Terms & Conditions
MintT SA - VAT No. BE0544.636.885
Registered office: Avenue Louise 251 - 1000 Brussels
Quai Paul Verlaine 2, bte 2 - 6000 Charleroi
BELGIUM
RPM Brussels
Tel: +32 (0)2 319 53 39
Email: contact@mintt.care
Website: https://mintt.odoo.com/
The services and equipment specified in the offer addressed to the Client and accepted by the latter (the "Offer") will be provided by MintT SA, a company incorporated under Belgian law with registered office at Avenue Louise 251, 1000 Brussels, Belgium, and registered with the Crossroads Bank for Enterprises under number 0544.636.885 ("MintT"), in accordance with these General Terms and Conditions. The Client's full contact details are set out in the Offer. The Client and MintT are hereinafter individually referred to as a "Party" and collectively as the "Parties".
1. Order of priority
In the event of a conflict between the provisions of the Agreement (comprising the Offer, these General Terms and Conditions and the annexes), the provisions that apply shall be determined according to the following order of priority: (a) Offer, (b) General Terms and Conditions and (c) annexes. For the purposes of the foregoing, an omission shall not in itself be considered to give rise to a conflict or inconsistency.
Any purchase order or similar document or contract issued by the Client (“Purchase Order”), whether existing or future, is deemed to be concluded in accordance with the terms of the Agreement (with or without reference to the Agreement) and is subject to the provisions of these General Terms and Conditions, even if such provisions are not expressly set out in, or are excluded by, the Purchase Order. No term of a Purchase Order shall apply to the Agreement, notwithstanding any statement to the contrary on the Purchase Order.
2. Purpose
2.1 MintT undertakes to provide the Client, who accepts, with the services and to lease and/or sell (as applicable) the equipment specified in the Offer, in accordance with the terms and conditions of these General Terms and Conditions.
2.2 The Client declares that it is familiar with the technical characteristics of the services and equipment and considers them suitable for its needs.
3. Grant of licence
3.1 MintT grants the Client, who accepts, a non-exclusive, personal, non-transferable, non-sublicensable right to use the services, including the MyISA dashboard (“Dashboard”) and the documentation, including the MyISA user guide, for the duration of the Agreement (“Licence”). The Licence is granted to the Client only and shall not be deemed to be granted to any subsidiary or affiliated company of the Client.
3.2 The Client must comply with any documentation containing procedures, guidelines and/or recommendations relating to the use of MintT’s services or equipment, and with any amendment thereto notified to it from time to time.
4. Usage restrictions
4.1 The Client undertakes that each authorised user shall keep a secure password confidential for their use of the services.
4.2 The Client may not, in connection with its use of the services, access, store, distribute or transmit viruses, or any illegal content or content that causes damage to any person or property. MintT reserves the right, without incurring any liability towards the Client, to remove - to the extent possible - any content that infringes the provisions of this Section 4.2.
4.3 The Client may not:
- (a) except where permitted by any applicable law, the application of which cannot be excluded by mutual agreement of the Parties:
- (i) and except to the extent expressly permitted under the Agreement, attempt to copy, modify, duplicate, create derivative works from, republish, download, display, transmit, or distribute all or part of the software made available as part of the services, in any form or format whatsoever; or
- (ii) attempt to decompile, disassemble, reverse engineer or otherwise reduce the software or any part thereof to a human-perceivable form; or
- (b) access all or part of the services in order to develop a product or service that competes with the services; or
- (c) use the services in order to provide services to third parties;
- (d) license, sell, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the services available to third parties;
- (e) attempt to obtain, or assist a third party in obtaining, access to the services otherwise than as provided for under the Agreement; or
- (f) use the services in a manner that could be contrary to the Belgian law of 21 March 2007 regulating the installation and use of surveillance cameras, or to the corresponding local law in any other country where the Client is established.
4.4 The Client shall make reasonable efforts to prevent any unauthorised access to or use of the services and, in the event of unauthorised access or use, shall promptly notify MintT.
4.5 If the Client’s use of the services does not comply with the Agreement, MintT may, at its sole discretion and without prejudice to its right to claim damages, disable the access in question or terminate the Agreement in accordance with Section 17.
4.6 Any APIs (Application Programming Interfaces) made available by MintT may, as applicable, be subject to additional terms of use or usage restrictions.
4.7 Where the Offer authorises interfacing or integration with a Third-Party Platform (as defined in Section 16 below), the data communicated by the services may not be used by the Third-Party Platform for the purpose of being correlated with other data or used for functions other than those directly provided by MintT’s services (unless expressly authorised in the Offer and subject to the additional remuneration specified in the Offer).
5. Fees – Revision of fees
5.1 In consideration for the services and equipment, the Client must pay MintT the total fees specified in the Offer, in accordance with Section 6. MintT is entitled to charge the Client, at the rates then in effect, for all reasonable additional costs (such as travel costs) incurred by MintT in installing, maintaining or modifying any equipment or service as a result of the Client’s failure to comply with its contractual obligations (including obligations relating to the supply of electricity or the adaptation of Covered Areas to the required conditions).
5.2 Unless expressly stated otherwise in the Offer, all fees and prices are expressed in euros (EUR) and exclusive of VAT and applicable taxes.
5.3 Applicable prices and fees may be adjusted by MintT at any time after the Initial Period, provided that the Client is informed at least three (3) months before the expiry of the Initial Period or the current Additional Period (as defined in Section 17), as applicable. In the event of a price increase (such increase applying only as from the following Additional Period), the Client has the right to terminate the Agreement at no additional cost, no later than one (1) month before the expiry of the Initial Period or the current Additional Period, as applicable.
5.4 Without prejudice to any other possible adjustment mechanisms, all prices and fees may be indexed annually in the month of the anniversary of the effective date of the Agreement specified in the Offer, according to the following formula:
New price = initial price x (new index / initial index)
If the Client is established in Belgium, the following formula applies instead of the formula above:
New price = (initial price) x (0.2 + 0.8 x (new index / initial index))
In the formulas: the initial index is the “Agoria Digital” wage cost index (national average) for the month preceding the month in which the Agreement takes effect; the new index is the “Agoria Digital” wage cost index (national average) for the month preceding the month of the Agreement’s anniversary.
6. Invoicing – Payment terms
6.1 Unless expressly stated otherwise in the Offer, the Client shall pay all invoiced amounts within 15 calendar days of the date of receipt of the invoice. Unless expressly stated otherwise in the Offer, fees are payable annually before the start of the relevant year.
6.2 Any dispute relating to all or part of an invoice must be sent to MintT by registered letter with acknowledgement of receipt within 15 calendar days of the date of receipt of the relevant invoice. After this period, the Client shall be irrevocably deemed to have accepted the invoiced amount. A dispute does not release the Client from its payment obligations in respect of undisputed amounts.
6.3 In the event of late payment, MintT shall be entitled, automatically and without prior notice of default, to interest of ten percent (10%) per annum on the unpaid sum, calculated pro rata temporis from the due date until the date of actual payment, with a minimum of EUR 150 and without prejudice to any other right or remedy under the Agreement or applicable law.
6.4 MintT may suspend or terminate the Agreement at its sole discretion, and without having to resort to judicial action, if the Client has not paid any amount due within 15 calendar days of written notification of such non-payment, without prejudice to MintT’s other rights or remedies under the Agreement or applicable law.
7. Equipment
7.1 Delivery
7.1.1 MintT shall use its best efforts to deliver the equipment to the Client in accordance with the delivery date agreed by the Parties. This delivery date is given for indicative purposes only and without commitment.
7.1.2 If a delivery delay is caused by an event of force majeure or by any act or omission of the Client, the delivery period shall be extended by a reasonable period depending on the circumstances.
7.1.3 MintT shall deliver the equipment to the Client at the address indicated in the Offer.
7.1.4 Immediately upon delivery of the equipment, the Client must inspect such equipment and notify MintT in writing without delay - and in any event no later than two (2) business days after delivery - of any claim for apparent defects and non-conformity in terms of specifications or quantity discrepancies. In the absence of such notification, all delivered equipment shall be deemed to conform to the applicable specifications and shall be deemed irrevocably accepted by the Client.
7.2 Installation
7.2.1 The Client undertakes to provide, at its own expense and cost, in the rooms within the Client’s premises where the sensors are (to be) installed (“Sensor-Covered Areas”), sufficient and suitable free space to enable their installation, in accordance with the reasonable requirements set by MintT. In particular, the Client is responsible for, without limitation, the following: sufficient space; power supply; network connection (local network with Internet access or direct Internet access); maintenance of temperature and humidity.
7.2.2 Where installation of the equipment is provided by MintT (or any person designated by MintT), as specified in the Offer, the Client must immediately inform MintT if any technical or other systems (water, gas, electricity, etc.) could be damaged during the installation of the equipment. Notwithstanding any provision to the contrary, MintT may not be held liable for damage arising from the Client’s failure to comply with its obligations.
7.2.3 Where installation of the equipment is carried out by the Client (or any person designated by the Client), the Client shall be responsible for all costs arising from the installation of the equipment (including installation costs and any damage to the equipment). MintT undertakes to:
- a) supply, configure and deliver the equipment for “plug and play” installation by the Client; and
- b) test and validate that the installed equipment is accessible from the Dashboard.
7.3 Title and ownership
Ownership of equipment purchased by the Client under the Agreement remains with MintT until the purchase price of the equipment has been paid in full. However, as from the date of delivery, the Client is responsible for all costs resulting from theft, loss, destruction or damage to the equipment. Ownership of equipment leased by the Client under the Agreement remains with MintT.
7.4 Uninstallation and return of equipment
Uninstallation and/or return of equipment shall be the exclusive responsibility of the Client (at MintT’s then-current rates), except for the return of items covered by the limited warranty set out below. All costs and liability for claims, delivery, loss or damage, including, where applicable, installation, uninstallation and storage, shall be borne by the Client until the equipment is returned to and in the possession of MintT.
7.5 Client obligations
In the event of purchase of equipment, the Client must allow MintT to access the Sensor-Covered Areas to inspect the equipment and to enable MintT to provide the Client with a maintenance or repair service for the equipment in accordance with Section 7.6, subject to reasonable prior notice and subject to the Client’s reasonable requirements regarding confidentiality, security, health and safety.
In the event of leasing of equipment, upon receipt of the equipment, the Client undertakes to: (i) keep the equipment in good condition and return it upon expiry or termination of the Agreement; (ii) not transfer, move or modify the equipment; (iii) not encumber the equipment with any security interest, lien or other charge; (iv) exercise reasonable and appropriate diligence in operating, using and maintaining the equipment and keep it in good working order; (v) be solely responsible for and assume all risks and pay or reimburse MintT for all costs arising from theft or any other loss, destruction or damage to the equipment, whatever the cause, until the equipment is returned to MintT; (vi) give MintT access to the Sensor-Covered Areas to inspect the equipment and enable it to provide maintenance or repair services on the equipment, subject to reasonable prior notice and subject to the Client’s reasonable requirements regarding confidentiality, security, health and safety; (vii) grant MintT access to the Sensor-Covered Areas to uninstall and recover the equipment where applicable; and (viii) maintain in force for the duration of the Agreement, at the Client’s expense, comprehensive and general insurance covering the equipment. Such insurance coverage shall be obtained from reputable insurance companies. Upon reasonable request from MintT, the Client undertakes to provide valid certificates of insurance.
7.6 Limited warranties
MintT warrants that, for a period of one year following the date of delivery of the equipment to the Client (in the case of purchase) or for the duration of the Agreement (in the case of leasing), unmodified equipment shall be free from defects in material, manufacture and design. If a defect in material, manufacture and/or design is reported to MintT during the aforementioned warranty period, MintT undertakes, at its discretion, to repair or replace the equipment or reimburse the Client for the defective equipment. In the event of repair or replacement, MintT shall fulfil its repair/replacement obligation within a reasonable period agreed by mutual consent.
No employee, representative, licensor or agent of MintT is authorised to make any amendments, extensions or additions to these limited warranties.
Subject to the foregoing provisions, the equipment is provided “as is”, and all other conditions, representations and warranties, express or implied, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose (even if communicated for that purpose), or arising from a course of dealing, usage, custom, or trade usage, are excluded to the fullest extent permitted by applicable law.
Any modification or alteration of the equipment may render the services unusable. MintT is not liable for any interruption of the services caused by the Client’s modification or alteration of the equipment.
7.7 Repair and replacement
In the event of equipment failure, the Client shall contact MintT at contact@mintt.care to obtain a return material authorisation (RMA) number. The replacement part may, at MintT’s discretion, be refurbished or replaced with similar products. MintT cannot guarantee that new replacement units will be provided.
8. MintT Platform and Dashboard – Accessibility and handling of any issues
8.1 MintT shall take all reasonable measures to make the services accessible to the Client 7 days a week, 24 hours a day, except in the event of scheduled or emergency maintenance, and without accepting any obligation of result in this respect.
8.2 MintT regularly maintains the MyISA platform and the Dashboard. To the extent possible, MintT shall inform the Client of any maintenance (scheduled or unscheduled) likely to affect the services, even where no interruption of service is expected.
8.3 Error reporting
MintT shall be available to receive reports of errors, defects or malfunctions of the services (“Error”) from 9:00 a.m. to 5:00 p.m. Belgian local time (CET), on each business day (“Normal Business Hours”). Errors experienced by the Client shall be reported by an Authorised Contact of the Client by email to support@mintt.care or via any other communication channel specified by MintT. Each Error report shall be accompanied or followed by sufficient information to enable MintT to reproduce and verify the Error. MintT shall use reasonable efforts to reproduce and verify the reported Errors and to provide either (a) a bug fix, patch or other modification or addition that, when made or added to the services, corrects an Error, or (b) a procedure or routine that, when followed in the regular operation of the service, eliminates the material negative effects of an Error on the Client (“Error Correction”), in accordance with the initial response times and other terms set out herein, depending on the severity of the Errors:
- “Severity 1” is an emergency production situation where the service is completely unusable or fails catastrophically and there is no workaround;
- “Severity 2” is a detrimental situation (with no workaround) where (a) performance degrades significantly, resulting in a severe impact on usage, (b) the service is usable but materially incomplete, or (c) one or more core functions or commands are inoperable;
- “Severity 3” is a situation in which the service is usable but does not provide a function in the most convenient manner; and
- “Severity 4” is a minor issue or a documentation error.
8.4 Error correction
Severity 1 Error. MintT shall use reasonable efforts to begin work verifying the Error within four (4) hours during Normal Business Hours following receipt of the Client’s Error report. Upon verification, MintT shall use commercially reasonable efforts to correct the error with an Error Correction within two (2) business days. MintT shall provide the Client with periodic reports (at mutually agreed times) on the status of the Error Correction.
Severity 2 Error. MintT shall use reasonable efforts to begin work verifying the Error within one (1) business day during Normal Business Hours following receipt of the Client’s Error report. Upon verification, MintT shall use commercially reasonable efforts to correct the error with an Error Correction within three (3) business days. MintT shall provide the Client with periodic reports (at mutually agreed times) on the status of the Error Correction.
Severity 3 Error. MintT shall use reasonable efforts to begin work verifying the Error within five (5) business days during Normal Business Hours following receipt of the Client’s Error report. Upon verification, MintT shall use commercially reasonable efforts to include the Error Correction in a subsequent update. MintT shall provide the Client with periodic reports (at mutually agreed times) on the status of the Error Correction.
Severity 4 Error. MintT shall consider the request to include an Error Correction in a subsequent update of the Software.
9. MintT’s obligations in connection with the services
9.1 MintT must, at its own expense, use all commercially reasonable efforts to correct any problem in the provision of the services, or provide the Client with another means of achieving the performance contemplated under the Agreement. This constitutes the Client’s sole and exclusive remedy in the event of a breach of this Section.
9.2 MintT does not warrant that the Client’s use of the services will be uninterrupted or error-free, nor that the services will meet the Client’s requirements.
9.3 MintT is not liable for delays, delivery failures or any other loss or damage resulting from the use of communications networks and facilities (such as the Internet).
9.4 MintT shall not be liable for incomplete, incorrect or non-conforming performance of the services caused by use of the services by the Client or by authorised users contrary to MintT’s instructions, or by modification or alteration of the services by any party other than MintT’s duly authorised providers or agents.
10. Client obligations
10.1 The Client undertakes to provide MintT with (i) all necessary cooperation in connection with the Agreement and (ii) the necessary access to the information required by MintT.
10.2 The Client is solely responsible for protecting its IT systems and bears full responsibility for all adverse consequences of erroneous, unlawful or unauthorised use of MintT’s network or platform and/or the services by itself or by third parties.
10.3 The Client shall ensure that authorised users use the services in accordance with the Agreement and shall be responsible for any breach by an authorised user.
10.4 The Client is solely responsible for obtaining and maintaining its network connections and telecommunications links from its systems to the services.
11. Limitation of liability
11.1 MintT’s obligations in connection with the provision of the services are obligations of means and not obligations of result.
11.2 MintT may not be held liable for interruptions of the services due to causes beyond its control, such as problems caused by the Client’s equipment or use contrary to the instructions for the services or equipment, attributable to the Client or to third parties.
11.3 Without prejudice to any more restrictive liability provisions set out in the Agreement, MintT shall in no event be liable for any loss of data, loss of revenue, loss of profits, damage to reputation, business interruption or any indirect, incidental, consequential, special, punitive, exemplary or other similar damages arising out of or relating to the Agreement, including the use of the services or equipment or the inability to use the same.
11.4 Without prejudice to any more restrictive liability provisions set out in the Agreement, and except in the case of death or personal injury, MintT’s maximum aggregate liability towards the Client arising out of or relating to the Agreement, including the use or inability to use the services and/or equipment, shall in no event exceed an amount equal to the total amounts actually paid by the Client to MintT under the Agreement for the relevant service and/or equipment during the 12 months immediately preceding the event giving rise to liability.
11.5 MintT further excludes any liability related to the use of the services and/or equipment in combination with any software, equipment, data and/or material not provided by MintT. In particular, MintT excludes any liability for data passing through Third-Party Platforms (as defined in Section 16 below).
11.6 The existence of more than one claim shall not have the effect of enlarging or extending the limits set out in this Section 11. The Client warrants that personal data has been collected in accordance with any directly applicable European Union regulation, including without limitation Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - “GDPR”), as well as any act derived from the GDPR, Belgian law and Belgian Royal Decree implementing the GDPR, including the law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, and (ii) any similar applicable legislation of countries located outside the European Union (“Privacy Law”). The Client further warrants that it is authorised by the Privacy Law to allow MintT to process such personal data. This includes, without limitation, the Client’s compliance with its obligations to process personal data on a valid legal basis and to provide the mandatory information required under the Privacy Law to data subjects. The Client further indemnifies MintT against any claim made by a data subject in connection with the services and the processing of the Client’s personal data.
11.7 Complaints must be reported by the Client to MintT within five calendar days of the occurrence of the incident. Upon expiry of this period, MintT may consider the Client’s claim inadmissible and MintT shall no longer have any obligation or liability with respect to such incident.
12. Indemnification
12.1 The Client shall defend, indemnify and hold harmless MintT, its officers, directors, employees, agents and subcontractors against claims, actions, proceedings, losses, damages, expenses and costs (including, without limitation, court costs and reasonable legal fees) arising from or in connection with the Client’s use of the services.
12.2 MintT shall provide reasonable cooperation to the Client in the defence and settlement of any claim, at the Client’s expense.
13. Ownership – Intellectual property rights
13.1 MintT’s services and equipment, the Dashboard, the ISA platform, the documentation, and the content of MintT’s websites are the property of MintT or its licensors and are protected by copyright, trademarks, database rights, rights in software and computer programs, trade secrets, and other intellectual, industrial and/or other property rights that may exist worldwide (“Intellectual Property Rights”). All Intellectual Property Rights developed by MintT in connection with the provision of the services to the Client are the exclusive property of MintT.
13.2 The right to use the services confers on the Client only a personal, non-assignable right to use the services, for a defined period, as specified in the Agreement.
14. Confidentiality
14.1 Any information disclosed by a Party (the “Disclosing Party”) to the other Party (the “Recipient”) of a technical, financial, legal, strategic or commercial nature that is not public, in connection with the negotiation or performance of the Agreement, shall be deemed to constitute “Confidential Information”, as shall any copy, analysis, synthesis or summary of Confidential Information. MintT’s Confidential Information includes, among other things, details of the services, the results of any performance testing of the services, software source and binary code, data models, algorithms, and anonymised data observed and generated by MintT during the performance of the Agreement.
14.2 Both during the term of the Agreement and after its termination or expiry (for as long as the Confidential Information remains confidential, and at a minimum for a period of five (5) years from the termination or expiry of the Agreement, regardless of the cause), the Recipient must keep confidential the Confidential Information of the Disclosing Party and, except where required by applicable law, (i) may not disclose the Disclosing Party’s Confidential Information to third parties without the Disclosing Party’s prior written consent, except to persons who necessarily need to know the Confidential Information to enable the Recipient to perform its obligations under the Agreement, and (ii) may not use the Disclosing Party’s Confidential Information for any purpose other than the performance of the Recipient’s obligations under the Agreement. The Client agrees that MintT may disclose certain Confidential Information of the Client to MintT’s subcontractors for the purposes of providing the services, where applicable.
14.3 The Recipient shall apply the same degree of protection that it applies to protect its own confidential information of a similar nature, but no less than a reasonable degree of protection, in order to prevent unauthorised disclosure, publication or dissemination of the Disclosing Party’s Confidential Information.
14.4 MintT is authorised to use the Client’s Confidential Information in order to provide the services. MintT is further authorised to use the Client’s anonymised Confidential Information in order to improve its services and/or software, for statistical and research and development purposes, and with a view to developing any other service and/or software (including for purposes of algorithm training, service adaptation and machine learning). The resulting information shall be deemed derived Confidential Information belonging to MintT. MintT may transfer anonymous data observed and generated during the performance of the Agreement to third parties, use it or commercialise it, provided that MintT does not breach its confidentiality obligations and that such data does not contain personal data. MintT has no obligation to transfer or disclose its Confidential Information to the Client. The Client has no rights in any resulting creations, software, data or observations.
14.5 The Recipient undertakes to immediately inform the Disclosing Party in the event that it becomes aware of any unlawful acquisition, use or disclosure of the Disclosing Party’s Confidential Information.
14.6 The Recipient is authorised to disclose the Disclosing Party’s Confidential Information to third parties to the extent required by law or a court order, provided that the Recipient (i) informs the Disclosing Party in writing beforehand (where permitted) and (ii) cooperates with the Disclosing Party in seeking to limit, prevent or lawfully avoid such disclosure, or to have such disclosure made subject to confidentiality obligations.
14.7 The Recipient undertakes, upon the Disclosing Party’s first request and at the latest by the date of termination of the contractual relationship, to immediately cease any use of the Confidential Information.
15. Protection of personal data
15.1 Personal data of the administrator of the MyISA platform
15.1.1 MintT processes, as controller, the personal data of the administrator of the MyISA platform (designated by the Client) for the purposes of managing and administering access to the MyISA platform. This processing is carried out on the basis of MintT’s legitimate interests (namely, performing its contractual obligations towards the Client and identifying and managing the administrator designated to manage the MyISA platform). Information on how MintT processes such personal data is included in Annex A – Administrator Information Notice, also available at https://mintt.care/legaldocs/NoticeAdmin-FR.
15.1.2 The Client undertakes to provide a copy of the content of Annex A – Administrator Information Notice to the administrator it designates internally to manage access to the MyISA platform and the services, as well as any update or amendment provided by MintT to the Client, where applicable.
15.2 Processing of personal data by MintT as processor, on behalf of the Client
15.2.1 In the course of performing the Agreement, MintT is required to process personal data on behalf of the Client and acts as processor, with the Client acting as controller.
15.2.2 Annex B – Data Processing Agreement contains the applicable contractual clauses, completed on the basis of the standard contractual clauses between controllers and processors pursuant to Article 28(7) of Regulation (EU) 2016/679, of 4 June 2021, of the European Parliament and of the Council (Commission Implementing Decision (EU) 2021/915). The Parties undertake to sign Annex B – Data Processing Agreement concurrently with the Agreement.
15.2.3 The Client warrants that personal data has been collected in accordance with any directly applicable European Union regulation, including without limitation Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - “GDPR”), as well as any act derived from the GDPR, Belgian law and Belgian Royal Decree implementing the GDPR, including the law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, and (ii) any similar applicable legislation of countries located outside the European Union (“Privacy Law”). The Client further warrants that it is authorised by the Privacy Law to allow MintT to process such personal data. This includes, without limitation, the Client’s compliance with its obligations to process personal data on a valid legal basis and to provide the mandatory information required under the Privacy Law to data subjects. The Client further indemnifies MintT against any claim made by a data subject in connection with the services and the processing of the Client’s personal data.
16. Third-party products
MintT’s products may contain or be accompanied by certain third-party products that are provided to the Client on terms different from those of the Agreement, or that require MintT to provide the Client with a separate terms of use agreement, certain notices and/or other related information. The Client’s use of a third-party product for which MintT may have identified a separate terms of use agreement, notices or other related information shall be subject to the terms and conditions contained therein. The Agreement does not apply to such third-party products. In addition, MintT may, via certain APIs (Application Programming Interfaces), enable the Client to integrate all or part of the services into a third-party management platform (“Third-Party Platform”).
17. Term and termination of the Agreement
17.1 The Agreement takes effect on the date specified in the Offer. Unless expressly stated otherwise in the Offer, the initial term of the Agreement is 36 months (the “Initial Period”). Upon expiry of the Initial Period, the Agreement is automatically renewed for successive periods of three (3) years (the “Additional Periods”) unless written notice is given by either Party to the other Party at least three (3) months before the expiry of the Initial Period or any current Additional Period, as applicable.
17.2 The Client has the right to terminate the Agreement in the event that the Client does not accept substantial changes to these General Terms and Conditions, notified to the Client by MintT at least thirty (30) calendar days before the announced effective date of such changes. The Client must notify MintT in writing, by registered mail, of its objections to the substantial changes to the General Terms and Conditions, together with its intention to terminate the Agreement, within thirty (30) calendar days of MintT’s notification of such changes. Section 5.3 applies in connection with any adjustment of fees.
17.3 The Client has the right to terminate the Agreement, without having to justify any particular reason, upon payment of compensation equivalent to six (6) months of service.
17.4 Either Party may terminate the Agreement without incurring any liability towards the other Party and without having to resort to judicial action:
- (a) if the other Party materially breaches a provision of the Agreement and (if such breach is capable of remedy) fails to remedy the breach within thirty (30) calendar days of written notice of the breach to that Party; or
- (b) in the event of a decision or order declaring the dissolution or bankruptcy of the other Party, or circumstances entitling a competent court to order the dissolution of the other Party; or
- (c) if the other Party ceases or threatens to cease its business activity.
17.5 Where the Agreement terminates for any reason whatsoever:
- (a) the Client shall return any leased equipment (as applicable); and
- (b) the Recipient shall delete all Confidential Information of the Disclosing Party (with written confirmation), except for routine back-ups and copies necessary for the defence of the Parties’ rights (which shall remain subject to the confidentiality obligations of the Agreement), no later than thirty (30) calendar days after the end of the Agreement.
17.6 The Client shall not be released from its obligation to pay all amounts due under the Agreement prior to the date of suspension, expiry or termination of the Agreement.
18. Reference
The Client authorises MintT to refer to the Client’s name in its client list. The Client further agrees that MintT may mention the fact that it uses MintT’s services in its marketing materials and on its websites. The Client grants MintT a non-exclusive, royalty-free licence to use the Client’s brand and logo in MintT’s marketing materials. MintT must comply with any reasonable written instructions given by the Client in relation to such use. This licence is granted to MintT for the duration of the Agreement only.
19. Miscellaneous
19.1 The Agreement is governed by and construed in accordance with Belgian law, without giving effect to any other choice-of-law rule or provision or conflict-of-laws rule (Belgian, foreign or international) that would result in the designation, as the applicable law, of the law of a jurisdiction other than Belgium.
19.2 Any dispute relating to the validity, interpretation, performance or termination of the Agreement and/or the services shall be subject to the exclusive jurisdiction of the French-speaking courts and tribunals of Brussels (Belgium).
19.3 The Agreement contains the entire agreement between the Parties with respect to the subject matter to which it refers and contains everything the Parties have negotiated and agreed in connection with this Agreement. It supersedes and cancels any agreement, communication, offer, proposal or correspondence, oral or written, previously exchanged or entered into between the Parties relating to the same subject matter. No amendment or modification of the Agreement shall take effect unless made in writing and signed by duly authorised representatives of the Parties.
19.4 Nothing in the Agreement is intended to create, or creates, a partnership between the Parties, or authorises either Party to act as agent of the other Party. Neither Party has the authority to act in the name of and on behalf of the other Party or otherwise to bind the other Party.
19.5 The Client may not, without MintT’s prior written consent, assign, transfer, obtain remuneration for, subcontract or otherwise monetise vis-à-vis third parties all or part of its rights or obligations under the Agreement.
19.6 MintT may, at any time, assign, transfer, obtain remuneration for, subcontract or otherwise monetise vis-à-vis third parties all or part of its rights or obligations under the Agreement. MintT may further subcontract the performance of its obligations under the Agreement, in which case MintT shall remain fully liable to the Client for the performance of the subcontracted portions of the services.
19.7 MintT is free to assign or transfer the Agreement, in whole or in part, or its rights and/or obligations under the Agreement, to its subsidiaries or to third parties, in the form and manner MintT deems appropriate. This paragraph applies to any type of transfer of rights or obligations under the Agreement, whether as an individual asset or as part of a transfer of a business as a going concern or a branch of activity, and in particular, without limitation, in the event of a merger, demerger, contribution of a business as a going concern or a branch of activity, liquidation, bankruptcy or transformation of MintT.
19.8 Any waiver of a right must be made expressly and in writing.
19.9 If any provision (or part of a provision) of the Agreement is declared invalid, unenforceable or unlawful by a competent court or administrative authority, the remaining provisions shall continue to apply. Where such an invalid, unlawful or unenforceable provision affects the entire nature of the Agreement, each Party shall endeavour to negotiate immediately and in good faith a legally valid replacement clause. If no agreement on such a provision is reached within thirty (30) days, each Party shall have the right to terminate the Agreement upon thirty (30) days’ written notice.
19.10 MintT may not be held liable for any delay or failure to perform any of its obligations under the Agreement resulting from an event of force majeure. If MintT is affected by an event of force majeure, it must notify the Client as soon as possible of the nature, severity and likely impact on MintT’s ability to perform its obligations under the Agreement. Notwithstanding the foregoing, MintT shall use all reasonable efforts to continue to perform its obligations under the Agreement for the duration of the event of force majeure.
Annexes
- A. Annex A – Administrator Information Notice
- B. Annex B – Data Processing Agreement
Annex A – Administrator Information Notice
MintT – Data Protection Information Notice for the Administrator of the MyISA Platform
1. Introduction. This data protection information notice (the “Notice”) is intended to inform you about how MintT SA (a company incorporated under Belgian law, with registered office at Avenue Louise 251, 1000 Brussels, registered with the Crossroads Bank for Enterprises under number 0544.636.885, “MintT”) processes certain personal data concerning you as administrator of the MyISA platform.
2. Controller. MintT is the controller for the processing of your personal data as described in this Notice.
3. Categories of personal data processed. The personal data collected and processed includes the following: last name, first name, employer’s name; username (email address) and password; access and modification logs; and access and modification rights.
4. Purposes of the processing. Personal data is processed for the purposes of managing and administering access to the MyISA platform (to the extent that you are the administrator designated by your employer).
5. Legal basis of the processing. MintT relies on its legitimate interests to carry out the processing (namely, performing its contractual obligations towards your employer and identifying and managing the administrator designated to manage the MyISA platform).
6. Transfer of your personal data to third parties. In general, MintT will not transfer your personal data to third parties, except for transfers (i) authorised by applicable law or (ii) mentioned in this section or elsewhere in this Notice. Personal data is transferred to external service providers and processors (in relation to data hosting) in respect of which MintT has taken appropriate measures to protect your personal data, in accordance with applicable legislation, and exclusively for the processing purposes described in this Notice. To the extent this involves the transfer of your personal data to countries outside the European Economic Area that are not considered by the European Commission to ensure an adequate level of protection of personal data, MintT shall ensure that measures are put in place in accordance with applicable legislation, such as the signing of the European Commission’s standard contractual clauses.
7. Security. MintT has implemented appropriate technical and organisational measures to protect your personal data against accidental or unauthorised destruction, loss, alteration, deterioration, use, access, disclosure or any other unlawful or unauthorised processing. To ensure this security, MintT uses, among other things, encryption of communications between servers.
8. Data retention period. MintT shall erase your personal data upon expiry of a maximum period of six months after (i) the end of your designation as administrator by your employer or (ii) the deactivation of the MyISA platform services within your employer’s establishment.
9. Your rights. You have the right to access your personal data, as collected and processed by MintT, and to request its rectification in the event of inaccuracy or its erasure in certain limited cases or where it is no longer necessary. In general, you also have the right to withdraw your consent at any time where processing is based on your consent. Such withdrawal of consent does not affect the lawfulness of processing based on consent carried out before such withdrawal. In certain cases, you also have the right to the portability of your personal data. You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of the European Union of your habitual residence, place of work or place where the alleged infringement occurred, if you consider that the processing of personal data concerning you constitutes an infringement of applicable legislation. To exercise your rights, you need only (i) contact your employer, who will forward your request to MintT, or (ii) contact MintT by sending a written and signed request to MintT at the email address privacy@mintt.care or to the postal address MintT SA – Avenue Louise 251, 1000 Brussels, Belgium, together with a copy of your identity card or any other document proving that you are the data subject concerned.
10. Contact. MintT SA – Avenue Louise 251, 1000 Brussels, Belgium - Email: privacy@mintt.care.
Data Protection Officer (DPO): The Privacy Office, Hochstrasse 81, 4700 Eupen, Belgium - Email: DPO@mintt.care
Annex B – Data Processing Agreement
Contractual clauses between controllers and processors pursuant to Article 28(7) of the GDPR
Section I
Clause 1 - Purpose and scope
a) These standard contractual clauses (hereinafter the “clauses”) are intended to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
b) The controllers and processors listed in Annex I have accepted these clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679.
c) These clauses apply to the processing of personal data as described in Annex II.
d) Annexes I to IV form an integral part of the clauses.
e) These clauses are without prejudice to the obligations to which the controller is subject under Regulation (EU) 2016/679.
f) The clauses alone are not sufficient to ensure compliance with obligations relating to international transfers pursuant to Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
Clause 2 - Invariability of the clauses
a) The parties undertake not to modify the clauses, except to add information to the annexes or to update the information contained therein.
b) This does not prevent the parties from including the standard contractual clauses set out in these clauses in a broader contract, or from adding other clauses or additional safeguards, provided that they do not directly or indirectly contradict the clauses or detract from the fundamental rights and freedoms of data subjects.
Clause 3 - Interpretation
a) Where these clauses use terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in the relevant Regulation.
b) These clauses shall be read and interpreted in light of the provisions of Regulation (EU) 2016/679 and Regulation (EU) 2018/1725, respectively.
c) These clauses shall not be interpreted in a way that conflicts with the rights and obligations provided for in Regulation (EU) 2016/679 or in a way that detracts from the fundamental freedoms or rights of data subjects.
Clause 4 - Hierarchy
In the event of a contradiction between these clauses and the provisions of related agreements between the parties existing at the time these clauses are agreed or entered into thereafter, these clauses shall prevail.
Section II - Obligations of the parties
Clause 6 - Description of the processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.
Clause 7 - Obligations of the parties
7.1. Instructions
a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In such a case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Instructions may also be given by the controller subsequently throughout the duration of the processing of personal data. Such instructions shall always be documented.
b) The processor shall immediately inform the controller if, in its opinion, an instruction given by the controller constitutes a breach of Regulation (EU) 2016/679 or of other applicable Union or Member State data protection provisions.
7.2. Purpose limitation
The processor shall process personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.
7.3. Duration of the processing of personal data
Processing by the processor shall only take place for the duration specified in Annex II.
7.4. Security of processing
a) The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of personal data. These measures include protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of personal data or unauthorised access to such data (personal data breach). In assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks for data subjects.
b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.5. Sensitive data
Where the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.
7.6. Documentation and compliance
a) The parties shall be able to demonstrate compliance with these clauses.
b) The processor shall deal promptly and adequately with the controller’s requests regarding the processing of data under these clauses.
c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations set out in these clauses and stemming directly from Regulation (EU) 2016/679. At the controller’s request, the processor shall also allow for and contribute to audits of the processing activities covered by these clauses, at reasonable intervals or where there are indications of non-compliance. When deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
d) The controller may choose to conduct the audit itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
e) The parties shall make the information referred to in this clause, including the results of any audits, available to the competent supervisory authority/authorities on request.
7.7. Use of sub-processors
a) The processor has the controller’s general authorisation to engage sub-processors from an agreed list set out in Annex IV. The processor shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least one month in advance, thereby giving the controller sufficient time to object to such changes prior to the engagement of the sub-processor(s) concerned. The processor shall provide the controller with the information necessary to enable the controller to exercise its right to object.
b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the processor under these clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these clauses and Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
c) At the controller’s request, the processor shall provide a copy of the contract entered into with the sub-processor and any subsequent amendments thereto. To the extent necessary to protect trade secrets or other confidential information, including personal data, the processor may redact the text of the contract prior to sharing a copy.
d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations under its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
e) The processor shall agree with the sub-processor on a third-party beneficiary clause whereby - in the event the processor has factually disappeared, ceased to exist in law or become insolvent - the controller shall have the right to terminate the contract entered into with the sub-processor and to instruct the sub-processor to erase or return the personal data.
7.8. International transfers
a) Any transfer of data to a third country or an international organisation by the processor shall only be carried out on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject, and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7 for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor may ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.
Clause 8 - Assistance to the controller
a) The processor shall promptly notify the controller of any request it has received from a data subject. It shall not itself respond to that request, unless authorised to do so by the controller.
b) The processor shall assist the controller in fulfilling its obligation to respond to requests from data subjects exercising their rights, taking into account the nature of the processing. In fulfilling its obligations under points a) and b), the processor shall comply with the controller’s instructions.
c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall further assist the controller in ensuring compliance with the following obligations, taking into account the nature of the processing and the information available to the processor:
- The obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a “data protection impact assessment”) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
- The obligation to consult the competent supervisory authority/authorities prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
- The obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
- The obligations set out in Article 32 of Regulation (EU) 2016/679.
d) The parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this clause, as well as the scope and extent of the assistance required.
Clause 9 - Notification of personal data breaches
In the event of a personal data breach, the processor shall cooperate with and assist the controller in complying with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or Articles 34 and 35 of Regulation (EU) 2018/1725, as applicable, taking into account the nature of processing and the information available to the processor.
9.1. Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
a) in notifying the personal data breach to the competent supervisory authority/authorities, without undue delay after the controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
b) in obtaining the following information which, in accordance with Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification, and shall at least include:
- the nature of the personal data, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay;
c) in complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2. Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after becoming aware of it. Such notification shall contain at least:
a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects concerned and personal data records concerned);
b) the details of a contact point where more information concerning the personal data breach can be obtained;
c) its likely consequences and the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The parties shall set out in Annex III all other elements the processor must provide when assisting the controller in complying with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
Section III - Final provisions
Clause 10 - Non-compliance with the clauses and termination
a) Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the processor is in breach of its obligations under these clauses, the controller may instruct the processor to suspend the processing of personal data until it complies with these clauses or until the contract is terminated. The processor shall promptly inform the controller if it is unable to comply with these clauses, for whatever reason.
b) The controller shall be entitled to terminate the contract insofar as it concerns the processing of personal data under these clauses if:
- the processing of personal data by the processor has been suspended by the controller pursuant to point a) and compliance with these clauses is not restored within a reasonable time and, in any event, within one month of the suspension;
- the processor is in substantial or persistent breach of these clauses or of its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
- the processor fails to comply with a binding decision of a competent court or of the competent supervisory authority/authorities regarding its obligations under these clauses or under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
c) The processor shall be entitled to terminate the contract insofar as it concerns the processing of personal data under these clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1(b), the controller insists on compliance with its instructions.
d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or return all personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these clauses.
Annex I - List of parties
Controller: Identity and contact details of the controller and, where applicable, of the data protection officer, as set out in the Pre-Installation Form of the signed Offer.
Processor: MintT SA, a company incorporated under Belgian law with registered office at Avenue Louise 251, 1000 Brussels, Belgium, and registered with the Crossroads Bank for Enterprises under number 0544.636.885.
Data Protection Officer: The Privacy Office, Hochstrasse 81, 4700 Eupen, Belgium - Email: DPO@mintt.care
Name, role and contact details of the contact person: Sabine Mersch - TPO, sme@tpo.solutions
Annex II - Description of the processing
Categories of data subjects whose personal data is processed: Members of the Client’s personnel who are users of the interface, residents and/or patients, visitors.
Categories of personal data processed:
- Relating to members of the Client’s personnel who are users of the interface: last name, first name, professional email address, interface usage logs.
- Relating to residents and/or patients: 3D data.
- Relating to visitors: 3D data.
Sensitive data processed (where applicable) and the restrictions or safeguards applied, which fully take into account the nature of the data and the risks involved, such as, for example, strict purpose limitation, access restrictions (including access reserved solely for personnel who have undergone specialised training), the keeping of a data access log, restrictions applicable to further transfers, or additional security measures: Not applicable.
Nature of the processing: Capture of raw sensor data, transformation into 3D data, recording of 3D data, review for the purposes of moderation and annotation, provision to the client, anonymisation.
Purpose(s) for which the personal data is processed on behalf of the controller: Management and administration of user access, platform support and sensor maintenance, generation of 3D data, event detection, event notification, event moderation, verification of event moderation, alert notification, alert management, alert acknowledgement, intervention acknowledgement, real-time image viewing.
Duration of the processing: One month.
For processing by (sub-)processors, subject matter, nature and duration of the processing:
- Digital Ocean: Retention of 3D data and logs. Data is processed for a period of one month from capture.
- Ecritel: Retention of 3D data and logs in accordance with the HDS (Hébergeur de Données de Santé) standard. Data is processed for a period of one month from capture.
Annex III - Technical and organisational measures, including measures to ensure the security of data
1. Organisational control
The processor (MintT SA) has implemented and maintains appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data and the accidental loss, destruction of, or damage to, personal data.
1.1. Policies and procedures — The processor has adopted and implemented information security policies and standards: compilation, updating and implementation of guidelines on the processing of personal data; the organisation has a security charter.
1.2. Awareness and training — All personnel (employees and subcontractors) undergo mandatory annual training on information security and data confidentiality: information sessions on data protection and security, regular dissemination of information on new processes, email reminders.
1.3. Human resources security — All personnel sign a confidentiality agreement (specific confidentiality clause in the employment contract).
1.4. Secure archiving — Archive management process, specific access arrangements, secure destruction of obsolete archives, access restricted to a specific department.
1.5. Data deletion/destruction — Secure destruction procedure including retention periods; secure removal of data from devices before disposal, repair or end of lease; use of audited or certified data-wiping software.
2. Logical access control
Access based on the principles of “least privilege” and “need to know”.
2.1. Policies and procedures — Access control policy (purpose, audience, objectives, procedures, consequences, security measures), reviewed at least once a year.
2.2. Data segregation — Data classification and labelling, marking of confidential documents, explicit notice on documents containing sensitive data (Article 9 GDPR), dedicated and isolated database servers.
2.3. User access management — Mandatory authentication, individual credentials, segregation of duties, immediate removal of access upon departure, annual review of access rights, administrator access reserved for qualified personnel.
2.4. Password management — Compliance with CNIL recommendations, changing of default passwords, complexity policy, specific policy for administrators, change upon departure or suspected compromise, separate account per application.
2.5. Vulnerability management — Automatic updates of critical systems, protection against SQL injection and script attacks, detection and prevention of attacks on critical systems.
2.6. Privacy controls — Consent obtained for non-essential cookies, no transmission of personal data via URL.
2.7. Asset management — Inventory and limitation of the number of components, monitoring and updates.
3. Access logging
3.1. Logging and monitoring — Logging system based on ANSSI recommendations, information to relevant staff representatives, regular review of logs, prohibition on using logs for other purposes.
4. Security incident management system
4.1. Policies and procedures — Procedures for notifying the data protection authority in the event of a breach.
4.2. Incident response — Incident response plan with clear roles and responsibilities, notification of the controller as soon as possible, assessment of any reported security event, application of CERT-FR measures in the event of an incident.
5. Disclosure control
5.1. Policies and procedures — Regular software updates and patch management.
5.2. Disclosure control — Automatic disconnection after inactivity, limited communication ports, up-to-date antivirus software, restricted administrator rights, secure processing of confidential data, anti-theft measures (marking, locking, encryption), IP protocols limited to those necessary.
5.3. Mobile devices — Mobile device management (MDM) framework, disabling of autorun, annual awareness training, controlled backup and synchronisation, hard drive encryption, automatic disconnection of smartphones, privacy screens in public places.
5.4. Operating system — Up-to-date operating systems, prompt installation of critical updates with weekly verification.
5.5. Network protection — Restricted Internet access, protected Wi-Fi network (WPA2), OTP authentication, VPN for remote access, filtering of inbound/outbound traffic, SSH or direct physical access, DMZ network for exposed servers, compliance with ANSSI recommendations (TLS, Wi-Fi).
5.6. Encryption — TLS protocol for all online exchanges and websites, no unsecured servers, encryption of removable media and mobile devices, encrypted messaging for sensitive documents (CNIL recommendations, factsheet 17), HTTPS for file transfers, separate channel for sending secrets, public-key algorithms, key management and certification, GNU Privacy Guard encryption solution (asymmetric cryptography).
6. IT business continuity management
6.1. Policies and procedures — Documented business continuity plan, identified responsible persons, compliance with SGDSN guidelines.
6.2. Backup — Data not stored on workstations, prohibition on using consumer cloud services as a backup tool, daily incremental backups and regular full backups, backup protection equivalent to that of the database, encryption of backups transmitted over the network, storage in multiple locations, regular restoration testing, redundant storage (RAID).
6.3. Continuity controls — Backup power supply for critical equipment.
7. Supply chain risk management
7.1. Policies and procedures — Register of maintenance work, security clauses in maintenance contracts, data processing agreement (DPA) defining the subject matter, duration and purpose of processing, confidentiality clauses and return/destruction of data at the end of the contract, obligations under Article 28 of the GDPR, verification of the geographic location of data, ongoing ISO 27001 certification process.
7.2. Security controls — Designated person responsible for managing third parties, verification of providers’ security policies prior to contracting, verification of data encryption, audit of transmissions and network security controls (logs, provisioning, authentication, privileged access management), verification of compliance with Article 28 of the GDPR.
8. Physical access control
8.1. Physical security controls — Intrusion alarms regularly checked, smoke detectors and fire equipment checked annually, secured keys and access codes, risk analysis by area, management and updating of the access list, supervision of visitors, protection of IT equipment (fire prevention, uninterruptible power supply, air conditioning, humidity control), annual maintenance, access restricted to authorised personnel, regular reassessment of access rights.
9. Purchase, development and maintenance of hardware and software
9.1. Application security — Automatic security updates, prohibition on downloading from unsafe sources, security checks on hardware and software, updates in the event of an identified critical vulnerability.
9.2. Secure software development — Secure software development lifecycle (SSDLC) incorporating privacy by design, minimisation of free-text fields, development/test environment separate from production using fictitious or anonymous data, data formats adapted to the retention period, creation of user profiles, consultation of CNIL recommendations on free-text entry fields, signing of executable code where applicable.
Annex IV - List of sub-processors
-
Digital Ocean LLC, a company incorporated and existing under the laws of the State of New York, with registered office at 101 Avenue of the Americas, 10th Floor, New York, NY 10013. Contact: https://www.digitalocean.com/support/. Description of processing: Data hosting.
-
Ecritel, a company incorporated and existing under French law, with registered office at 84 rue Villeneuve, 92110 Clichy, France, registered with the RCS Nanterre under company number 332 484 021, Siret 332 484 021 000 99. Contact: https://www.ecritel.fr/fr/solutions/ecritel-medical-hosting-hds/. Description of processing: Data hosting.