Data Processing Addendum
This Data Processing Addendum (“DPA”) applies when GrayCyan LLC (“GrayCyan”) processes personal data that is subject to the General Data Protection Regulation (GDPR) on behalf of an organization or person (“Subscriber”) who has subscribed to GrayCyan’s clinic management platform (the “Services”).
• “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
• “Personal Data” means any information relating to an identified natural person or which can be used (directly or indirectly) to identify a natural person, such as name, address, email address, username, credit card, billing information, health information or other like information.
• “Process” or “Processing” means the collection, use, storage, disclosure, erasure or destruction of Personal Data, or any other operation or set of operations performed on Personal Data, whether or not by automated means.
1. Roles. The Subscriber will act as the “Controller”, being the party who determines the purposes and means of the Processing of Personal Data. GrayCyan will act as the “Processor” being the service provider who Processes Personal Data on behalf of the Subscriber. Each party will comply with the provisions of the GDPR that apply to its role as Controller or Processor, respectively.
2. Purpose and Duration of Processing. Each party will Process Personal Data only as necessary for the provision and use of the Services, and for as long as the Subscriber has a valid paid subscription to the Services.
3. Categories of Personal Data. The categories of Personal Data to be Processed will be determined by the Subscriber, but may include: name, address, email address, telephone number, health insurance information, billing information and data concerning health. The categories of individuals whose Personal Data may be processed are: employees, contractors and patients of the Subscriber.
o respond to individuals’ requests to exercise their rights with respect to their Personal Data being Processed by GrayCyan; provided however, that GrayCyan will not respond directly to any individual; and
o meet the Subscriber’s legal obligations with respect to breach notification, data protection impact assessments, or the cooperation or prior consultation with a supervisory authority with respect to Personal Data Processed by GrayCyan;
• upon request of the Subscriber, either delete or return Personal Data after completion of Services relating to the Processing, subject to any legal or regulatory obligations to maintain or store the Personal Data; and
• provide the Subscriber with all information necessary to demonstrate GrayCyan’s compliance with the GDPR, and contribute to audits or inspections to be conducted by or on behalf of the Subscriber no more than once in any calendar year, unless an additional audit is required by the GDPR or regulatory authority, or is reasonably necessary due to genuine concerns regarding GrayCyan’s compliance with this DPA. The Subscriber will provide reasonable advance notice of any audit and will abide by GrayCyan’s reasonable security requirements. GrayCyan may charge for any time expended for such audit or inspection at GrayCyan’s then-current hourly rates.