PAROL Data Processing Terms

These Data Processing Terms (the “Data Processing Terms”) are incorporated in the PAROL Terms and Conditions (the “Parol Terms”). Your use of Parol is subject to the Terms which include these Data Processing Terms. These Data Processing Terms apply in relation to Your use of our Lite and Plus versions of the Parol platform. 

We are Dikta Inc S.R.L., a private limited liability company (societate cu răspundere limitată) existing under the laws of Romania, having its registered office at 27 Frunzișului Street, District 4, Bucharest, Romania, registered with the Romanian Trade Registry under number J40/11619/2020 and having Sole Registration Number 43048037, acting as data processor for You in relation to the data processing activities conducted when you use our Services.

1. Interpretation

1.1. In these Data Processing Terms, capped terms shall have the meanings ascribed to them herein below or in the Parol Terms:

“Controller” refers to the entity which determines the purposes and means of a data processing activity. You are the Controller of the Personal Data and processing activities conducted in relation to Your use of the Services. 

“Data Processor” refers to an entity which processes personal data in the name and on behalf of another entity, the Controller. We act as Data Processor for you in relation to the processing activities conducted in relation to Your use of the Services.

“Data Protection Authority” refers to the Romanian National Supervisory Authority for Personal Data Processing and to any other data protection authority with competence in relation to supervision of the processing of the Personal Data. 

“Data Protection Legislation” means all privacy and data protection laws applicable to the Personal Data, including in particular the GDPR (as defined below), as supplemented by national data protection and privacy laws, all as amended from time to time, and the Romanian Law no. 190/2018 on measures implementing and applying the GDPR, as well as all laws and regulations made pursuant to and in relation to such legislation together with all codes of practice and other guidance on the foregoing issued by any relevant Data Protection Authority, all as amended from time to time.

“Data Subject” means a natural person who may be identified or is identifiable based on the Personal Data. This refers to Your patients, mainly, as well as to any other persons (except for You) who You use our Services for.

“Data Subject Request” refers to a request by a Data Subject which is grounded on the Data Subject’s rights pursuant to the applicable Data Protection Legislation, in particular those under art. 15-22 of the GDPR.

“EEA” means the European Economic Area. 

“GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Party” means either You, as Controller, or us as Data Processor, and refers to a Party to these Data Processing Terms. 

“Personal Data” means the personal data that You include in Parol or is recorded by Parol when You use our Services. This concerns, for instance, names, age, gender, health data of Your patients or of Your personnel. It does not include See further details on what Personal Data includes in Annex 1 (Description of Processing Activities) hereto.  

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

“Sensitive Personal Data” means Personal Data including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. 

“Parol”, “Platform”, “Services”, “” will have the meanings set out in the Parol Terms. 

1.2. Terms defined in the GDPR that are used in these Data Processing Terms will have the same meaning in this Agreement as in the GDPR. These Data Processing Terms will be interpreted in light of the provisions of the GDPR and in a way that does not conflict with the rights and obligations set out in the GDPR or in a way that prejudices the fundamental rights or freedoms of Data Subjects.

1.3. In case of conflict between the terms of these Data Processing Terms and those of the Parol Terms in relation to matters related to the processing and protection of the Personal Data, these Data Processing Terms will prevail.

2. Purpose and Scope

2.1. The purpose of these Data Processing Terms is to ensure compliance with Articles 28(3) and 28(4) of the GDPR of the processing of Personal Data carried out by us as Data Processor in the fulfilment of the services under the Parol Terms.

2.2. These Data Processing Terms apply to the processing of the Personal Data carried out by us as Data Processor, as described in Annex 1 hereto (which forms an integral part of these Data Processing Terms).

2.3. These Data Processing Terms are without prejudice to the respective obligations of each Party pursuant to the Data Protection Legislation. Each Party is solely responsible and liable for compliance with the requirements of the applicable Data Protection Legislation. By the acceptance of the Parol Terms and of these Data Processing Terms, You declare and warrant that the entry into these Data Processing Terms does not breach any laws applicable to You, in particular the Data Protection Legislation.

3. Obligations of the Parties

3.1. Instructions.

a) We as Data Processor will process the Personal Data only for the performance of the Services. Your actions when you use the Services as well as the configuration and structure of Parol represent Your processing instructions to us.

b) You may also provide us with further instructions throughout Your use of Parol. We reserve the right to inform you that any processing instruction that You give us is illegal or contrary to the Parol Terms and to refuse to carry out such instruction.

3.2. Purpose limitation.

a) We as Data Processor will process the Personal Data only for purposes related to the provision of the Parol platform to You and performance of our Services (as also detailed in Annex 1 hereto).

3.3. Duration of processing.

a) We will process the Personal Data only until You issue the medical notes for the patient who is the Data Subject. Once the medical note is issued, we delete the recording on the Platform and the Personal Data. This does not apply to, and we cannot be held liable for, the length of the period of time during which you retain the Personal Data.

3.4. Security of processing.

a) We as Data Processor implement appropriate technical and organisational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access, or generally from Security Incidents.

b) Our staff members who have access to the Personal Data are subject to a strict duty of confidentiality in relation to the use of the Personal Data.

3.5. Documentation and compliance.

a) We as Data Processor are happy to take Your questions and requests for information regarding the processing of Personal Data under these Data Processing Terms to demonstrate compliance with the applicable data protection legislation. Please consult our Frequently Asked Questions (FAQ) before sending us a question or request as You may find the information You need there.

3.6. Sub-processing.

a) We as Data Processor rely on various sub-contractors to provide the Services, to whom we disclose the Personal Data and who are sub-processors of the Personal Data. We have entered into written agreements with such sub-processors containing data protection obligations to the extent applicable to the nature of the services provided by each such sub-processor. You may find the list of the sub-processors currently appointed by us in Annex 1 hereto.

b) You agree that we have your general authorisation to appoint the sub-processors that we rely upon to perform the Services. We will post on Parol any intended change of sub-processors well in advance. If you do not agree with the proposed sub-processor, You may send us Your objections to the appointment of the proposed new sub-processor or terminate Your use of the Parol platform.

4. Assistance provided to the Controller

4.1. We will notify You as Controller of any request received from a Data Subject in relation to the processing of such Data Subject’s personal data and will use reasonable efforts to assist You with answering such request to the extent of the processing activities conducted for the provision of the Parol platform and the performance of the Services.

4.2. We as Data Processor will also provide You with reasonable assistance to demonstrate the compliance of the Parol platform with the requirements of Data Protection Legislation and to assist You with complying with Your obligations under the Data Protection Legislation. You may exercise Your right to audit our processing activity for You by requesting, once a calendar year, our self-assessment report on our compliance with our obligations under these Data Processing Terms.

5. Restricted transfers and disclosures of the Personal Data.

5.1. We as Data Processor will process the Personal Data only within the EEA or in countries in respect of which the European Commission has issued adequacy decisions in relation to the level of protection and security of personal data in those countries.

5.2. Exceptionally, we may rely on sub-processors who are located outside the EEA to process or store the Personal Data or generally assist with the performance of the Services or in other cases permitted by the Data Protection Legislation. We will only do so provided that a transfer mechanism allowed by the Data Protection Legislation is in place and adequate safeguards for the protection of Personal Data are applied.

6. Management of Security Incidents.

6.1. We are applying state-of-the-art security measures in relation to the personal data used when we perform the Services and we rely on sub-processors who offer state-of-the-art security safeguards. However, we cannot exclude that Security Incidents occur.

6.2. In the event of a Security Incident, we as Data Processor shall cooperate with and assist You as Controller in complying with Your obligations under Articles 33 and 34 of the GDPR, taking into account the nature of the processing and the information available to us.

6.3. If the Security Incident relates to Personal Data processed by us as Data Processor, we will, upon becoming aware of the Security Incident, notify You as Controller without undue delay. We will provide You information required by the Data Protection Legislation to assist You with managing the Security Incident. Where and to the extent that it is not possible to provide all such information at the same time, we will provide the required information in phases, as soon as it becomes available.

7. Termination.

7.1. We as Data Processor will promptly inform You as Controller if we are unable to comply with Your instructions or with these Data Processing Terms for any reason whatsoever.

7.2. We may terminate our relationship and delivery of our Services with immediate effect, based on a notification addressed to You, if the processing of the Personal Data is deemed illegal under the applicable laws or under a court order or Data Protection Authority decision, and compliance with the Data Protection Legislation cannot be achieved with reasonable efforts. You will be entitled to restitution of amounts paid in advance for the Services determined pro rata with the period of time during which the Services are not available.

7.3. We may terminate our relationship and delivery of our Services with immediate effect and with no right of restitution of any amounts paid by You for our Services, based on a notification addressed to You, if we reasonably believe that the processing of Personal Data on Your behalf is illegal, or if we believe that You or Your instructions are in breach of the Data Protection Legislation or of the Parol Terms or of these Data Processing Terms.

8. Retention and deletion of the Personal Data.

8.1. We as Data Processor will delete the Personal Data received from You as soon as You generate the corresponding medical record notes and in any event at the latest 30 days after the recording is made. We may delete the Personal Data sooner upon your reasonable request.

9. Miscellanea.

9.1. Responsibility. We as Data Processor cannot be held liable for the breach by You as Controller of the applicable Data Protection Legislation in relation to Your use of the Services.

9.2. Limitation of liability. Our liability in relation to these Data Processing Terms is subject to the limitation of liability set out in the Parol Terms.


ANNEX 1. DESCRIPTION OF PROCESSING ACTIVITIES.

Please find below the description of our data processing activities conducted when performing our Services. We are happy to provide further information as may be required.

Categories of Data Subjects whose personal data are processed:

We are processing on Your behalf the Personal Data of Your patients. We may process on Your behalf limited Personal Data of Your personnel if You decide to grant us access, during Your use of the Parol platform, to these data. 

Categories of Personal Data Processed:

We process on Your behalf the following categories of Personal Data:

  • Patient identification code and consultation code (generated by You);
  • Patient identification details (name);
  • Patient personal characteristics (age, gender);
  • Patients’ voice;
  • Patients’ health data;
  • Your personnel’s identification details (name, position).

Nature of processing:

We are collecting the Personal Data mentioned above when You access the Parol platform and use our Services. The Personal Data is collected while recording the conversations You have with Your patients and, as applicable, Your personnel involved in Your medical consultations.

We process the Personal Data by applying our speech-to-text technology and, subsequently, extracting the relevant information to generate the medical record notes for Your usage. We retain the Personal Data after the recording of the conversation with Your patient and until the moment when You generate the medical record notes, but no more than 30 days after the date of the recording. Once the medical record notes are generated, You can download or transfer them from the Parol platform to Your systems.

The Personal Data are recorded remotely, when You use the Parol platform, and are transferred to our data centres (held by one of our service providers in the EEA), where they are stored until deletion. The processing of the Personal Data is conducted relying on processing capabilities made available by our service providers in the EEA.

Purpose(s) for which Personal Data are Processed on behalf of the Controller:

We process the Personal Data for purposes related to the provision of the Parol platform to You and for the performance of our Services. In particular, we are processing the Personal Data (i) to record the medical consultations You have with Your patients and (ii) to generate the medical record notes in relation to Your medical consultations with Your patients.

Duration of processing:

We are processing the Personal Data from the recording of Your medical consultation with Your patients for a period of time up to 30 days, until the generation of the medical record notes or the expiry of the 30-day term, whichever comes sooner.

Our sub-processors

We rely, in order to provide the Parol platform and our Services, on the following sub-processors:
1. Sub-processor: Microsoft Azure
Address: 37/45 Quai du President Roosevelt, Issy-les-Moulineaux, 92130 France
Description of processing activity: hosting, back-up, data processing services (via rented GPU units).
Duration of processing: up to 30 days after the recording of the medical consultation.
2. Sub-processor: Cloud Craft SRL
Address: Bucharest, Romania
Description of processing activity: DevOps Services
Duration of processing: up to 30 days after the recording of the medical consultation.
3. Sub-processor: Andrei Avram PFA
Address: Craiova, Romania
Description of processing activity: AI Engineering Services
Duration of processing: up to 30 days after the recording of the medical consultation.
4. Sub-processor: SGO Webdevelopment SRL
Address: Bucharest, Romania
Description of processing activity: Back-End Development Services
Duration of processing: up to 30 days after the recording of the medical consultation.

Your rights and obligations as Controller
Your rights and obligations as Controller are set out in the Parol Terms, these Data Processing Terms and the Data Protection Legislation.