
GDPR Data Processing Agreement

Compliant with Regulation (EU) 2016/679 (General Data Protection Regulation)

GDPR Compliant EU Data Residency Standard Contractual Clauses

🇪🇺 EU Data Processing Architecture

EU Clinic/Patient → Cloudflare CDN → Reputed Tier III Data Center, Gravelines (France) → Secure Database

All data remains within EU borders | GDPR compliant end-to-end encryption

⚠️ IMPORTANT GDPR NOTICE

By using OWNIT's cloud-based software services (including the Clinic Management System or any SaaS solution that processes personal data of EU residents), you hereby acknowledge and agree that this GDPR Data Processing Agreement is automatically incorporated into your agreement with OWNIT. This DPA satisfies the requirements of Article 28 of the GDPR for a written contract between Controllers and Processors.

SECTION 1

1. Parties to This Agreement

Data Controller (Clinic/Healthcare Provider): The medical clinic, hospital, optical shop, dental practice, or any healthcare facility established in the European Union that uses OWNIT's services and determines the purposes and means of processing personal data of EU residents.

Data Processor (OWNIT): OWNIT, a software development and SaaS provider, acting as a Data Processor on behalf of the Controller. Processor handles personal data strictly according to Controller's instructions and this DPA.

EU Representative (if applicable): OWNIT has appointed an EU representative as required by Article 27 GDPR. Contact details available upon request at [email protected].

Effective Date: The date on which the Controller first accesses, uses, or subscribes to any OWNIT cloud-based service.

SECTION 2

2. Subject Matter & Duration of Processing

Subject Matter: Processing of personal data of EU residents as part of providing clinic management software, patient records management, appointment scheduling, prescription management, billing, inventory, and related healthcare administration services.

Duration: This DPA remains in effect for as long as the Controller uses any OWNIT cloud service that processes personal data of EU residents. Upon termination, all data will be handled according to Section 9 (Data Deletion & Return).

Nature & Purpose of Processing: Collecting, storing, organizing, retrieving, analyzing, backing up, and transmitting patient health information to facilitate clinic operations, medical record keeping, compliance reporting, and healthcare delivery optimization.

SECTION 3

3. Categories of Data Subjects & Types of Personal Data

Data Subjects Include:

  • Patients / Clients: Individuals receiving medical, optical, dental, or healthcare services from the Controller (including EU residents)
  • Employees & Staff: Healthcare providers, administrators, doctors, nurses, and support staff
  • Guardians & Legal Representatives: Individuals acting on behalf of patients
  • Third-Party Beneficiaries: Insurance providers, laboratories, and referral partners (as authorized)

Types of Personal Data Processed:

  • Special Categories of Data (Article 9 GDPR - Health Data): Medical history, diagnoses, treatment plans, prescriptions, eye examination records (sphere, cylinder, axis, ADD), lens specifications, clinical notes, laboratory results
  • Personal Identification Data: Name, address, date of birth, gender, national identification number (where applicable), contact details (phone, email)
  • Insurance & Financial Data: Insurance policy numbers, claim details, payment information, billing history
  • Appointment & Scheduling Data: Appointment times, reminders, cancellation history, no-show records
  • Technical Data: IP addresses, login logs, audit trails, access records (for security and compliance purposes)

Lawful Basis for Processing Health Data (Article 9 GDPR): Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care, or treatment under Article 9(2)(h) GDPR, based on EU or Member State law or a contract with a health professional.

SECTION 4

4. Data Processor's Obligations (OWNIT)

4.1 Processing Only on Instructions

Processor shall process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law. Processor shall immediately inform Controller if an instruction violates GDPR.

4.2 Confidentiality

Processor ensures that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security of Processing (Article 32 GDPR)

Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Pseudonymization and Encryption: AES-256 encryption for data at rest on Reputed Tier III Data Center, Gravelines servers; TLS 1.3 encryption for data in transit
  • Ongoing Confidentiality, Integrity, Availability, Resilience: Regular backup, disaster recovery, 99.9% uptime SLA
  • Restoration Availability: Daily backups with 30-day retention; ability to restore data promptly
  • Regular Testing: Quarterly penetration testing, vulnerability assessments, and security audits

4.4 Subprocessor Management (Article 28(2) & 28(4) GDPR)

Processor shall not engage another processor (subprocessor) without prior specific or general written authorization from Controller. Processor currently uses the following subprocessors:

  • Reputed Tier III Data Center, SAS (Gravelines, France): Primary data hosting - HDS certified, ISO 27001, GDPR compliant
  • Cloudflare, Inc.: CDN, DDoS protection, WAF (no personal data storage, only traffic routing)

Processor shall notify Controller of any intended changes regarding subprocessors at least 30 days in advance, allowing Controller reasonable time to object.

4.5 Data Subject Rights Assistance (Articles 12-23 GDPR)

Processor shall assist Controller in responding to data subject requests (right of access, rectification, erasure, restriction, portability, objection) by providing necessary information and technical capabilities.

4.6 Personal Data Breach Notification (Articles 33 & 34 GDPR)

Processor shall notify Controller without undue delay (within 24 hours) after becoming aware of a personal data breach, providing:

  • Description of the breach including categories and approximate number of data subjects and records concerned
  • Contact point for more information
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

4.7 Data Protection Impact Assessment & Prior Consultation (Articles 35-36 GDPR)

Processor shall assist Controller with any Data Protection Impact Assessment (DPIA) or prior consultation with supervisory authorities, providing necessary documentation and technical expertise.

4.8 Deletion & Return of Data (Article 28(3)(g) GDPR)

At the end of processing services, Processor shall, at Controller's choice, delete or return all personal data to Controller and delete existing copies unless EU or Member State law requires storage.

4.9 Audit Rights (Article 28(3)(h) GDPR)

Processor shall make available to Controller all information necessary to demonstrate compliance with obligations, and allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller.

SECTION 5

5. Data Controller's Obligations (Clinic/Healthcare Provider)

  • 5.1 Lawful Processing: Controller warrants that it has a lawful basis under GDPR Article 6 for processing personal data, and for processing special categories of data under Article 9 (including explicit patient consent or medical necessity).
  • 5.2 Transparency (Articles 13-14 GDPR): Controller shall provide data subjects with privacy notices explaining how their personal data is processed, including the fact that data is processed by OWNIT as a Data Processor.
  • 5.3 Data Subject Rights: Controller is responsible for responding to data subject access requests (DSARs) within the required 30-day timeframe. Processor will assist as needed.
  • 5.4 Data Protection Officer (DPO): Controller shall appoint a Data Protection Officer if required by Article 37 GDPR and provide Processor with DPO contact information.
  • 5.5 Record of Processing Activities (Article 30 GDPR): Controller shall maintain its own records of processing activities and provide them to the supervisory authority upon request.
  • 5.6 Lawful Instructions: Controller shall not instruct Processor to process personal data in any manner that would violate GDPR.

SECTION 6

6. Technical & Organizational Security Measures (Article 32 GDPR)

Reputed Tier III Data Center, Gravelines (France)

  • Location: Gravelines, France (EU Region)
  • Certifications: ISO 27001, ISO 27017, ISO 27018, HDS (French healthcare)
  • Physical Security: 24/7 monitoring, biometric access, CCTV
  • Resilience: N+1 power redundancy, multiple fiber routes

Cloudflare Global Edge

  • Function: DDoS mitigation, WAF, SSL/TLS termination
  • GDPR Compliance: Cloudflare GDPR compliant, DPA available
  • Data Storage: No personal data logged or cached
  • Encryption: TLS 1.3 end-to-end

Additional Security Measures

  • Data at Rest Encryption: AES-256 encryption
  • Data in Transit Encryption: TLS 1.3 minimum
  • Access Control: Role-based access, MFA, principle of least privilege
  • Audit Logging: Comprehensive logs of all access to personal data
  • Backup: Daily encrypted backups, 30-day retention, tested restoration quarterly
  • Business Continuity: Disaster recovery plan tested quarterly, RTO 4 hours, RPO 24 hours
  • Vulnerability Management: Weekly vulnerability scans, monthly patching, annual penetration testing
  • Employee Training: GDPR and data protection training for all personnel with access to personal data

SECTION 7

7. Data Transfers & EU Data Residency

Standard Contractual Clauses (SCCs)

For any transfer of personal data outside the European Economic Area (EEA), OWNIT implements the European Commission's Standard Contractual Clauses (SCCs) as per Implementing Decision (EU) 2021/914, Module 2 (Controller-to-Processor).

Current Data Residency Commitment: All personal data of EU residents processed by OWNIT is stored exclusively on Reputed Tier III Data Center, Gravelines (France) servers. No personal data is transferred or stored outside the European Union unless:

  • Controller provides explicit written authorization, OR
  • The transfer is to an Adequate Country (as determined by European Commission), OR
  • Appropriate safeguards (SCCs) are implemented

🇪🇺 EU Data Residency Guarantee: All clinic and patient data of EU residents is stored in the Reputed Tier III Data Center in Gravelines (France). OWNIT does not transfer, replicate, or store any EU personal data outside EU borders unless required for technical support (anonymized logs only) with appropriate safeguards.

SECTION 8

8. Data Protection Impact Assessment (DPIA) & Prior Consultation

OWNIT has conducted a Data Protection Impact Assessment (DPIA) for its processing activities involving health data. Controller may request a copy of the DPIA summary for its own compliance purposes.

Controller agrees that the high-risk processing identified in the DPIA includes processing of special categories of data (health data) for medical diagnosis and treatment. Processor shall assist Controller in any prior consultation with supervisory authorities required under Article 36 GDPR.

SECTION 9

9. Data Deletion & Return (Article 28(3)(g) GDPR)

Upon termination of services or Controller's written request:

  • Processor shall, at Controller's choice, return all personal data to Controller in a structured, commonly used, machine-readable format (CSV, JSON, or XML) OR securely delete all personal data
  • Data deletion shall be completed within 30 days of termination (or 60 days for archived backups)
  • Processor shall provide written certification of data deletion within 14 days after completion
  • Deidentified data (data rendered anonymous with no ability to re-identify) may be retained by Processor for product improvement and analytics (does not constitute personal data under Article 4(1) GDPR)

SECTION 10

10. Personal Data Breach Notification (Articles 33 & 34 GDPR)

In the event of a personal data breach, Processor shall:

  1. Notify Without Undue Delay (within 24 hours of discovery) via email to Controller's designated contact
  2. Provide at minimum:
    • Description of the breach (nature, categories, approximate number of data subjects and records)
    • Data Protection Officer or contact point for more information
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach, including mitigation efforts
  3. Document all breaches, their effects, and remedial actions taken
  4. Cooperate with Controller to notify affected data subjects and supervisory authorities (if required)
  5. Remediate the vulnerability that caused the breach

Note to Controller: Controller is responsible for notifying the supervisory authority within 72 hours of becoming aware of the breach (if required) and notifying affected data subjects without undue delay (Article 34).

SECTION 11

11. Audit Rights (Article 28(3)(h) GDPR)

Processor shall allow Controller or an auditor mandated by Controller to conduct audits, including inspections, to verify Processor's compliance with GDPR obligations under this DPA. Audit terms:

  • Controller may conduct an audit no more than once annually unless a data breach or compliance violation has occurred
  • Controller must provide at least 30 days written notice of any audit
  • Audits shall be conducted during normal business hours
  • Controller shall bear all costs of the audit unless the audit reveals material non-compliance by Processor
  • Processor shall make available all relevant documentation including security policies, audit logs, and compliance certifications
  • As an alternative to on-site audit, Processor may provide SOC 2 Type II report or equivalent third-party audit certification

SECTION 12

12. Liability & Indemnification (Article 82 GDPR)

Liability: Each party shall be liable for the damage it causes by violating GDPR. Processor shall be liable for damage caused by its processing where it has not complied with GDPR obligations specifically directed to processors.

Indemnification: Processor shall indemnify Controller against all claims, damages, and expenses (including reasonable legal fees) arising from Processor's breach of this DPA or violation of GDPR.

Limitation: Processor's total liability to Controller under this DPA shall not exceed the total fees paid by Controller to Processor in the 12 months preceding the claim, except where the damage results from Processor's willful misconduct or gross negligence.

SECTION 13

13. Data Protection Officer (DPO) Information

OWNIT DPO: (Appointed as required by Article 37 GDPR)

EU Representative (Article 27 GDPR): Available upon request for Controllers not established in the EU.

SECTION 14

14. Acceptance & Execution

By Using Our Services, You Accept This GDPR Data Processing Agreement

Use of any OWNIT cloud-based software that processes personal data of EU residents constitutes Controller's binding acceptance of all terms in this GDPR Data Processing Agreement. This DPA automatically becomes effective between OWNIT (Data Processor) and your Clinic/Healthcare Organization (Data Controller) upon first use of our services.

This DPA satisfies the requirements of Article 28(3) of the GDPR and forms an integral part of the agreement between Controller and Processor.