The terms and expressions used herein shall bear the same meaning as assigned to them in the Agreement and GTC, unless the context clearly indicates or requires otherwise, or is herein defined:


Either Party to this Data Processing Agreement (“DPA”) may receive and/or process personal data obtained from the other Party, and, in particular, ER24 will receive personal data relating to the Client and/or Members from the Client. The Agreement, which includes the provisions hereof, sets out the terms that will govern the data processing conducted by either Party, as a processor of personal data, of the other Party, regarded as the controller.

1.         INTERPRETATION AND CONTINUING EFFECT OF OTHER AGREEMENTS

1.1       Any clause in any existing or envisaged agreement(s) between the Parties (“Other Agreement(s)”) relating to the liability of the Parties for any breach of data protection obligations shall be interpreted as referring to a breach of the obligations set out in this DPA.

1.2       All other terms within the Other Agreement(s) between the Parties shall remain unchanged. If there is inconsistency between the terms of this DPA and any Other Agreement between the Parties, the terms of this DPA shall apply.

2.         DEFINITIONS

In addition to any terms already defined in this DPA, the following words shall have the meanings given:

2.1       “controller” means the responsible party who alone, or in conjunction with others, determines the purpose of and means for processing of personal data;

2.2       “Data Protection Laws” means any applicable privacy and data protection laws, including (i) the South African Protection of Personal Information Act, No. 4 of 2013, (“POPIA”) once this act becomes effective, as may be amended from time to time; (ii) to the extent that it may be applicable, the European Union General Data Protection Regulation ((EU) 2016/679) (“GDPR”); (iii) to the extent that it may be applicable, Federal Law No. 2 of 2019 Concerning the Use of the Information and Communication Technology in the Area of Health (“ICT Health Law”), and (iv) any other laws, regulations and secondary legislation enacted from time to time in South Africa, Namibia, Switzerland or the United Arab Emirates or any other country applicable to ER24 relating to data protection, the use of information relating to individuals, the information rights of individuals and/or the processing of personal data.  To the extent that any Data Protection Laws are not yet enacted in South Africa, the provisions of this DPA are to be read as if the Data Protection Laws are enacted, and shall be applied as being the data privacy requirements of ER24;

2.3       “data subject” means an individual who is the subject of personal data;

2.4       “personal data” has the meaning given to it in the Data Protection Laws, and generally means any information relating to an identified or identifiable natural person that is processed by the processor as a result of, or in connection with, the provision of the services under this DPA or any Other Agreement (an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person);

2.5       “process” or “processing” means any operation, activity or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, receipt, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and

2.6       “processor” means the party who processes personal data on behalf of the controller.

3.         COMPLIANCE WITH DATA PROTECTION LAWS

3.1       Each Party shall comply with the Data Protection Laws as it applies to personal data processed under this DPA. This clause is in addition to, and does not relieve, remove, or replace a Party's obligations under the Data Protection Laws.

4.         DATA PROCESSING

4.1       Although processing of personal data envisaged in this DPA will be in pursuit of legitimate business purposes, each Party remains responsible for establishing and maintaining the lawful basis for the processing of personal data by the other Party under this DPA.

4.2       A description of the data processing carried out by the Parties is set out in Schedule 1 to this DPA.

4.3       Either Party, acting as the processor of personal data, shall:

(a)        process the personal data only on the other Party’s, as the controller, written instructions, unless required by law to process it differently (in which case it shall, if permitted by such law, promptly notify the controller of that requirement before processing);

(b)        process the personal data only to the extent, and in such a manner, as is necessary for the purposes of carrying out its obligations under this DPA;

(c)        ensure that it has in place appropriate technical and organisational measures to protect against unauthorised, unlawful or accidental processing, including accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, such measures in each case to be appropriate to the likelihood and severity of harm to data subjects that might result from the unauthorised, unlawful or accidental processing, having regard to the state of technological development and the cost of implementing any measures. Without limitation, the processor shall implement any and all specific technical and organisational measures required by ER24 and as set out in Schedule 3 to this DPA.

(d)        ensure that persons engaged in the processing of personal data are bound by appropriate confidentiality obligations;

(e)        keep a record of the processing it carries out, and ensure the same is accurate;

(f)         comply promptly with any lawful request from the controller requesting access to, copies of, or the amendment, transfer or deletion of the personal data to the extent the same is necessary to allow the controller to fulfil its own obligations under the Data Protection Laws, including the controller's obligations arising in respect of a request from a data subject;

(g)        notify the controller promptly if it receives any complaint, notice or communication (whether from a data subject, competent supervisory authority or otherwise) relating to the processing, the personal data or to either Party's compliance with the Data Protection Laws as it relates to this DPA, and provide the controller with reasonable co-operation, information and other assistance in relation to any such complaint, notice or communication;

(h)        notify the controller promptly if, in its opinion, an instruction from the controller infringes any Data Protection Laws (provided always that the controller acknowledges that it remains solely responsible for obtaining independent legal advice regarding the legality of its instructions) or the processor is subject to legal requirements that would make it unlawful or otherwise impossible for the processor to act according to the controller’s instructions or to comply with Data Protection Laws;

(i)         not permit any processing of the personal data processed by the processor under this DPA by any agent, sub-contractor, supplier, processor or other third party (“sub-processor”) without the prior written authorisation of the controller;

(j)         ensure in each case that prior to the processing of any personal data by any sub-processor, terms equivalent to the terms set out in this DPA are included in a written contract between the processor and any sub-processor engaged in the processing of the personal data;

(k)        subject always to the requirement of sub-clause 4.3(j) regarding a written contract, the controller hereby gives its prior written authorisation to the appointment by the processor of each of the sub-processors or categories of sub-processors (as the case may be) who will process personal data listed in Schedule 2 to this DPA, and to the extent this authorisation is in respect of a category of sub-processors, the processor shall inform the controller of any intended changes concerning the addition or replacement of other sub-processors;

(l)         only transfer the personal data outside of a country border in the event that such action is required for the fulfilment of its rights and obligations as imposed by this DPA and provided that the prior written consent of the controller has been obtained in relation to such transfer. The processor will ensure that the transfer of any personal data across a country border complies with applicable Data Protection Laws, and that each of the following conditions are met: (i) it has provided appropriate safeguards in relation to the transfer; (ii) data subjects continue to have enforceable rights and effective legal remedies following the transfer; (iii) it provides an adequate level of protection to any personal data that is transferred; and (iv) it complies with reasonable instructions notified to it in advance by the controller with respect to the transfer;

(m)        inform the controller promptly (and in any event within one (1) business day) if any personal data processed under this DPA is lost or destroyed or becomes damaged, corrupted, or unusable or is otherwise subject to unauthorised or unlawful processing including unauthorised or unlawful access or disclosure;

(n)        inform the controller promptly (and in any event within three (3) business days) if it receives a request from a data subject for access to that person's personal data and shall:

•           promptly provide the controller with reasonable co-operation and assistance in relation to such request; and

•           not disclose the personal data to any data subject (or to any third party) other than at the request of the controller or as otherwise required under this DPA;

(o)        provide reasonable assistance to the controller in responding to requests from data subjects and in assisting the controller to comply with its obligations under Data Protection Laws with respect to security, breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators;

(p)        delete, destroy or return that personal data to the controller at the end of the duration of the processing as referred to in Schedule 1 to this DPA, and at that time delete or destroy existing copies;

(q)        indemnify, defend, and hold the controller harmless from and against any claim, demand, loss, damage, cost or liability (including legal costs) arising out of or relating to the processor failing to comply with its obligations under this DPA. If permissible under applicable law, legal costs will be on an attorney and own client basis;

(r)        subject to the requirements of commercial and/or client confidentiality, make available to the controller such information as is reasonably required to demonstrate compliance with this DPA and, subject to any other conditions set out in this DPA regarding audit, allow for and contribute to audits, including inspections, of compliance with this DPA conducted by the controller or a professional independent auditor engaged by the controller. The following requirements apply to any audit:

•           the controller must give a minimum thirty (30) days’ notice of its intention to audit (or such shorter period of notice as it receives itself where an audit is mandated by its regulator);

•           the controller may exercise the right to audit no more than once in any calendar year;

•           commencement of the audit shall be subject to agreement with the processor of a scope of work for the audit at least ten (10) days in advance;

•           the processor may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial and/or client confidentiality;

•           the audit shall not include penetration testing, vulnerability scanning, or other security tests;

•           the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to the controller;

•           any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by the controller prior to the audit; and

•           the controller shall compensate the processor for its reasonable costs incurred in supporting any audit.

DATA PROCESSING AGREEMENT

SCHEDULE 1: DESCRIPTION OF PROCESSING

Subject matter of the processing

The processing of personal data, mainly involving data relating to the physical or mental health, or the medical history of a Member, each Party’s business contact details, as are applicable, and to the extent necessary for the purposes of the performance of either Party's obligations and exercise of their rights under this DPA, including the performance of Services under the Agreement.

Duration of the processing

As the personal data shared between the Parties is limited to business contact details, the Parties give their explicit consent that such personal data may be retained beyond the duration of this DPA, unless the data subject specifically requests the deletion of such personal data.

Nature of the processing

Such processing as is necessary to enable either Party to comply with its obligations and exercise its rights under this DPA, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Purpose of the processing

The performance of either Party's obligations and exercise of its rights under this DPA, including the performance of Services required or requested by the Client for purposes of compliance with its statutory and/or contractual obligations.

Personal data types

Personal data provided by either Party to the other Party, including personal data provided directly by a data subject. The personal data processed under this DPA will include: name; address (physical and postal); email address; telephone number; fax number; and site GPS coordinates.

Categories of data subjects

Personal data related to employees, staff and/or directors of either Party.

Obligations and rights of the controller

As set out in this DPA.

SCHEDULE 2: AUTHORISED SUB-PROCESSORS AND CATEGORIES OF SUB-PROCESSORS

Authorised sub-processor / category of sub-processor

Description of the processing carried out by the sub-processor / category of sub-processor

Outsourced back-office service providers

Use of personal data in the provision of back-office services, such as IT support and electronic and postal mailing.

Regulators

Use of personal data in communication with regulators relating to the services to ER24.

ER24’s appointed third party service providers in relation to the Services specified in annexure A

Sharing of personal data in the provision of services to ER24.

ER24’s appointed legal or transactional advisors

Sharing of personal data in the provision of services to ER24.

SCHEDULE 3: TECHNICAL AND ORGANISATIONAL MEASURES

The organisational and technical security safeguards required for data processing are:

1.         Physical Access Control

1.1       Unauthorised persons shall be prevented from gaining physical access to premises, buildings or rooms where data processing systems are located which process personal data.

1.2       Minimum controls and measures for the data processor required to meet the above requirements are:

a)         Strict security procedures, access control mechanisms and other measures have been implemented and are maintained on a regular basis to prevent equipment and Data Centre facilities from being compromised.

b)         Only authorised representatives may have access to systems and infrastructure within the Data Centre facilities.

c)         Buildings and the Data Centre are secured through access control systems (e.g. smart card access systems).

d)         The buildings, individual areas and surrounding premises are further protected by additional measures. These include, inter alia, specific access profiles, video surveillance, intruder alarm systems and smart card access control systems.

e)         Access rights will be granted to authorised persons on an individual basis according to the System and Data Access Control. This also applies to visitor access.

f)          Guests and visitors to Data Centre facilities must register their names at reception and must be accompanied by processor authorised personnel.

g)         Processor and all third-party Data Centre providers are required to log the names and times of persons entering the private areas within the Data Centre.

2.         System Access Control

2.1       Data processing systems used to provide the ICT applications and services are prevented from being used without authorisation.

2.2       Minimum controls and measures required to meet the above and in place at the processor are:

a)         Multiple authorisation levels are used to grant access to sensitive systems, including those storing and processing Personal Data. 

b)         Processes are in place to ensure that only authorised individuals have the appropriate authorisation to add, delete, or modify users.

c)         All users accessing relevant applications have a unique identifier (User ID) and personalised User IDs are assigned for authentication.

d)         Procedures are in place to ensure that requested system access changes are implemented only in accordance with set guidelines.

e)         New access, changes to existing access or deletion of access will only be done after appropriate approval has been obtained.

f)          When the role of a user changes, the related access and rights are changed as soon as can be reasonably expected.

g)         When a person leaves the Client, system access and related rights are revoked immediately.

h)         A password policy is in place that prohibits the sharing of passwords, sets out the process to follow if a password is disclosed, and requires that:

•           passwords are encrypted wherever they are stored or transmitted;

•           passwords are changed regularly;

•           default passwords must be changed at the time of installation;

•           domain passwords are forced by the system to be changed every six months or more frequently;

•           passwords are complex (upper case, lower case, numbers and special characters);

•           minimum length 8 (eight) characters;

•           administrative accounts and service accounts must have at least 8, preferably 14 or more, characters;

•           each computer has a password-protected screensaver; and

•           a new password must be different from the authorised user’s last five (5) passwords.

i)          Remote access (VPN) to the service delivery environment requires strong authentication mechanisms, such as two-factor authentication or further enhanced authentication.

j)          Up-to-date licensed antivirus software is used at access points to the processor’s network and on all file servers and all workstations.

k)         A processor Security Patch Management Policy is implemented and managed to ensure deployment of relevant security updates.
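The password rules in clause 2.2(h) above are concrete enough to be enforced in code. The following checker is an added example, not part of the DPA or of any ER24 system: it enforces the minimum length of 8, the four-class complexity rule, the stronger length for administrative and service accounts, the "last five passwords" history rule and the six-month rotation. Password history is kept as salted PBKDF2 digests rather than plaintext; that storage mechanism, the 182-day reading of "six months" and the treatment of "preferably 14" as a hard rule for privileged accounts are assumptions made here, not requirements of the page.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 8                  # clause 2.2(h): minimum length 8 characters
PRIVILEGED_PREFERRED = 14       # admin/service accounts: at least 8, preferably 14 or more
HISTORY_DEPTH = 5               # a new password must differ from the last five
MAX_AGE = timedelta(days=182)   # assumption: "six months" taken as 182 days
SPECIALS = set(string.punctuation)


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; history holds only digests, never plaintext (assumed mechanism)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class PasswordRecord:
    """Per-user state a processor would keep: recent (salt, digest) pairs, newest first,
    and the date of the last change. Constructed for this example."""
    privileged: bool = False
    history: list = field(default_factory=list)
    last_changed: date = field(default_factory=date.today)


def complexity_errors(password: str, privileged: bool = False) -> list:
    """Return the policy violations of a candidate password; an empty list means compliant."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no upper-case letter")
    if not any(c.islower() for c in password):
        errors.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in SPECIALS for c in password):
        errors.append("no special character")
    if privileged and len(password) < PRIVILEGED_PREFERRED:
        # "preferably 14 or more" treated as a hard rule for privileged accounts (assumption)
        errors.append(f"privileged account below {PRIVILEGED_PREFERRED} characters")
    return errors


def is_reused(password: str, record: PasswordRecord) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH passwords (constant-time compare)."""
    return any(
        hmac.compare_digest(_digest(password, salt), digest)
        for salt, digest in record.history[:HISTORY_DEPTH]
    )


def change_password(record: PasswordRecord, new_password: str, today: date = None) -> list:
    """Apply the policy; on success store the new digest and trim history. Returns the violations."""
    errors = complexity_errors(new_password, record.privileged)
    if is_reused(new_password, record):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    salt = os.urandom(16)
    record.history.insert(0, (salt, _digest(new_password, salt)))
    del record.history[HISTORY_DEPTH:]
    record.last_changed = today or date.today()
    return []


def rotation_due(record: PasswordRecord, today: date = None) -> bool:
    """True when the current password is older than MAX_AGE (the forced six-monthly change)."""
    return ((today or date.today()) - record.last_changed) >= MAX_AGE
```

The history check compares digests with `hmac.compare_digest` so that a password that differs from an old one only in its last character is rejected without leaking timing information, and the per-entry salt means two users who picked the same password do not share a digest.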

3.         Data Access Control

3.1       Individuals who are entitled to use data processing systems will gain access only to personal data that they have a right to access. Personal data must not be read, copied, modified or removed without the necessary authorisation.

3.2       Minimum controls and measures required to meet the above and in place at the processor are:

a)         The processor's information security policy and standards govern the protection of personal, sensitive and confidential data and how data, including personal data is archived, deleted or destroyed.

b)         Access to personal, confidential and sensitive information is granted on a need-to-know basis.

c)         Employees or external third parties (further sub-processors) only have access to the information that they require to perform their duties.

d)         The authorisation and permission concepts are documented and explain how, and which, access, permissions, rights and authorisations are assigned.

e)         Production servers are operated in a Data Centre with physical security measures equal to or stronger than those specified herein.

f)          Security measures that protect applications and related processing of personal, confidential and sensitive information, are regularly reviewed, tested and where required, improved.

g)         Internal and external security checks and penetration tests are performed on the ICT systems regularly.

h)         Installation of personal software (or other software that has not been approved) onto systems being used for any ICT application or service is strictly prohibited.

4.         Data Transmission Control

4.1       Personal data must not be read, copied, modified or removed without authorisation during transfer.

4.2       Minimum controls and measures required to meet the above and in place at the processor are:

a)         Personal data transferred across the processor’s internal networks is protected to the same or a higher standard than confidential data, as determined by the processor’s Information Security Policy.

b)         Personal data transferred between the controller and the processor is protected to the same or a higher standard than the measures set out in this document, which apply to both physical and network-based data transfers.

c)         Data that is physically transferred or transported, will be encrypted.

5.         Data Input Control

5.1       It will be possible to retrospectively examine and establish whether, and by whom at the data importer and/or processor, personal data have been entered into, modified in or removed from the data processing systems used to provide the ICT applications and services.

5.2       Minimum controls and measures required to meet the above and in place at the processor are:

a)         Only authorised individuals can access personal data, and only as required to perform their work.

b)         A logging system records the date, the person responsible and the action performed (input, modification or deletion).

c)         A system prevents or blocks access to personal data by any other individuals or sub-processors to the greatest extent supported by the ICT applications and services.
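Clause 5 above requires that it remain possible, after the fact, to establish who entered, modified or removed personal data and when. The class below is an added example (not part of the DPA or of any processor's actual system) of an input-control log that satisfies this: every entry records the timestamp, the user and the action, and each entry carries the hash of its predecessor, so a later edit to any entry is detected by `verify()`. The log holds only a reference to the affected record (the `record_ref` field, an assumed identifier format), never the personal data itself, so the audit trail does not become a second copy of the health data it is meant to protect.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # the "previous hash" of the very first entry


class InputAuditLog:
    """Append-only, hash-chained record of who did what to which record, and when (added example)."""

    ACTIONS = {"input", "modification", "deletion"}  # the three events clause 5.2(b) names

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Canonical JSON (sorted keys) so the digest does not depend on dict ordering.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def record(self, user_id: str, action: str, record_ref: str, when: str = None) -> dict:
        """Append one event. record_ref is an identifier for the affected record, not its content."""
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}; expected one of {sorted(self.ACTIONS)}")
        entry = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,
            "record": record_ref,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Walk the chain; return (True, -1) if intact, else (False, seq of the first bad entry)."""
        for i, entry in enumerate(self.entries):
            expected_prev = self.entries[i - 1]["hash"] if i else GENESIS
            if entry["prev"] != expected_prev or entry["hash"] != self._entry_hash(entry):
                return (False, i)
        return (True, -1)

    def history_of(self, record_ref: str) -> list:
        """All events touching one record, oldest first: the retrospective view clause 5.1 asks for."""
        return [e for e in self.entries if e["record"] == record_ref]


if __name__ == "__main__":
    # Constructed sample events; user IDs and record references are placeholders.
    log = InputAuditLog()
    log.record("u001", "input", "member/42", "2024-05-01T08:00:00+00:00")
    log.record("u002", "modification", "member/42", "2024-05-02T09:30:00+00:00")
    log.record("u001", "deletion", "member/7", "2024-05-03T10:15:00+00:00")
    print("chain intact:", log.verify())
    for e in log.history_of("member/42"):
        print(e["when"], e["user"], e["action"])
```

Because the chain hash covers the timestamp, user and action, the log can show not only that a record was changed but that the record of that change has itself not been altered since it was written; in practice the entries would also be shipped to storage the application account cannot write to, which this in-memory example does not show.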

6.         Job Control

6.1       Personal and sensitive data being processed by a third party (processor) shall be processed solely in accordance with the protection measures set out herein and with explicit instructions of the Client.

6.2       Minimum controls and measures required to meet the above and in place at the processor are:

a)         Contracts between the third party (sub-processor) and the Client include, at a minimum, the organisational and technical measures in this Guideline.

b)         Employees and contractual partners are contractually bound to respect the confidentiality of all personal data, including trade secrets of the ER24 affiliates and its partners.

c)         The processor has an established data breach notification process in place and will notify the controller of all data breaches that have occurred as soon as they are detected.

7.         Availability Control

7.1       Personal data shall be protected against accidental or unauthorised destruction or loss.

7.2       Minimum controls and measures required to meet the above and in place at the processor are:

a)         Backup processes to rapidly restore data and business-critical systems.

b)         Monitoring and alerting measures that promptly detect, alert on and prevent interruptions, destruction or loss.

c)         Uninterruptible power supplies (UPS, batteries, generators, etc.) to ensure power availability to the Data Centre.

d)         Contingency plans have been defined and implemented, together with business- and disaster recovery strategies for business-critical systems.

e)         Contingency, business recovery, disaster recovery and emergency processes and systems are regularly tested.

8.         Data Integrity Control

8.1       Personal data will remain intact, complete, accurate and current during processing activities.

8.2       Minimum controls and measures required to meet the above and in place at the processor are:

a)         the network and data processing facilities are protected from the public network by firewalls;

b)         a security monitoring centre and mechanisms;

c)         up-to-date licensed antivirus software is used at access points to the processor’s network and on all file servers and all workstations;

d)         Security Patch Management and deployment of up-to-date security updates;

e)         backup and recovery;

f)          external and internal penetration testing; and

g)         regular external audits to prove security measures.