Data Processing Addendum

This Data Processing Addendum ("DPA") is effective upon the earlier of your clicking "Accept" to the Terms and Conditions (the "Terms") or your use of any of the Services and forms part of the Terms between HTP DIGITAL LTD through Panacea Platform ("Panacea") and the entity entering the Terms as a Business Partner ("Business Partner").

This DPA is supplemental to the Terms and sets out the roles and obligations that apply when PANACEA processes Personal Data falling within the scope of the GDPR on behalf of Business Partner in the course of providing the Services.

All capitalized terms not defined in this DPA shall have the meanings set forth in the Terms.

1. Definitions

1.1 For the purposes of this DPA:

  1. "EEA" means the European Economic Area.
  2. "GDPR" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  3. "Terms" means the Terms and Conditions or other written or electronic agreement between PANACEA and Business Partner setting out the provision and use of the Platform's Services.
  4. The terms "Controller", "Processor", "Personal Data", "processing", "special categories of data" and "Data Subject" have the meanings given to them in the GDPR.
  5. “Platform” means the Platform operated by PANACEA, accessible from (LINK)

2. Applicability of DPA

2.1 Applicability.
This DPA will apply onwards to the extent that PANACEA processes Personal Data falling within the scope of the GDPR on behalf of Business Partner in the course of providing the Services.

3. Roles and Responsibilities

3.1 Roles of the Parties.
This DPA governs the services where PANACEA processes data on behalf of the Business Partner. To that extent, and in relation to such services, Business Partner is the Data Controller of the Personal Data described in Annex A and PANACEA shall process the Personal Data as a Data Processor acting on behalf of Business Partner.

3.2 Business Partner Processing of Personal Data.
Business Partner shall be responsible for: (a) Complying with all applicable laws relating to privacy and data protection in respect of its use of the Services, its processing of the Personal Data, and any processing instructions it issues to PANACEA; (b) Ensuring it has the right to transfer, or provide access to, the Personal Data to PANACEA for processing pursuant to the Terms and this DPA; and

3.3 PANACEA Processing of Personal Data.
PANACEA shall process the Personal Data for the purposes set out in Annex A and in accordance with the lawful, documented instructions of Business Partner (including the instructions of any users accessing the Platform's Services on Business Partner's behalf) as set out in the Terms, this DPA or otherwise in writing.

4. Security

4.1 Security.
PANACEA shall implement appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (a "Security Incident").

4.2 Confidentiality obligations.
PANACEA shall ensure that any personnel that it authorizes to process the Personal Data shall be subject to a duty of confidentiality.

4.3 Security Incidents.
Upon becoming aware of a Security Incident affecting Personal Data processed by PANACEA, PANACEA shall notify Business Partner without undue delay. PANACEA shall make reasonable efforts to identify the cause of the Security Incident and to take such steps as PANACEA deems necessary and reasonable to mitigate the effects of such Security Incident, to the extent such efforts are within PANACEA's reasonable control. PANACEA shall make reasonable efforts to provide such information as Business Partner may reasonably require to enable Business Partner to fulfil any data breach reporting obligations under the GDPR.

5. Sub-processing

5.1 Sub-processors.
Business Partner agrees that PANACEA may engage PANACEA affiliates and third-party sub-processors (collectively, "Sub-processors") to process Personal Data on PANACEA's behalf provided that:

  1. PANACEA shall maintain an up-to-date list of Sub-processors which will be available upon request; and
  2. PANACEA imposes on such Sub-processors data protection terms that require them to protect the Personal Data to the standard required by applicable data protection laws.

6. International Transfers

6.1 International transfers.
To the extent that PANACEA transfers any Personal Data originating from the EEA to a country that has not been designated by the European Commission as providing an adequate level of data protection, it shall put in place such measures as are necessary to ensure such transfer is in compliance with the GDPR. Business Partner authorizes transfers of Personal Data to such destinations outside of the EEA subject to such appropriate safeguards having been put in place.

7. Cooperation

7.1 Data subject rights.
PANACEA shall, taking into account the nature of the processing, provide reasonable assistance to Business Partner insofar as this is possible, to enable Business Partner to respond to requests from data subjects seeking to exercise their rights under the GDPR. In the event such request is made directly to PANACEA, PANACEA shall promptly inform Business Partner of the same.

7.2 Data protection impact assessments.
PANACEA shall, taking into account the nature of the processing and the information available to it, provide reasonable assistance needed to fulfil Business Partner's obligation to carry out data protection impact assessments and prior consultations with supervisory authorities, to the extent required under the GDPR and to the extent Business Partner does not otherwise have access to the relevant information.

7.3 Provision of information and reports.
PANACEA shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this DPA by request to (email)

7.4 Audit.
Whilst it is the parties' intention ordinarily to rely on the provision of the documentation to verify PANACEA's compliance with this DPA, PANACEA shall permit the Business Partner (or its appointed third-party auditors) to carry out an audit of PANACEA's processing of Personal Data under the Terms following a Security Incident suffered by PANACEA, or upon the instruction of a data protection authority. Business Partner must give PANACEA reasonable prior notice of such intention to audit, conduct its audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to PANACEA's operations. Any such audit shall be subject to PANACEA's security and confidentiality terms and guidelines. If PANACEA declines to follow any instruction requested by Business Partner regarding audits, Business Partner is entitled to terminate this DPA and the Terms.

8. Return/Deletion of Data

8.1 Return or deletion of Personal Data.
Upon termination or expiry of the Terms, PANACEA shall delete or return to Business Partner the Personal Data (including copies) in PANACEA's possession. This requirement shall not apply to the extent that PANACEA is required by applicable law to retain some or all of the Personal Data.

9. Miscellaneous

9.1 Except as amended by this DPA, the Terms will remain in full force and effect.

9.2 Any claims brought under this DPA shall be subject to the Terms, including but not limited to the exclusions and limitations of liability set forth in the Terms.

9.3 If there is a conflict between this DPA and the Terms, in relation to data protection issues the DPA.

Annex A

Data Processing Description

This Annex A forms part of the Agreement and describes the processing that the processor will perform on behalf of the controller.

Controller

The controller is: The entity entering into an agreement with PANACEA for the provision of services provided through the Platform, referred to as "Business Partner" in the DPA.

Processor

The processor is:
PANACEA, a company incorporated under the laws of the Republic of Cyprus, which provides services through the Platform as per the Terms and other related services ("Services") to the Business Partner.

Data subjects

The personal data to be processed concern the following categories of data subjects:

  • Consumers and employees of the Business Partner: past, present and potential consumers and employees of the Business Partner located in the EEA whose Personal Data is submitted to the Services.
  • Other EEA individuals whose Personal Data is submitted to or processed through the Services on behalf of the Business Partner.

Categories of data

The personal data to be processed concern the following categories of data:

  • Contact information: such as names, email addresses, phone numbers, contact details
  • Prescription and prescription history, data received through the national health system platform.
  • Service information: such as details of the transactions undertaken through the platform, products/services purchased, date/time, payment amount/method, cancellation, refunds, communications with Business Partner etc.
  • Any other information that clients have provided to the Business Partner that is processed through the Services, the extent of which is determined and controlled by the Business Partner or consumer in their sole discretion

Special categories of data (if appropriate)

The personal data to be processed concern the following special categories of data (please specify):
PANACEA may collect or process any special categories of data such as health related data necessary for the provision of its Services.

Processing operations

The personal data will be subject to the following basic processing activities:

  • The provision, operation and delivery of the Services
  • Any other purposes pursuant to Business Partner's Terms with PANACEA