07. EHDS Guide | Model Contract for Data Processing

Model Contract for the processing of personal data within the EHDS framework

Section examples

Contracting parties: Between [data controller: company/public authority] and [data user: organization]

Subject matter: Processing of personal health data within the framework of the EHDS in accordance with the provisions of the GDPR and European regulations.

Obligations:

  • The data processor shall ensure compliance with all data protection requirements.
  • The data processor shall be trustworthy and shall receive regular training.
  • Access is permitted only to authorized persons.

Term & Termination: This contract shall take effect on [date] and may be terminated by either party with [X months'] notice. Upon termination, all personal data must be deleted immediately or secured in accordance with the contractual agreements.

Ensuring data security: The data processor shall take technical and organizational measures that comply with the requirements of the GDPR to ensure the confidentiality, integrity, and availability of the data.

Transfer and disclosure: Data shall be processed exclusively within the scope of this contract and may only be disclosed to authorized bodies if the consent of the persons concerned has been obtained.

Obligations in the event of data protection incidents: In the event of a data protection incident, the data processor shall immediately inform the responsible body and assist in remedying the situation.

IMPORTANT INFORMATION: If data is provided via a Health Data Access Body (HDAB), the framework conditions of the respective HDAB apply!

Access via HDAB

Data holders must take several specific steps in order to access the Health Data Access Body and provide data to it. These steps may vary depending on the specific requirements of the respective national or EU-supported Health Data Access Body, but typically include the following:

  • Registration: Register your company or institution with the relevant Health Data Access Body. This can be done online via their platform or portal.
  • Submission of the application: Complete the formal application, which includes information about your company, the purpose of the data provision, and the specific data you wish to provide.
  • Data description and specification: Provide a detailed description of the data, including its origin, format, structure, and content. Ensure that a complete specification is provided to facilitate interoperability.
  • Compliance with standards and protocols: Comply with all necessary technical standards and protocols required for data exchange, such as APIs or data exchange formats.
  • Security and data protection measures: Detail the security measures and data protection strategies that have been implemented. Demonstrate that data is protected and that privacy regulations are complied with (e.g., GDPR compliance).
  • Contractual agreement: Conclude all necessary contractual agreements, such as data processing agreements or terms of use.
  • Evaluation and approval: The Health Data Access Body will review the submitted information and may conduct an evaluation of the proposed data provision plans. If successful, you will receive approval or feedback with further instructions.
  • Technical connection: After approval, complete the technical integration to provide the data via the Body. This may include configuring interfaces and providing access points.
  • Use and monitoring: Once setup and data provisioning are complete, you can start using the access. Continuously monitor and manage access to ensure compliance with requirements.

Each Health Data Access Body may provide specific documentation or forms that detail the exact process and requirements. It is always advisable to check with the relevant authority or their official website for the latest guidelines and documentation.