This document provides the contractual framework for the processing of personal data by Rosa on behalf of its professional customers. It is part of the agreement between you (as a health professional) and Rosa.
"Rosa" is Rosa ASBL, a non-profit organization established at Cantersteen 10, 1000 Brussels, with enterprise number 0745.832.604. To communicate with Rosa about processing of personal data, or to exercise any of your rights described in this agreement, please send an email to gdpr@rosa.be.
The personal data processing activities of Rosa are listed and described in the Rosa Privacy Policy. This agreement only covers the activities in the category “Information that Rosa processes as a data processor on behalf, and under the instructions, of health professionals”.
You are considered a data controller for the data processing activities covered by this agreement, because:
As a data controller, you are responsible for the processing activities covered by this agreement.
As a data processor, Rosa processes personal data covered by this agreement on your behalf, for the categories of data, categories of persons and purposes that are described, for each activity, in the Rosa Privacy Policy. Rosa may not process personal data covered by this agreement for other purposes.
Rosa must comply with some legal obligations imposed on it as a data processor, and must also help you to comply with some of your own obligations, in the manner described in this agreement.
Rosa must treat the personal data covered by this agreement as confidential. Rosa may only disclose personal data to third parties if the disclosure is foreseen in the Rosa Privacy Policy or in this agreement, if it is required by the law or if you authorize Rosa to disclose it.
Rosa must make sure that its personnel and the contractors having access to personal data covered by this agreement are bound by appropriate confidentiality obligations.
Rosa must implement appropriate security measures to protect the personal data covered by this agreement against unauthorized access, modification or destruction. Rosa relies on technologies or services of its subcontractors for parts of these measures.
The measures currently in place are described in the document: Technical and Organisational Security Measures.
Rosa must evaluate these security measures from time to time and adapt them if needed, to take into account changes in the risks, the technology and the costs associated with these measures.
You authorize Rosa to rely on services provided by other companies to perform the data processing activities covered by this agreement.
Rosa must select subcontractors that implement appropriate security measures. The agreement between Rosa and its subcontractors must be consistent with this agreement.
The list of subcontractors is available here.
Rosa will inform you if it changes a subcontractor or uses a new subcontractor. If you have any remarks about subcontractors, please contact Rosa.
If Rosa receives a request or complaint from a patient about a data processing activity covered by this agreement, Rosa must notify you. You are responsible for handling the request.
On your request, Rosa will provide you with reasonable assistance and information that you need for answering a request from a patient.
If you notice or suspect a breach of security, you must contact Rosa as soon as possible.
If Rosa notices a breach of security leading to the unauthorized access, modification or destruction of personal data covered by this agreement, Rosa must notify you as soon as possible.
In some circumstances determined by the data protection laws, you are obliged as a data controller to notify the regulatory authority and the affected persons of a data breach. Rosa will help you comply with this obligation, depending on the circumstances:
In either case, Rosa must keep you informed, to the best possible extent, about:
Rosa will keep personal data covered by this agreement as long as it is needed for the purpose of the relevant activity. Standard duration of storage may be determined in the Rosa Privacy Policy for certain activities.
You may instruct Rosa to delete personal data that you are responsible for, and that is no longer relevant for the intended purpose.
Rosa is not obliged to keep data that you are responsible for, for more than 30 days after the end date of your agreement with Rosa.
You acknowledge that sending emails to the main contact address mentioned in your account is a valid way of communicating with you about this agreement. You must keep that address up to date.
This agreement is valid as of 14 March 2022. Rosa may change this data processing agreement, but must announce in advance any material changes and the date on which they will become effective. The agreement between you and Rosa will be modified accordingly at that date. Any non-material change will be effective upon publication on our website.
This agreement is governed by Belgian law. In the unfortunate case of a dispute between you and Rosa that cannot be solved amicably, the competent courts of Brussels, French or Dutch section, will handle the dispute.