ANNEX 1 - DATA PROCESSING AGREEMENT

ARTICLE 1. GENERAL

1.1. With regard to the processing of personal data (as mentioned in this annex) by the data processor on behalf of the data controller (“personal data”), the data controller is either the Practitioner or the Researcher (the “Controller”) and m-Path is the data processor (the “Processor”).

1.2. The data subjects are, respectively, the Clients and the Participants, being the natural persons who fill out the relevant questionnaires.

1.3. This processing concerns the following categories of personal data (depending on the m-Path Services provided by the Processor): user identification information, connection codes, content data, sense data, pictures and audio.

1.4. Such processing will be carried out for the following purposes: to comply with the provisions of the Agreement, in particular to obtain consent from the Client or Participant, to transfer the results of the surveys and questionnaires to the Controller, and to perform analyses or store the User’s personal data.

1.5. The Processor will only process the personal data on the Controller’s written instructions, including in relation to the transfer of the personal data to a third country or an international organisation, unless required by Union or Member State law to which the Processor is subject, in which case the Processor will notify the Controller of such legal obligation prior to processing, unless such notification is prohibited by law for important reasons of public interest.

1.6. The Controller will ensure that its instructions always comply with applicable data protection laws and acknowledges that the Processor is not responsible for determining (i) which laws or regulations are applicable to the Controller's business and (ii) whether the Controller's instruction(s) comply with applicable law. The Processor will inform the Controller if it becomes aware or reasonably believes that the Controller's instructions infringe applicable data protection laws.

1.7. Unless the Controller is established in a third country, the m-Path Services shall be provided exclusively in the EU or EEA.

ARTICLE 2. SUB-PROCESSORS

2.1. The Controller hereby grants the Processor a general authorisation to engage other processors (“sub-processor”). The Processor will in that case inform the Controller about the identity of these sub-processors, any changes thereto and any intended changes with respect to the addition or replacement of other sub-processors. A list of sub-processors can be found at https://m-path.io/LegalPage/legal.html.

2.2. The Controller may object to the appointment or replacement of other processors on reasonable grounds of which the Controller will inform the Processor in writing. If the Controller reasonably objects to the appointment or replacement of other processors and the Controller's objections cannot be resolved in a commercially acceptable manner within one (1) month, either Party may terminate this data processing agreement, without judicial intervention and without compensation, with effect from the date on which the appointment or replacement takes effect.

2.3. Where the Processor engages a sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in the agreement between the Processor and the Controller apply to that sub-processor. The Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.

ARTICLE 3. CONFIDENTIALITY

3.1. The Processor will treat the personal data as strictly confidential and will not directly or indirectly disclose or make them available to third parties without the prior, written and explicit consent of the Controller, unless permitted on the basis of this agreement or required by a legal or judicial obligation (e.g. tax authorities, police, or judicial authorities).

3.2. The Processor will only disclose or make available the personal data of the Controller to its employees or sub-processors who are directly involved in the performance of this agreement on a strict need-to-know basis.

3.3. The Processor will ensure that persons, subcontractors and any third parties authorised to process the Controller’s personal data on the Processor's behalf or at its request have committed themselves in writing to confidentiality or are under an appropriate statutory obligation of confidentiality.

ARTICLE 4. SECURITY

4.1. The Processor ensures that it provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. The Processor takes all measures required by Article 32 GDPR and complies with the conditions referred to in Articles 28(2) and 28(4) GDPR for engaging a sub-processor. At the Controller's first request, the Processor will communicate these measures, as well as the measures taken by its sub-processors, to the Controller in writing without delay.

4.2. The Processor will inform the Controller immediately if, in its opinion, an instruction violates the GDPR or any other Union or Member State law provision on data protection. In this case, the Processor has the option of suspending the implementation of the instruction concerned until it is confirmed or amended by the Controller.

ARTICLE 5. COMPLIANCE

5.1. The Processor will make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and will allow audits, including inspections, by the Controller or any other auditor authorised by the Controller, and will cooperate with them as set out in Article 7.

ARTICLE 6. INFORMATION AND ASSISTANCE

6.1. The Processor will, considering the nature of the processing, assist the Controller with appropriate technical and organisational measures, to the extent reasonably possible, in fulfilling the Controller's obligation to respond to requests for the exercise of the data subject's rights laid down in Chapter III GDPR.

6.2. The Processor will reasonably assist the Controller in complying with the obligations of Articles 32 to 36 GDPR, to the extent reasonably possible, considering the nature of the processing and the information available to the Processor.

6.3. The Controller will inform the Processor in writing of the name and contact details of its data protection officer or the Controller's employee(s) responsible for data protection.

6.4. Additional Controller requests that fall outside the scope of such reasonable assistance will require the prior written agreement of the Processor and the Controller, including agreement on any additional fees related to such requests.

ARTICLE 7. AUDIT

7.1. The Controller has the right to have audits carried out by an independent third party who is bound to confidentiality, in order to check compliance with all the points in this agreement. Such an audit only takes place after the Controller has requested and assessed the comparable audit reports available at the Processor and has set out reasonable arguments, based on those reports, that justify an audit initiated by the Controller. An audit is justified when the audit reports available at the Processor give no or insufficient information about the Processor's compliance with this agreement.

7.2. The Controller acknowledges and agrees that (i) the Processor will only provide existing documents as evidence in support of the audit, (ii) the audit cannot interfere with individual rights and data protection requirements under applicable data protection laws, (iii) if interviews are required, the Processor will have sole discretion to select its personnel to be interviewed.

7.3. An audit initiated by the Controller shall take place at the earliest one (1) month after prior notification by registered letter from the Controller. An audit can be carried out (i) no more than two (2) times per contract year, (ii) only on business days (between 9 a.m. and 6 p.m.), excluding Saturdays, Sundays, bank holidays in the country where the Processor is established, and days on which the Processor is collectively closed for holidays, (iii) only in a manner that causes minimal disruption to the Processor's business and (iv) at the expense of the Controller.

7.4. Unless expressly agreed otherwise, the costs of the Processor and the time spent by its staff on an audit, or on assisting the Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR, will be invoiced to the Controller at an hourly rate of 125 EUR per staff member.

ARTICLE 8. DELETION OR RETURN

8.1. The Processor will delete the personal data referred to above as soon as the provision of services to the Controller has ended. The Controller has the right to object to such deletion. If the Controller wishes the personal data to be returned instead of deleted, it must notify the Processor in writing at least five (5) days before the end of the provision of the services. In that case, the Processor will provide the personal data in CSV format immediately after the termination of the services.

8.2. The Processor reserves the right not to delete the personal data if EU or Member State law requires storage of the personal data.

ARTICLE 9. DATA BREACHES

9.1. In the event of a personal data breach within the meaning of Article 4(12) GDPR with respect to personal data processed by the Processor or its sub-processors within the scope of this agreement, the Processor will inform the Controller without undue delay and will provide all information necessary to enable the Controller to fulfil its obligations under Articles 33 and 34 GDPR.

9.2. The Processor will immediately take all measures necessary to limit and remedy the breach and will assist the Controller, at its first request, and supervisory authorities in investigating the breach. These measures are taken in consultation with the Controller unless in cases of extreme urgency which require the immediate intervention of the Processor.

9.3. Unless required by law or expressly instructed in writing by the Controller, the Processor will not pass on any information regarding a personal data breach to any third party.

9.4. The Processor and its sub-processors will each appoint among their staff a single point of contact who will be responsible for all communication between the Processor, the sub-processor and the Controller in the event of an incident which has led or may lead to the accidental or unauthorised destruction or loss of, or unauthorised access to, alteration of or transmission of, the personal data processed on behalf of the Controller.