DATA PROCESSING AGREEMENT GDPR

In [·], [·] of [·] of 2018.

BY AND BETWEEN

On the one side, HOSPITAL SANT JOAN DE DÉU, a legal entity incorporated according to the
laws of Spain, with registered office at Passeig Sant Joan de Déu, nº 2, 08950 Esplugues de
Llobregat (Barcelona), with Spanish Tax Identification Number R5800645C, represented by
Mrs. Natalia Pérez Neira, provided with Spanish National Identity Card number 38093823G,
duly empowered in her capacity as Financial Director (hereinafter, “[·]” or the “SANT JOAN
DE DÉU HOSPITAL”).

On the other side, Mr./Ms. [·], acting in the name and on behalf of [·], with corporate
domicile in [·], and Tax ID number [·], and registered in the Register of [·] under company
number [·] (hereinafter, the “Supplier” or the “Processor”).

Both Parties mutually acknowledge that they hold full legal standing and capacity to enter
into contract and undertake commitments, pursuant to the provisions of the present data
processing agreement GDPR (hereinafter, the “Agreement”),

DECLARE

I. That in the frame of the provision of services by the Processor to SANT JOAN DE DÉU
HOSPITAL, on the basis of article 28 of the Regulation (EU) 2016/679 of the European
Parliament and of the Advice on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (hereinafter, “GDPR”) the Processor will carry out a treatment at
the expense of the SANT JOAN DE DÉU HOSPITAL, responsible for the processing, to the
effects of being able to provide the above mentioned services.

II. That SANT JOAN DE DÉU HOSPITAL wants to ensure that the Processor offers sufficient
guarantees to apply technical and organizational appropriate measures, so that the
treatmento0f Personal Data is compliant with the requirements of the GDPR and
guarantees the protection of the particular rights.

III. That Processor declares that it knows and is in a position to comply with the
requirements of SANT JOAN DE DÉU HOSPITAL in relation to the present contract.

IV. That, for that purpose, both parties agree to execute this Agreement, in accordance
with the following

CLAUSES

1. Object.

1
1.1. The description -required in article 28.3 of the GDPR- of the processing of data is
detailed in Annex 1, without prejudice that in the future the Parties may wish to
update this description of the way in which they agree with each other.

1.2. The Services shall periodically analyze and introduce, in accordance with each other,
those rules, inclusions or deletions that may be considered useful or necessary for the
proper execution of the Services with the intention of improving the relationships and
efficiency of the Parts.

2. Term.

2.1. This Data Processing Agreement will take effect on the Effective Date and,
notwithstanding, will remain in effect until Processor finishes processing SANT JOAN DE
DÉU HOSPITAL’s Personal Data.

2.2. In case of the nature of the obligations presented in this Contract remains
undetermined or simply lasts longer, they shall remain in force until the validity of the
Contract expires in other respects.

3. Mutual Obligations.

3.1. SANT JOAN DE DÉU HOSPITAL shall comply adequately, and at all time, with provisions
contained in the GDPR, as well as in that regulation (national or supranational), that
will be able to be of application in every moment. Especially SANT JOAN DE DÉU
HOSPITAL is obligated to:

a) To provide the Personal Data and to inform to Processor of any variation that it
could affect their treatment;

b) Previously and during the term of this Contract, to comply with the GDPR by the
Processor, providing them with the instructions resulting therefrom; and

c) Supervise the treatment by the Processor, including the possibility of exercising the
right of audit and/or inspection referred to in clause 3.2.k) as follows.

3.2. The Processor shall fulfil properly, and in all moment, the provisions set forth in the
GDPR, as well as that regulations (national or supranational) that could be applicable in
each moment. Particularly, the Processor is compelled to:

a) To use the Personal Data, or those that it could gather at the expense of SANT
JOAN DE DÉU HOSPITAL, only for the purpose object of this Contract. Processor
must not, in any case, use the above mentioned Personal Data for own and / or
different ends.

b) To process only the Personal Data following SANT JOAN DE DÉU HOSPITAL’s
documented instructions and, in case of deeming that some instruction is not
compatible with GRGP, the Processor must inform to SANT JOAN DE DÉU HOSPITAL
in order to that this one take any measure deemed appropriate.

2
c) To keep a documentary record of all categories of the activities of process
performed carried out by SANT JOAN DE DÉU HOSPITAL in the context of this
Agreement.

d) Not to communicate the Personal Data to third parties, unless having express,
written authorization from SANT JOAN DE DÉU HOSPITAL to those legally admissible
cases.

e) To guarantee that the people authorized to process Personal Data have

commitment to respect the confidentiality to the same terms set forth below in
this Agreement.

f) To adopt all the appropriate technical and organizational measures in order to

guarantee a property security level adapted to the risk of the Personal Data
pursuant in accordance with the provisions of Article 32 of the GDPR and,
particularly but not limited, the following measures:

 Pseudonymisation measures and the encoding of personal data.

 The permanent required measures to guarantee the confidentiality, integrity,
availability and resilience of the data processing systems and services.
 In the case of incident, measures that will enable to restore the availability and
the access to the Personal Data in the fastest way.
 Measures that allows to verify, to assess and to value, on a regular basis, the
efficiency of the technical and organizational measures implemented to
guarantee the security of the process.

In any event, the Processor is compelled to justify annually to SANT JOAN DE DÉU
HOSPITAL of the compliance of the above measures by means of the delivery
certificates of compliance reported by an expert independent from recognized
prestige on the market.

g) To respect the conditions referred to the following clause six in relation to the
subcontracting;

h) To Assist SANT JOAN DE DÉU HOSPITAL in charge of processing, taking into account
the nature of the processing, through appropriate technical measures and
organizations, whenever possible, thereby they may comply with their obligation to
respond the requests for the exercise of rights of the interested parties, thus, the
rights of transparency, information, access, rectification and suppression (right to
forget), limitation of treatment, portability, opposition or not being the subject of
automated individualized decisions (including the elaboration of profiles), among
others that are specified in Chapter III of the GDPR.

If the Processor makes a request for the exercise of the rights specified in Chapter
III of the GDPR relating to the processing of data from this contract, it must inform
SANT JOAN DE DÉU HOSPITAL by e-mail at [email protected]. The
communication must be made immediately or, if any, the earliest working day
following the date of receipt of the request (in which case it must be less than 72
hours), together, if necessary, with other information that may be relevant for the
resolution of the request.

3
i) To collaborate, cooperate and actively assist SANT JOAN DE DÉU HOSPITAL in
complying with the obligations set out in article 32 (security of processing), 33
(Notification of a personal data breach to the supervisory authority) 34
(Communication of a personal data breach to the data subject), 35 (Data
protection impact assessment) and 36 (Prior consultation) of GDPR, taking into
account the nature of the treatment.

j) To notify SANT JOAN DE DÉU HOSPITAL any security breach related to personal data
without undue delay and, if not later than 24 hours after the Processor has
obtained the knowledge of it to the following mail address,
[email protected]. The notification shall be accompanied by the
necessary and relevant documentation so that it can be registered and
communicated to the competent supervisory authority.

In this regard, it will provide, at least, the following information:

(i) Description of the nature of a personal data security breach, including,

where possible, the categories and approximate number of interests
involved, and the categories and approximate number of personal data
records involved.

(ii) Name and contact of Data Processor Officer or other contact for further
information.

(iii) Description of the consequences of the personal data security breach.

(iv) Description of the measures taken or proposed to address the violation of

personal data security, including, if appropriate, measures taken to
mitigate possible negative effects.

(v) Any other information that the Spanish Data Protection Agency considers
should be included in the forms it recommends for reporting security
breaches.

If it is not possible to provide the information simultaneously, the information will be

provided gradually in the maximum 24-hour period.

It will responsible of the Processor to take the necessary actions to contain and
resolve the incident and will not inform SANT JOAN DE DÉU HOSPITAL afterwards.

SANT JOAN DE DÉU HOSPITAL, as responsible of the processing, will periodically

monitor the status of the resolution of the incident, and the Processor undertakes to
respond with the reports that are then requested.

k) At the choice of SANT JOAN DE DÉU HOSPITAL, to delete or return all the Personal
Data to SANT JOAN DE DÉU HOSPITAL after the end of the provision of services
relating to processing, and to delete all existing copies unless Union or Member
State law requires storage of the Personal Data, providing, if so requested by SANT
JOAN DE DÉU HOSPITAL, a certificate of compliance of the above signed by
authorized representatives of the Processor or by an independent third party of
recognized prestige.

4
 l) To make available to SANT JOAN DE DÉU HOSPITAL all information necessary to
demonstrate compliance with the obligations laid down in this clause and allow for
and contribute to audits, including inspections, conducted by the SANT JOAN DE
DÉU HOSPITAL or another auditor mandated by SANT JOAN DE DÉU HOSPITAL, who,
in any case, will have the right to perform as many audits and / or inspections as it
deems convenient to the Processor to verify compliance with this Contract, as well
as the rest of the provisions set forth in the GDPR, even after the provision of
services referred to in the Manifestations of this Contract;

m) Processor undertakes: a) it will establish all legal, organizational and technical

measures aimed at generating evidence of compliance with article 28 of the GDPR;
b) to make available to SANT JOAN DE DÉU HOSPITAL all the information necessary
to prove the fulfilment of the obligations established in this contract and in article
28 of the GDPR. This will enable and contribute to the performance of audits,
including inspections, by SANT JOAN DE DÉU HOSPITAL or by another auditor
authorized by SANT JOAN DE DÉU HOSPITAL who will be responsible for the audit.
In all cases, it shall have the right to carry out any audits and/or inspections
deemed appropriate by the Processor to verify the completion of this Contract, as
well as the remaining provisions of the GDPR, in order to provide the services
referred to in the Manifestations of this Contract and to complete them once they
have been completed;

n) To guarantee and to provide the necessary training regarding the protection of

personal data to the persons authorized to process Personal Data.

o) To designate, if appropriate, a data protection officer.

4. International Transfers.

4.1. The Processor may only process the Personal Data in servers located outside the
European Economic Area, or may only perform actions involving an international
transfer of personal data, prior express written consent of SANT JOAN DE DÉU
HOSPITAL, unless the Processor is contractually compelled to do so by virtue of
European law or of the Member States that is applied to the Processor. In any
exceptional case, the Processor shall forthwith inform SANT JOAN DE DÉU HOSPITAL
of that legal requirement before making the respective transfer, unless it is not
permitted for reasons of substantial public interest.

5. Confidentiality.

5.1. The Private Data will be treated by the Processor as Confidential Information. The
Processor undertakes to keep the disclosed Confidential Information strictly secret and
not to use them for any other purposes than those referred to the purpose of this
Agreement.

5.2. Furthermore, the Processor undertakes to make the Confidential Information only
available to those natural or legal persons who need the Confidential Information in
order to develop tasks for which the use of this information is strictly necessary. On
this matter, the Processor will warm the above mentioned natural or judicial persons of
his obligations with regard to the confidentiality, ensuring fulfillment of the same ones.

5
5.3. These obligations of confidentiality will carry on being in force after the termination of
this Agreement.

6. Subcontracting.
6.1 The Processor, may subcontract other processor (hereinafter, “Subprocessor”). In this
case, the Processor may inform the person responsible for the processing, in writing, of
its intention to provide information that clearly identifies which activity or processing
is being subcontracted, identifies the subcontractor and the date of the subcontract.
6.2 The Controller shall have a minimum of 15 days from the date of the return of this
communication to not authorize this subcontracting. The subcontracting may reach only
if the Controller does not have any objections.
6.3 The Subprocessor is obliged to comply with the obligations established in the present
document for the handling of the case and the instructions issued by the person
responsible. The Processor shall regulate the new relation under the same conditions
(instructions, obligations, security measures...) and the same formal requirements as
the agreement, regarding the proper handling of personal data and the guarantee of
the rights of the persons affected. In the event of non-compliance on the part of the
sub-clearance, the initial charge shall remain fully responsible to the person
responsible for the compliment of the obligations.

7. Representations and warranties.

7.1 SANT JOAN DE DÉU HOSPITAL declares and guarantees to the Processor that it has
adopted the necessary mechanisms provided for in the GDPR to preserve the
confidentiality, security and integrity of Personal Data, even though it takes into
account the status of the technique and the cost of its application to the risks and the
nature of Personal Data.

7.2 The Processor represents and guarantees that it has the specialized knowledge,
reliability and resources, for the implementation of technical and organizational
measures in order to fulfill the requirements of the GDPR, included the safety of the
treatment, necessary to comply with the obligations of this Agreement in relation to
the Personal Data.

8. Responsibility.

8.1. Each Party shall empower the other Party to pass on the costs, including all types of
compensation, sanctions and expenses, derived from claims of the affected persons,
due to negligence and / or lack of confidentiality, undue use and / or treatment of the
Personal Data, including expressly any amounts derived from the sanctions eventually
could be imposed by the corresponding competent authority (for instance, Data
Protection Authorities) for the non-compliance or defective fulfillment with the
regulations, provided that such costs are the result of a breach attributable to the
other Party.

In addition, each Party shall notify the other Party of the claims it receives so that it
may assume responsibility for the legal defense, and the Party to which the breach is

6
 attributable shall act at all times in a coordinated manner and preserving the image of
the other Party.

9. Jurisdiction and Law Applicable

9.1 The present Agreement will be subject to the provisions of the Spanish law. In the event
that any of the provisions of the present Contract continue to be declared ineffective,
following this original or surviving ineffectiveness, the remainder of the Contract shall
be valid. The clause declares ineffective will be replaced by an alternative clause
which the Parties decide to mutually agree and in writing, and which, from the point of
view of the rights or obligations which they have generated for them, has a meaning
similar to that to which it replaces.

9.2 The Parties agree expressly and voluntarily to resolve any differences that may arise in
the interpretation or supplementation of this Agreement by the Courts and Tribunals of
the city of Barcelona, expressly waiving any other dispute that may arise between
them.

IN WITNESS WHEREOF, the Parties have duly executed this Agreement by their
authorized representatives as of the date first written above.

_______________________________________ _______________________________________
Mrs. Natalia Pérez Neira Mr. [·]
SANT JOAN DE DÉU HOSPITAL [·]

7
 Annex I

1. Nature of the treatment

Collection Comparison Extraction [·]
Structuring Suppression Transmission [·]
Conservation Communication Interconnection [·]
Consultation Registration Limitation [·]
Dissemination Modification Destruction [·]

2. Purpose of the treatment

Payroll Submission of electronic communications
Personnel selection Destruction of information and/or
documentation
Training Transport and file of information and/or
documentation
Administrative management of Satisfaction and/or quality enquiries
patients and contact data of family
members
Clinical management of the patients Tax and administrative management of
donations.
Occupational risk preventions Others (specify)
Religious attention

3. Typology of data
Identify Data Employment data
Health Data Financial and insurance data
Data relating to infringement and Data relating to transactions in goods and
criminal offences. services.
Individuals characteristics data Commercial information
Social circumstances data Biometric data
Professional and academic data Religion and philosophical convictions
Data relating to management of Specials categories of data: racial and
visits or other non-economic data ethnic origin, political opinions, syndical
affiliation, sexual orientation/life
Genetic data Others (specify)

4. Affected parties
Employers Suppliers Solicitors
Candidates External partners Beneficiaries
Patients Owners and tenants Others (specify)
Users Shareholders
Potentials patients Donors