Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into by and between the Institution (“Controller”) and Virtual Phantoms, Inc., PO Box 5681, Albany, NY 12205-3590 USA (“Processor”):

1.1 The Processor shall Process Personal Data provided by the Controller only on behalf of and only on documented instructions from the Controller in accordance with Schedule 1 of this Data Processing Agreement and in accordance with the Terms of Use.

1.2 Capitalized terms used in this Data Processing Agreement or in Schedule 1 shall have the meaning as defined in the Terms of Use, or as follows:

“Data” shall mean Personal Data and Network Data.

“Individual User” shall mean the individual physician or medical physicists as well as other personnel of the Insti- tution that needs access to the Services for the perfor- mance of their job obligations.
“Institution” shall mean the institution, hospital or other legal entity having been registered online by an Individual User.

“Network Data” shall mean any data being extracted from the connected devices or sent by Individual Users and shall include any (analytical) result of the Services. Net- work Data shall be excluding Personal Data but including anonymized Personal Data.

“Personal Data” shall mean any information relating to an identified or identifiable natural person, including such personal data related to patients and employees of the Institution.

“Receiver” shall mean the receiver software being down- loaded by the Institution to its IT infrastructure.

2.1 The Controller shall be responsible for any Personal Data posted, submitted or otherwise disclosed by it and/or its Individual Users and verification of the identity of any other user such Personal Data is shared with and/or transferred to.

2.2 Personal Data being Processed by the Receiver and/or uploaded to the cloud-deployed database will not be stored, or will appear only in access records available only to Processor through proper user authentication.

In addition, the Processor and/or its affiliates may offer remote support services in connection with the Services and/or the Receiver. When using such remote support services, the Processor and/or its affiliates may get access to Data that contain Personal Data.

2.3 The Controller shall (and shall ensure that its Individual Users do) submit or otherwise disclose Personal Data to the Processor only to the extent there is a legal justification, i.e. the Controller has obtained prior voluntary informed consent from the individual concerned (a consent form can be provided on request) or the Institution can justify such submission by other valid legal ground for the processing of Personal Data in accordance with applicable law. If the Controller uses Receiver settings requiring such legal justification, the Controller is responsible to ensure such legal justification before changing the settings. If such legal justification does not exist, the Controller shall explicitly block the individuals concerned.

2.4 The Controller warrants that Personal Data disclosed to the Processor by the Controller and/or its Individual Users is Processed in accordance with applicable privacy, data protection and medical secrecy regulations and the Controller’s notifications with the competent data protection authority, if any. The Controller warrants that the submission and disclosure as well as the further Processing of Data are permitted. This applies in particular to the extent Data submitted or otherwise disclosed by the Controller and/or its Individual Users of VirtualDose contains any protected Personal Data or any other sensitive or confidential information.

2.5 In order to fulfil its obligations under this section 2 the Controller will be able to change the privacy settings of the Receiver in accordance with its local (legal) requirements. Upon request of the relevant data subject or any person entitled, the Controller shall immediately cease using VirtualDose based on settings permitting the use of Personal Data of such data subject and block such Personal Data for Processing by the Receiver. The Controller is responsible for the settings of the Receiver required to fulfil the aforementioned obligations. The settings will provide for the possibility to either blacklist several patients or to put a tag into the DICOM data file within each study.

2.6 If Controller actively transmits Data to the Receiver, this Section 2 applies accordingly and Controller shall anonymize such Data before sending, if Controller lacks a legal justification.

2.7 Physicians, medical physicists and other healthcare professionals are bound by medical confidentiality. Therefore, when using VirtualDose, the Controller is responsible for (a) anonymization of patient data according to applicable laws and regulations or (b) obtaining patient’s prior written release from medical confidentiality according to applicable laws and regulations, if required and to the extent admissible according to local laws.

2.8 The Controller shall be responsible for obtaining the consent of its employees or self-employed personnel for the Processing of Data containing information on employees (especially physicians and operators). The settings of the Receiver provide for the possibility to exclude Data containing information about such employees.

2.9 The Processor and the Controller shall co-operate with each other to promptly and effectively handle and solve enquiries, complaints, and claims relating to the Processing of Personal Data from any court, government official (including but not limited to any data protection or law enforcement agency), third parties or individuals (including but not limited to requests of the data subjects to access, rectify, erase or block Personal Data concerning them).

2.10 To the extent Services provide functionality to request the disclosure or submission of Data to Third-Party Solutions operated by Third-Party Providers (such as a “Open with/Open in/Send to” functionality), the Controller hereby instructs the Processor to disclose or submit the Data to the Third-Party Provider upon such request only. The Controller is only entitled to use such functionality if Controller has entered into a data processing agreement with such Third-Party Provider and ensures the legal justification to submit or disclose Data to such Third-Party Provider. The Processor only follows the foregoing instruction and is thereby not acting as a sub-processor to such Third-Party Provider.


Schedule 1: Data Processing Agreement

Article 1 Subject-matter, nature, purpose and duration of the processing

  1. This Schedule 1 supplements the DPA. It applies to the Processing of Personal Data by Processor on behalf of the Controller under the DPA and sets out the data protection obligations of the parties.
  2. Nature and purpose of Processing: Processor Processes Personal Data to the extent necessary to provide the Services specified and agreed in the Terms of Use.
  3. Processor and Controller are each responsible for their own compliance with the applicable data protection law. The Controller is solely responsible for the means by which the Processor acquired the Personal Data and the Controller shall only disclose Personal Data to the Processor for which a legal authorization is given and for which the Controller has a legal right of Processing.
  4. The duration of the Processing corresponds to the term of the agreement.

Article 2 Type of Personal Data and categories of data subjects

The types of Personal Data and categories of data subjects are laid out in Attachment 1.

Article 3 Instructions

  1. The Processor Processes Personal Data only on the basis of the Controller’s documented instructions. The DPA and the Terms of Use are the Controller’s complete and final documented instructions to Processor for the Processing of Personal Data.
  2. Any additional or alternate instructions (in particular Section 2.11 of the DPA) must be issued by the Controller in writing and are binding only upon written acknowledgement by Processor. Processor shall inform the Controller if, in Processor’s opinion, an instruction infringes the GDPR or the data protection provisions applicable to Processor. Processor is under no obligation to conduct a comprehensive legal review or to follow instructions prohibited by law.
  3. The Controller shall bear all additional costs incurred by Processor as a result of an additional or alternate instruction, unless the instruction is necessary to comply with statutory requirements applicable to Processor.

Article 4 Confidentiality

Processor warrants that persons authorized to Process the Personal Data are bound to continuing secrecy by contract or are under such a duty by law.

Article 5

Security of Processing

  1. Processor shall take all measures required pursuant to Article 32 GDPR.
  2. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed, Processor shall implement technical and organizational measures as set out in Attachment TOM.
  3. The Controller and Processor agree that the implementation of the technical and organizational measures described in Attachment TOM ensures an appropriate level of safety in accordance with the GDPR and provides sufficient safeguards for the protection of the rights of the data subject.
  4. The technical and organizational measures described in Attachment TOM are subject to technical progress and further development and may be adjusted by Processor if appropriate, provided such adjustment does not result in a lower level of protection than that set forth in Attachment TOM.

Article 6 Assistance

  1. Taking into account the nature of the Processing as described in the Terms of Use and this DPA, Processor will assist the Controller upon request and at the Controller’s expense by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Articles 12 to 23 GDPR.
  2. Processor shall inform the Controller without undue delay about requests from data subjects to exercise their rights as per Articles 12 to 23 GDPR, in particular with regard to the right of access to Personal Data, right to rectification, right to erasure (‘right to be forgotten’), right to restriction of Processing, right to data portability, right to object or the right not to be subject to an automated individual decision-making.
  3. Taking into account the nature of the Processing as described in the Terms of Use and this DPA and the information available at Processor, Processor shall assist the Controller at the Controller’s expense in ensuring Controller’s own compliance with the obligations pursuant to Articles 32 (security of Processing), 33 (notification of Personal Data breach to the supervisory authority), 34 (communication of a Personal Data breach to the data subject), 35 (data protection impact assessment) and 36 (prior consultation) GDPR.

Article 7 Deletion

At the choice of the Controller all Personal Data of the Controller are to be deleted or returned after the end of the provision of Services relating to Processing. Controller hereby instructs Processor to delete all Personal Data of the Controller after the end of the provision of Services relating to Processing and to delete existing copies unless Union or Member State law requires storage of the Personal Data.

Article 8 Information and audit rights

  1. With regard to the Processing under the Terms of Use and the DPA, Processor shall upon the Controller’s written request make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.
  2. Processor shall allow for and contribute to Controller audits, including inspections (“audits”), with regard to the Processing under the main contract to demonstrate compliance with the obligations laid down in Article 28 GDPR. These audits may also be conducted by an independent third party auditor mandated by the Controller, provided that this auditor is acceptable for Processor and bound by confidentiality. The Controller shall request an audit with reasonable prior notice to Processor. Prior to an audit, the parties shall mutually agree on the scope, timing, and duration of the audit. The Controller shall reimburse Processor for any services incurred by Processor with regard to the audit at the then current Processor service rates, which shall be made available to the Controller upon request.
  3. The Controller shall promptly provide a written report to Processor containing a confidential summary of the scope and results of the audit. Irrespective hereof, Processor is entitled to use the report for its own purposes.

Attachment 1 Details of the Transfer

Categories of data subjects: The Personal Data transferred concern the following categories of data subjects:

  • Employees or suppliers of the Controller or the Controller’s group companies
  • Patients of the Controller or the Controller’s group companies

Types of Personal Data: The Personal Data transferred concern the following categories of data:

  • Employee data, including user name, access point IP address, and method of access.

Special categories of data: The Personal Data transferred concern the following special categories of data:

  • Pseudonymized data on health, biometrical data

Processing operations: The Personal Data transferred will be subject to the following basic Processing activities:

  • The type, subject matter of the Processing, nature and purpose of the Processing of Personal Data are further specified in the Terms of Use between the Controller and Virtual Phantoms, Inc., as the service provider of VirtualDose.
  • There is also a possibility of access to Personal Data during inspection and maintenance of automated procedures or data processing systems.

Attachment TOM
Technical and Organizational Measures (“Attachment TOM”)

  1. Pseudonymization

Processor separates personal data from the processed data so that it is not possible to link the processed data to an identified or identifiable person without additional information that is stored separately and securely.

  1. Confidentiality, Integrity, Availability and Resilience of Systems and Services
    a) Processor ensures confidentiality and integrity by taking the following measures:

System access control:

Access to data processing systems is only granted to authenticated users based on a role-based authorization concept using the following measures: Data encryption, individualized password assignment (at least 8 characters, regularly automatic expiration), password-protected screen savers in case of inactivity, intrusion detection systems and intrusion-prevention systems, regularly updated antivirus and spyware filters in the network and on the individual PCs and mobile devices.

Data access control:

Access to personal data is granted on the basis of a role-based authorization concept.

Data transmission control:

Processor secures electronic communication channels by setting up closed networks and data encryption procedures. If a physical data carrier transport takes place, verifiable transport processes are implemented that prevent unauthorized data access or logical loss. Data carriers are disposed of in accordance with data protection regulations.

  1. b) Processor ensures systems and services constant availability and reliability by taking the following measures:
    Processor ensures availability and resilience of systems and services by isolating critical IT and network components, by providing adequate backup and redundancy systems, using power redundancy systems, and regularly testing of systems and services. Test and live systems are kept completely separated.
  2. Availability and Access to Personal Data in the Event of an Incident
    Processor shall restore the availability of and access to personal data in the event of a physical or technical incident by taking the following measures:

Processor stores personal data in RAID systems and integrates redundant systems according to security marking. Processor uses systems for uninterruptible power supplies (e. g. UPS, batteries, generators) to secure the power supply in the data centers. Databases or data centers are mirrored in different physical locations.