Skip to content

Data Processing Agreement for Health Professionals

Introduction 

This document (the Data Processing Agreement or DPA) provides the contractual framework for the processing of personal data by Rosa on behalf of its professional customers. It is part of the agreement between You (being a Client under the Terms of Service for Health Professionals) and Rosa (the Agreement). 

“Rosa” is Rosa ASBL, a non-profit organization established at Cantersteen 10, 1000 Brussels, with enterprise number 0745.832.604. To communicate with Rosa about processing of personal data, or to exercise any of Your rights described in this DPA, please send an email to gdpr@rosa.be

Each party must comply with all applicable privacy laws which include privacy and data protection laws that operate in Belgium, including, without limitation, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) in relation to any collection, use, storage, disclosure and other processing activity of personal data in connection with this DPA.

Data processing activities covered by this DPA

The personal data processing activities of Rosa are listed and described in the Rosa Privacy Policy. This agreement only covers the activities in the category “Information that Rosa processes as a data processor on behalf, and under the instructions, of health professionals”.

Your role as a data controller

You are considered as a data controller for the data processing activities covered by this DPA, because:

  • These activities are primarily undertaken for Your own professional needs;
  • You make the decision to undertake these activities (by activating a functionality or starting to use a service) and You determine the purpose and means of the processing; and
  • You have the control over the information that is collected or recorded through these activities. 

As a data controller, You are responsible for the processing activities covered by this DPA, including, but not limited to, ensuring that You have a valid legal basis for the processing activities covered by this DPA and that Your Users (if any) and Your patients (or other data subjects, if any) are informed about these processing activities. You agree to provide Rosa with the instructions and documentation as necessary to enable Rosa to carry out its obligations as a data processor.

General obligation of Rosa as a data processor

As a data processor, Rosa processes personal data covered by this DPA on Your behalf as necessary to perform the Agreement and in accordance with Your documented instructions, for the categories of data, categories of data subjects and purposes that are described, for each data processing activity, in the section “Personal data that Rosa processes as a data processor on behalf, and under the instructions, of health professionals” in Rosa Privacy Policy. Rosa shall not process personal data covered by this DPA for other purposes. 

Rosa shall immediately inform You if, in its opinion, an instruction infringes the GDPR or another applicable data protection law.

Where and as necessary and upon the terms and conditions of this DPA (if any), Rosa shall assist You in ensuring compliance with Your obligations pursuant to articles 32 to 36 of the GDPR, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the GDPR, taking into account the nature of the processing and the information available to Rosa. To the extent legally permitted, Rosa may charge You for any reasonable costs arising from its provision of such assistance. 

In addition, at the request of authorized administrative and judicial authorities, Rosa may communicate personal data that it processes on Your behalf in order to comply with its legal obligations. In such cases, and where legally permitted to do so, Rosa undertakes to inform You of this communication.

 

Confidentiality obligation of Rosa

Rosa must treat the personal data covered by this DPA as confidential. Rosa may only disclose personal data to third parties if the disclosure is foreseen in the Rosa Privacy Policy or in this DPA, if it is required by the law or if You authorize Rosa to disclose it. 

Rosa must make sure that its personnel and any third party having access to personal data covered by this DPA, are bound by appropriate confidentiality obligations.

 

Security obligation of Rosa

Rosa must implement appropriate security measures to protect the personal data covered by this DPA against unauthorized access, modification or destruction and accidental or unlawful loss. Rosa relies on technologies or services of its subcontractors for parts of these measures. 

The measures currently in place are described in the document: Technical and Organisational Security Measures

Rosa must evaluate these security measures from time to time and adapt them if needed, to take into account the evolutions of the risks, the technology and the costs associated with these measures.

 

Using subcontractors

You authorize Rosa to rely on services provided by other companies to perform the data processing activities covered by this DPA.

Rosa must select subcontractors that implement appropriate security measures. The agreement between Rosa and its subcontractors must be consistent with this DPA. 

The list of Rosa’s subcontractors acting as data processors is available here.

Rosa will inform You if it changes a data processor or uses a new data processor to give You the opportunity to object to such changes within 30 days after receipt of the notification. If You have any objections about Rosa’s intent to appoint a new data processor, please contact Rosa by email, it being understood that You can only object to such appointment in writing and on reasonable and evidenced grounds. After discussion and in the absence of agreement between You and Rosa within 30 days, You may terminate the Agreement. In the absence of any such objection, You will be deemed to have approved and accepted this new data processor. 

Subject to the limitation of liability clause set forth in this DPA, Rosa shall remain fully liable to You for the performance of its data processors’ obligations under the GDPR. 

 

Transferring personal data

Rosa shall only transfer personal data to a country outside of the European Economic Area (EEA) on the basis of a personal data transfer mechanism that complies with the provisions of the GDPR: (1) an adequacy decision, (2) appropriate safeguards (including standard contractual clauses as adopted by the European Commission or binding corporate rules), (3) derogations permitted by the GDPR in specific situations and after You have given Your prior written consent for the transfer. 

Handling requests from data subjects to lodge a complaint or exercise their rights under the GDPR

If Rosa receives a request or complaint from a data subject about a data processing activity covered by this DPA, Rosa will notify You without undue delay. Unless otherwise agreed by the parties, You are responsible for handling and answering such requests. 

On Your request, Rosa will provide You with reasonable assistance and information that You need to respond to a request from a data subject or to handle a complaint. The parties shall cooperate and endeavor in good faith to achieve a mutually satisfactory answer to the request or resolution to the complaint. To the extent legally permitted, Rosa may charge You for any reasonable costs arising from its provision of such assistance.

 

Procedure in case of data breach

If a party notices or suspects a personal data breach or a breach of security in relation to a data processing activity covered by this DPA, it must inform the other party without undue delay. The parties shall cooperate to investigate and, where applicable, mitigate the risks associated with the incident and Rosa shall assist You to comply with Your obligations under article 33 GDPR and, where applicable 34 GDPR and shall reasonably cooperate with any investigations. 

In any case, Rosa will keep You informed, to the best possible extent, about:

  • the nature and extent of the data breach;
  • the categories and estimated number of data subjects affected; 
  • the details of a contact point where more information concerning the data breach can be obtained;
  • the (alleged) cause and the date on which the data breach occurred (if no exact date is known, the period within which the data breach occurred),
  • the likely consequences of the breach;
  • the measures taken by Rosa or advised by Rosa to mitigate the consequences of the breach;
  • the decisions made by Rosa regarding a notification to the regulatory authorities and the affected data subjects. 

Where and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

Unless otherwise agreed by the parties, You are responsible for reporting (if applicable) any data breaches to the supervisory authorities and the data subjects in accordance with applicable laws.

Audit rights

Rosa shall make available to You, in confidence, all relevant information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted at Your expense, by an independent auditor mandated by You. Auditors shall not be a competitor of Rosa and shall be bound by confidentiality obligations. Audits and inspections shall take place during Rosa’s normal business hours, at a time as agreed in advance between the parties and shall not unreasonably interfere with Rosa’s business activities. Any such audit may not take place more than once every contract year (unless the audit is conducted in response to a request from a supervisory authority) and shall be subject to at least thirty (30) days prior written notice. 

Both You and Your auditors shall keep the information disclosed in the context of an audit confidential and shall only use it for the purpose of verifying Rosa’s compliance with this DPA. 

The findings of the audit will be assessed by the parties in mutual consultation and, will (if necessary) lead to the implementation of adjustments by one of the parties or by both Parties jointly, as far as this is reasonable in the context of the performance of the Agreement.

Liability

Rosa's liability to You arising under this DPA, is subject to the limitations and exclusions set forth in the Agreement. Rosa shall in any event only be liable under this DPA if it has failed to comply with its specific obligations under the GDPR, or acted outside or in breach of Your lawful instructions.

Duration of the processing

This DPA will remain in full force and effect as long as the Agreement remains in effect, or Rosa retains any personal data related to the Agreement in its possession.

Unless otherwise agreed by the parties, Rosa will keep personal data for the duration of the Agreement. 

You may instruct Rosa to delete personal data prior to the termination of the Agreement that You are responsible for, and that is no longer relevant for the intended purpose.  

Upon termination of the Agreement, Rosa shall, within 30 days, delete or return all the personal data to You and delete existing copies, unless Union or Belgian law require longer storage of the personal data.

 

Communications

You acknowledge that sending emails to the main contact address mentioned in Your Rosa Account is a valid way for communicating with You about this DPA. You must keep that address up to date. 

Modification of this DPA

This DPA is valid as of 17 April 2025. Changes have been made to the previous version to enhance compliance with the GDPR. Rosa may change this DPA, but must announce in advance any material changes and the date on which they will become effective. The Agreement between You and Rosa will be modified accordingly at that date. Any non-material change will be effective upon publication on our website.

Applicable law and disputes

This DPA will be governed by, and construed in accordance with, the laws and other miscellaneous clauses applicable to the Agreement. In the unfortunate case of a dispute between You and Rosa that cannot be solved amicably, the competent courts of Brussels, French or Dutch section, will handle the dispute. 

Miscellaneous

In the case of conflict or ambiguity between any provision contained in this DPA and the provisions of the Agreement, the provisions of this DPA will prevail.

Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement will remain in full force and effect.

Terms not defined in this DPA but defined in the GDPR, shall have the same meaning as in the GDPR. 

If any of the provisions of this DPA, is determined to be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions of the DPA shall not be affected and the invalid, illegal or unenforceable provision shall automatically be replaced by a clause the effect of which comes as close as possible to that of the invalid, illegal or unenforceable provision.