Data Processing Agreement (GDPR)

1. Parties and Role in Processing

Data Controller: the professional or client entity that contracts the IKI Health platform and decides the purposes and means of processing their patients'/clients' data.

Data Processor: IKI HEALTH GROUP S.L., which processes personal data on behalf of the Controller exclusively to provide the service described in the Terms and Conditions.

2. Purpose, Objective and Duration of the Assignment

This DPA aims to regulate the processing of personal data by IKI Health, on behalf of the Controller, with the sole purpose of providing the contracted SaaS platform services.

The assignment will have the same duration as the main contractual relationship; upon termination, IKI Health will delete or return the data to the Controller, except for blocked retention due to legal obligations.

3. Categories of Data Subjects and Data

Among others, data may be processed relating to: patients/clients of the Controller, end users of the platform, and Controller personnel who access it.

Data categories include identifying and contact data, and data related to habits, well-being, health and lifestyle, considered special categories of data under GDPR.

4. Obligations of the Processor (IKI Health)

IKI Health commits to:

  • Process personal data only following documented instructions from the Controller and for the purpose of providing the service.
  • Not use data for its own purposes, nor transfer it to third parties except to authorized sub-processors or under a reasoned legal requirement.
  • Ensure that persons authorized to process data commit in writing to maintain confidentiality and receive necessary training in data protection.
  • Implement appropriate technical and organizational measures to ensure confidentiality, integrity, availability and resilience of systems, according to the risk associated with health data.
  • Keep a record of processing activities corresponding to services provided as processor.
  • Notify the Controller, without undue delay and in any case within a maximum period of 48 hours, of any security breach of personal data of which it becomes aware, including the minimum information required by GDPR.
  • Assist the Controller in attending to requests for exercising data subjects' rights and in conducting impact assessments or prior consultations when appropriate.

5. Sub-processors

IKI Health may use technology providers (e.g., hosting services, communications, payment gateways) that act as sub-processors, selected for their GDPR compliance.

In these cases, IKI Health will sign with each sub-processor a contract imposing the same data protection obligations as those provided in this DPA; IKI Health will remain fully responsible to the Controller for the sub-processor's compliance with obligations.

6. Assistance to Controller and Data Subject Rights

IKI Health will assist the Controller, as far as possible and taking into account the nature of processing, so that it can fulfill its obligation to respond to requests for exercising rights of access, rectification, erasure, objection, restriction, portability and not to be subject to automated decisions.

When a data subject directly addresses a request for exercising rights to IKI Health relating to data processed on behalf of the Controller, IKI Health will communicate it to the Controller without undue delay and, in any case, within the following business day.

7. Data Destination at Service Termination

Upon completion of the service provision, IKI Health will delete the personal data or return it to the Controller or, where appropriate, to another processor designated by the Controller, together with any medium containing it, unless there is a legal obligation to retain it.

In case of retention, the data will remain duly blocked for as long as legal liabilities may arise.

8. Security Measures

IKI Health commits to maintaining technical and organizational security measures appropriate to the risk, which will include, at least:

  • Logical and physical access control to systems.
  • Pseudonymization and/or encryption of personal data, when appropriate.
  • Backups and mechanisms for rapid restoration of data availability in case of incident.
  • Regular verification, evaluation and assessment procedures of the effectiveness of implemented measures.