Information clause on the processing of personal data in contracts
Copy everything below this point and paste it into contracts with customers, suppliers or collaborators. It is designed to work as another clause of the same contract where you regulate the terms of the service.
All contracts with suppliers or customers must include a data protection clause. This one specifically is for those cases where we act as data processors, in other words, when we process data for another company.
Data protection
Information clause on the processing of personal data in contracts
- The Parties inform each other that the personal data of the participants in this Contract, and those derived from the contractual relationship, will be treated by each of them as data controllers, for the purpose of managing the rights and obligations arising from this Agreement. In order to allow the exercise of rights in this matter, the Parties designate the addresses indicated in the heading of this document, as well as the following electronic addresses:
- By Legit.Health: [ DEFINE ].
- By [ DEFINE ]: [ DEFINE ].
- In the execution of the Contract, Legit.Health will access and process on behalf of [DEFINE] personal data that is the responsibility of the latter, regarding whose treatment Legit.Health will be considered as the person in charge for the purposes of the applicable regulations. To these effects:
- The purpose and nature of the processing order is determined by the provisions of this Contract which, broadly speaking, regulates [ DEFINE ].
- The purpose of the treatment to be carried out by Legit.Health is the storage of information and the computerized management of the relations of [ DEFINE ] with its Users through the Software.
- Personal data includes, among others, [ DEFINE ]. For their part, the main categories of interested parties are [ DEFINE ].
- Legit.Health must treat the data in accordance with the object and purpose of the Contract and always under the instructions that [ DEFINE ] provides, and in any case will adopt organizational and technical measures that are consistent with the type of data to be treated and with the purposes and risks of the treatment, and will carry out specific privacy by design and by default actions on those treatments that must be carried out.
- Legit.Health must follow the instructions that [ DEFINE ] provides, including with respect to data transfers to countries outside the European Economic Area or international organizations, unless it is obliged to do so by virtue of any European Union regulation or of the legislation of any Member State that is applicable to it, in which case it is obliged to notify [ DEFINE ].
- Legit.Health will refrain from applying or using the personal data accessed for purposes other than those described in the Contract nor will it communicate them, even for their conservation, to other people, unless said communication has been previously and expressly authorized by [ DEFINE ]. In the event that Legit.Health uses the data for different purposes, it will be considered as the controller in accordance with the provisions of the applicable regulations.
- Legit.Health will collaborate, insofar as it is possible, with [ DEFINE ], so that it can attend to the requests it receives for the exercise of data protection rights.
- Legit.Health will assist [ DEFINE ], upon request, to guarantee compliance with the obligations established in articles 32 to 36 of the GDPR, taking into account the nature of the treatment and the information to which it has access in execution of the Contract.
- Legit.Health undertakes to keep secrecy regarding the personal data subject to treatment, and to maintain absolute confidentiality and reserve on any data that may be known on the occasion of the fulfillment of the services provided, guaranteeing that it will extend this obligation to all personnel of its organization authorized to access the personal data object of [ DEFINE ]. This duty of secrecy and confidentiality will continue without any time limit.
- Legit.Health will make available to [ DEFINE ], at its request, all the information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the Client or another auditor authorized by him. For the above purposes, the audits or inspections will be carried out within the calendar and working hours of Legit.Health, and the Client must give sufficient advance notice, which will never be less than FIVE (5) business days.
- To the extent that the Services are eminently technological and are provided remotely, through the Internet, the Parties agree that the audits or inspections that, if applicable, are held, will preferably be carried out by telematic means.
- Subcontracting. For the execution of this contract, the person in charge of the treatment must subcontract the services of other providers that will have access to the personal data that is the object of this agreement, these being auxiliary services necessary for the normal operation of the services of the person in charge. Due to the foregoing, a detailed list of the subcontracted companies that will access the personal data of the Data Controller is attached, and which will be indicated below, this circumstance being expressly accepted by the Data Controller.
- [ DEFINE ], with address at [ DEFINE ] (hereinafter, [ DEFINE ]); company that has contractually committed to Legit.Health in the framework of content storage, load balancing and backup copies, that the treatment is carried out only in data centers located within the European Union.
- If it is necessary to subcontract other additional services with respect to those indicated in this agreement, the Person in Charge of the treatment undertakes to notify the data controller in writing at least seven (7) days in advance, indicating the treatments that are intended to be subcontracted and clearly and unequivocally identifying the subcontractor company and its contact details. Subcontracting may be carried out if the data controller does not express his opposition within the established period.
- Each subcontracted company, which will also have the status of data processor, is also obliged to comply with the obligations established in this agreement, as well as the instructions that, where appropriate, the data controller may expressly attribute to each Subprocessor, and that, in any case, will not exceed those expressly assumed by the person in charge of the treatment. In the event of non-compliance by the subcontracted company, the Subprocessor will continue to be fully responsible to the Data Controller in relation to compliance with the obligations, both being jointly and severally liable and directly to the Data Controller for any damages that may be caused.
- Destruction of data. Once the existing contractual relationship between the Parties has ended, the personal data must be deleted or returned to [ DEFINE ], at its option, deleting as many copies of them as exist. In the event that [ DEFINE ] opts for the return of the data, the procedure will be carried out in accordance with the provisions of the Contract.
The foregoing, unless there is any regulation of the European Union and/or of any of the Member States that is applicable by virtue of which the conservation of personal data is required. In such a case, Legit.Health must proceed to return the data, guaranteeing [ DEFINE ] its preservation.
Document signature meaning
- Author: JD-003 Taig Mac Carthy
- Review: JD-005 Alfonso Medela / JD-004 María Diez
- Approval: JD-001 Andy Aguilar