Data Protection

Objectives And Guiding Principles

The objective of these Data Protection Terms (“DPA”) is to establish the rules governing ccRDR-HCV’s collection, use, storage, protection, and disclosure of Customer-Patient Data on your behalf to provide the Services to you.
The guiding principles of this DPA are those found in applicable privacy laws, including the collection, use, and disclosure of the least amount of Personal Information necessary to provide the Services.

You hereby appoint ccRDR-HCV as your service provider for the purposes of providing you with the Services in accordance with the Terms, including this DPA, and we hereby accept such appointment.
ccRDR-HCV may collect Customer-Patient Data from you, your employees and representatives, and Validators as necessary for the purposes of providing the Services.
ccRDR-HCV acknowledge and agree that Customer-Patient Data shall remain in your control and that we acquire no independent right to the Customer Data.

Not use the Customer Data for any purpose other than as necessary to perform the Services,
Not disclose the Customer-Patient Data to any person except as necessary to provide the Services, as expressly permitted or instructed you or as required by applicable laws,
Use reasonable physical, organizational, and technological security measures in accordance with requirements of privacy laws to protect Customer-Patient Data against loss or theft and unauthorized access, use, or disclosure,
Restrict access to Customer-Patient Data to only those authorized employees and permitted agents and subcontractors that require access to such information to fulfill their job requirements and that are subject to obligations of confidentiality and data protection consistent with those of this DPA, and
Inform you as soon as practical after becoming aware of any unauthorized access to, or use or disclosure of, Customer-Patient Data (“Incident”), provide you with relevant particulars of the Incident, and work with you to take reasonable steps to contain and remediate the Incident.

ccRDR-HCV will work with you to promote and demonstrate compliance with privacy laws and this DPA.
ccRDR-HCV will provide reasonable information and cooperation to you and any regulatory or other governmental bodies or authorities with jurisdiction over you in connection with any investigations, audits, or inquiries.
ccRDR-HCV will provide reasonable information and documentation to you to allow you to verify our compliance with this DPA.
ccRDR-HCV will designate and identify to you an individual to be accountable for our compliance with this DPA.
ccRDR-HCV will not subcontract, assign or delegate to any third party our obligations with respect to the processing of Customer-Patient Data in connection with the Services without obtaining written contractual commitments of such third party substantially the same as those of this DPA.

ccRDR-HCV will refer all requests for access, correction or consent withdrawal, or variation to you and will provide reasonable assistance to you to allow you to respond to such requests in accordance with the requirements of privacy laws.
Retention and Destruction Of Customer-Patient Data
Upon termination of the Agreement or upon your request, ccRDR-HCV will delete your account and dispose of your Customer-Patient Data unless you ask us to return it or we are required to retain it to satisfy legal, regulatory, or audit requirements.

ccRDR-HCV will comply with privacy laws in providing the Services.
To the extent of any inconsistency between a provision in the Terms and in the DPA in respect of Customer-Patient Data, the provision in this DPA shall prevail.
This DPA shall survive termination of the Terms until the Customer-Patient Data is returned, disposed of, destroyed, or anonymized.