Data Processing Agreement
The Client as named in the main agreement of which this data processing agreement forms a part.
and
The MedGuide Company B.V., trading under the name The MedGuide Company, registered in the Commercial Register of the Chamber of Commerce under number 76091465, with its registered office and principal place of business in (1013 AP) Amsterdam at Danzigerkade 227 B (hereinafter referred to as MedGuide or Processor), herein legally represented by its managing director, Mr. J.T. van der Kleij;
hereinafter jointly referred to as: Parties.
The Parties take the following into consideration:
And agree as follows:
and
The MedGuide Company B.V., trading under the name The MedGuide Company, registered in the Commercial Register of the Chamber of Commerce under number 76091465, with its registered office and principal place of business in (1013 AP) Amsterdam at Danzigerkade 227 B (hereinafter referred to as MedGuide or Processor), herein legally represented by its managing director, Mr. J.T. van der Kleij;
hereinafter jointly referred to as: Parties.
The Parties take the following into consideration:
- The Client, as the Data Controller for personal data under the General Data Protection Regulation (hereinafter referred to as: GDPR), is obliged to enter into a data processing agreement with the Processor;
- In the context of the work agreed upon between the parties as laid down in an agreement and to be executed by the Processor, the Processor will process personal data belonging to the Client on behalf of and as instructed by the Client, without being subject to the direct authority of the Client;
- In executing the work, the Processor will process personal data in accordance with the instructions and under the responsibility of the Client;
- The Client and the Processor have taken note of Article 32 of the GDPR in order to choose an appropriate level of protection;
- Additionally, other processing activities may be commissioned in writing by the Client to the Processor, which will be attached as an annex to this data processing agreement;
- The Processor will only carry out those data processing activities that have been commissioned in writing by the Client;
- If, by order of the Client, more or other personal data are processed or if processing is carried out differently than described in the applicable annex, this data processing agreement shall also apply to those processing activities and personal data.
And agree as follows:
Article 1. Definitions
Unless defined otherwise in this Agreement, the terms used have the meaning assigned to them in the General Data Protection Regulation (EU) 2016/679 (GDPR).
Article 2. Subject and scope of processing
- The Controller instructs the Processor to process personal data on its behalf, which instruction is hereby accepted by the Processor.
- The Controller remains the data controller within the meaning of the GDPR. The Processor has no independent authority over the personal data.
- The Processor shall process personal data solely on the basis of documented instructions from the Controller, unless processing is required by applicable law.
- If an instruction infringes the GDPR or other data protection legislation, the Processor shall inform the Controller without delay.
- The Processor shall process only the personal data and for the purposes as described in Appendix 1.
Article 3. Compliance with legislation
The Processor shall comply with the GDPR and all other applicable data protection legislation when processing personal data on behalf of the Controller.
Article 4. Liability
- The Processor is liable only for direct damage resulting from a culpable failure to comply with this DPA or the GDPR.
- Liability for indirect damage, consequential damage, loss of profit, loss of revenue, reputational damage or loss of data is excluded.
- The total liability of the Processor is limited to the amount paid out by its liability insurer.
- If no insurance payout is made, liability is limited to the total fees paid by the Controller in the twelve (12) months preceding the event.
- These limitations also apply to persons engaged by the Processor.
- The limitations do not apply in cases of intent or wilful misconduct by the Processor's management.
Article 5. Security measures and audits
- The Processor shall implement and maintain appropriate technical and organisational measures as required under Article 32 GDPR.
- These measures are aligned with recognised information security standards, including ISO 27001 and NEN 7510.
- Upon request, the Processor shall make available information necessary to demonstrate compliance.
- The Controller may conduct or commission an audit once per year. Audit costs are borne by the Controller, unless material non-compliance is established.
Article 6. Personal data breaches
- The Processor shall notify the Controller of a personal data breach without undue delay and no later than 48 hours after discovery.
- The Processor shall take all reasonable measures to mitigate and remediate the breach.
- Details of breach notification are set out in Appendix 2.
- Notification to supervisory authorities or data subjects shall be carried out exclusively by the Controller, with assistance from the Processor where required.
Article 7. Sub-processors
- The Processor may engage sub-processors only with the prior written consent of the Controller.
- Sub-processors must provide equivalent safeguards regarding data protection and information security.
- The Processor remains fully liable for compliance by its sub-processors.
Article 8. Confidentiality
- The Processor ensures that persons authorised to process personal data are bound by confidentiality obligations.
- Confidentiality obligations survive termination of this DPA.
Article 9. Data subject rights
- If a data subject submits a request directly to the Processor, the Processor shall forward the request to the Controller without delay.
- The Processor shall reasonably assist the Controller in fulfilling its obligations towards data subjects.
Article 10. Final provisions
- This DPA is governed exclusively by Dutch law.
- Disputes shall be submitted to the competent court in the district where the Processor is established.
- This DPA enters into force upon signature and remains effective for the duration of the main agreement.
- In the event of inconsistencies between this English version and the Dutch version, the Dutch version shall prevail.
Appendix 1 - Description of Processing Activities
Processing activities
The Processor performs the following activities on behalf of the Controller:
- Analysing, prioritising and reporting pharmacotherapeutic issues for patients of the Controller by means of a pharmacotherapeutic analysis.
- Presenting results to the Controller via an online results dashboard.
- Making results available for export from the online dashboard by the Controller.
Data subjects
Patients of the Controller.
Categories of personal data
- Patient identification number
- Name
- Address
- City of residence
- Email address
- Telephone number
- Gender
- Age or date of birth
- Additional personal data strictly necessary for the performance of the services
Retention periods
Data Files
To avoid storing unnecessary client data on the MedGuide Platform servers, automatically supplied data files are deleted after 30 days, unless otherwise agreed.
Sub-processors within the European Economic Area
The Client grants permission for the engagement of the following Sub-processors established within the European Economic Area:
Sub-processors outside the European Economic Area
The Client grants permission for the engagement of the following Sub-processors established outside the European Economic Area:
To avoid storing unnecessary client data on the MedGuide Platform servers, automatically supplied data files are deleted after 30 days, unless otherwise agreed.
Sub-processors within the European Economic Area
The Client grants permission for the engagement of the following Sub-processors established within the European Economic Area:
| Name | Address Details | Processing Operations | ||
|---|---|---|---|---|
| Microsoft Netherlands | Evert van Beekstraat 354, 1118 CZ Schiphol | MS Azure | ||
| MongoDB | Wilhelminakade 173, 3072 AP Rotterdam | Database |
Sub-processors outside the European Economic Area
The Client grants permission for the engagement of the following Sub-processors established outside the European Economic Area:
- Not applicable.
Appendix 2 - Personal Data Breach Notification by the Processor
Data breach notification
The Processor shall notify the Controller of a personal data breach within 48 hours after discovery. Updates will be provided as soon as available.
Breach notification form
This document was last updated on January 29, 2026.