Data Processing Agreement

What this is

When your practice uses Medq to manage patient appointment and administrative information, your practice is the Data Controller and Medq is the Data Processor. Article 28 GDPR requires the controller and processor to enter into a written contract setting out the rules for that processing. The DPA is that contract.

Who signs

Your practice (as Data Controller) and Medq (as Data Processor). The administrator who subscribes on behalf of your practice accepts the DPA at the same time as the Terms of Service. Practices that prefer a wet signature can download the PDF, sign it, and send it back.

When it takes effect

The DPA takes effect on the date your practice subscribes to the paid Service (or the date of signature where signed separately). It remains in effect for the duration of the Service Agreement, and certain obligations (such as deletion of data and confidentiality) survive termination.

What the DPA covers

In summary, the DPA addresses:

• Documented instructions: Medq processes patient data only on the documented instructions of the practice
• Confidentiality: personnel and sub-processors are bound by confidentiality obligations
• Security: technical and organisational measures as described in Annex 2
• Sub-processors: the list is published, and changes are notified at least 30 days in advance
• Assistance with rights: Medq helps the practice respond to data subject rights requests and consultations
• Breach notification: Medq notifies the practice within 48 hours of becoming aware of a personal data breach
• Return and deletion: data is returned or deleted within 30 days after termination
• Audit rights: the practice may audit, with 30 days' notice, once per year, at its cost