Data Processing Agreement for Health Professionals
Purpose of this document
This document provides the contractual framework for the processing of personal data by Rosa on behalf of its professional customers. It is part of the agreement between you (as a health professional) and Rosa.
"Rosa" is Rosa ASBL, a non-profit organization established at Cantersteen 10, 1000 Brussels, with enterprise number 0745.832.604. To communicate with Rosa about processing of personal data, or to exercise any of your rights described in this agreement, please send an email to firstname.lastname@example.org.
Data processing activities covered by this agreement
Your role as a data controller
You are considered as a data controller for the data processing activities covered by this agreement, because:
- These activities are primarily undertaken for your own professional needs;
- You make the decision to undertake these activities (by activating a functionality or starting to use a service); and
- You have the control over the information that is collected or recorded through these activities.
As a data controller, you are responsible for the processing activities covered by this agreement.
General obligation of Rosa as a data processor
Rosa must comply with some legal obligations imposed to it as a data processor, and must also help you to comply with some of your own obligations, in the manner described in this agreement.
Confidentiality obligation of Rosa
Rosa must make sure that its personnel and the contractors having access to personal data covered by this agreement, are bound by appropriate confidentiality obligations.
Security obligation of Rosa
Rosa must implement appropriate security measures to protect the personal data covered by this agreement against unauthorized access, modification or destruction. Rosa relies on technologies or services of its subcontractors for parts of these measures.
The measures currently in place are described in the document: Technical and Organisational Security Measures
Rosa must evaluate these security measures from time to time and adapt them if needed, to take into account the evolutions of the risks, the technology and the costs associated with these measures.
You authorize Rosa to rely on services provided by other companies to perform the data processing activities covered by this agreement.
Rosa must select subcontractors that implement appropriate security measures. The agreement between Rosa and its subcontractors must be consistent with this agreement.
The list of subcontractors is available here.
Rosa will inform you if it changes a subcontractor or uses a new subcontractor. If you have any remarks about subcontractors, please contact Rosa.
Handling requests from patients
If Rosa receives a request or complaint from a patient about a data processing activity covered by this agreement, Rosa must notify you. You are responsible for handling the request.
On your request, Rosa will provide you with reasonable assistance and information that you need for answering a request from a patient.
Procedure in case of data breach
If you notice or suspect a breach of security, you must contact Rosa as soon as possible.
If Rosa notices a breach of security leading to the unauthorized access, modification or destruction of personal data covered by this agreement, Rosa must notify you as soon as possible.
In some circumstances determined by the data protection laws, you are obliged as a data controller to notify a data breach to the regulatory authority and to the affected persons. Rosa will help you comply with this obligation, depending on the circumstances:
- If Rosa believes that the data breach must be notified and it affects a large number of health professionals: then Rosa will notify the data breach to the regulatory authority and to the affected persons on your behalf.
- If Rosa believes that the data breach must not be notified or if the breach affects a small number of health professionals: then Rosa will only notify the affected health professionals, who may decide to notify the data breach to the regulatory authority and to the affected persons.
In either case, Rosa must keep you informed, to the best possible extent, about:
- the nature and extent of the data breach;
- the categories and estimated number of persons affected;
- the likely consequences of the breach;
- the measures taken by Rosa or advised by Rosa to mitigate the consequences of the breach;
- the decisions made by Rosa regarding a notification to the regulatory authorities and the affected persons.
Duration of the processing
You may instruct Rosa to delete personal data that you are responsible for, and that is no longer relevant for the intended purpose.
Rosa is not obliged to keep data that you are responsible for, for more than 30 days after the end date of your agreement with Rosa.
You acknowledge that sending emails to the main contact address mentioned in your account is a valid way for communicating with you about this agreement. You must keep that address up to date.
Modification of this data processing agreement
This agreement is valid as of 14 March 2022. Rosa may change this data processing agreement, but must announce in advance any material changes and the date on which they will become effective. The agreement between you and Rosa will be modified accordingly at that date. Any non-material change will be effective upon publication on our website.
Applicable law and disputes
This agreement is governed by Belgian law. In the unfortunate case of a dispute between you and Rosa that cannot be solved amicably, the competent courts of Brussels, French or Dutch section, will handle the dispute.