Mercado Medic Nederland B.V.
Privacy statement (GDPR)
With this privacy statement we inform you about how we handle personal data.
- Who is responsible for the processing of your data? In this privacy statement, Mercado Medic Nederland B.V. describes how it, as the controller, handles your personal data.
- What is personal data? Information about an identified or identifiable natural person is personal data. Whether certain information must be qualified as personal data depends in part on whether Mercado Medic Nederland has lawful means that it may reasonably be expected to use to identify a data subject.
- Personal data that we process. We process personal data about you because you provide the data to us yourself. Only this personal data is linked to a product supplied by us.
- Data of persons younger than 18 will only be processed in connection with possible delivery at schools and with the consent of parents.
- Processing: legal bases and legitimate interests. The processing of personal data takes place on the basis of the following legal bases from Article 6 of the General Data Protection Regulation
- Purposes for processing personal data. Mercado Medic Nederland B.V. processes your personal data for the purposes listed below. The number after each purpose corresponds to the legal basis mentioned in article 5 of this privacy statement.
- Building and maintaining the customer relationship, including maintaining a direct relationship between the controller, dealers and service partners [legal basis: 2, 5].
- Handling orders (including invoicing), processing in financial administration and logistical handling [legal basis: 2, 5].
- Providing customer service, including service relating to the purchase of services and products, fulfilling warranty obligations and product recalls for our own services and those of dealers or service partners, and handling complaints and requests [legal basis: 2, 3, 4 or 5].
- Conducting market research to improve our business operations, brands, services and products [legal basis: 5].
- Communicating with data subjects and offering a loyalty programme [legal basis: 1 or 5].
- Measuring customer satisfaction, providing management information and determining the overall business strategy [legal basis: 1 or 5].
- Providing services on the internet and via app functionality, including providing relevant commercial messages in these apps [legal basis: 1, 2 or 5].
- Complying with legal obligations, settling disputes and enforcing our rights and agreements [legal basis: 3, 4 or 5].
- Mercado Medic Nederland shares your personal data with third parties in, among others, the following cases and for the associated reasons. The number after each purpose corresponds to the legal basis mentioned in article 5 of this privacy statement:
- If we are legally obliged or authorised to provide personal data to third parties [legal basis: 3];
- If we suspect a violation of the rights of third parties, criminal offences or abuse, we may provide personal data to third parties that have a legitimate interest in it or to bodies that serve the public interest. These may also be enforcement authorities, such as the Public Prosecution Service (Openbaar Ministerie) or supervisory authorities [legal basis: 3, 4 or 5];
- For business purposes (such as the sale of business activities or shares, or a reorganisation) [legal basis: 5].
- How long we retain data. Data remains in our system because the lifespan of the product is more than 10 years. The MDR (European Medical Device) obliges us to retain the data for as long as the product is in use.
- Your rights, including the right to object. You have the right to know which personal data we have recorded about you and to whom we have provided your personal data. For this you can contact us via customer service.
- In addition to the right of access, you have the following rights with regard to our processing of your personal data:
- The right to withdraw your consent, in so far as our processing of your personal data is based on it;
- The right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens);
- The right to rectify/correct your personal data or have it rectified/corrected;
- The right to erasure of your personal data;
- The right to restriction of the processing concerning you;
- The absolute right to object to direct marketing;
- Security and protection of data
- Mercado Medic Nederland applies appropriate security measures to counter misuse, loss, unauthorised access, unwanted disclosure and unauthorised modification as far as possible. Mercado Medic Nederland has taken both technical and organisational measures to secure your personal data. These security measures are reviewed periodically on the basis of threats.
- For questions and/or comments regarding this privacy statement, you can contact:
Mercado Medic Nederland
Tel. +31 (0) 365219995
Below follows the Instruction for data processor agreement, which has been drawn up by ITS Nordic AB, which is responsible for our data security.
INSTRUCTION FOR DATA PROCESSOR AGREEMENT
This DATA PROCESSOR AGREEMENT shall be used in cases where ITS Nordic AB is the Personal Data Processor. Who the Personal Data Controller and the Personal Data Processor are respectively is determined from case to case. In general, it can be said, however, that in each situation within ITS Nordic AB’s hosting operations, when you store documentary materials that contain Personal data on behalf of another company, ITS Nordic AB is normally the Personal Data Processor. In each such case, a DATA PROCESSOR AGREEMENT shall be entered into. The Personal Data Controller’s responsibility is to ensure that such an agreement is entered into. Despite this, we recommend that you ensure that an agreement is entered into and that you make use of this agreement.
Who is what?
The Personal Data Controller is the one who alone or jointly with others determines the purposes and means for the processing of Personal data.
The Personal Data Processor is the one who processes Personal data on behalf of the Personal Data Controller. In the Agreement, it is referred to as the Processor.
- Determine who the Personal Data Controller and the Personal Data Processor are. If you are operating as a Personal Data Controller with someone else, you shall instead use the confirmation form for common Personal Data Controller responsibilities. If ITS undertakes commitments which go beyond normal hosting activities, consultation should be sought with expertise to assess whether ITS is the Personal Data Processor or the Personal Data Controller.
- Fill in the details for each party in the fields highlighted in yellow in the DATA PROCESSOR AGREEMENT.
- Produce a copy of the agreement/s that will mean that you, as the Personal Data Processor, process Personal data on behalf of the Personal Data Controller and insert as an attachment (Appendix 1) to the DATA PROCESSOR AGREEMENT.
- Determine whether the instructions you have received are clear enough. If not, ask for clarification. Alternatively, insert the CONTROLLER instruction provided as Appendix 2 to this agreement.
- Sign the agreement
PERSONAL DATA PROCESSOR AGREEMENT
This Personal Data Processor Agreement (the “Agreement”) has been signed between
- Mercado Medic Nederland, and
- ITS Nordic AB, org. no. 556584-7448, Gårdsvägen 18, 169 70 Solna, (“The Processor”).
The Personal Data Controller and the Processor are referred to below individually as “Party” and collectively the “Parties”.
1.1 The Processor shall supply the Personal Data Controller with certain services in accordance with the service agreement entered into by the Parties.
1.2 The Assignment (as defined below) means that the Processor shall provide server space on behalf of the Personal data controller and assist the Personal Data Controller with various IT operations issues. The materials and documents that are stored on the Processor’s servers will contain Personal data (as per the definition below). The storage of personal data constitutes a form of personal data processing. The execution of the Assignment therefore means that the Processor will work with the processing of Personal Data.
1.3 The Processor will, for the processing of the Personal Data that follows from the Assignment, act as a Personal Data Processor to the Personal Data Controller for the processing of Personal data in accordance with the Assignment.
1.4 In view of the above, the Parties have entered into this Agreement.
In this Agreement, the following terms will be used, as defined, with their meanings indicated below.
“Data protection regulation”
Refers to the European Parliament’s and the Council’s Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural individuals with regard to the processing of Personal data and on the free flow of such data and the repeal of directive 95/46/EC.
Refers to such Personal data that the PROCESSOR processes on behalf of the Personal Data Controller in accordance with this Agreement. Personal Data includes such information that is personal data in accordance with the applicable Personal Data Act, which, when the Agreement was signed, includes all kinds of data that can directly or indirectly be attributed to a natural person who is alive.
The “Data Protection Act”
Refers to the applicable legislation or regulation concerning the processing of Personal Data, including but not limited to, the Personal Data Act (1998:204) and from the date on which it shall be applied, the European Parliament’s and the Council’s Regulation (EC) 2016/679 as of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as well as the repeal of Directive 95/46/EC, other Union law relating to the processing of Personal Data and the Regulatory authority’s applicable decisions, advice and recommendations.
Refers to the natural person to whom the Personal Data relates.
The “Regulatory authority”
Refers to the authority or authorities that act as (a) regulator (regulators) with regard to the processing of personal data in accordance with the Data Protection Act. At the time this Agreement was entered into, the Swedish Data Inspection Authority was the authority exercising such regulatory powers in Sweden.
The “Service agreement”
Refers to the agreement that the Parties have entered into in respect of the Assignment.
Refers to the services provided by the PROCESSOR in accordance with the Service agreement.
3 THE PROCESSOR’S UNDERTAKINGS
3.1 The PROCESSOR shall only process personal data to the extent necessary for the execution of the Assignment, and only in accordance with the Personal Data Controller’s written instructions provided at any time. The PROCESSOR may never process Personal Data for any other purposes than those for which the Personal Data Controller has provided instructions.
3.2 For details of the instructions, which the Personal Data Controller has provided to the PROCESSOR on entering into the Service agreement, see Appendix 2. The Personal Data Controller is entitled to adjust Appendix 2, and submit amended or additional instructions to the PROCESSOR. The Personal Data Controller shall, in good time and in a clear manner, inform the PROCESSOR of any such amendment. If the PROCESSOR determines that instructions are lacking and that these instructions are necessary to carry out the Assignment or the PROCESSOR’S undertakings in accordance with this Agreement, the PROCESSOR shall inform the Personal Data Controller of its point of view and wait for the Personal Data Controller’s further instructions.
3.3 In the event that the PROCESSOR processes Personal Data in addition to or in conflict with the Personal Data Controller’s instructions, due to requirements pursuant to Personal Data Legislation, the PROCESSOR shall undertake to inform the Personal Data Controller of the legal requirement before the Personal data is processed; unless such information is prohibited as it constitutes a substantial public interest.
3.4 The PROCESSOR shall inform the Personal Data Controller if the PROCESSOR is of the opinion that an instruction provided by the Personal Data Controller is contrary to prevailing Personal Data Legislation.
3.5 In the event that an authority, registered party or other third party requests information from the PROCESSOR that relates to the processing of Personal Data, the PROCESSOR shall, as soon as possible and at the latest within twenty-four (24) hours, refer this request to the Personal Data Controller. The PROCESSOR may only submit Personal Data or information concerning the processing of Personal data in accordance with the instructions from the Personal Data Controller or if the PROCESSOR is obliged to disclose the data in question in order to comply with law, regulation, judicial or other official decision or stock exchange regulation.
3.6 The PROCESSOR shall inform the Personal Data Controller, without undue delay after having received knowledge of accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure or access to, Personal Data, or an attempt to do so. In the event of such, the PROCESSOR shall:
i. provide the Personal Data Controller with a detailed account of what has happened;
ii. in consultation with the Personal Data Controller and at the expense of the Personal Data Controller take all reasonable measures to mitigate the consequences of the situation that has arisen; and
iii. as soon as possible after the situation has been dealt with, inform the Personal Data Controller of the measures to be taken to prevent similar situations from arising during the Agreement period (for a definition, see section 9 below).
3.7 The PROCESSOR shall - without unjustified delay - inform the Personal Data Controller in the event that the Regulatory Authority contacts the PROCESSOR regarding a situation that concerns or may have significance for the PROCESSOR’S processing of the Personal Data.
3.8 In order to avoid any misunderstandings, the PROCESSOR does not have the right to represent the Personal Data Controller vis-à-vis third parties with regard to the processing of Personal Data other than that resulting from this Agreement or following explicit instructions from the Personal Data Controller.
3.9 The PROCESSOR agrees to keep a record of all categories of processing that have been carried out on behalf of the Personal Data Controller in accordance with Article 30.2 a) - d) of the Data Protection Regulation; to take all necessary measures pursuant to Article 32 of the Data Protection Regulation, as well as assist the Personal Data Controller and to ensure that the obligations pursuant to Articles 32-36 of the Data Protection Regulation are carried into effect.
3.10 The PROCESSOR may not, in violation of any applicable law or regulation, transfer Personal data to third countries.
3.11 The PROCESSOR undertakes to comply with applicable Data protection legislation, to take into account the regulatory authority’s advice and recommendations as well as keep up to date on Data protection legislation. The PROCESSOR also undertakes to cooperate with the Regulatory authority in the exercise of its oversight with regard to the processing of personal data.
3.12 The PROCESSOR undertakes to ensure that employees and other persons who are given access to Personal Data are provided with information about how Personal data may be processed.
3.13 If the Assignment involves the PROCESSOR processing Personal Data that is subject to special regulation, for example, that relating to patient care, the PROCESSOR shall comply with such special regulation in the execution of the Assignment.
4 TECHNICAL AND ORGANISATIONAL MEASURES
4.1 The PROCESSOR undertakes to take appropriate technical and organisational measures to ensure that the PROCESSOR can live up to its obligations pursuant to this Agreement.
4.2 The PROCESSOR shall take appropriate technical and organisational measures to protect the Personal data. For example, the PROCESSOR shall limit access to Personal data to those persons who need access to perform their work duties relating to the Assignment.
4.3 The measures the PROCESSOR shall take in accordance with section 4.2 shall provide a level of security, which is adequate with regard to the technical possibilities available, what it costs to implement these measures, the special risks involved with the processing of Personal data and how sensitive the Personal data is.
4.4 Upon request from the Personal Data Controller, the PROCESSOR shall provide a list of the technical and organisational measures to be taken or that have been taken.
4.5 The PROCESSOR shall process personal data in such a way that it is possible to track all processing and to provide for a follow up.
4.6 The PROCESSOR shall assist the Personal Data Controller by using appropriate technical and organisational measures, in so far as this is possible, so that the Personal Data Controller can fulfil its obligations to respond to the request concerning the rights of the person registered in accordance with Chapter III of the Data Protection Regulation.
5.1 The Personal Data Controller has the right, itself or via a third party designated by the Personal Data Controller, to verify that the PROCESSOR is complying with that set forth in this Agreement and in the instructions issued by the Personal Data Controller. The PROCESSOR shall provide the Personal Data Controller with access to the information that the Personal Data Controller requires to be able to determine whether the PROCESSOR is complying with this Agreement, given instructions and the applicable Personal Data Legislation, and to ensure that the PROCESSOR is complying with its obligations pursuant to Article 28 of the Data Protection Regulation. The PROCESSOR shall also contribute to the audits, which include sanctions that are to be carried out by the Personal Data Controller or by any other auditor authorised by the Personal Data Controller.
5.2 The PROCESSOR has the right to equitable remuneration for the assistance that is required pursuant to section 5.1.
The PROCESSOR shall indemnify the Personal Data Controller in the event that the Personal Data Controller is caused damage that is attributable to the PROCESSOR’S processing of Personal data that is contrary to the instructions received from the Personal Data Controller or that is contrary to the instructions in this Agreement. The PROCESSOR is required to have a sufficient amount of insurance to cover the liabilities that may be payable in accordance with the Agreement. The PROCESSOR’S responsibility vis-à-vis the Personal Data Controller is limited, however, per calendar year, to an amount equivalent to 50 percent of the PROCESSOR’S remuneration received for the Assignment during the calendar year in which the event that caused any damage occurred. In order for compensation liability pursuant to this section (6) to arise, a written claim for compensation shall be received by the PROCESSOR as soon as possible after the Personal Data Controller has received notice of the incident that requires compensation, and in any case within three years from the same.
7.1 The PROCESSOR is not entitled to engage SUB-PROCESSORs without prior written consent from the Personal Data Controller.
7.2 If the PROCESSOR engages a SUB-PROCESSOR after obtaining prior written consent from the Personal Data Controller, the PROCESSOR is responsible for the work of the SUB-PROCESSOR and any compensation for the sub-PROCESSOR’S work shall be borne by the PROCESSOR unless otherwise agreed between the Parties.
7.3 If the PROCESSOR engages a SUB-PROCESSOR after having obtained the prior written consent of the Personal Data Controller, the Personal data shall only be processed by such a SUB-PROCESSOR provided that the PROCESSOR enters into a written agreement with the SUB-PROCESSOR, whereupon the SUB-PROCESSOR is imposed with the same obligations as those that are imposed upon the PROCESSOR in accordance with this Agreement and guarantees that appropriate technical and organisational measures are taken in such a way that the processing of Personal Data takes place in conformity with applicable Personal Data Legislation.
7.4 The PROCESSOR undertakes to inform the Personal Data Controller in the event that the PROCESSOR has the intention to change the SUB-PROCESSOR or enter into an agreement with another SUB-PROCESSOR.
7.5 The PROCESSOR shall, at the request of the Personal Data Controller, and without undue delay and in writing, inform the Personal Data Controller of the SUB-PROCESSORs the PROCESSOR has entered into an agreement with in accordance with section 7.3 above, as well as provide the Personal Data Controller with such information the Personal Data Controller asks for, and provide the Personal Data Controller with the opportunity to object to the engagement of a SUB-PROCESSOR.
7.6 In the event a SUB-PROCESSOR does not fulfil its obligations in accordance with such agreement entered into with the PROCESSOR and in accordance with section 7.3 above, the PROCESSOR is fully liable vis-à-vis the Personal Data Controller for the execution of the sub-PROCESSOR’S responsibilities.
8.1 The Parties undertake not to provide or disclose the Personal data or other data that Party has obtained because of this Agreement to third parties who are not subject to the same obligations as the PROCESSOR is pursuant to this Agreement.
8.2 Party shall ensure that employees and other persons who are allowed access to the Personal data are subject to the obligation of professional secrecy in accordance with this Agreement.
8.3 The obligations set out in this section (8) do not include data that was already known to a Party at the time of receipt, data disclosed in accordance with the Personal Data Controller’s instructions or which Party is required to disclose by law, regulation, judicial or other official decision or stock exchange regulation. The PROCESSOR shall, without undue delay and in writing, inform the Personal Data Controller in the event that the PROCESSOR is required to disclose such information.
8.4 The obligation to observe confidentiality in this section (8) applies even after this Agreement has expired.
9 DURATION OF AGREEMENT AND TERMINATION
9.1 This Agreement shall come into effect when signed by both Parties and shall remain valid as long as the Agreement is in force between the Parties. At the time of the Service agreement’s termination, regardless of reason, this Agreement shall cease to apply between the Parties at any time without prior notice.
9.2 The Personal Data Controller has the right to terminate this Agreement with immediate effect if the PROCESSOR has materially failed to fulfil its obligations in accordance with this Agreement or fails to perform its obligations in accordance with this Agreement and has not within 60 days after written request referring thereto (including the description of the breach and, with reference to this section), rectified the breach if it is possible to rectify. If such termination of the Agreement occurs, the Service agreement is deemed to expire on the same day as the termination of the Agreement.
10 THE CONSEQUENCES OF THE AGREEMENT’S TERMINATION
Upon termination of the Agreement, for any reason, the PROCESSOR in accordance with the Personal Data Controller’s instruction, shall delete or alternatively return all Personal data to the Personal Data Controller, or to the entity the Personal Data Controller advises and thereafter delete existing copies, unless storage of the Personal data is required in accordance with Data Protection Legislation.
The PROCESSOR may neither transfer nor surrender its rights or obligations pursuant to this Agreement without the prior written consent of the Personal Data Controller. The Personal Data Controller may transfer or surrender its rights and/or obligations pursuant to this Agreement to such legal person who directly or indirectly controls or is controlled by the Personal Data Controller.
12 AMENDMENTS AND ADDITIONS
Any amendments and/or additions to this Agreement, in order to be binding, shall be drawn up in writing and signed by authorised representatives of both Parties.
13 COMPLETE REGULATION
The Agreement constitutes the Parties’ complete regulation of all issues relating to this Agreement. All written or oral commitments and pledges that preceded the Agreement are replaced by the content of this Agreement.
Notifications, which according to the Agreement must be made in writing, or which Party otherwise considers are needed to verify the counterparty’s receipt of, shall be made to the Parties’ addresses specified below or later changed addresses.
To: Mercado Medic Nederland B.V.
Address: Nobelweg 22
3899 BN Zeewolde
To the PROCESSOR: ITS Nordic AB
Address: Gårdsvägen 18, 169 70 Solna
14.1 Notification shall be deemed to have been received by the receiving Party:
if sent by courier: upon delivery;
if sent by registered mail: two (2) days after the letter is handed over to the postal services;
if sent by email: at the time of dispatch, if receipt is confirmed by the receiving Party or if the sending Party has also sent the notification by registered mail on the same day.
14.2 Written confirmation indicating that the message has been communicated by courier or sent by registered letter shall constitute proof of receipt. Any change of address must be notified to the counter party in accordance with the prescribed manner in section 14.
15 INEFFECTIVENESS OF THE AGREEMENT
Should any provision of this Agreement or part thereof be found to be invalid, it shall not mean that the Agreement in its entirety is invalid; but to the extent that the invalidity materially influences Party’s benefit or performance in accordance with the Agreement, equitable adjustment of the Agreement shall take place.
In the interpretation of this Agreement, the Swedish Law shall apply and disputes shall be revised in accordance with the instructions stated in the Service Agreement.
This Agreement has been drawn up in duplicate, of which each of the Parties has received a copy.
Place: Zeewolde Place: Solna
Date: March 20th 2018 Date: March, 20th 2018
Mercado medic Nederland ITS NORDIC AB
Jarko Berkley Henrik Welin