Data Processing Agreement
This Data Processing Agreement (“DPA”) sets forth the terms and conditions by which Marken processes Personal Data for performance of the services agreed between Marken and the Client (the “Services”).
1. Marken and Client will process personal data in compliance with applicable local laws, enactments, regulations, orders, standards and other similar instruments, which may include the General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and any other applicable law (collectively, the “Data Protection Laws”).
2. In this Agreement, the terms “data subject”, “personal data”, “processing”, “processor”, “controller”, “data concerning health”, “sensitive data” or “Protected Health Information (PHI)” are as defined in the Data Protection Laws and “Service Data” means any patient personal data, processed by Marken on Client’s behalf.
3. Marken and Client agree that:
- Client is the controller, or acts on behalf of the controller, and Marken acts as processor in relation to Service Data;
- Client will be solely responsible for determining the purposes for, and the manner in which, Service Data is processed, and Client will only require Marken to process Service Data which is necessary, accurate, adequate, relevant and is not excessive for the purposes of providing the Services;
- In the event that Marken or Client receives a request or complaint made by a data subject or authority/regulator under Data Protection Laws in relation to Service Data which prohibits Marken from processing Service Data or providing the Services, Marken shall not be deemed in breach of this Agreement for complying with a valid request, direction or order.
4. Marken will:
- only process Service Data in accordance with Client’s written instructions and only to the extent reasonably necessary for the performance of the Services;
- not disclose Service Data to any third party except as necessary for the performance of the Services, to comply with applicable laws or with Client’s prior consent;
- co-operate with Client to the extent applicable and reasonably necessary to enable Client to adequately discharge Client’s responsibility as a data controller under Data Protection Laws.
- implement appropriate technical and organizational measures to:
  - protect Service Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, access, or processing; and
  - restrict access to Service Data to personnel who require access to it in order for Marken to provide services to Client. Marken will ensure that any personnel who process Service Data are bound by reasonably appropriate data protection obligations and subject to a duty of confidence.
- promptly notify Client in writing of:
  - any request or complaint made by a data subject or authority/regulator under Data Protection Laws in relation to or in connection with Service Data processed by Marken on Client’s behalf. Marken will co-operate with, and reasonably assist, Client in regard to any request or complaint received pursuant to any Data Protection Laws.
  - any actual loss, accidental or unlawful destruction, damage and/or unauthorised disclosure, access or processing of Service Data, including reasonable details of the same.
- delete or return all Service Data processed by Marken on Client’s behalf in connection with this DPA, except as provided otherwise by law, regulation, on Client’s written instructions.
5. Client represents and warrants that:
- the legal grounds it relies on to process Service Data in accordance with Data Protection Laws allow Marken (and its subcontractors) to legally (i) process Service Data in accordance with Marken’s provision of the Services to Client; and (ii) transfer and store Service Data outside of the jurisdiction where it was collected for the purposes of providing the Services or as part of Marken’s internal data storage procedures (where such personal data will be stored on servers located in Western Europe). Client acknowledges that where Client relies on consent as the applicable legal grounds for the processing of Service Data, Client has obtained valid, explicit, freely given consent for Marken to process his or her personal data, and data subjects will have been given all necessary information to allow them to make an informed, objective decision whether to allow Marken to process their personal data, including being advised that their personal data may be transferred to countries which may not have local data protection obligations as strict as the countries in which the Service Data originated.
- to the extent the Service Data contains (or would otherwise contain) PHI, each patient has provided a valid HIPAA authorization permitting the processing of his/her Protected Health Information for the purposes of providing the Services.
6. Client will not transmit or otherwise disclose any Service Data to Marken unless necessary for Marken to perform the Services.
7. Marken is reliant on Client for direction as to the extent to which Marken is entitled to use and process the Personal Data. Consequently, Marken will not be liable for any claim brought by a Data Subject arising from any action or omission by Marken, to the extent that such action or omission resulted directly from Client’s instructions.
8. In the event Client requests Marken to provide any report, record, listing, or outline relating to the Services that contains personal data (other than Marken employee or contractor data), Client has ensured there is a valid legal basis for the compilation and delivery of such report and that Client’s use of such reports will be in compliance with applicable laws.
9. Where Client processes personal data on Marken’s behalf, including without limitation employees, personnel, subcontractor personal data (“Marken Data”), Client shall ensure that (a) it has adequate security measures in place to protect Marken Data and (b) it shall not transfer Marken Data outside the jurisdiction in which it was collected without Marken’s consent. Client shall notify Marken of any data breach or suspected data breach affecting Marken Data as soon as it becomes aware of or suspects the data breach.
Updated May 2024