
EU Data Processing Agreement

GDPR-compliant DPA with Standard Contractual Clauses (SCCs) for international transfers.

Last updated: 18 December 2025 | Version: 1.0

This Data Processing Agreement ("DPA") template is provided for informational purposes. Healthcare organisations entering into a service agreement with PreConsult will receive a customised DPA as part of their onboarding.

To request a customised DPA or discuss specific requirements, contact: legal@preconsult.ai

Note: This template complies with Article 28 of the EU GDPR and incorporates the European Commission's Standard Contractual Clauses (SCCs) for international data transfers. It should be reviewed by your legal counsel before execution.

1. Parties and Background

PARTIES

(1) Data Controller: [Healthcare Organisation Name] of [Address, EU Member State] ("Controller")

(2) Data Processor: Slay Pty Ltd (ABN 59 686 642 366) trading as PreConsult, of Melbourne, Australia ("Processor")

(each a "Party" and together the "Parties")

1.1 Background

(A) The Controller has engaged the Processor to provide clinical decision support services ("Services") under a separate service agreement ("Principal Agreement").

(B) The provision of the Services involves the processing of personal data, including special category data (health data).

(C) The Parties wish to ensure that the processing of personal data complies with EU Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679.

(D) This DPA sets out the terms on which the Processor will process personal data on behalf of the Controller.

(E) Where personal data is transferred outside the EEA to countries without adequacy decisions, the European Commission's Standard Contractual Clauses (SCCs) shall apply.

2. Definitions

In this DPA:

  • "EU Data Protection Laws" means Regulation (EU) 2016/679 (GDPR), the ePrivacy Directive 2002/58/EC, and any applicable EU Member State data protection legislation.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
  • "EEA" means the European Economic Area (EU Member States plus Iceland, Liechtenstein, and Norway).
  • "Supervisory Authority" means the competent data protection authority in the Controller's EU Member State.
  • "SCCs" means the Standard Contractual Clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914.
  • "Adequacy Decision" means a decision by the European Commission under Article 45 of the GDPR that a third country provides adequate protection.
  • "Personal Data" has the meaning given in the GDPR.
  • "Processing" has the meaning given in the GDPR and "Process" and "Processed" shall be construed accordingly.
  • "Personal Data Breach" has the meaning given in the GDPR.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Transfer Impact Assessment" or "TIA" means an assessment of the laws and practices in the destination country as required following the Schrems II judgment.

3. Scope and Purpose

3.1 Scope

This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the Services.

3.2 Roles

The Parties acknowledge that:

  • The Controller is the data controller of the Personal Data;
  • The Processor is the data processor acting on behalf of the Controller;
  • The Processor shall only Process Personal Data on documented instructions from the Controller.

3.3 Duration

This DPA shall remain in force for the duration of the Principal Agreement and for as long as the Processor continues to Process Personal Data on behalf of the Controller.

3.4 EU Representative

The Processor has appointed an EU Representative in accordance with Article 27 of the GDPR. Contact details are available in our EU GDPR Policy.

4. Processing Details (Annex I)

A. List of Parties

Data exporter: [Healthcare Organisation Name] - Controller providing healthcare services in the EU/EEA

Data importer: Slay Pty Ltd trading as PreConsult - Processor providing clinical decision support services

B. Description of Transfer

Categories of data subjects: Patients of the Controller, healthcare practitioners, administrative staff
Categories of personal data:
  • Patient identifying information (name, date of birth, contact details)
  • Health data (symptoms, medical history, medications, allergies, family history)
  • Demographic information (age, gender)
  • Communication records (interview transcripts, chat logs)
  • Appointment information
  • Practitioner account information
Sensitive data transferred: Yes - Health data under Article 9 GDPR
Frequency of transfer: Continuous during the provision of Services
Nature of processing: Collection, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission, and erasure
Purpose of processing: To provide pre-consultation health history collection, clinical summarisation, clinical decision support, and related healthcare services
Retention period: For the term of the Principal Agreement plus any retention period required by applicable law

C. Competent Supervisory Authority

The supervisory authority of the EU Member State in which the Controller is established: [e.g., CNIL (France), BfDI (Germany), DPC (Ireland), AEPD (Spain)]

5. Processor Obligations

5.1 Processing Instructions

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law;
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes EU Data Protection Laws;
  • Process Personal Data only to the extent necessary to provide the Services.

5.2 Confidentiality

The Processor shall ensure that persons authorised to Process the Personal Data:

  • Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Process the Personal Data only on instructions from the Controller.

5.3 Records

The Processor shall maintain records of Processing activities as required by Article 30(2) of the GDPR, including:

  • Name and contact details of the Processor and each Controller;
  • Categories of Processing carried out;
  • International transfers and safeguards;
  • Description of technical and organisational security measures.

6. Security Measures (Annex II)

The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR:

6.1 Technical Measures

  • Encryption: Personal Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access controls: Role-based access with principle of least privilege
  • Authentication: Multi-factor authentication for all practitioner accounts
  • Network security: Firewalls, intrusion detection, and DDoS protection
  • Testing: Regular security testing and vulnerability assessments
  • Backup: Encrypted backups with tested recovery procedures
  • Data residency: Primary data storage in EU (Dublin) for EU customers

6.2 Organisational Measures

  • Information security policies and procedures
  • Staff training on data protection and security
  • Access limited to personnel with legitimate need
  • Regular access reviews
  • Incident response procedures
  • Business continuity planning

6.3 Pseudonymisation

Where technically feasible and appropriate, the Processor implements pseudonymisation measures to reduce risks to data subjects.

7. Sub-Processors

7.1 General Authorisation

The Controller provides general authorisation for the Processor to engage Sub-processors, subject to the requirements below.

7.2 Sub-Processor Requirements

The Processor shall:

  • Maintain a list of Sub-processors available to the Controller upon request;
  • Enter into written agreements with Sub-processors imposing data protection obligations no less protective than this DPA;
  • Where Sub-processors are located outside the EEA, ensure SCCs or other appropriate transfer mechanisms are in place;
  • Remain fully liable to the Controller for the performance of Sub-processors.

7.3 Changes to Sub-Processors

The Processor shall:

  • Notify the Controller of any intended addition or replacement of Sub-processors;
  • Provide at least 30 days' notice before engaging new Sub-processors;
  • Consider in good faith any objections raised by the Controller;
  • Allow the Controller to terminate the affected Services if the Controller objects and no resolution is reached.

7.4 Current Sub-Processors (Annex III)

The current list of approved Sub-processors includes:

  • Cloud infrastructure providers
  • AI language model providers
  • SMS delivery services
  • Email delivery services

Full details available upon request to legal@preconsult.ai

8. International Transfers (SCCs)

8.1 Data Residency

Primary Personal Data for EU/EEA customers shall be stored in the European Union (Dublin, Ireland) unless otherwise agreed in the Principal Agreement.

8.2 Transfer Mechanism

Where Personal Data is transferred outside the EEA to countries without an Adequacy Decision, the Processor shall ensure appropriate safeguards using the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).

8.3 SCC Module Selection

For transfers under this DPA, the following SCC modules apply:

  • Module Two: Controller to Processor (for transfers from Controller to Processor)
  • Module Three: Processor to Processor (for onward transfers to Sub-processors)

8.4 SCC Incorporation

The SCCs are incorporated into this DPA by reference:

  • The SCCs shall be deemed executed between the Parties;
  • The Annexes to the SCCs are completed as set forth in this DPA;
  • In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.

8.5 Transfer Impact Assessment

In accordance with the Schrems II judgment (C-311/18), the Processor shall:

  • Conduct and document a Transfer Impact Assessment (TIA) before any transfer to a third country;
  • Assess whether the laws and practices in the destination country may impinge on the effectiveness of the SCCs;
  • Implement supplementary measures where necessary;
  • Make the TIA available to the Controller upon request.

8.6 Government Access Requests

If the Processor receives a legally binding request for disclosure of Personal Data from a government authority, the Processor shall:

  • Notify the Controller promptly (unless legally prohibited);
  • Challenge the request through available legal means;
  • Minimise disclosure to the extent permitted by law;
  • Redirect the authority to the Controller where possible.

8.7 Supplementary Measures

For transfers to third countries (including to Sub-processors in the United States), the Processor implements supplementary measures including:

  • Strong encryption of data in transit and at rest using state-of-the-art algorithms;
  • Pseudonymisation where technically feasible;
  • Contractual commitments to challenge disproportionate government access requests;
  • Transparency reporting on government access requests received;
  • Use of providers participating in recognised frameworks (e.g., EU-US Data Privacy Framework where applicable).

9. Data Subject Rights

9.1 Assistance

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under Articles 15-22 of the GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Notification obligation regarding rectification, erasure or restriction (Article 19)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making (Article 22)

9.2 Notification

The Processor shall notify the Controller promptly (within 5 business days) upon receiving any request from a data subject, and shall not respond directly unless instructed by the Controller.

10. Data Breach Notification

10.1 Notification Obligations

Upon becoming aware of a Personal Data Breach, the Processor shall:

  • Notify the Controller without undue delay (and in any event within 24 hours);
  • Provide all reasonably available information about the breach;
  • Cooperate with the Controller's investigation and response;
  • Support the Controller in meeting Supervisory Authority notification requirements (72 hours under Article 33).

10.2 Information to Provide

The notification shall include (to the extent known):

  • Description of the nature of the breach;
  • Categories and approximate number of data subjects affected;
  • Categories and approximate number of personal data records affected;
  • Name and contact details of DPO or other contact point;
  • Likely consequences of the breach;
  • Measures taken or proposed to address the breach and mitigate adverse effects.

11. DPIA Assistance

The Processor shall provide reasonable assistance to the Controller with:

  • Data Protection Impact Assessments (DPIAs) under Article 35 GDPR;
  • Prior consultation with Supervisory Authorities under Article 36 GDPR;
  • Compliance with the Controller's obligations under Articles 32-36 of the GDPR.

12. Audit Rights

12.1 Audit Access

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and this DPA, and allow for and contribute to audits and inspections.

12.2 Audit Conduct

The Controller (or its mandated auditor) may conduct audits, subject to:

  • Reasonable advance notice (at least 30 days);
  • Audits during normal business hours;
  • Confidentiality obligations regarding Processor information;
  • No more than one audit per 12-month period (except where required by a Supervisory Authority).

12.3 Alternative Evidence

The Processor may satisfy audit requirements by providing:

  • Third-party audit reports or certifications (e.g., ISO 27001, SOC 2);
  • Completed security questionnaires;
  • Documentation of security practices and procedures.

13. Termination and Data Return

13.1 Upon Termination

Upon termination of the Principal Agreement, the Processor shall, at the Controller's choice:

  • Return all Personal Data to the Controller in a commonly used, machine-readable format; or
  • Delete all Personal Data and certify such deletion in writing.

The Controller shall communicate its choice within 30 days of termination. If no choice is made, the Processor shall delete the Personal Data.

13.2 Retention Exceptions

The Processor may retain Personal Data where required by EU or Member State law, provided:

  • The Controller is notified of the legal requirement;
  • Processing is limited to the extent required by law;
  • Appropriate security measures continue to apply.

14. Liability

14.1 GDPR Liability

Each Party's liability for damages resulting from a violation of the GDPR shall be determined in accordance with Article 82 GDPR.

14.2 Liability Cap

Subject to Article 82 GDPR, liability under this DPA shall be subject to the limitations set out in the Principal Agreement.

14.3 Indemnification

Each Party shall indemnify the other against losses arising from breaches of this DPA or EU Data Protection Laws attributable to the indemnifying Party.

15. SCC Annexes

The following information completes the Annexes to the European Commission's Standard Contractual Clauses:

Annex I.A - List of Parties

Data exporter
  Name: [Healthcare Organisation Name]
  Address: [Address]
  Contact: [DPO/Privacy Contact]
  Role: Controller

Data importer
  Name: Slay Pty Ltd trading as PreConsult
  Address: Melbourne, Australia
  Contact: privacy@preconsult.ai
  Role: Processor

Annex I.B - Description of Transfer

As described in Section 4 of this DPA

Annex I.C - Competent Supervisory Authority

[Data protection authority of the EU Member State where the Controller is established]

Annex II - Technical and Organisational Measures

As described in Section 6 of this DPA

Annex III - List of Sub-processors

Available upon request to legal@preconsult.ai. Includes cloud infrastructure, AI model providers, and communication services.

SCC Optional Clauses

Clause 7 (Docking clause): Included - additional parties may accede
Clause 9(a) (Sub-processor authorisation): Option 2 - General written authorisation
Clause 11 (Redress): Optional language not included
Clause 17 (Governing law): Laws of [Controller's EU Member State]
Clause 18 (Forum): Courts of [Controller's EU Member State]

Execution

This DPA (including the incorporated SCCs) is executed under the laws of [EU Member State].

SIGNED for and on behalf of [Controller Name]
SIGNED for and on behalf of Slay Pty Ltd (trading as PreConsult)

Request a Customised DPA

This template is provided for reference. To receive a customised Data Processing Agreement for your organisation, contact legal@preconsult.ai.
