Cochlear Connected Care: Data Processing Agreement
This Connected Care Data Processing Agreement (including its Schedules and Appendices) (“DPA”) is entered into by Cochlear and Customer and supplements the Agreement. This DPA will be effective and replace any previously applicable terms relating to their subject matter (including any data processing amendment or data processing agreement or addendum relating to the Services) from the DPA Effective Date. The DPA applies only to the extent of the specific Connected Care Services used by the Customer, as set out in Schedule 1.
What’s changed:
- Overall reference to applicable Data Protection Laws, instead of just the EU GDPR;
- The addition of “distributors” in the definition of “Customers”;
- Addition of SmartNav processing type 3 and 4 in Schedule 1;
- Addition of the Turkish addendum to the EU Standard Contractual Clauses.
TABLE OF CONTENTS
Main body:
- Section A: General
- Section B: Cochlear as Processor
- Section C: The Parties as Controllers or Joint Controllers
Schedule 1: Details of Processing
Schedule 2: List of Sub-processors
Schedule 3: Technical and Organisational Measures
Schedule 4: Standard Contractual Clauses
1. DEFINITIONS
“Adequate Country” means a country or territory that is recognised under the applicable Data Protection Laws as providing adequate protection of Personal Data.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Agreement” means the terms and conditions of use or other written or electronic agreement between Cochlear and Customer for the provision of the Services by Cochlear.
“Cochlear Group” means Cochlear and its Affiliates engaged in the Processing of Personal Data.
“Connected Care Service” means one or more of the services set out in Schedule 1 and any other connected care services added by Cochlear to the Connected Care offerings from time to time.
“Customer” means the person and/or the entity the person represents entering into the Agreement.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, Turkey and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
“De-identified Data” means data where all identifying information has been obscured or removed such that an individual cannot be identified from such data.
“DPA Effective Date” means the earlier of (i) the date on which Customer confirms its acceptance of this DPA to Cochlear or (ii) the date Customer commences or continues use of a Service after this DPA has been made available to Customer.
“Services” means a connected care Service.
“Standard Contractual Clauses” means the EU Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, which are hereby incorporated by reference into this DPA, as tailored and supplemented by the provisions in Schedule 4 of this DPA, including the UK, Swiss and Turkish Addendum, as and when applicable.
“Sub-processor” means any Processor engaged by Cochlear or a member of the Cochlear Group for the Processing of Personal Data under the Agreement.
“Technical and Organisational Measures” means the security controls described in Schedule 3, which may be updated by Cochlear from time-to-time.
“Third Countries” means any country which is outside the European Union, European Economic Area (EEA) UK, Switzerland and Turkey and which is not an Adequate Country.
The following terms shall have the meaning ascribed to them in the Data Protection Laws and Regulations: Controller, Joint Controller, Data Subject, Processing, Processor and Supervisory Authority. Personal Data shall have the meaning ascribed to it in the Data Protection Laws and Regulations, to the extent that such data is Processed in connection with the Services. Personal Data Breach shall have the meaning ascribed to it in the Data Protection Laws and Regulations, to the extent that such Personal Data Breach relates to Personal Data as defined in this DPA.
SECTION A: GENERAL
2. GENERAL
2.1. Agreement. This DPA reflects the parties’ agreement on the terms governing the processing of Personal Data in connection with the Data Protection Laws and Regulations.
2.2. Conflict. In the event of any conflict or inconsistency between the body of this DPA, any of its Schedules and the Standard Contractual Clauses in Schedule 4, the Standard Contractual Clauses shall prevail.
2.3. Status of Parties and Details of Processing. Schedule 1 (Details of Processing) specifies the status (Controller, Joint Controller or Processor) of each party for the different Processing activities relating to Services that Cochlear provides for its Connected Care solutions. It also specifies the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects in relation to that Service.
2.4. Cochlear as Processor. Where Cochlear processes Personal Data on behalf of Customer, each party shall comply with its obligations under Section B of this DPA.
2.5. The Parties as Controllers or Joint Controllers. Where the parties Process or share Personal Data as Controllers or Joint Controllers, each party shall comply with its applicable obligations under Section C of this DPA.
2.6. Liability. Subject to the following sentence, each party’s and each of their respective Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement. However, the Limitation of Liability shall be interpreted in such a way as to give the fullest effect possible to its terms while also not conflicting directly or indirectly with the Standard Contractual Clauses in a way that renders them ineffective as a valid and approved data transfer mechanism.
2.7. De-identified Data. Notwithstanding any other provision of this DPA, the Customer agrees Cochlear may de-identify Personal Data and then use and otherwise process De-identified Data for (i) evaluating, improving and/or developing its products and services; (ii) developing new products and services; and (iii) conducting analytics and scientific research.
2.8. Changes in Law. In the event of changes to Data Protection Laws and Regulations following the DPA Effective Date that require changes to be made to this DPA for a party’s compliance with Data Protection Laws and Regulations, the parties agree to revisit the terms of this DPA and negotiate appropriate and necessary updates in good faith.
SECTION B: COCHLEAR AS PROCESSOR
When Cochlear is the Data Processor according to Schedule 1:
3. PROCESSING OF PERSONAL DATA
3.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Cochlear is the Processor and that Cochlear or members of the Cochlear Group will engage Sub-processors pursuant to the requirements set out in Section 6 “Sub-processors” below.
3.2. Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Customer’s instructions to Cochlear for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
3.3. Cochlear’s Processing of Personal Data. Cochlear shall Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and (ii) Processing initiated by Customer in its use of the Services.
3.4. Details of Processing. The subject-matter of Processing of Personal Data by Cochlear is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of Processing) to this DPA.
3.5. General Assistance. Cochlear shall use commercially reasonable efforts to assist Customer as necessary to support Customer’s compliance with Data Protection Laws and Regulations and any requests from supervisory authorities related to records of data Processing activities.
4. RIGHTS OF DATA SUBJECTS
4.1. Data Subject Requests. Cochlear shall, to the extent legally permitted, promptly notify Customer if Cochlear receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure, data portability, or object to the Processing (“Data Subject Request”) to the extent that any such request relates to Personal Data. Cochlear shall provide reasonable assistance to Customer, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Cochlear shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Cochlear is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations.
5. COCHLEAR PERSONNEL
5.1. Confidentiality. Cochlear shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.
5.2. Reliability. Cochlear shall take commercially reasonable steps to ensure the reliability of any Cochlear personnel engaged in the Processing of Personal Data.
5.3. Limitation of Access. Cochlear shall ensure that Cochlear’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
5.4. Data Protection Officer. The Cochlear Group has appointed a data protection officer who can be contacted at privacy@cochlear.com.
6. SUB-PROCESSORS
6.1. Appointment of Sub-processors. Customer acknowledges and agrees that (a) Cochlear’s Affiliates may be retained as Sub-processors; and (b) Cochlear and Cochlear’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services so long as Cochlear or the relevant Cochlear Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
6.2. List of current Sub-processors and Notification of New Sub-processors. Cochlear shall make available to Customer the current list of Sub-processors for the Services as identified in Schedule 2 to this DPA. Such Sub-processor lists shall include the identities of those Sub-processors and their country of location (“Sub-processor Lists”). Cochlear shall provide notification of a new Sub-processor(s) at least ten (10) business days before authorising any new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services.
6.3. Objection Right for New Sub-processors. Customer may object to Cochlear’s use of a new Sub-processor by notifying Cochlear promptly in writing within ten (10) business days after receipt of Cochlear’s notice in accordance with the mechanism set out in Section 6.2. In the event Customer objects to a new Sub-processor, Cochlear will collaborate with Customer in good faith to evaluate alternatives. If the parties are unable to agree on the appointment of a Sub-processor, Customer may terminate its use of the Services without penalty.
6.4. Liability. Cochlear shall be liable for the acts and omissions of its Sub-processors to the same extent Cochlear would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set out in the Agreement.
7. SECURITY AND INCIDENT MANAGEMENT
7.1. Controls for the Protection of Personal Data. Cochlear shall maintain appropriate technical and organisational measures for protection of the security (including protection against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set out in the Technical and Organisational Measures. Cochlear regularly monitors compliance with these measures. Cochlear will not materially decrease the overall security of the Services during a subscription term.
7.2. Incident Management and Notification. Cochlear maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by Cochlear or its Sub-processors (a “Data Incident”). Cochlear shall make reasonable efforts to identify the cause of such Data Incident and take those steps as Cochlear deems necessary and reasonable in order to remediate the cause of such a Data Incident to the extent the remediation is within Cochlear’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer.
8. TRANSFERS OF PERSONAL DATA
8.1. Standard Contractual Clauses. The Customer acknowledges and accepts that the provision of Services will require the Processing of Personal Data by Cochlear and Sub-processors in Third Countries. The parties agree that Module 2 of the Standard Contractual Clauses (“Module 2”) is incorporated by reference into this DPA and applies, together with the additional terms in this Section 8 and as tailored and supplemented by the provisions in Schedule 4, in respect of that Processing. Cochlear will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and the Customer will comply with the obligations of the ‘data exporter’.
8.2. Instructions. The parties agree that the terms of use for a Service, together with the Customer’s use of a Service in accordance with its terms of use constitutes Customer’s complete and final instructions to Cochlear in relation to the processing of Personal Data, and any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 8.1 of Module 2, Section 3.3 of this DPA is deemed an instruction by the Customer to Process Personal Data.
8.3. Appointment of new Sub-processors and List of current Sub-processors. Pursuant to Clause 9(a) of Module 2, Customer acknowledges and expressly agrees that (a) Cochlear’s Affiliates may be retained as Sub-processors; and (b) Cochlear and Cochlear’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Cochlear shall make available to Customer the current list of Sub-processors in accordance with Section 6.2 of this DPA.
8.4. Notification of New Sub-processors and Objection Right for new Sub-processors. Pursuant to Clause 9(a) of Module 2, Customer acknowledges and expressly agrees that Cochlear may engage new Sub-processors as described in Sections 6.2 and 6.3 of the DPA.
8.5. Copies of Sub-processor Agreements. The parties agree that the copies of the Sub-processor agreements that must be provided by Cochlear to Customer pursuant to Clause 9(c) of Module 2 may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Cochlear beforehand; and, that such copies will be provided by Cochlear, in a manner to be determined in its discretion, only upon request by Customer.
8.6. Audits. The parties agree that the audits described in Clause 8.9 of Module 2 shall be carried out in accordance with the following specifications: Unless otherwise required by a Supervisory Authority of competent jurisdiction, the Customer may request an on-site audit by the Customer or an independent third party that enters into an appropriate confidentiality agreement with Cochlear in advance of the audit (at the Customer’s expense) of the procedures relevant to the protection of Personal Data. The Customer will give Cochlear at least thirty (30) days’ notice of any such on-site audit. Before the commencement of any such on-site audit, Customer and Cochlear shall mutually agree upon the scope, timing, and duration of the audit. Customer agrees that access will only be granted during business hours; no more than once annually; and to keep confidential any confidential information that by its nature should be confidential.
8.7. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 of Module 2 shall be provided by Cochlear to Customer only upon Customer’s request.
9. RETURN AND DELETION OF PERSONAL DATA
9.1. Cochlear shall return Personal Data to Customer and, to the extent allowed by applicable law, delete Personal Data in accordance with the procedures and timeframes specified in Schedule 1 for each data Processing activity documented therein.
SECTION C: THE PARTIES AS CONTROLLERS OR JOINT CONTROLLERS
10. DEFINITIONS
10.1. The following definitions and rules of interpretation apply in this Section C:
“Agreed Purpose” has the meaning given to it in Section 14.1 in this Section C.
“Permitted Receiver” means any Affiliate of Customer or Cochlear, or any third party Processor appointed by either party (and in all cases to the extent required for the Processing of the Shared Personal Data), or each of the parties’ professional advisers, or a relevant supervisory authority or other regulator, or any other third party as may be agreed by the parties in writing from time to time.
“Shared Personal Data” means the Personal Data Processed by the parties as Joint Controllers as described in Schedule 1 (Details of Processing).
11. APPLICABLE PROVISIONS OF THIS SECTION C
11.1. The Parties as Independent Controllers. Where the parties Process Personal Data as independent Controllers, each party shall comply with Sections 12 and 13 below.
11.2. The Parties as Joint Controllers. Where the parties Process Personal Data as Joint Controllers, each party shall comply with its obligations under all of this Section C.
12. COMPLIANCE WITH DATA PROTECTION LAWS AND REGULATIONS
12.1. Each party shall comply with the obligations imposed on a Controller under the Data Protection Laws and Regulations as are applicable to its Processing of the Shared Personal Data.
13. TRANSFERS
13.1. Customer acknowledges and accepts that the provision of Services will require the Processing of Personal Data by Cochlear as Controller or Joint Controller as described in Schedule 1 (Details of Processing) and by Cochlear’s Processors in Third Countries. The parties agree that Module 1 of the Standard Contractual Clauses is incorporated by reference into this DPA and applies, as tailored and supplemented by the provisions in Schedule 4, in respect of that Processing (where Cochlear has the role of Controller or Joint Controller in relation to such Processing). Cochlear will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and the Customer will comply with the obligations of the ‘data exporter’.
14. PURPOSE
14.1. Each party shall Process Shared Personal Data in connection with the relevant purposes described in Schedule 1 (Details of Processing) (“Agreed Purpose”).
15. PARTICULAR OBLIGATIONS REGARDING DATA SHARING
15.1. Each party shall:
15.1.1. ensure that all Permitted Receivers are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Section C;
15.1.2. ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data;
15.1.3. maintain Processing records in compliance with Data Protection Laws and Regulations.
16. PERSONAL DATA BREACHES
16.1. Any party that discovers a Personal Data Breach relating to Shared Personal Data shall inform the relevant point of contact at the other party specified at the start of this DPA without undue delay.
16.2. Where a Personal Data Breach relating to Shared Personal Data occurs, the parties shall co-operate in addressing it in an appropriate and timely manner, including by deciding whether notification to the supervisory authority, and/or communication to data subjects are required under Data Protection Laws and Regulations.
17. DATA SUBJECTS’ RIGHTS AND NOTIFICATION TO SUPERVISORY AUTHORITIES
17.1. Any party that receives a Data Subject Request (the “informing party”) which relates directly or indirectly to the Processing of Shared Personal Data shall contact the relevant point of contact at the other party (the “assisting party”) specified at the start of this DPA as soon as possible and in any event within three (3) business days of receipt of the request providing a copy of the Data Subject Request and reasonable details of the circumstances giving rise to the request. The parties agree to provide reasonable assistance as is necessary to each other to enable them to comply with Data Subject Requests and to respond to any other queries or complaints from Data Subjects.
17.2. In addition to providing the information referred to in Section 17.1, the informing party shall inform the assisting party if it intends to disclose Shared Personal Data in response to a Data Subject Request and will provide the assisting party with the opportunity to respond before the Shared Personal Data is disclosed in response to a Data Subject Request.
17.3. Any party that receives correspondence from a supervisory authority or other data protection regulator which relates to the Processing of Shared Personal Data shall contact the relevant point of contact at the other party specified at the start of this DPA as soon as possible and in any event within three (3) business days of receipt of the request. The parties agree to provide reasonable assistance as is necessary to each other to enable them to respond to and comply with the correspondence from the supervisory authority or other data protection regulator.
18. DATA RETENTION AND DELETION
18.1. Each party shall retain the Shared Personal Data in accordance with their respective data retention policies.
Schedule 1 – Details of Processing for Connected Care Services
In this Schedule 1:
“Clinician” means a healthcare professional employed by a Customer.
“Cochlear” refers to either Cochlear Limited or one of its Affiliates, as applicable.
“Customer” means a clinic, hospital or distributor.
“Patient” means a person under the care of a Clinician.
1. Professional account to authenticate Customer prior to accessing a service

| Processing type: Customer staff – Professional account creation and management | |
|---|---|
| Subject matter of Processing | Customer staff’s professional account to log in to relevant Cochlear Services |
| Cochlear status | Independent Controller |
| Customer Status | None for this Processing by Cochlear. Customer may be an independent Controller for its own, separate Processing |
| Categories of data subjects | Customer staff (such as a clinician or surgeon) |
| Categories of personal data | Name, phone, email, clinic, country, language preference, profession, username, password |
| Special categories of personal data | None |
| Duration of Processing | For as long as the staff member has a user account with Cochlear in connection with the Services |

2. SmartNav

| Processing type 1: Patient implant registration | |
|---|---|
| Subject matter of Processing | If the surgeon elects the option to register the implant with Cochlear, the implant registration will be processed for warranty activation purposes. |
| Cochlear status | Independent Controller |
| Customer Status | None for this Processing by Cochlear. Customer may be an independent Controller for its own, separate Processing |
| Categories of data subjects | Patients |
| Categories of personal data | Name, date of birth |
| Special categories of personal data | Patient device information - serial number(s) of device(s), date of surgery, clinic or hospital, surgeon and/or audiologist |
| Duration of Processing | To complete the registration process |


| Processing type 2: Surgical and treatment purposes | |
|---|---|
| Subject matter of Processing | Processing to provide wireless, real-time, actionable intraoperative insights to support the navigation of electrode insertion, and (where a surgeon elects to do so) to transfer intraoperative data to a patient’s clinician, to update the clinician about the outcome of the surgery and provide the clinician with a baseline to program patients’ device(s) to improve hearing outcomes. |
| Cochlear status | Processor |
| Customer Status | Independent Controller (the clinic or the hospital, as applicable) |
| Categories of data subjects | Patients |
| Categories of personal data | Name, date of birth |
| Special categories of personal data | Surgical procedure and outcome information |
| Duration of Processing | 90 days from the date of surgery |


| Processing type 3: Storage and retrieval of patient’s surgical session (Session Archive) | |
|---|---|
| Subject matter of Processing | If a Customer requests Cochlear enable this capability, processing to securely store and make available for retrieval each patient’s surgical session. |
| Cochlear status | Processor |
| Customer Status | Independent Controller (the clinic or the hospital, as applicable) |
| Categories of data subjects | Patients and Professionals |
| Categories of personal data | Name, date of birth (patient) |
| Special categories of personal data | Surgical procedure and outcome information, patient device information, serial number of device(s), date of surgery, clinic or hospital, surgeon and/or audiologist |
| Duration of Processing | For as long as Session Archive is enabled and Nucleus SmartNav is used by Customer. |


| Processing type 4: Support of SmartNav app (Troubleshooting and diagnostics file) | |
|---|---|
| Subject matter of Processing | If the surgeon elects the option to send a Troubleshooting and diagnostics file to Cochlear, processing to investigate and resolve a user issue with the Nucleus SmartNav System. |
| Cochlear status | Processor |
| Customer Status | Independent Controller (the clinic or the hospital, as applicable) |
| Categories of data subjects | Patients and Professionals |
| Categories of personal data | Name, date of birth (patient) |
| Special categories of personal data | Surgical procedure and outcome information, patient device information, serial number of device(s), date of surgery, clinic or hospital, surgeon and/or audiologist |
| Duration of Processing | 90 days from the date of submission |

3. Cochlear Link

| Processing type 1: Patient device registration/account management | |
|---|---|
| Subject matter of Processing | Surgeon or clinician may register a patient’s implant with Cochlear through Cochlear’s registration cards or online via mCP. When a clinician subsequently performs fitting and adjustments in a “mapping session” of the sound processor, the sound processor will automatically be registered to the patient’s account with Cochlear via Cochlear Link. |
| Cochlear status | Independent Controller |
| Customer Status | None for this Processing by Cochlear. Customer may be an independent Controller for its own, separate Processing |
| Categories of data subjects | Patients |
| Categories of personal data | Name, phone, email, address, date of birth, gender |
| Special categories of personal data | Patient device information – serial numbers of device(s), date of surgery, activation date, clinic or hospital, surgeon and/or audiologist |
| Duration of Processing | For as long as the patient has a user account with Cochlear |


| Processing type 2: Synchronisation of patient cdx file | |
|---|---|
| Subject matter of Processing | The Cochlear Link application installed locally on Customer’s IT environment communicates with Cochlear’s cloud database. When a clinician completes a mapping session with the patient, the patient file is exported as a cdx file and uploaded to Cochlear’s cloud. This processing allows data to be transmitted to Cochlear to facilitate service and repair of a patient’s sound processor. Additionally, where enabled, if a patient is treated by more than one clinic, each clinic will have access to the up-to-date cdx file via Cochlear Link, at the request of the Customer. |
| Cochlear status | Joint Controller |
| Customer Status | Joint Controller |
| Categories of data subjects | Patients |
| Categories of personal data | Name, date of birth |
| Special categories of personal data | Intraoperative data (from surgery), implant make, model & serial number, MAP files, audiogram and patient notes |
| Duration of Processing | For as long as the Cochlear Link service is used by Customer |

4. my Cochlear Professional (mCP) Registration & Service Requests

| Processing type 1: Patient account creation/device registration/services/support | |
|---|---|
| Subject matter of Processing | Cochlear Processes Personal Data when a patient account is created (either by the patient or by a clinician on the patient’s behalf), and when a clinician registers a patient’s device with Cochlear. This information is received by Cochlear for patient account management, for warranty activation purposes for the Cochlear devices, and as a precursor to providing any service or support that is requested (as described under service and support below). |
| Cochlear status | Independent Controller |
| Customer Status | None for this Processing by Cochlear. Customer may be an independent Controller for its own, separate Processing |
| Categories of data subjects | Patients |
| Categories of personal data | Name, phone, email, address, date of birth, gender |
| Special categories of personal data | Patient device information – serial number(s) of device(s), date of surgery, activation date, clinic or hospital, surgeon and/or audiologist |
| Duration of Processing | For as long as the patient has a user account with Cochlear |


| Processing type 2: Service and support | |
|---|---|
| Subject matter of Processing | A request for service or support can be sent by a clinician to Cochlear via mCP; this may include a MAP. Cochlear will provide service and support as requested by the clinician on behalf of the patient. If provided, Cochlear may use the MAP to program the patient’s sound processor. |
| Cochlear status | Joint Controller |
| Customer Status | Joint Controller |
| Categories of data subjects | Patients |
| Categories of personal data | Patient name, phone, email, address, date of birth |
| Special categories of personal data | Patient device information (e.g., serial number), service/support request details, MAP |
| Duration of Processing | For as long as the patient has a user account with Cochlear |

5. Remote Check (accessed via mCP)

| Processing type 1: Patient account creation/management and analysis | |
|---|---|
| Subject matter of Processing | Patient requires Cochlear’s Nucleus Smart App to use Remote Check. The patient downloads Nucleus Smart App, creates an online Cochlear account, logs in and pairs their sound processor to the App. If the patient’s clinician determines the patient is suitable for enrolment in Remote Check and the patient agrees, the clinician will enrol them via mCP and Cochlear notifies the patient in the app that their clinician has enrolled them for Remote Check. The patient decides whether to run the Remote Check diagnostic tests at home and whether to share this information with their clinician (as described under data sharing with clinics below). |
| Cochlear status | Independent Controller |
| Customer Status | None for this Processing by Cochlear. Customer may be an independent Controller for its own, separate Processing |
| Categories of data subjects | Patients |
| Categories of personal data | Name, phone, email, address, date of birth, username, password |
| Special categories of personal data | None |
| Duration of Processing | For as long as the patient has a user account with Cochlear |

Processing type 2: Data sharing with clinics | |
---|---|
Subject matter of Processing | If the patient enables data sharing with their clinic, the results of the Remote Check diagnostic tests are shared with the patient’s clinician. The clinician reviews the results of the tests and decides whether or not the patient needs to come into the clinic for a check-up. The patient can unenrol from Remote Check or choose to disable sharing with their clinic. There is no integration between mCP or Remote Check and the patient’s electronic medical record held by their clinic. Clinicians have the option to independently export the raw results of the Remote Check via mCP for their own records. |
Cochlear status | Independent Controller |
Customer status | Independent Controller |
Categories of data subjects | Patients |
Categories of personal data | Name, date of birth |
Special categories of personal data | Remote Check diagnostic test results: implant site images, audiogram, questionnaires, impedance checks, speech in noise, hardware health and hearing usage data |
Duration of Processing | For as long as the patient has a user account with Cochlear |
Processing type 3: Clinic notifications to patients | |
---|---|
Subject matter of Processing | The clinician will record their decision (whether or not the patient needs to come into the clinic for a check-up) in Remote Check and also write a few lines to the patient. The patient will receive a notification in Nucleus Smart App, including the clinician’s notes to the patient, informing them of whether a visit to the clinic is required. |
Cochlear status | Processor |
Customer status | Controller |
Categories of data subjects | Patients |
Categories of personal data | See special categories below |
Special categories of personal data | The clinician’s decision about the patient and their accompanying notes to the patient |
Duration of Processing | The notes will be available and accessible until the patient directs Cochlear to stop sharing data with the Customer |
6. Remote Assist (CI)
Processing type 1: Patient account creation/management | |
---|---|
Subject matter of Processing | The patient requires Cochlear’s Nucleus Smart App to use Remote Assist. The patient downloads Nucleus Smart App, creates an online Cochlear account, logs in and pairs their sound processor to the App. In addition, the patient’s device must already be registered with Cochlear and the patient already associated to their clinic. |
Cochlear status | Independent Controller |
Customer status | None for this Processing by Cochlear. Customer may be an independent Controller for its own, separate Processing |
Categories of data subjects | Patients |
Categories of personal data | Name, phone, email, clinic, country, language preference, profession, username, password |
Special categories of personal data | Serial numbers of device(s), date of surgery, activation date(s), clinic or hospital, surgeon and/or audiologist |
Duration of Processing | For as long as the patient has a user account with Cochlear |
Processing type 2: Remote Assist session | |
---|---|
Subject matter of Processing | Cochlear does not process any Personal Data from the Remote Assist session |
7. Remote Assist (Acoustics)
Processing type 1: Patient account creation/management | |
---|---|
Subject matter of Processing | The patient requires Cochlear’s Baha Smart App to use Remote Assist. The patient downloads Baha Smart App, creates an online Cochlear account, logs in and pairs their sound processor to the App. In addition, the patient must be associated to their clinic (for example via their device being registered with Cochlear); this enables the clinician to select the patient for a Remote Assist session. |
Cochlear status | Independent Controller |
Customer status | None for this Processing by Cochlear. Customer may be an independent Controller for its own, separate Processing |
Categories of data subjects | Patients |
Categories of personal data | Name, phone, email, address, date of birth, username, password |
Special categories of personal data | Patient device information: serial number of device(s), activation date(s), clinic or hospital, audiologist, App ID |
Duration of Processing | For as long as the patient has a user account with Cochlear |
Processing type 2: Remote Assist session | |
---|---|
Subject matter of Processing | Cochlear does not process any Personal Data from the Remote Assist session |
8. Fitting Software
Cochlear’s range of fitting software (Custom Sound Pro, Baha Fitting Software and Osia Fitting Software) consists of on-premises applications, with patient Personal Data stored locally in the Customer’s IT environment. Personal Data is not Processed by Cochlear.
Schedule 2 – List of Sub-processors
Name of sub-processor | Salesforce |
---|---|
Nature of services/processing | Cochlear’s Customer Relationship Management and support ticket tracking system |
Storage location(s) | Germany |
Name of sub-processor | Amazon |
---|---|
Nature of services/processing | Amazon Web Services are used for Cochlear’s cloud infrastructure, including Cochlear’s storage of clinical data |
Storage location(s) | Ireland |
Name of sub-processor | Vonage |
---|---|
Nature of services/processing | Telecommunications provider to connect patients and Customer for Remote Assist. IP addresses are processed for the purposes of Customer support |
Location(s) of sub-processing | European Economic Area (including the UK) |
Name of sub-processor | Cochlear Affiliates |
---|---|
Nature of services/processing | Cochlear staff access to operate, manage and support the services, troubleshooting and system maintenance and upgrades, and to maintain corporate records of sales, complaints and other customer interactions, directly or with the support of dedicated service partners acting as sub-sub-processors |
Location(s) of sub-processing | Anywhere Cochlear Affiliates operate, including Australia (corporate headquarters) and Malaysia (customer support) |
Schedule 3 – Technical and Organisational Measures
Access Control in a Physical Sense
Cochlear shall take reasonable measures to prevent unauthorised persons from gaining physical access to the data processing systems used to process Customer data, by implementing physical controls including:
- an access control system (ID reader, magnetic card, chip card);
- keys;
- door locking (electric door openers etc.);
- security staff; and
- surveillance facilities (alarm system, Closed Circuit Television (CCTV) monitor)
Access Control to the IT System
Cochlear shall take reasonable measures to prevent data processing systems from being used without authorisation by implementing:
- strong password procedures (incl. special characters, minimum length, frequent change of passwords);
- two-factor authentication for remote access to internal IT systems; and
- automatic blocking (e.g. password or timeout).
Access control to Personal Data
Cochlear shall ensure that persons authorised to use the data processing system have access only to the data which they are authorised to access. Cochlear also employs the following access controls:
- differentiated access rights (profiles, roles, transactions and objects);
- reports on access used;
- access levels and access controls;
- log monitoring and alerting systems;
- change control procedures; and
- audit trails.
Transmission Control
Cochlear shall ensure that Personal Data cannot be read, copied, altered or removed without authorisation during electronic transfer or transport. To this end Cochlear shall implement:
- encryption/tunnelling (e.g. Virtual Private Network, VPN);
- login/password access control;
- logging; and
- transport security.
Availability control
Cochlear shall ensure that Personal Data is reasonably protected against accidental destruction or loss by implementing, as appropriate:
- backup procedures;
- mirroring of hard disks, e.g. RAID technology;
- uninterruptible power supply (UPS);
- remote storage;
- anti-virus and firewall systems; and
- disaster recovery plan.
Separation Control
Cochlear shall ensure that Personal Data collected for different purposes can be processed separately by implementing:
- segregation of functions (production/testing).
Schedule 4 – Standard Contractual Clauses
STANDARD CONTRACTUAL CLAUSES
Modules 1 and 2 of the Standard Contractual Clauses are incorporated by reference into this DPA and apply (as applicable) pursuant to Sections 8 and 13 of this DPA and as tailored and supplemented by the provisions in this Schedule 4 below. The Standard Contractual Clauses apply as follows in respect of Processing in Third Countries:
Module 2 of the Standard Contractual Clauses | Where Cochlear has the role of Processor |
Module 1 of the Standard Contractual Clauses | Where Cochlear has the role of Controller or Joint Controller |
Schedule 1 (Details of Processing) specifies the status (Controller, Joint Controller or Processor) of each party for the different Processing activities relating to Services that Cochlear provides for its Connected Care solutions.
With respect to the EU Standard Contractual Clauses 2021:
1. Optional Clause 7 is not used.
2. The optional second paragraph of Clause 11(a) is not used.
3. In respect to Clause 17 Governing Law: Option 1 is selected and the governing law is that of Ireland.
4. In respect to Clause 18 Choice of forum and jurisdiction: The courts of Ireland shall resolve any disputes arising from these Clauses.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Data exporter | |
---|---|
Name: | Customer (as defined in the Agreement) |
Address: | Customer’s address (as stated in the Agreement) |
Activities relevant to the data transferred under these Clauses: | As described in Schedule 1 |
By entering into the Agreement (which this DPA forms a part of) the data exporter will be deemed to have signed this Annex I thereby agreeing to (i) these Clauses, (ii) the UK Addendum to these Clauses below and (iii) the Switzerland Addendum to these Clauses below. | |
Role (controller/processor): | Controller |
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Data importer | |
---|---|
Name: | Cochlear Limited in its name and on behalf of its affiliated companies |
Address: | 1 University Avenue, Macquarie University NSW 2109 Australia |
Activities relevant to the data transferred under these Clauses: | As described in Schedule 1 |
By entering into the Agreement (which this DPA forms a part of) the data importer will be deemed to have signed this Annex I thereby agreeing to (i) these Clauses, (ii) the UK Addendum to these Clauses below and (iii) the Switzerland Addendum to these Clauses below. | |
Role (controller/processor): | As described in Schedule 1 |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
As described in Schedule 1.
Categories of personal data transferred
As described in Schedule 1.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
As described in Schedules 1 and 3.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
As described in Schedule 1.
Nature of the processing
As described in Schedule 1.
Purpose(s) of the data transfer and further processing
As described in Schedule 1.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As described in Schedule 1.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As described in Schedule 2.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The data exporter’s competent supervisory authority will be determined in accordance with the Data Protection Laws and Regulations.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The technical and organisational measures implemented are described in Schedule 3.
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
Those sub-processors listed in Schedule 2.
UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (v B1.0)
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
By entering into the Agreement (which this DPA forms a part of), the Parties agree to the format of this Part 1: Tables set out below.
Table 1: Parties
The start date of this Addendum is the same as the start date of the Addendum EU SCCs. The Parties’ details are as set out in Annex I.A of this Schedule 4 above.
Table 2: Selected SCCs, Modules and Selected Clauses
The Addendum EU SCCs are the version of the Approved EU SCCs incorporated into this DPA (as tailored and supplemented by the provisions at the start of this Schedule 4 above) which this Addendum is appended to, including the Appendix Information (as defined below).
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out at the start of this Schedule 4 above.
Table 4: Ending this Addendum when the Approved Addendum Changes
Neither Party may end this Addendum as set out in Section 19.
Alternative Part 2 Mandatory Clauses
Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
Switzerland Addendum to the EU Commission Standard Contractual Clauses [1]
This Addendum applies to and is a part of the Clauses.
The Parties agree that the following provisions shall apply with respect to data transfers that are governed by Switzerland’s Federal Act on Data Protection (“FADP”), e.g. personal data transferred by a data exporter from Switzerland to a data importer outside of Switzerland (including personal data located in Switzerland that a data exporter makes accessible to the data importer) (the “Swiss Personal Data”):
(i) Reference to the competent supervisory authority in Annex I.C under Clause 13 shall be deemed to refer to the Federal Data Protection and Information Commissioner (“FDPIC”);
(ii) References to Member State(s), the EU and the EEA shall be deemed to include Switzerland;
(iii) The list of data subjects and categories of data indicated in Annex I.B to the Clauses shall not be deemed to restrict the application of the Clauses to the Swiss Personal Data;
(iv) References to (articles in) the EU General Data Protection Regulation 2016/679 shall be deemed to refer to (equivalent articles in) the FADP;
(v) Where the Clauses use terms that are defined in the EU General Data Protection Regulation 2016/679, those terms shall be deemed to have the meaning as the equivalent terms are defined in the FADP; and
(vi) Until such date as the revised FADP enters into force in Switzerland (removing FADP protection for data pertaining to legal entities), the term “personal data” shall be deemed to include information relating to an identified or identifiable legal entity.
[1] This Addendum applies Option 1 as described in the FDPIC’s recognition of the EU Commission Standard Contractual Clauses dated 27 August 2021.
Turkish Standard Contractual Clauses Addendum
This Addendum applies to and is a part of the Connected Care Data Processing Agreement.
Personal data transfers by a data exporter from Turkey to a data importer outside of Turkey (including personal data located in Turkey that a data exporter makes accessible to the data importer) (the “Turkish Personal Data”) are governed by the Turkish Law on Protection of Personal Data No. 6698 of 7 April 2016, as amended on 12 March 2024 (“Turkish DPA”), and the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) published in the Official Gazette on 10 July 2024. Module 1 and Module 2 of the Turkish Standard Contractual Clauses apply by reference to transfers from the Turkish data controller to data controllers and data processors abroad, respectively, whereby:
- Option 1 in art. 8 applies;
- the optional wording in art. 10.a) is retained;
- in art. 16 the obligation to notify the authority lies with the data exporter; and
- the information required in Annexes I, II and III to the Turkish Standard Contractual Clauses is provided above in Schedule 4 of this Connected Care Data Processing Agreement.
Reference to the competent supervisory authority shall be deemed to refer to the Turkish data protection authority, Kişisel Verileri Koruma Kurumu.
Publication date: 22/01/2025
D1966753 V3 2024-08