This Data Protection Agreement (“DPA”) is made and entered into by and between:
(i) the Customer identified on an Order Form or, if not in the Order Form, the organisation using the Proximie Platform and Services (“Customer”); and
(ii) Proximie Limited, a company registered in England and Wales under company number 10509541, with a registered office at: 3rd Floor 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT (“Proximie”),
each a Party, and together the Parties.
Whereas, the Parties may have either entered into an agreement under which Proximie has agreed to provide, and Customer has agreed to receive, the Proximie Platform as a service (“Services Agreement”), or Proximie has entered into an agreement with a Third Party Entity under which Proximie has agreed to provide the Proximie Platform as a service to Customer (a “Master Services Agreement”). The Services Agreement and/or Master Services Agreement(s) are referred to as “Agreement” under this DPA, as applicable. Where an Agreement has been entered between the Parties, this DPA shall attach to and form part of the Agreement.
The Parties hereby agree as follows:
1. Scope of Agreement
The terms used in this DPA have the meanings set forth in this DPA.
This DPA governs the relationship between the Customer and Proximie with respect to the Processing of Customer Personal Data in connection with the Agreement(s), as applicable. Under this DPA, the Customer appoints Proximie as a Processor to Process the Customer Personal Data for the purposes described in Annex A to this DPA.
The Parties hereby agree to this DPA and undertake to comply with all its terms and conditions.
This DPA shall remain in force from the Effective Date until: (i) the expiration or termination of the Agreement; or (ii) if later, when Proximie ceases to process Customer Personal Data on behalf of the Customer under the Agreement(s), as applicable.
2. Definitions and Interpretation
In this DPA, the following terms have the meanings set out below:
2.1 “Adequate Country” means a country or territory that has been deemed to provide an adequate level of protection for Personal Data pursuant to Applicable Data Protection Law (including, without limitation, under Article 45(1) of the EU General Data Protection Regulation 2016/679 (“GDPR”)), and shall include any member of the European Economic Area and/or the United Kingdom;
2.2 “Affiliate” means in relation to either Customer or Proximie, an entity that owns or controls, is owned or controlled by or is under common control or ownership of such entity, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity;
2.3 “Applicable Data Protection Law” means any applicable data protection and privacy laws relating to the protection of individuals with regards to the processing of personal data, including any amendment, supplement, update, modification to or re-enactment of such laws;
2.4 “Customer Personal Data” means Personal Data Processed by Proximie in connection with the provision of the Proximie Platform (including the Services) to Customer, as described in Annex A, but excluding (for the avoidance of doubt) Proximie Personal Data;
2.5 “Documentation” means technical documentation provided or made available from time to time to Customer by Proximie regarding the Proximie Platform and/or Services, as applicable;
2.6 “Effective Date” means the earlier of: (i) the date of the Agreement; or (ii) the date on which Proximie first Processes Customer Personal Data in connection with the Services;
2.7 “Legal Process” means any criminal, civil, or administrative subpoena, mandatory request, warrant or court order issued by a Public Body, including but not limited to subpoenas, warrants and orders authorized under local, regional, state, national or federal laws or regulations or any other laws applicable to Proximie, any Proximie Affiliate or a Subprocessor in any Third Country;
2.8 “Order Form” means an ordering document specifying the Products and/or Services to be provided that is entered into between Proximie and Customer, which shall incorporate the Agreement;
2.9 “Products” means the Documentation and Proximie Platform;
2.10 “Proximie Personal Data” means Personal Data, including but not limited to business contact information, Processed by Proximie in connection with the Agreement for the purposes of administration, customer relationship management, invoicing or compliance by Proximie with its obligations under applicable laws, or as otherwise identified in its publicly accessible privacy notice (as updated from time to time), which is maintained on www.proximie.com;
2.11 “Proximie Platform” means the Proximie proprietary software in a managed cloud-hosted environment, any related software, applicable programming interfaces (APIs), and Proximie models or algorithms provided or made available to the Customer as a service in connection with the Agreement, and any improvements, modifications, derivative works, patches and Updates thereto.
2.12 “Public Body” means any local, regional, state, national or federal law enforcement authority, regulator, government department, agency or court in any Third Country;
2.13 “Services” means Support Services and/or additional implementation, enablement, training, or other professional services provided by or on behalf of Proximie, as may be set out in an Order Form;
2.14 “Standard Contractual Clauses” means standard contractual clauses for the transfer of Personal Data to Third Countries for use under Applicable Data Protection Law;
2.15 “Subprocessor” means any person (including any third party and any Proximie Affiliate, but excluding an employee or other agent of Proximie or any of its subcontractors) appointed by Proximie to Process Customer Personal Data;
2.16 “Supervisory Authority” means any local, state, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering and enforcing Applicable Data Protection Law;
2.17 “Third Country” means any country other than the countr(y)(ies) in which Customer, Healthcare Establishment(s) and Proximie are established that is not an Adequate Country;
2.18 “Third Party Entity” means a third party organisation or entity, including but not limited to, a medical device company, research institution, association or pharmaceutical company, who has entered into arrangements with Proximie and/or the Customer for the purposes of providing its products and/or services to the Customer using or in relation to the use of the Proximie software and related services;
2.19 “Updates” means general updates to the Products that Proximie may implement without requiring the payment of additional fees, subject always to ensuring that the Update does not reduce the level of functionality of the Products that are made available at the date of the Agreement, as applicable. Updates do not include new offerings that Proximie makes available for an additional charge.
2.20 The terms, “Controller,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Process(ing),” and “Processor” shall have the meaning given to those terms (or equivalent terms) under Applicable Data Protection Law. To the extent Applicable Data Protection Law does not define an aforementioned term (or any equivalent term), the meaning given by the General Data Protection Regulation (EU) 2016/679 shall apply.
2.21 The recitals to this DPA are provided for background purposes only, and do not create rights or obligations for or on either Party.
3.2 Each Party may collect and further Process Personal Data, and more specifically:
(ii) Processes Proximie Personal Data as a Controller;
3.2.2 As between the Parties, Customer Processes Customer Personal Data as a Controller, or as a Processor acting on behalf of an Affiliate or third party (“Healthcare Establishment”) as Controller (in which case, Customer warrants that it has entered into a data protection agreement with the Healthcare Establishment which is equivalent to and/or consistent with this DPA).
3.3.1 acknowledges that this DPA and the Agreement (including any Order Form), as applicable, constitute the complete instructions to Proximie regarding the Processing of Customer Personal Data;
3.3.2 shall, without prejudice to the generality of its obligations under clause 3.1, ensure it (or, as applicable, the relevant Healthcare Establishment) has taken all steps necessary under Applicable Data Protection Law to permit the Processing of Customer Personal Data by Proximie, including in particular that (i) its Processing instructions are lawful and do not conflict with any other contractual obligations owed by the Customer; (ii) it has obtained any consent or otherwise established any legal basis for the Processing required by Applicable Data Protection Law and (iii) it has provided adequate notice to its patients or other Data Subjects concerning the Processing, and further warrants and represents that its Processing instructions to Proximie and the terms of this DPA do not conflict with any agreement entered into by the Customer with a third party (including without limitation a Healthcare Establishment or Third Party Entity, as applicable). The Customer must inform Proximie immediately if it believes that the continued Processing of Customer Personal Data by Proximie may no longer be lawful, or conflicts with any agreement entered into by Customer with a third party.
3.4 Subject to clause 3.5, Proximie shall not Process Customer Personal Data other than as set out in this DPA or on the Customer’s documented instructions, unless Processing is required or permitted by applicable laws to which Proximie is subject, in which case Proximie will to the extent required and/or permitted by applicable law notify the Customer before undertaking the Processing of that Customer Personal Data.
3.5 Where from time to time Proximie has entered into a data protection agreement directly with the Healthcare Establishment (“Healthcare Establishment DPA”) then, to the extent that the scope of Personal Data Processing under that agreement is the same as under this DPA, the Healthcare Establishment DPA shall take precedence over this DPA and Proximie shall not be required to comply with any instruction from Customer under clause 3.4 which is inconsistent with instructions given under the Healthcare Establishment DPA.
4. Description of the Processing of Customer Personal Data
4.1 Annex A sets out a description of the Processing of Customer Personal Data by Proximie on behalf of the Customer. The Parties may agree in writing to amend or supplement Annex A from time to time, subject to the revised description being consistent with the terms of the Agreement.
5.1 Proximie will ensure that access is limited to those individuals who need to access the relevant Customer Personal Data, and that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
6.1 Proximie shall implement the technical and organisational security measures described in Annex B to its processing of Customer Personal Data, which are intended to ensure a level of security appropriate to the risk of Processing.
6.2 The Customer acknowledges that it is also responsible for the security of Customer Personal Data and in particular for: (i) using the Proximie Platform in accordance with the Agreement and the Documentation and any other applicable terms; (ii) taking complete responsibility for the use of the Proximie Platform by Customer personnel in a secure manner, and for their treatment of Customer Personal Data as confidential; (iii) determining whether the Proximie Platform (as may be described in the Agreement and the Documentation) is appropriate for the Customer’s specific use case; and (iv) determining whether and how to implement any optional or configurable security controls made available by Proximie.
6.3 Proximie shall on request provide reasonable assistance to the Customer in relation to its security obligations under Applicable Data Protection Law, taking into account the provisions of this clause 6, the nature of the Processing and information available to Proximie. Nothing in this clause 6.3 shall require the Customer to provide the Proximie Platform other than in accordance with the terms of the Agreement and the Documentation, except to the extent that configurations or modifications (which may be subject to additional costs) are agreed in writing by the Parties.
7.1 The Customer provides Proximie with a general authorization to appoint Subprocessors in accordance with this clause.
7.2 The Customer authorizes Proximie to appoint as Subprocessors:
7.2.1 those entities listed at https://proximie.com/privacy-notice/ as at the date of this DPA, and as updated in accordance with clause 7.3; and
7.2.2 each Proximie Affiliate.
7.3 Proximie will provide the Customer with at least ten (10) days’ prior notice of any appointment or replacement of a Subprocessor. The Customer may object to Proximie’s appointment or replacement of a Subprocessor prior to its appointment or replacement, provided such an objection is based on reasonable grounds relating to data protection. In such an event, Proximie will either not appoint, or replace, the Subprocessor or, if, in the sole opinion of Proximie, this is not reasonably commercially and technically possible, either Party may suspend or terminate the Agreement on notice (without prejudice to any fees incurred by the Customer prior to suspension or termination).
7.4 In relation to each Subprocessor appointed by Proximie under this clause 7, Proximie shall:
7.4.1 include terms in the contract between Proximie and the Subprocessor which offer materially the same level of protection as this DPA; and
7.4.2 remain fully liable to the Customer for the performance of the Subprocessor, subject always to any limitations on liability agreed under the Agreement or this DPA.
8.1 Proximie provides the Customer with a number of controls in relation to the Proximie Platform, as described in the Documentation. The Customer may use these controls as technical and organizational measures to assist it in connection with its obligations under Applicable Data Protection Law, including its obligations relating to responding to requests from Data Subjects.
8.2 Where the controls referred to in clause 8.1 are insufficient, and taking into account the nature of the Processing, Proximie will assist the Customer, insofar as this is reasonably possible, for the fulfilment of the Customer’s obligations to respond to requests to exercise Data Subject rights under Applicable Data Protection Law. Nothing in this clause 8.2 shall require the Customer to provide the Proximie Platform other than in accordance with the terms of the Agreement and the Documentation, except to the extent that configurations or modifications (which may be subject to additional costs) are agreed in writing by the Parties.
8.3 Proximie will:
8.3.1 redirect any Data Subject that sends Proximie such a request to the Customer; and
8.3.2 not respond to that request except on the documented instructions of the Customer or as required by applicable laws to which Proximie is subject, in which case Proximie will to the extent permitted by applicable laws inform the Customer of that legal requirement before Proximie responds to the request.
9. Personal Data Breach
9.1 Proximie will notify the Customer without undue delay upon Proximie becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to inform a Supervisory Authority or Data Subjects of the Personal Data Breach under Applicable Data Protection Law. Such information may be provided to Customer in phases, as it becomes available to Proximie.
9.2 Proximie shall provide any further reasonable assistance to the Customer in relation to its obligations concerning Personal Data Breaches, taking into account the nature of the Processing and information available to Proximie.
10.1 Proximie provides information about the Proximie Platform and its Processing of Personal Data via the Documentation. To the extent the foregoing is insufficient, Proximie will provide reasonable assistance with any data protection or privacy impact assessments, and consultations with Supervisory Authorities, which are required under Applicable Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Proximie.
11.1 Subject to clauses 11.2 and 11.3, Proximie will promptly, and in any event within thirty (30) working days of the date of cessation of any Services involving the Processing of Customer Personal Data, delete and procure the deletion of all copies of Customer Data. For the avoidance of doubt, deletion hereunder shall include anonymization (in line with Applicable Data Protection Law), destruction and/or rendering the Customer Personal Data inaccessible (as is technically feasible and/or standard industry practice).
11.2 Subject to clause 11.3, the Customer may by written advance notice to Proximie require Proximie to return a complete copy of all Customer Personal Data to the Customer in such format as is reasonably available to Proximie.
11.3 Proximie may archive and Process Customer Personal Data for the period and to the extent required and/or permitted by applicable laws (and always provided that Proximie will ensure the confidentiality of all such Customer Personal Data and will ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring or permitting its storage).
11.4 The Customer acknowledges and understands that Proximie requires data generated from the use of the Proximie Platform in order to develop and train its algorithms, and to generally improve and develop its specialised products and services. The Customer authorizes such activities, subject to the remainder of this clause. With respect to Customer Personal Data, to the extent such activities fall outside of the scope of the Processing of Customer Personal Data authorized under this DPA (and as described in Annex A), Proximie shall utilize anonymized Customer Personal Data only, and for these purposes the Customer instructs and authorizes Proximie to securely anonymize Customer Personal Data.
12. Audit rights
12.1 On a regular basis Proximie will commission an independent audit to assess and document the appropriateness of its technical and organizational measures under this DPA, and will share a summary of the results of that audit and/or other related information reasonably required by a Customer on written request so that the Customer can verify Proximie’s compliance with this DPA. Any such information shall be considered Proximie’s confidential information and may be subject to Proximie’s further reasonable confidentiality requirements (including but not limited to execution of a separate non-disclosure agreement).
12.2 Should Proximie fail to commission an audit as described in clause 12.1 or to share those summary results as aforesaid, and should the Documentation not be sufficient for the Customer purposes set out in clause 12.1, then the Customer shall be entitled, at its own cost and expense, once a year, upon reasonable advance written notice and during regular business hours, to audit the appropriateness of Proximie’s technical and organizational measures itself or through the Customer’s authorized representative. If the Customer so decides to audit Proximie as aforesaid, the Customer shall provide Proximie with a written audit plan for Proximie’s approval (such approval not to be unreasonably withheld) with three (3) months’ advance written notice, and any/all aspects of such audit shall at all times be considered Proximie’s confidential information and may be subject to Proximie’s further reasonable confidentiality and other requirements (including but not limited to execution of a separate non-disclosure agreement).
12.3 Proximie shall also respond to any written audit questions submitted to it by the Customer, provided that the Customer shall not exercise this right more than once (1) per year. Such responses shall be considered Proximie’s confidential information and may be subject to Proximie’s further reasonable confidentiality and other requirements (including but not limited to execution of a separate non-disclosure agreement).
13.1 The Customer agrees that Customer Personal Data may be Processed by a Subprocessor in any country, including any Third Country, to the extent such Processing is necessary to provide the Proximie Platform (including, without limitation, as required to provide maintenance or customer support, or for compliance or data security reasons), subject to Proximie implementing any appropriate safeguards which may be necessary in accordance with clause 13.2.
13.2 Where, in accordance with clause 13.1, Customer Personal Data is transferred to a Third Country, Proximie shall, to the extent required by Applicable Data Protection Law, enter into Standard Contractual Clauses with the relevant Subprocessor, and/or take such other steps as are required by Data Protection Laws to ensure a lawful transfer of Customer Personal Data.
13.3 Clause 13 is without prejudice to Proximie’s obligations in respect of Legal Processes, as set out in clause 14.
13.4 The Parties acknowledge that the Proximie Platform and Services allow Customer, Health Establishment(s) and their users (as applicable) to invite users to use and access the Proximie Platform from anywhere in the world (e.g. Customer users may invite a surgeon located in a Third Country to connect remotely to a session on the Proximie Platform in order to share her expertise). Notwithstanding anything to the contrary in this DPA and/or the Agreement, the Parties acknowledge and agree that use of and access to the Proximie Platform by such individual users does not constitute a breach of the requirements on, and obligations of, Proximie under this DPA and/or the Agreement, including any localization and access restriction requirements, and that as between the Parties, Customer is solely liable for ensuring that appropriate steps are taken to ensure any such transfer(s) of Customer Personal Data is/are compliant with applicable laws (including Data Protection Laws). For the avoidance of doubt, such users shall not constitute Subprocessors of Proximie hereunder.
14.1 If Proximie or a Proximie Affiliate receives a Legal Process requiring disclosure of Customer Personal Data to a Public Body (or receives notice that a third party Subprocessor has received such a notice):
14.1.1 Proximie or that Proximie Affiliate shall attempt, or shall use reasonable endeavours to require the third party Subprocessor to attempt, to redirect the Public Body issuing such Legal Process to request that Customer Personal Data directly from Customer; and
14.1.2 promptly notify Customer of the Legal Process, unless legally prohibited from doing so.
14.2 Where Proximie, a Proximie Affiliate or any third party Subprocessor is prohibited under applicable laws from taking the steps described in clauses 14.1.1 to 14.1.2 above, it shall instead use all reasonable efforts to challenge the Legal Process if, after careful assessment, it determines there are grounds for doing so.
14.3 In the absence of any such grounds, Proximie or Proximie Affiliate shall, or shall use reasonable endeavours to require the third party Subprocessor to: (i) make such disclosure; (ii) conduct such disclosure insofar as possible in compliance with Applicable Data Protection Law; and (iii) provide the minimum amount of Customer Personal Data permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
15.1 Subject to clause 15.2, Proximie’s liability to Customer under or in connection with this DPA (including, without limitation, for any breach of this DPA or of Applicable Data Protection Law) shall be subject to the limitations of liability set out in the Agreement between the Parties.
15.2 Where the Parties have not entered into an Agreement, Proximie’s total aggregate liability to Customer under or in connection with this DPA (including, without limitation, for any breach of this DPA or of Applicable Data Protection Law) shall be limited to the sum of fifty thousand US dollars (US $50,000), fifty thousand GBP (£50,000) or fifty thousand Euros (€50,000), depending on and in line with the currency in the jurisdiction of Customer. If none of those three currencies are used in Customer’s jurisdiction, then Proximie’s total aggregate liability to Customer under or in connection with this DPA (including, without limitation, for any breach of this DPA or of Applicable Data Protection Law) shall be limited to the sum of fifty thousand US dollars (US $50,000).
16. General Terms
16.1 Proximie may, to the extent permitted by applicable law, require Customer to reimburse Proximie for all costs (including internal and third party costs) which are reasonably and properly incurred by Proximie in the performance of Proximie’s obligations under clauses 6.3; 8; 9.2; 10; and 11.2 of this DPA, where a Customer’s request for assistance under those clauses is, in the reasonable opinion of Proximie, disproportionate. Proximie may charge for internal resources at Proximie’s then current professional day rates as set by Proximie in Customer’s country of establishment from time to time.
16.2 With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA will prevail.
16.3 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will be either: (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible; (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
16.4 This DPA shall be governed by, and interpreted in accordance with, the laws of England and Wales and the Parties submit to the exclusive jurisdiction of the courts of England.
16.5 Where the Parties have not entered into an Agreement, the following shall apply.
16.6 All notices sent under this DPA shall be in writing (which shall include email) and shall be sent to the following recipients:
16.6.1 For Proximie: [email protected]
16.6.2 For Customer: the contact details notified by Customer to Proximie in writing from time to time.
16.7 The following terms of this DPA shall continue to apply, notwithstanding termination or expiry of this DPA: clauses 2, 11, 15, and 16.
16.8 This DPA constitutes the entire agreement and understanding between the Parties in respect of the matters dealt with herein and supersedes any previous agreement between the Parties relating to such matters. Each of the Parties acknowledges and agrees that in entering into this DPA it does not rely on, and shall have no remedy in respect of, any statement, representation, warranty or understanding (whether negligently or innocently made) other than as expressly set out in this DPA. The only remedy available to any Party in respect of any such statement, representation, warranty or understanding shall be for breach of contract under the terms of this DPA. Nothing in this clause shall operate to exclude or limit any liability for fraud or fraudulent misrepresentation.
16.9 No waiver of any provision of this DPA shall be effective except to the extent made in writing and signed by an authorised representative of the waiving Party.
16.10 No failure or delay by any Party to exercise any right or remedy will operate as a waiver of it nor will any partial exercise preclude any further exercise of the same, or of some other right or remedy. All such rights and remedies are several and cumulative and not exclusive of each other.