EKO DATA SECURITY OFFICER: Jason Tugman
This GDPR Data Processing Addendum (“DPA”) is entered into by and between the undersigned customer (“Customer”) and Eko Devices, Inc., a Delaware corporation, having its principal place of business at 1212 Broadway Suite 100, Oakland, CA 94612 (“Eko”) and is effective as of the last date appearing on the signature block below (the “Effective Date”). Customer and Eko are referred to herein collectively, as the “Parties” and individually, as a “Party.”
In the course of providing services (“the Services”) to Customer described in and pursuant to the Master Services Agreement (“Underlying Agreement”) between the Parties, Eko may Process Personal Data as identified in the Attachments. The Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. This DPA shall not replace any comparable or additional rights relating to Processing of Customer Data contained in the Underlying Agreement (including any existing data processing addendum to the Underlying Agreement). However, this DPA will control over any conflicting terms set forth in the Underlying Agreement.
I. Definitions.
II. Status of Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data that Customer transmits to Eko, Customer is the Data Exporter and a Controller, Eko is a Data Importer, Processor, and a Controller. Eko may engage Sub-Processors pursuant to the requirements set forth below. This DPA incorporates and is intended to comply with the Standard Contractual Clauses set forth in Commission Implementing Decision (EU) 2021/914 pursuant to Regulation (EU) 2016/679.
III. Purpose and Scope. The subject-matter of Processing of Personal Data, the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data to be Processed, the Sub-Processors, and categories of Data Subjects subject to Processing under this DPA are specified in the Attachments. When Eko is functioning as a Processor, Eko shall process the Personal Data only for the purpose(s) and duration set forth in Attachment A, unless on further instructions from Customer.
IV. Controller-to-Processor Transfers. The following terms apply to Controller-Processor Transfers:
a. Customer Obligations.
b. Eko Obligations.
c. Onward Transfers. Eko shall only disclose the Personal Data to a Third Party on documented instructions from Customer. Personal Data may only be disclosed to a Third Party located outside the European Union (in the same country as Eko or in another third country, hereinafter “Onward Transfer”) if the Third Party is or agrees to be bound by the Standard Contractual Clauses, under the appropriate Module, or if:
Any Onward Transfer is subject to compliance by Eko with all the other safeguards under this DPA, in particular, purpose limitation.
d. Sub-Processors.
e. Documentation.
f. Data Protection Impact Assessment. Upon Customer’s request, Eko shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a Data Protection Impact Assessment (“DPIA”) related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Eko. Eko shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section, to the extent required under the GDPR. To the extent legally permitted, Customer shall be responsible for any costs arising from Eko’s provision of such assistance.
V. Controller-to-Controller Transfers. The following terms apply to Controller-to-Controller transfers:
a. Customer Obligations.
i. Customer represents and warrants that, during transmission, it shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a Personal Data Breach.
b. Eko Obligations.
i. Eko shall Process the Personal Data only for the specific purpose(s) of the transfer, as set forth in Attachment B. Notwithstanding the foregoing, Eko may only Process Personal Data for another purpose not identified in Attachment B where:
ii. Unless the Data Subject already possesses the information, including when such information is provided by Customer, or providing the information would be impossible or would involve a disproportionate effort for Eko, Eko shall inform Data Subjects of:
iii. Eko shall retain the Personal Data for no longer than necessary for the purpose(s) for which it is Processed. Eko shall put into place appropriate technical and organizational measures to ensure compliance with this obligation, including erasure or anonymization of Personal Data, where appropriate, and all back-ups at the end of the retention period.
iv. With state of the art, costs of implementation, the nature, scope, context, and purpose(s) of Processing and the risks to Data Subjects in mind, Eko shall maintain appropriate technical and organizational measures for protection of the security (including protection against a Personal Data Breach), confidentiality and integrity of Personal Data, including, at minimum, those set forth in Attachment C.
v. Eko shall ensure that persons authorized to process the Personal Data on behalf of Eko (i) are informed of the confidential nature of the Personal Data, (ii) have received appropriate training on their responsibilities, (iii) are granted minimum necessary access to Personal Data for the implementation, management, and monitoring of the Underlying Agreement; and (iv) have executed written confidentiality agreements.
vi. Eko shall notify Customer without undue delay if Eko becomes actually aware of a Personal Data Breach. Eko shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. If a Personal Data Breach of which Eko is aware is likely to result in a risk to the rights and freedoms of natural persons, Eko shall, without undue delay, notify both Customer and the competent Supervisory Authority pursuant to Section XI.
vii. Eko shall, where a Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons, notify without undue delay the Data Subjects concerned. This notification should include the information set forth in Section XI unless Eko has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or the notification would involve disproportionate efforts for Eko, in which case Eko shall instead issue a public communication.
viii. Eko shall, in the event of a Personal Data Breach, document all relevant facts and keep a record of effects and any remedial action taken.
ix. Eko shall ensure that any person acting under its authority, including a Processor, Processes the Personal Data only on its instruction.
c. Obligations of the Parties.
i. Either Party shall, upon request of a Data Subject, make a copy of this Agreement, including the Attachments, available to Data Subjects free of charge. To the extent necessary to protect business secrets or other confidential information, either Party may redact part of this Agreement prior to sharing a copy with the Data Subject, but shall provide a meaningful summary where the Data Subject would not otherwise be able to understand the content of this Agreement or exercise their rights. Upon request of a Data Subject, either Party shall provide, to the extent possible and without revealing the redacted information, the reason for any redaction.
ii. If either Party becomes aware that the Personal Data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
iii. Each Party shall ensure that the Personal Data is accurate and, where necessary, kept up to date. Each Party shall take every reasonable step to ensure that Personal Data that is inaccurate, having regard to the purpose(s) of the Processing, is erased or rectified without undue delay.
iv. Each Party shall ensure that the Personal Data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of Processing.
d. Data Subject Rights.
i. Eko shall respond to requests from Data Subjects relating to the Processing of Personal Data and the exercise of their rights under this DPA without undue delay and, at the latest, within one (1) month of receipt of the inquiry or request. Eko shall take appropriate measures to facilitate such inquiries, requests and the exercise of Data Subject rights. Eko shall respond to Data Subject requests in an intelligible and easily accessible form, using clear and plain language.
ii. Upon request by the Data Subject, Eko shall, free of charge:
iii. Eko shall cease Processing Personal Data for direct marketing purpose(s) where a Data Subject objects to it.
iv. Eko shall not make a decision based solely on the automated Processing of the Personal Data transferred (hereinafter, an “automated decision”), which would produce legal effects concerning the Data Subject or similarly significantly affect the Data Subject, unless with the explicit consent of the Data Subject or if authorized to do so under the laws of the country of destination, provided that such laws provide suitable measures to safeguard the Data Subject’s rights and legitimate interests. Where necessary in cooperation with Customer, Eko shall:
v. Eko may, where requests from a Data Subject are excessive or repetitive, charge a reasonable fee, taking into account the administrative costs of granting the Data Subject’s request, or refuse to act on the request.
vi. Eko may refuse a Data Subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/279. Eko shall inform the Data Subject of the reasons for the refusal and the possibility of lodging a complaint with the competent Supervisory Authority and/or seeking judicial redress.
e. Onward Transfers. Eko shall not disclose Personal Data to a Third Party located outside the EU unless the Third Party is or agrees to be bound by the Standard Contractual Clauses, under the appropriate Module, or if:
i. The Onward Transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covered the Onward Transfer;
ii. The Third Party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the Processing in question;
iii. The Third Party enters into a binding instrument with Eko ensuring the same level of data protection as under this DPA, and Eko provides a copy of these safeguards to Customer;
iv. The Onward Transfer is necessary for the establishment, exercise, or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings;
v. The Onward Transfer is necessary in order to protect the vital interest of the Data Subject or of another natural person; or
vi. Where none of the other conditions apply, Eko has obtained the explicit consent of the Data Subject for an Onward Transfer in a specific situation, after having informed the Data Subject of the purpose(s) of the transfer, the identity of the recipient and the possible risks of such transfer to the Data Subject due to the lack of appropriate data protection safeguards. In the event Eko makes use of this condition, Eko shall inform Customer and, upon Customer’s request, shall transmit a copy of the information provided to the Data Subject.
Any Onward Transfer is subject to compliance by Eko with all the other safeguards under this DPA, in particular, purpose limitation.
f. Documentation.
i. Each Party shall be able to demonstrate compliance with its obligations under this DPA.
ii. Eko shall keep appropriate documentation of the Processing activities carried out under its responsibility.
iii. Eko shall make documentation available to the competent Supervisory Authority upon request.
VI. Sensitive Data. Where the transfer of Personal Data from Customer to Eko reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (“Sensitive Data”), Eko shall apply the specific restrictions and/or additional safeguards set forth in the Attachments.
VII. Supervision.
a. The Supervisory Authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 with regards to the Processing of Personal Data under the Underlying Agreement and this DPA will act as competent Supervisory Authority.
b. Eko agrees to submit itself to the jurisdiction of and cooperate with the competent Supervisory Authority in any procedures aimed at ensuring compliance with this DPA. In particular, Eko agrees to respond to inquiries, submit to audits and comply with the measures adopted by the Supervisory Authority, including remedial and compensatory measures. Eko shall provide the Supervisory Authority with written confirmation that any necessary actions have been taken.
VIII. Liability.
a. Each Party shall be liable to the other for any damages it causes the other Party by any breach of this Agreement.
b. Eko shall be liable to the Data Subject, and the Data Subject shall be entitled to receive compensation, for any material or non-material damages Eko or its Sub-Processor causes the Data Subject by breaching the third-party beneficiary rights under this DPA.
c. With respect to Controller-Processor Transfers ONLY, and notwithstanding paragraph (b) of this Section, Customer shall be liable to the Data Subject, and the Data Subject shall be entitled to receive compensation, for any material or non-material damages Customer or Eko (or its Sub-Processor) causes the Data Subject by breaching the third-party beneficiary rights under this DPA. This is without prejudice to the liability of Customer.
d. With respect to Controller-Processor Transfers ONLY, the Parties agree that if Customer is held liable under this DPA for damages caused by Eko (or its Sub-Processor), Customer shall be entitled to indemnification from Eko for the part of the compensation corresponding to Eko’s responsibility for the damage.
e. Where more than one Party is responsible for any damage caused to the Data Subject as a result of a breach of this DPA, all responsible Parties will be jointly and severally liable and the Data Subject is entitled to bring an action in court against any of these Parties.
f. The Parties agree that if one Party is held liable under paragraph (e) of this Section, the liable Party shall be entitled to indemnification from the other Party for the compensation relating to their responsibility for the damage.
g. Eko will not invoke the conduct of a Sub-Processor to avoid its own liability.
IX. Redress.
a. Eko shall inform Data Subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. Eko shall promptly address any complaints it receives from a Data Subject.
b. In the case of a dispute between a Data Subject and one of the Parties regarding compliance with this DPA, that Party shall use its best efforts to resolve the issue amicably and in a timely fashion. Each Party shall keep the other Party informed about such disputes and, where appropriate, cooperate in resolving them.
c. Where the Data Subject invokes a third-party beneficiary right pursuant to this DPA, Eko shall accept the decision of the Data Subject to:
d. The Parties accept that the Data Subject may be represented by a not-for-profit body, organization or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
e. Eko shall abide by a decision that is binding under the applicable EU or Member State law.
f. Eko agrees that the choice made by the Data Subject will not prejudice their substantive and procedural rights to seek remedies in accordance with applicable laws.
X. Data Transfer. Customer hereby consents to the transfer of Personal Data to, and the Processing of Personal Data in, the United States of America. When making such transfers, Eko shall ensure appropriate protection is in place to safeguard the Personal Data transferred in connection with the Underlying Agreement and this DPA.
XI. Breach.
a. In the event of a Personal Data Breach concerning Personal Data Processed by Eko under this DPA, Eko shall take appropriate measures to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
b. In the event of a Personal Data Breach concerning Personal Data Processed by Eko that is likely to result in a risk to the rights and freedoms of natural persons, Eko shall, without undue delay, notify Customer and the competent Supervisory Authority. Such notification shall at least:
c. With respect to Controller-Processor Transfers, Eko shall cooperate and assist Customer to enable Customer to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent Supervisory Authority and the affected Data Subjects, taking into account the nature of Processing and the information available to Eko.
d. With respect to Controller-Controller Transfers and in the event of a Personal Data Breach that is likely to result in a high risk to the rights and freedoms of natural persons, Eko shall notify, without undue delay, the Data Subjects of the Personal Data Breach and its nature, if necessary, in cooperation with Customer. This notification must include the information referred to in paragraph (b), points i. to iv., unless Eko has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts, in which case Eko shall issue a public communication. Eko shall document all relevant facts relating to the Personal Data Breach, including its effects and any remedial action taken, and keep a record thereof.
XII. Local Laws.
a. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the Processing of Personal Data by Eko, including any requirements to disclose Personal Data or measures authorizing access by public authorities, prevent Eko from fulfilling its obligations under the Underlying Agreement or this DPA.
b. The Parties declare that in providing the warranty in paragraph (a) of this Section, they have taken due account in particular of the following elements:
XIII. Request from Public Authority; Notification.
a. Eko shall notify Customer and, where possible, the Data Subject, promptly if it:
b. If Eko is prohibited from notifying Customer and/or the Data Subject under the laws of the country of destination, Eko agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Eko agrees to document its best efforts in order to be able to demonstrate them on request of Customer.
c. Where permissible under the laws of the country of destination, Eko agrees to provide Customer, at regular intervals for the duration of the Underlying Agreement and this DPA, with as much relevant information as possible on the requests received (in particular, the number of requests, type of data requested, requesting authority, and whether requests have been challenged and the outcome of such challenges).
d. Eko shall preserve the information pursuant to paragraphs (a) to (c) for the duration of the Underlying Agreement and this DPA and make it available to the competent Supervisory Authority on request.
e. Eko shall promptly notify Customer where it is unable to comply with this Section.
f. Eko shall review the legality of the public authority request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. Eko shall, under the same conditions, pursue possibilities of appeal. When challenging a request, Eko shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. Eko shall not disclose the Personal Data requested until required to do so under applicable procedural rules.
g. Eko agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to Customer.
h. Eko shall provide the minimum amount of information necessary when responding to a request for disclosure, based on a reasonable interpretation of the request.
XIV. Third-party Beneficiaries.
a. Data Subjects may invoke and enforce the provisions of this DPA, as third-party beneficiaries, against Customer and Eko with the following exceptions:
b. Paragraph (a) is without prejudice to rights of Data Subjects under Regulation (EU) 2016/679.
XV. Non-Compliance and Termination.
a. Eko shall promptly inform Customer if it is unable to comply with this DPA, for whatever reason.
b. In the event Eko is in breach or is unable to comply with the terms of this DPA, Customer shall suspend the transfer of Personal Data to Eko until compliance is again ensured or this DPA and the Underlying Agreement are terminated.
c. Customer shall be entitled to terminate the Underlying Agreement and this DPA, insofar as it concerns the Processing of Personal Data under this DPA, where:
d. Personal Data that has been transferred prior to the termination of the Underlying Agreement and this DPA must, at the option of Customer, be immediately returned to Customer or deleted in its entirety. Copies of the Personal Data must also be immediately returned or deleted. Until the Personal Data is deleted or returned, Eko shall continue to ensure compliance with this DPA. In the event that local laws applicable to Eko prevent the return or destruction of Personal Data, Eko will continue to protect the Personal Data in accordance with this DPA and will only Process the Personal Data to the extent and for as long as required under that applicable law.
e. Either Party may revoke its agreement to be bound by this DPA where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of Personal Data to which this DPA applies, or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the Personal Data is transferred.
XVI. Severability. All rights and restrictions contained herein may be exercised and shall be applicable and binding only to the extent that they do not violate any applicable laws and are intended to be limited to the extent necessary so that they will not render this DPA illegal, invalid or unenforceable. If any term of this DPA shall be held to be illegal, invalid or unenforceable by a court of competent jurisdiction, it is the intention of the Parties that the remaining terms hereof shall constitute their agreement with respect to the subject matter hereof, and all such remaining terms shall remain in full force and effect.
XVII. Governing Law; Forum.
a. This DPA shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the EU Member State where Customer is located at the time of the data transfer.
b. Any dispute arising from this DPA shall be resolved by the courts of the EU Member State where Customer is located at the time of the data transfer.
c. A Data Subject may also bring legal proceedings against Customer or Eko before the courts of the EU Member State in which the Data Subject has habitual residence.
d. The Parties agree to submit themselves to the jurisdiction of such courts.
XVIII. Order of Precedence. This DPA does not include GDPR requirements that are already required by HIPAA—this DPA shall be considered together with the Business Associate Agreement and, where GDPR is implicated, both shall form a part of the Underlying Agreement. In the event of a conflict between the Business Associate Agreement and the DPA, the requirement that is most protective of individual privacy shall prevail. Nothing in this DPA reduces Eko’s obligations under the Underlying Agreement or the Business Associate Agreement. In the event of any conflict or inconsistency between this DPA and the standard clauses of the Underlying Agreement, the Underlying Agreement shall prevail.
Attachment A
This Attachment A includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
CONTROLLER-TO-PROCESSOR PROCESSING
Parties:
Data Exporter (Customer):
Name: The name of Customer is the name provided upon creating an account in the Eko.
Customer’s Address and Contact Details are those Customer provided at the time Customer’s Eko Device(s) were ordered. To update Customer’s contact details, please contact Eko at contact@Ekohealth.com.
Role: Processor
Data Importer (Eko):
Name: Eko Devices, Inc.
Address: 1212 Broadway
Suite 100
Oakland, CA 9461
Contact: Jason Tugman
Eko Director of Information Technology & Data Security Officer
Privacy@ekohealth.com
Role: Processor
Subject matter and duration of the Processing of Personal Data
Subject Matter: Eko collects the following data: heart sounds, lung sounds, ECG data, diagnosed condition, mobile device accelerometer data, average heart rate, the location on the body where the recording was taken, local time, and geographic location of data acquisition.
Duration of Processing: Personal Data processing shall not exceed the duration of Personal Data retention described below.
The nature and purpose of the Processing of Customer Personal Data
The software is provided in order to:
The types of Customer Personal Data to be Processed
Eko will process account information, physiologic and usage data, and data pertaining to support inquiries.
The types of Sensitive Data to be Processed (if applicable) and applied restrictions or safeguards
Eko will process special categories of Personal Data including data concerning the health of the patient. Eko has implemented and shall maintain all reasonable and necessary technical and physical security controls to protect these data. Specific information on these protections is listed in Attachment C Description of Security Controls section of this document.
The categories of Data Subject to whom the Personal Data relates
Personal Data relates to patients.
The period for which Personal Data will be retained
We store your Personal Data for as long as the account is maintained and up to five (5) years after the account is closed. At the end of this five-year period, we may remove the Personal Data from the Eko databases and will request that our business partners remove the associated Personal Data from their databases. When we delete any information, it will be deleted from the active database, but may remain in our archives. However, once we disclose Personal Data to third parties, we may not be able to access that Personal Data any longer and cannot force the deletion or modification of any such information by the parties to whom we have made those disclosures. Written requests for deletion of Personal Data other than as described should be directed to privacy@ekohealth.com. We retain anonymized data indefinitely.
Eko’s activities relevant to the Personal Data Processed under this DPA
Where permitted by law, Eko uses Personal Data to:
Customer’s activities relevant to the Personal Data Processed under this DPA
Where permitted by law, the Customer uses Personal Data to:
SUB-PROCESSORS
Customer has authorized the use of the following Sub-Processors:
*EKO DOES NOT EXPORT CUSTOMER DATA. Customer’s use of the Service to export data outside the U.S. does not constitute an export by Eko.
Attachment B
This Attachment B includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
CONTROLLER-TO-CONTROLLER PROCESSING
Parties:
Data Exporter (Customer):
Name: The name of Customer is the name provided upon creating an account in the Eko Services.
Customer’s Address and Contact Details are those Customer provided at the time Customer’s Eko Device(s) were ordered. To update Customer’s contact details, please contact Eko at contact@ekohealth.com.
Role: Controller
Name: Eko Devices, Inc.
Address: 1212 Broadway
Suite 100
Oakland, CA 9461
Contact: Jason Tugman
Eko Director of Information Technology & Data Security Officer
privacy@ekohealth.com
Role: Controller
Subject matter, duration, and frequency of the Processing of Personal Data
Subject Matter: Eko collects the following data: heart sounds, lung sounds, ECG data, diagnosed condition, mobile device accelerometer data, average heart rate, the location on the body where the recording was taken, local time, and geographic location of data acquisition.
Duration of Processing: Personal Data processing shall not exceed the duration of Personal Data retention described below.
The nature and purpose of the Processing of Customer Personal Data
The software is provided in order to:
The types of Customer Personal Data to be Processed
Eko will process account information, physiologic and usage data, and data pertaining to support inquiries.
The types of Sensitive Data to be Processed (if applicable) and applied restrictions or safeguards
Eko will process special categories of Personal Data including data concerning the health of the patient. Eko has implemented and shall maintain all reasonable and necessary technical and physical security controls to protect these data. Specific information on these protections is listed in Attachment C Description of Security Controls section of this document.
The categories of Data Subject to whom the Personal Data relates
Personal Data relates to patients.
The period for which Personal Data will be retained
Eko retains Personal Data for as long as an account is active and for up to five (5) years after the account is closed.
Eko’s activities relevant to the Personal Data Processed under this DPA
Where permitted by law, Eko uses Personal Data to:
Customer’s activities relevant to the Personal Data Processed under this DPA
Where permitted by law, the Customer uses Personal Data to:
Attachment C
DESCRIPTION OF SECURITY CONTROLS
SUPERVISORY AUTHORITY
The competent Supervisory Authority under the Underlying Agreement and this DPA shall be the Supervisory Authority as defined in the EU GDPR.