GDPR Data Processing Agreement
A legally binding contract that establishes the roles and responsibilities of the Data Processor (EVAL Health) in safeguarding Personal Data on behalf of the Data Controller (Client), as required by GDPR Article 28.
This Data Processing Agreement (“DPA”) serves as the Standard Reference Document for the digital addendum executed between the parties via the EVAL Health platform or subscription purchase process. This DPA is incorporated by reference into the digital acceptance record.
The Data Controller (Controller): The Covered Entity and client of EVAL Health, as identified in the Order Form, Account Profile, or underlying Service Agreement.
AND
The Data Processor (Processor): EVAL Health
- Legal Name and Address: EVAL Health, LLC, St. Paul, Minnesota 55129, USA
- Contact Person: Tim Michalski / [email protected]
1. Definitions and Interpretation
1.1. GDPR Terms
Terms used in this DPA shall have the meanings assigned to them in the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), including Personal Data, Special Category Data, Processing, Controller, Processor, Supervisory Authority, and Data Subject.
1.2. Controller/Processor
The Data Controller is the entity that determines the purposes and means of the Processing of Personal Data. The Data Processor is EVAL Health, which Processes Personal Data on behalf of the Controller.
1.3. Service Agreement
The agreement between the Controller and the Processor under which the Processor provides the EVAL Health services.
1.4. Standard Contractual Clauses (SCCs)
The standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as provided for in Article 46 of the GDPR and adopted by Commission Implementing Decision (EU) 2021/914.
2. Details of Processing (Article 28(3))
This section fulfills the requirement of Article 28(3) to document the subject matter, duration, nature and purpose of the Processing, and the types of Personal Data and categories of Data Subjects concerned.
2.1. Subject Matter and Duration
The subject matter is the Processing of Personal Data to provide the EVAL Health electronic assessment and patient data management platform to the Controller. The duration of Processing is for the term of the Service Agreement.
2.2. Nature and Purpose
The Processor's Processing activities involve the electronic collection, hosting, storage, maintenance, retrieval, and transmission of assessment data, necessary to enable the Controller to provide healthcare services, patient screening, and clinical monitoring.
2.3. Data Processed
- Categories of Data Subjects: Patients and clients of the Controller.
- Categories of Personal Data (General): Name, contact details (phone, email, address), date of birth, and unique patient identifiers/tokens.
- Categories of Personal Data (Special Category Data): Health data, including assessment answers, clinical notes, diagnosis data, and treatment plan details.
2.4. Documented Instructions
The Processor shall Process Personal Data strictly on the documented instructions of the Controller (as defined by the Service Agreement and this DPA), unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3. Processor Obligations (Article 28)
The Processor shall:
3.1. Confidentiality
Ensure that all persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2. Security of Processing (Article 32)
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The parties agree that the following measures are in place:
- Encryption: Encryption of Personal Data in transit (using TLS 1.2 or higher) and at rest (using AES-256 or equivalent standards).
- Access Control: Strict role-based access control (RBAC) so that only authorized personnel can access Personal Data, with Multi-Factor Authentication (MFA) required for all such access.
- Resilience: Use of redundant cloud infrastructure (AWS) to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.
- Restoration: Automated backup systems to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
- Testing: Regular vulnerability scanning and penetration testing to evaluate the effectiveness of technical and organisational measures.
3.3. Subprocessing (Article 28(2) & (4))
- Authorization: The Controller grants a general authorization for the Processor to engage sub-processors. The current list of sub-processors is available at https://learn.eval.health/docs/data-sub-processors#/.
- Changes: The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors (e.g., via email or dashboard update). The Controller may object to such changes in writing within fourteen (14) days of receipt of notice. If no objection is received within this period, the changes are deemed accepted.
- Objection Resolution: If the Controller objects to a new sub-processor on reasonable data protection grounds and the parties cannot find a mutually acceptable solution within a reasonable time, the Controller may terminate the portion of the Services that cannot be provided without the new sub-processor.
- Obligations: The Processor shall ensure that any sub-processor it engages is bound by a written contract that imposes the same data protection obligations as those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of the sub-processor’s obligations.
3.4. Data Subject Rights Assistance (Article 28(3)(e))
- Assistance: Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject’s rights under GDPR (e.g., access, rectification, erasure, restriction of processing, data portability, and objection).
- Direct Requests: If the Processor receives a request directly from a Data Subject regarding Personal Data processed on behalf of the Controller, the Processor shall not respond to that request (except to acknowledge receipt) and shall immediately notify the Controller.
- Patient Portal Exception: Notwithstanding the foregoing, if a Data Subject has established a personal account with the Processor (e.g., a "Patient Portal"), the Processor may respond directly to the Data Subject regarding the management, deletion, or modification of the Data Subject's own personal account data, provided such actions do not delete the Controller's independent copy of the Personal Data unless authorized.
3.5. Breach Notification (Article 33)
The Processor shall notify the Controller without undue delay (and in no case later than 24 hours) upon becoming aware of a Personal Data Breach to allow the Controller to meet its mandatory reporting deadlines. The notification shall, at a minimum, include the information required under Article 33(3) of the GDPR.
3.6. DPIA and Consultation Assistance (Article 28(3)(f))
The Processor shall provide reasonable assistance to the Controller with regard to:
- Conducting Data Protection Impact Assessments (DPIAs).
- Consultation with the Supervisory Authority (Articles 35 and 36).
3.7. Audit and Compliance Demonstration (Article 28(3)(h))
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or another auditor mandated by the Controller. Audits shall be conducted during normal business hours, upon reasonable prior notice, and at the Controller’s expense, unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear the reasonable costs of the audit.
4. International Data Transfers (Chapter V)
4.1. SCC Incorporation
As the Processing involves the transfer of Personal Data from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to a third country (the United States) not subject to an adequacy decision, the parties agree to abide by the Standard Contractual Clauses (SCCs) adopted by the European Commission Implementing Decision (EU) 2021/914, which are hereby incorporated by reference as if fully set forth herein.
4.2. SCC Specifications
For the purposes of the incorporated SCCs:
- Module: Module Two (Controller-to-Processor) applies.
- Clause 7 (Docking): Is not included.
- Clause 9 (Subprocessors): Option 2 (General Written Authorization) applies, as detailed in Section 3.3 of this DPA.
- Clause 11 (Redress): The optional language is not included.
- Clause 17 (Governing Law): The laws of the Republic of Ireland shall govern.
- Clause 18 (Forum): The courts of the Republic of Ireland shall have jurisdiction.
- Competent Supervisory Authority: The Data Protection Commission (DPC) of Ireland.
- Annex I (A, B, C): The details are as set forth in Section 2 of this DPA.
- Annex II (Security): The technical and organisational measures are as set forth in Section 3.2 of this DPA.
4.3. UK Addendum
For transfers of Personal Data originating solely in the UK, the parties agree that the UK International Data Transfer Addendum to the EU SCCs (Version B1.0), issued by the UK Information Commissioner's Office, is incorporated by reference. The information required for Tables 1–3 of the UK Addendum is set forth in this DPA. The Importer (Processor) may not be audited by the Exporter's (Controller's) auditors except as required by law or as agreed in Section 3.7. The parties agree that the laws of England and Wales shall govern the UK Addendum.
4.4. Swiss Transfers
For transfers of Personal Data originating in Switzerland, the EU SCCs shall apply with the following modifications: (a) references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss Federal Act on Data Protection (FADP); (b) references to "Member State" shall include Switzerland; and (c) the competent supervisory authority shall be the Federal Data Protection and Information Commissioner (FDPIC).
4.5. Impact Assessment Assistance
The Processor shall provide reasonable assistance to the Controller with the completion of any Transfer Impact Assessment (TIA) required under EU law (Schrems II), or Privacy Impact Assessment (PIA) required under Canadian law (e.g., Quebec Law 25) or other applicable global privacy laws, by providing necessary technical and organizational information regarding the Processor's data protection practices and the laws of the importing country.
4.6. Global Adherence
Where the Controller processes Personal Data from a jurisdiction outside the EEA and UK that has enacted a data protection law based on the principles of the GDPR (e.g., Canada's PIPEDA/Law 25, Brazil's LGPD, Switzerland's FADP), the parties agree that, unless prohibited by local law, the obligations of the Processor under this DPA shall apply to such Personal Data.
5. US State Privacy Laws (CCPA/CPRA & Others)
5.1. Service Provider Designation
To the extent that the Controller is subject to US State Privacy Laws (such as the California Consumer Privacy Act "CCPA" or California Privacy Rights Act "CPRA"), the Processor is acting as a "Service Provider" (or equivalent term).
5.2. Prohibitions
The Processor is prohibited from: (a) Selling or Sharing Personal Data (as defined by CCPA/CPRA); (b) Retaining, using, or disclosing Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Service Agreement; and (c) Combining Personal Data with other personal data that it receives from or on behalf of another person or collects from its own interaction with the consumer, except as permitted by applicable law.
6. Term and Termination
6.1. Term
This DPA shall commence upon the date the Controller first transmits or provides Personal Data to the Processor and shall continue until the termination of the Service Agreement.
6.2. Obligations Upon Termination (Article 28(3)(g))
Upon termination of the Service Agreement, the Processor shall, at the choice of the Controller, either:
- Return all Personal Data to the Controller; or
- Destroy all Personal Data and certify in writing to the Controller that it has done so.
The Processor may retain Personal Data only to the extent that Union or Member State law requires it to do so.
7. Miscellaneous
7.1. Liability
The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Service Agreement. In no event shall EVAL Health’s liability under this DPA exceed the liability caps agreed upon in the Service Agreement, except where such limitation is strictly prohibited by applicable Data Protection Laws.
7.2. Order of Precedence
In the event of any conflict between this DPA and the Service Agreement, the terms of this DPA shall prevail to the extent necessary to comply with applicable Data Protection Laws.
7.3. Notices
All notices required under this DPA (specifically including Breach Notifications) shall be in writing. Notices to the Processor shall be sent to the contact identified in the Preamble. Notices to the Controller shall be sent to the administrative email address associated with the Controller's EVAL Health account.
7.4. Severability
If any provision of this DPA is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of this DPA shall remain in full force and effect.
7.5. Governing Law
Except for the EU SCCs (Section 4.2) which are governed by the laws of the Republic of Ireland, and the UK Addendum (Section 4.3) which is governed by the laws of England and Wales, this DPA shall be governed by the laws stipulated in the Service Agreement.
