This GDPR Data Processing Agreement (“DPA”) is for hospitals, clinics, radiologists, dentists and other healthcare service providers entering into a Business-to-Business (B2B) relationship with ourselves where we are Data Processor or sub-processor and forms part of the Terms of Service available at http://cypherit.co.uk/gdpr/terms-of-service-b2b/ or such other location as the Terms of Service may be posted from time to time (as applicable, the “Agreement”), entered into by and between the Customer and Cypher Information Technology Ltd. (“Cypher IT”), pursuant to which Customer has accessed Cypher IT’s Services as defined in the applicable Agreement. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.
This Data Processing Agreement (DPA) does not apply to Patients registered with an account on the ShareMyXray platform, who enter into a Business-to-Consumer (B2C) relationship directly with ourselves such that we are Data Controller for their Personal Data. For Patients’ Terms of Service refer to http://cypherit.co.uk/gdpr/terms-of-service-patients/
If the Customer entity entering into this DPA has executed an order form or statement of work with Cypher IT pursuant to the Agreement (an “Ordering Document”), but is not itself a party to the Agreement, this DPA is an addendum to that Ordering Document and applicable renewal Ordering Documents. If the Customer entity entering into this DPA is neither a party to an Ordering Document nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity that is a party to the Agreement executes this DPA.
This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.
In the course of providing the Services to Customer pursuant to the Agreement, Cypher IT may process personal data on behalf of Customer. Cypher IT agrees to comply with the following provisions with respect to any personal data submitted by or for Customer to the Application Services or collected and processed by or for Customer through the Application Services. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.
Data Processing Terms
In this DPA, “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.
“data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation;
The parties agree that Customer is the data controller and that Cypher IT is its data processor in relation to personal data that is processed in the course of providing the Application Services. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Cypher IT pursuant to the Agreement.
The subject-matter of the data processing covered by this DPA is the Application Services ordered by Customer either through Cypher IT’s websites (sharemyxray.online, bbrad.net or cypherit.co.uk), or through an Ordering Document provided by the Customer to Cypher IT, or as additionally described in the Agreement or the DPA. For VNA, Data Migration and bbRad Gateway Services, Cypher IT will not process any Patient Data except in receipt of specific support request from Customer to do so. The processing will be carried out until the term of Customer’s ordering of the Application Services ceases, or until the support request is closed in the case of VNA, Data Migration and bbRad Gateway Services. Further details of the data processing are set out in Annex 1 below.
In respect of personal data processed in the course of providing the Application Services, Cypher IT:
- shall process the personal data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement or as otherwise notified by Customer to Cypher IT (from time to time);
- If Cypher IT is required to process the personal data for any other purpose provided by applicable law to which it is subject, Cypher IT will inform Customer of such requirement prior to the processing unless that law prohibits this;
- shall not validate the Data Protection legitimacy of Patient Data transfers initiated by the Customer, as Data Controller, on the ShareMyXray or bbRad Services platforms, and the Customer indemnifies Cypher IT of fines or costs of enforcement orders in respect of such Customer-initiated transfers; notwithstanding this, Cypher IT will notify Customer without undue delay if, in Cypher IT’s opinion, any other instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation;
- shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected;
- may hire other companies to provide limited services on its behalf, provided that Cypher IT complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Cypher IT has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Cypher IT remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Cypher IT transfers personal data will have entered into written agreements with Cypher IT requiring that the subcontractor abide by terms substantially similar to this DPA. A list of subcontractors is available to the Customer listed in Annex 1, bullet 5 ‘Sub-processors of Personal Data’. If Customer requires prior notification of any updates to the list of subprocessors, Customer can request such notification in writing by emailing firstname.lastname@example.org. Cypher IT will update the list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If, in Cypher IT’s reasonable opinion, such objections are legitimate, the Customer may, by providing written notice to Cypher IT, terminate the Agreement.
- shall ensure that all Cypher IT personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this Clause;
- at the Customer’s request (and insofar as is possible), shall assist the Customer by implementing appropriate and reasonable technical and organisational measures to assist with the Customer’s obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data);
- when the General Data Protection Regulation (Regulation (EU) 2016/279) comes into effect, shall take reasonable steps at the Customer’s request to assist Customer in meeting Customer’s obligations under Article 32 to 36 of that regulation taking into account the nature of the processing under this DPA;
- at the end of the applicable term of the Application Services, upon Customer’s request, shall securely destroy personal data held;
- Cypher IT or its sub-processors may transfer personal data from the EEA to the US for the purposes of this DPA pursuant to the EU-US Privacy Shield provided that Cypher IT or sub-processors maintain certification under the EU-US Privacy Shield and EU General Data Protection Regulations (GDPR);
- shall allow Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, which shall include providing reasonable access to the premises, resources and personnel used by Cypher IT in connection with the provision of the Application Services, and provide all reasonable assistance in order to assist Customer in exercising its audit rights under this Clause. The purposes of an audit pursuant to this Clause include to verify that Cypher IT is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation. Notwithstanding the foregoing, such audit shall consist solely of: (i) the provision by Cypher IT of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with Cypher IT’s IT personnel. Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt no access to any part of Cypher IT’s IT system, data hosting sites or centers, or infrastructure will be permitted;
- If Cypher IT becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Cypher IT in the course of providing the Application Services (an “Incident”) under the Agreement it shall without undue delay notify Customer and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer Content. Cypher IT shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident;
- Cypher IT shall provide information requested by Customer to demonstrate compliance with the obligations set out in this DPA.
Annex 1 (Data Processing Agreement)
0. Subject Matter of the Processing
- Patient Data sent to, from or between ShareMyXray Customers; for bbRad, VNA or Data Migration Customers then Patient Data relating to specific support requests.
- Customer Personal Data, to maintain Provider’s normal business relations with the Customer and institutions it shares Patient Data with.
- Processing is compressing, encrypting and routing Patient Data, on instruction from the Customer as Data Controller, to share Patient Data between institutions.
1. Categories of data subject
- Patient Data including patients, non-patient clients and clinical trials.
- Customer Personal Data including person identifiable information regarding staff, suppliers, customers, agents and representatives.
2. Types of Personal Data
- Patient Data includes medical images, clinical reports, clinical request request details, names, addresses, dates of birth, patient identifiers and similar metadata.
- Customer Personal Data includes names, roles, contact details and, where they are also application users, browser/machine details of Customer’s staff, suppliers, agents, customers and representatives.
3. Purposes of processing
- To support the Customer as Data Controller to share its patients’ medical images and metadata between institutions.
4. Security measures for Patient Data and Customer Personal Data
- All Patient Data are always strong encrypted both in transit and at rest.
- Provider’s staff and agents have no access to Patient Data, unless specifically required for their role in accordance this Agreement.
- Provider’s global system system accounts do not give access to Patient data.
- Provider’s per-Customer system accounts that do give access to Patient Data may only be used upon request by the customer, if needed for the support request in question.
- Provider staff contracts specify this segregation of Patient Data unless required by both job role and support request, and identify breach of obligations as gross misconduct.
- Patient data (Studies) are deleted 30 days (or less) after last use.
- When a Patient’s study is deleted, the key used to derive anonymised Provider data for activity and accounting purposes is deleted, making Provider accounting data irreversible.
Customer Personal Data
- All Customer Personal Data are always strong encrypted both in transit and at rest.
- Provider’s staff and agents have no access to Customer Personal Data, unless specifically required for their role in accordance this Agreement.
- Emails are processed locally; upon download onto encrypted volumes they are immediately removed from email hosting service.
- Dormant Accounts, which may include Customer Personal Data, are deleted after 2 years.
- Business records and emails, which may include Customer Personal Data, are retained for duration of tax record keeping requirements, currently 6 years.
5. Sub-processors of Personal Data
Sub-processors with access to Patient Data
Suppliers handling only encrypted Patient Data but without access to that data – these are not sub-processors under GDPR but included for completeness.
- SolVPS (SolVPS)
- Interactive Web Solutions Ltd (iWebFTP)
Sub-processors handling Customer Personal Data:
- Zen Internet Ltd. Used for website and email accounts; they will have access to Customer email addresses and contact names only. Our DPA with them is
- Mailchimp. Used for sending emails to Customers; they will have access to Customer email addresses and contact names only. Our DPA with them is
- Drip. Used for sending emails to Customers; they will have access to Customer email addresses and contact names only. Our DPA with them is
- MixPanel. Used for application activity measurement, development and improvement; they will have access to Customer email addresses, city and browser/machine details. Our DPA with them is https://mixpanel.com/legal/dpa/