Applying to all use of OssDsign’s Customer Communication Platform
“Account” means a user account for an individual User of the CCP Service.
“Agreement” means the agreement between OssDsign and the Customer, entered into by the User on behalf of the Customer, regarding the Customer’s use, through the User, of the CCP Service.
“CCP Service” means the latest version of OssDsign’s Customer Communication Platform.
“Customer” means a corporation or other legal entity, e.g. a hospital or clinic, which uses the CCP Service through one or more Users.
“DPT” means the Data Processing Terms attached hereto as Appendix 1.
“OssDsign” means the company OssDsign AB, corporate identification number 556841-7546, Virdings Allé 2, 754 50 Uppsala, Sweden.
“Party” or “Parties” means OssDsign and the Customer or, when applicable, OssDsign and the User.
“Products” means the OssDsign products that the Customer may purchase from OssDsign through the CCP Service.
“User” means a person who is authorized by the Customer to use the CCP Service, on behalf of the Customer, and who has an Account connected to the Customer.
3. OSSDSIGN'S PROVISION OF THE CCP SERVICE
The CCP Service is an online communication platform that enables communication between OssDsign, the User and the Customer (through the User). The CCP Service is offered ‘as-is’. OssDsign does not guarantee the accuracy or timeliness of information available from the CCP Service and gives no warranties, guarantees or conditions. OssDsign reserves its rights to, without prior notification, at any time and for any reason make changes to the CCP Service or the method of providing it.
4. USE OF THE CCP SERVICE
Upon request by the Customer, OssDsign will invite persons appointed by the Customer to register with the CCP Service and accordingly create an Account and become a User. Such Account is personal for the User but always connected to the specific Customer that has appointed the User as a user of the CCP Service on behalf of the Customer. A User may be appointed by and use the CCP Service on behalf of several Customers, but this requires the User to have a separate Account connected to each such Customer (for example a surgeon working for more than one hospital can set up and use several Accounts).
In its use of the CCP Service, the User will always be considered to act on behalf of the Customer connected to the Account that the User is logged into. The User is responsible for its authorization to act and use the CCP Service accordingly and shall immediately terminate its Account connected to that Customer should its authorization to use the CCP Service on behalf of a Customer be terminated.
The User understands and accepts that any content (e.g. written text) that the User uploads in the CCP Service may become available to other Users and is solely responsible that the content may be uploaded and made available accordingly. The User may not upload personal identification numbers in fields that contain free text.
The User shall ensure that login information, security methods and other information provided by OssDsign for access to the CCP Service are handled confidentially and shall notify OssDsign immediately in the event of unauthorized access to such information. The User may not, and nor may the Customer, assign User’s Account or login details to the CCP Service to any other person. Should access to the CCP Service be needed for such other person, the Customer shall instead request OssDsign to appoint that person to register with the CCP Service.
The User may not copy, reverse engineer, decompile or disassemble code that is included in the CCP Service. The User shall further ensure that all data which is imported to the CCP Service by the User is free from viruses, trojans, worms or other malicious code and that the data otherwise cannot interfere with the CCP Service.
5. TERMINATION OF ACCOUNT
The User may terminate its Account by contacting OssDsign. The Customer may terminate all Users’ Accounts connected to the Customer by contacting OssDsign.
If an Account is inactive for more than one (1) year, OssDsign may deactivate the Account. The User and/or Customer may reactivate the Account by contacting OssDsign within 180 days from the deactivation, otherwise the Account may be terminated.
Upon termination of an Account, OssDsign will delete the Account and the User’s access to the Account will immediately cease.
6. INTELLECTUAL PROPERTY RIGHTS AND RIGHTS TO DATA
Any and all rights, including intellectual property rights, to the CCP Service shall remain the sole and exclusive property of OssDsign or third parties.
The Customer retains ownership of all data uploaded to the CCP Service by the User on behalf of the Customer, but assigns to OssDsign a right to use that data to provide the CCP Service and any Products ordered via that service to the Customer. The Customer further assigns to OssDsign a right to, for an indefinite time, freely store, use and aggregate such data (e.g. uploaded CT-scans) after such data has been anonymized by OssDsign. Such anonymized data will be the sole property of OssDsign.
7. PROCESSING OF PERSONAL DATA
8. LIMITATION OF LIABILITY
The Customer shall bear full responsibility for, and OssDsign shall at no times be liable for, its use, through the User, of the CCP Service, including but not limited to the results thereby intended or achieved. It is at all times the Customer’s sole responsibility to ensure that it has the full and lawful right to use the CCP Service, including to transfer submitted data to the CCP Service, and the Customer shall indemnify and hold OssDsign harmless for and against any claims due to the Customer’s deficiency herein.
OssDsign undertakes no responsibility to restore data should there be any loss of data either on the Customer’s or OssDsign’s side and the Customer is thus responsible for back up of its data. OssDsign shall further at no times be liable for any special, indirect, incidental, consequential damage or loss of any kind, regardless of how it was caused and including but not limited to, loss of profit, loss of reputation or goodwill, loss of production, loss of business or business opportunities, loss of revenues or anticipated savings, or loss or corruption of data or information.
Notices under the Agreement shall be provided by sending such notices through the CCP Service, to the other Party’s address or email address as provided from time-to-time. The Customer shall therefore keep updated its user profile in the CCP Service with any changes to its email address.
11. GOVERNING LAW AND DISPUTES
APPENDIX 1 - DATA PROCESSING TERMS
These data processing terms (the “DPT”) apply to the processing of personal data as a result of the Agreement and form part of the Agreement. In case of conflict between the main body of the Agreement and these DPT, these DPT shall take precedence in relation to the processing of personal data under these DPT.
1.1 Applicable Data Protection Law (as defined below) sets out that when a data processor processes personal data on behalf of a data controller or another data processor, such relationship shall be governed by a contract. These DPT have been established to comply with the requirements on such contract and shall apply only when OssDsign acts as data processor on behalf of Customer in Customer’s capacity of data controller.
1.2 Terms used herein shall have the same meaning as set out elsewhere in the Agreement and as set out in Applicable Data Protection Law, Applicable Data Protection Law meaning in these DPT any and all data protection laws and regulations applicable from time to time on the processing of personal data under these DPT (including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR)).
2. Term of these DPT
2.1 These DPT shall apply as soon as and as long as OssDsign processes personal data on behalf of the Customer.
2.2 Upon termination of the Agreement or when OssDsign otherwise stops processing personal data on behalf of the Customer, OssDsign shall, at the request of the Customer and in accordance with the Customer's instructions, delete or urgently return all personal data subject to these DPT to the Customer, unless legislation imposed upon OssDsign (such as Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices requiring OssDsign to ensure adequate follow-up in relation to patient outcome and traceability) prevents it from returning or destroying all or part of the personal data.
3. Processing of personal data
3.1.1 The Customer is responsible for ensuring that the processing of personal data hereunder is in accordance with Applicable Data Protection Law, including, but not limited to, ensuring that OssDsign does not process other categories of personal data than those specified in the appendix "Processing Instructions" as well as ensuring a legal basis applicable to the processing, taking appropriate measures to inform data subjects about relevant processing of personal data and facilitating the exercise of data subjects’ rights in relation to such processing.
3.2 Customer’s instructions
3.2.1 OssDsign, and any person authorized to perform work on its behalf, may only process personal data on behalf of the Customer in accordance with the Customer’s written instructions, such instructions being set out in these DPT including the appendix “Processing Instructions”, unless required to act otherwise by Applicable Data Protection Law; in such a case, OssDsign shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before the processing commences.
3.2.2 Changes to the written instructions, including for the avoidance of doubt, these DPT and the appendix "Processing Instructions", must be documented in writing and agreed by OssDsign, with the exception of written instructions that the Customer during the contract period is required to provide in order to comply with Applicable Data Protection Law. OssDsign shall be entitled to reasonable compensation, in accordance with OssDsign’s current price list, for changes to the written instructions.
3.2.3 If the Customer requests amendments to the written instructions and OssDsign informs the Customer within reasonable time that OssDsign has reasonable grounds for opposing the Customer's amended instructions in order to comply with Applicable Data Protection Law, any Party shall have the right to immediately terminate the Agreement, including for the sake of clarity these DPT, by giving the other Party written notice to that effect.
3.2.4 OssDsign shall immediately inform the Customer if, in its opinion, an instruction is in breach of Applicable Data Protection Law and await further instructions. The Customer shall then provide OssDsign with necessary instructions within reasonable time. If the Customer does not provide such instructions, OssDsign may take necessary measures to ensure compliance with Applicable Data Protection Law. For the avoidance of doubt, this does not affect the Customer’s responsibility under Applicable Data Protection Law and the Agreement, including these DPT.
3.3 Obligation to assist Customer
3.3.1 Taking into account the nature of the processing, OssDsign shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising data subject's rights under Applicable Data Protection Law.
3.3.2 Taking into account the nature of the processing and the information available to OssDsign, OssDsign shall also assist the Customer in ensuring compliance with the Customer’s obligations pursuant to Applicable Data Protection Law, including (where applicable) its obligations to (i) implement appropriate technical and organisational measures, (ii) notify personal data breaches to the supervisory authority, (iii) inform data subjects of personal data breaches, (iv) carry out data protection impact assessments, and (v) carry out prior consultation with the supervisory authority.
3.3.3 OssDsign shall be entitled to reasonable compensation for the assistance provided by OssDsign to the Customer in accordance with this clause 3.3 unless otherwise agreed in writing.
3.4 Disclosure of personal data
3.4.1 OssDsign shall ensure that persons authorized to process, on behalf of OssDsign, the personal data processed under these DPT, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.4.2 OssDsign must not disclose personal data that is subject to processing under these DPT and that is considered confidential, unless otherwise required by law or court or government order. OssDsign shall notify the Customer in such cases, unless prohibited by law or court or government order. If a data subject requests to exercise the data subject's rights under Applicable Data Protection Law, OssDsign shall refer the data subject to the Customer. In accordance with clause 3.3, OssDsign shall assist the Customer in answering such request.
3.4.3 According to Applicable Data Protection Law, OssDsign and its representatives must cooperate with the data protection authority when so requested by the data protection authority. OssDsign shall notify the Customer without undue delay of any requests from the data protection authority or other supervising authority that relates to the processing of personal data under these DPT. OssDsign may not represent the Customer or act on behalf of the Customer for such requests. OssDsign shall be entitled to reasonable compensation for such requested assistance, which relates to the processing of the Customer's personal data.
4. Security of processing
4.1.1 OssDsign shall implement appropriate technical and organizational measures required by Applicable Data Protection Law, as set out in the appendix "Processing Instructions" or otherwise stated in the Agreement to protect the processing of personal data against personal data breaches ("Security Measures").
4.1.2 OssDsign shall adhere to the Security Measures and its own safety regulations. OssDsign may, after entering into the Agreement, amend its own safety regulations provided that the amendment does not violate Applicable Data Protection Law.
4.2 Reporting of personal data breaches
4.2.1 OssDsign shall notify the Customer without undue delay after becoming aware of a personal data breach.
4.2.2 Such notification must, taking into account the nature of the processing and the information available to OssDsign:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of personal data subjects concerned and the categories and approximate number of personal data records concerned;
(b) describe the likely consequences of the personal data breach; and
(c) describe the measures taken or proposed to be taken by OssDsign to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4.2.3 Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
4.2.4 If the Customer, in violation of Applicable Data Protection Law, does not inform the data subject of a personal data breach and the data protection authority orders OssDsign to address the shortcoming, the Customer shall reimburse OssDsign's costs to comply with the order of the data protection authority.
5.1.2 In case OssDsign uses sub-processors, data processing agreements shall be concluded between OssDsign and such sub-processor. Such data processing agreement shall ensure that the sub-processor undertakes the same obligations regarding protection of personal data as set forth in these DPT and shall provide sufficient guarantees that the sub-processor will perform appropriate technical and organisational measures in a manner that ensures that the processing complies with Applicable Data Protection Law. If OssDsign uses sub-processors, OssDsign shall be fully responsible, with the limitations set out in the Agreement and these DPT, for the acts and omissions of such sub-processors in relation to the Customer.
6. Processing of personal data in countries outside EU/EEA
OssDsign may process personal data in a country outside of the EU/EEA unless otherwise agreed. OssDsign shall then ensure that such processing at all times complies with Applicable Data Protection Law. This may e.g. be achieved by establishing a binding agreement, in accordance with the applicable EU Commission Model Contracts for the transfer of personal data to third countries, between OssDsign and any sub-processors. Processing in a country outside the EU/EEA may also take place on the basis of a valid adequacy decision or on the basis of binding corporate rules that have been approved by the relevant supervisory authorities, to the extent OssDsign and the relevant sub-processors have adopted the same binding corporate rules.
7. Information and audits
7.1 OssDsign shall, in addition to what is set out in the Agreement, provide the Customer with any information required to show that the requirements on processors under Applicable Data Protection Law have been performed, as well as to allow and contribute to audits, including inspections carried out by the Customer or by an auditor appointed by the Customer. If the Customer wishes to carry out an inspection, the Customer shall inform OssDsign about this with reasonable notice in advance and at the same time specify the content and extent of the inspection. The reasonable costs incurred by OssDsign in connection with carrying out such audit may be charged to the Customer. An inspection may only be carried out if an audit under Applicable Data Protection Law cannot be accomplished through OssDsign's supplying of information.
7.2 OssDsign shall immediately inform the Customer if OssDsign considers that information, including any inspections, pursuant to clause 7.1, is not required or in violation of Applicable Data Protection Law.
7.3 An audit according to clause 7.1 requires that the Customer or auditor appointed by the Customer meets required confidentiality obligations and complies with OssDsign’s security measures of the site where the inspection is to be carried out and that the inspection is carried out with no risk to OssDsign’s business or the protection of other customers' information. Information gathered as part of the audit must be deleted after completion of the inspection or when it is no longer needed for the purpose of the audit.
8. Limitation of liability
8.1 The Customer shall indemnify and hold OssDsign harmless from any and all damages, claims, losses, costs and expenses of any kind brought by a third party (including supervisory authorities) against OssDsign which is attributable to OssDsign’s processing of personal data under these DPT, unless and to the extent OssDsign has processed personal data in breach of its obligations as processor under these DPT, Applicable Data Protection Law or the Customer’s written instructions as set out in clause 3.2.
8.2 OssDsign shall indemnify and hold the Customer harmless from any and all damages, claims, losses, costs and expenses of any kind brought by a third party (including supervisory authorities) against the Customer which is attributable to OssDsign’s processing of personal data under these DPT, if and to the extent OssDsign has processed personal data in breach of its obligations as processor under these DPT, Applicable Data Protection Law or the Customer’s written instructions as set out in clause 3.2. Unless acting with intent or through gross negligence, OssDsign's total liability under these DPT and during the full term of the Agreement shall for each calendar year be limited to the order value for the last 12 months.
8.3 The limitation of liability pursuant to this clause 8 shall continue to apply after the Agreement has otherwise been terminated.
8.4 A Party subject to claim by data subject shall, within a reasonable time, inform the other Party in writing of such claims when it is likely according to the first Party that claims against the other Party, according to clauses 8.1 and 8.2, may be brought. The first Party shall make available to the other Party relevant documentation of data subject and the first Party and allow the other Party to provide its suggestion in the matter. A Party must claim damages from the other Party in accordance with this clause 8 no later than two (2) years after being held liable for damages to data subject.