Data Processing Agreement

This Data Processing Agreement forms an integral part of the agreement between the Customer (the Controller) and The MedGuide Company B.V., established at Danzigerkade 227B, 1013 AP Amsterdam, the Netherlands (the Processor).

Article 1. Definitions

Unless defined otherwise in this Agreement, the terms used have the meaning assigned to them in the General Data Protection Regulation (EU) 2016/679 (GDPR).

Article 2. Subject and scope of processing

  1. The Controller instructs the Processor to process personal data on its behalf, which instruction is hereby accepted by the Processor.
  2. The Controller remains the data controller within the meaning of the GDPR. The Processor has no independent authority over the personal data.
  3. The Processor shall process personal data solely on the basis of documented instructions from the Controller, unless processing is required by applicable law.
  4. If an instruction infringes the GDPR or other data protection legislation, the Processor shall inform the Controller without delay.
  5. The Processor shall process only the personal data and for the purposes as described in Appendix 1.

Article 3. Compliance with legislation

The Processor shall comply with the GDPR and all other applicable data protection legislation when processing personal data on behalf of the Controller.

Article 4. Liability

  1. The Processor is liable only for direct damage resulting from a culpable failure to comply with this DPA or the GDPR.
  2. Liability for indirect damage, consequential damage, loss of profit, loss of revenue, reputational damage or loss of data is excluded.
  3. The total liability of the Processor is limited to the amount paid out by its liability insurer.
  4. If no insurance payout is made, liability is limited to the total fees paid by the Controller in the twelve (12) months preceding the event.
  5. These limitations also apply to persons engaged by the Processor.
  6. The limitations do not apply in cases of intent or wilful misconduct by the Processor's management.

Article 5. Security measures and audits

  1. The Processor shall implement and maintain appropriate technical and organisational measures as required under Article 32 GDPR.
  2. These measures are aligned with recognised information security standards, including ISO 27001 and NEN 7510.
  3. Upon request, the Processor shall make available information necessary to demonstrate compliance.
  4. The Controller may conduct or commission an audit once per year. Audit costs are borne by the Controller, unless material non-compliance is established.

Article 6. Personal data breaches

  1. The Processor shall notify the Controller of a personal data breach without undue delay and no later than 48 hours after discovery.
  2. The Processor shall take all reasonable measures to mitigate and remediate the breach.
  3. Details of breach notification are set out in Appendix 2.
  4. Notification to supervisory authorities or data subjects shall be carried out exclusively by the Controller, with assistance from the Processor where required.

Article 7. Sub-processors

  1. The Processor may engage sub-processors only with the prior written consent of the Controller.
  2. Sub-processors must provide equivalent safeguards regarding data protection and information security.
  3. The Processor remains fully liable for compliance by its sub-processors.

Article 8. Confidentiality

  1. The Processor ensures that persons authorised to process personal data are bound by confidentiality obligations.
  2. Confidentiality obligations survive termination of this DPA.

Article 9. Data subject rights

  1. If a data subject submits a request directly to the Processor, the Processor shall forward the request to the Controller without delay.
  2. The Processor shall reasonably assist the Controller in fulfilling its obligations towards data subjects.

Article 10. Final provisions

  1. This DPA is governed exclusively by Dutch law.
  2. Disputes shall be submitted to the competent court in the district where the Processor is established.
  3. This DPA enters into force upon signature and remains effective for the duration of the main agreement.
  4. In the event of inconsistencies between this English version and the Dutch version, the Dutch version shall prevail.

Appendix 1 - Description of Processing Activities

Processing activities

The Processor performs the following activities on behalf of the Controller:
  • Analysing, prioritising and reporting pharmacotherapeutic issues for patients of the Controller by means of a pharmacotherapeutic analysis.
  • Presenting results to the Controller via an online results dashboard.
  • Making results available for export from the online dashboard by the Controller.

Data subjects

Patients of the Controller.

Categories of personal data

  • Patient identification number
  • Name
  • Address
  • City of residence
  • Email address
  • Telephone number
  • Gender
  • Age or date of birth
  • Additional personal data strictly necessary for the performance of the services

The Controller shall ensure that no more personal data are provided than strictly necessary.

Retention periods

Data Files
To avoid storing unnecessary client data on the MedGuide Platform servers, automatically supplied data files are deleted after 30 days, unless otherwise agreed.

Sub-processors within the European Economic Area
The Client grants permission for the engagement of the following Sub-processors established within the European Economic Area:
Name                   | Address details                              | Processing operations
Microsoft Netherlands  | Evert van Beekstraat 354, 1118 CZ Schiphol   | MS Azure
MongoDB                | Wilhelminakade 173, 3072 AP Rotterdam        | Database

Sub-processors outside the European Economic Area
The Client grants permission for the engagement of the following Sub-processors established outside the European Economic Area:
  • Not applicable.

Appendix 2 - Personal Data Breach Notification by the Processor

Data breach notification

The Processor shall notify the Controller of a personal data breach within 48 hours after discovery. Updates will be provided as soon as available.

Breach notification form

1. Contact Persons

Processor contact person

Name
Jan van der Kleij
Function
Security Officer
Phone number
+31 (0)6-53838654
Email address
security@themedguidecompany.com

2. Is this a follow-up to a previous notification?

3. If 'yes' was answered to the previous question: what is the date of the original notification?

4. If 'yes' was answered to question 2: what is the purpose of the follow-up notification?

Check the correct option.

5. When choosing option B for question 4: what is the reason for the withdrawal?

6. Provide a summary of the incident in which the personal data breach occurred.

7. How many individuals' personal data are involved in the breach?

8. Describe the group of people whose personal data are involved in the breach.

9. When did the breach occur?

Choose the correct option and enter the date(s).

10. When was the breach discovered?

11. What is the nature of the breach?

Check the correct option(s). Note: multiple answers possible.

12. Which types of personal data are involved?

Check the correct option(s). Note: multiple answers possible.

13. What consequences can the breach have for the privacy of the data subject?

Check the correct option(s). Note: multiple answers possible.

14. What technical and organizational measures has your organization taken to address the breach and to prevent further breaches?

15. When was the data breach reported to the Client?

16. What means was used to make the report?

Check the correct option.

17. Have the personal data been encrypted, hashed, or otherwise made unintelligible or inaccessible to unauthorized parties?

Check the correct option.

18. If the personal data have been wholly or partially made unintelligible or inaccessible, in what way was this done?

19. In your opinion, is this report complete?

Check the correct option.

20. Conclusion

21. The form was received by the Client on

This document was last updated on January 29, 2026.