures relating to disclosure of Personal Data to law enforcement agencies and/or other governmental authorities (“LEA”) and make them available to MSF upon request. Such policies and procedures shall, at a minimum, prohibit voluntary disclosures of Personal Data to LEAs without MSF’s written approval and shall prohibit disclosure of Personal Data to any LEA unless such disclosure is mandatory under applicable law.
- Service Provider shall, prior to any proposed disclosure, immediately notify MSF of any order, demand, warrant, or any other document issued by any LEA with lawful authority to compel the production of Personal Data or any request or investigation by a Supervisory Authority or regulator (an “Order”). Service Provider shall promptly cooperate with MSF with respect to any Order and, in so doing, immediately provide MSF with the following information to allow it to respond to or challenge the Order as it deems fit: (a) the nature of the Order; (b) the type of the information being sought as part of the court order; (c) the name of the individual and/or entity issuing the Order; and (d) the date and time of the Order and any relevant deadlines to respond to or challenge the Order.
6 INTERNAL LIMITATION OF ACCESS TO INFORMATION
- Service Provider shall ensure that access to Personal Data is strictly limited to its personnel on a need-to-know basis, as strictly necessary to perform its obligations under the Agreement, ensuring that all such personnel are subject to enforceable contractual or statutory obligations of confidentiality.
7 NO RE-IDENTIFICATION
- If MSF provides Service Provider with De-identified Data or if MSF allows Service Provider to derive De-identified Data from the Personal Data, Service Provider shall not make any attempts at re-identifying the De-identified Data.
- Without limiting the generality of the foregoing, Service Provider shall take all necessary measures to avoid the re-identification of the De-identified Data, including: (a) not bringing any other data in the environment of the De-identified Data in order to avoid increasing the risk of re-identification by linkage; (b) destroying any accidentally re-identified Personal Data and informing MSF of any cases of re-identified Personal Data; (c) not disclosing the De-identified Data to any Third Party, unless as authorized in writing by MSF.
8 RIGHTS OF DATA SUBJECTS
- Service Provider shall assist MSF by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of MSF’s obligations to respond to Data Subject requests under any Applicable Data Protection Legislation in respect of Personal Data (“Data Subject Request”).
- Service Provider shall (a) immediately notify MSF if it receives a Data Subject Request; and (b) not respond to that Data Subject Request, except on the documented instructions of MSF or as required by Applicable Data Protection Legislation, in which case Service Provider shall, to the extent permitted by Applicable Data Protection Legislation, inform MSF of that legal requirement before Service Provider responds to the request.
9 DEMONSTRATING COMPLIANCE & AUDIT RIGHTS
- Service Provider shall, at no cost to MSF and within five (5) working days (or any other agreed timeline) of receiving a request from MSF, send to MSF the documentation necessary for Service Provider to demonstrate its compliance with Applicable Data Protection Legislation.
- Service Provider shall allow for and contribute to audits, including inspections of Service Provider’s premises.
- Audits may be conducted on-site by MSF personnel or MSF’s contracted Third Party auditors or through surveys and interviews, at the option of MSF.
- In the event Service Provider has any security audits or reviews of its own systems performed by Service Provider or a Third Party, including vulnerability and penetration assessments, it will give MSF notice of any findings that are likely to adversely impact the Personal Data, and will keep MSF timely informed of its remediation efforts.