General Terms and Conditions
for consumers (Part A) and business customers (Part B)
The General Terms and Conditions in Part A apply if the customer is a consumer. According to Section 13 of the German Civil Code (BGB), a consumer is any natural person who enters into a legal transaction for purposes that are predominantly neither commercial nor their independent professional activity.
The General Terms and Conditions in Part B apply exclusively to entrepreneurs, legal entities under public law, or special funds under public law within the meaning of Section 310 (1) BGB.
The following General Terms and Conditions (hereinafter referred to as “GTC”) apply to all business relationships between
DPV Analytics GmbH
represented by the managing directors Dr. Stephan Kranz and Dr. Philip Nölling, Schloßstrasse 12, 22041 Hamburg, VAT ID No.: DE320954971
Company headquarters: Hamburg, Register court: Hamburg Local Court, Register number: HRB 153940
– referred to as “DPV” in Parts A and B –
and the customer
– referred to as “Purchaser” in Part A and “Company” in Part B –
and jointly referred to as “Parties” in the version valid at the time of conclusion of the contract.
The contractor processes personal data on behalf of the client within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 – General Data Protection Regulation (‘GDPR’). This data processing agreement (‘Agreement’) specifies the data protection obligations of the contracting parties arising from the order data processing described in the main agreement. This Agreement applies to all activities related to the main agreement in which employees of the contractor or third parties commissioned by the contractor may come into contact with personal data provided by the client.
§ 1 Definitions
1.1 Personal data is all information provided by the client that relates to an identified or identifiable natural person (‘data subject’); a natural person is considered identifiable if they can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person (Art. 4 No. 1 GDPR).
1.2 Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distributing or otherwise making available, aligning or combining, restricting, erasing or destroying (Art. 4 No. 2 GDPR).
1.3 Instructions are all instructions given by the client to the contractor requesting the contractor to process personal data. The instructions are initially specified in the main contract and may subsequently be amended, supplemented or replaced by the client through individual instructions (‘individual instructions’).
1.4 The contractor’s external data protection officer is Prof. Dr. Christian Rauda, lawyer and specialist in information technology law, GRAEF Rechtsanwälte Digital PartG mbB, Jungfrauenthal 8, 20149 Hamburg.
§ 2 Subject matter of the contract, responsibility
The contractor offers the client the evaluation and medical assessment of long-term ECGs, which are transmitted to the contractor. The contractor processes the personal data on behalf of the client. The client is solely responsible for compliance with the statutory provisions of data protection laws, in particular for the legality of the transfer of personal data to the contractor and the legality of the processing thereof (‘controller’ within the meaning of Art. 4 No. 7 GDPR).
§ 3 Duration
The duration of this contract corresponds to the term of the main contract. The right to extraordinary termination remains unaffected by this.
§ 4 Scope, type and purpose of the intended processing of personal data
The scope, type and purpose of the processing of personal data by the contractor on behalf of the client are specifically described in the main contract and the service description.
§ 5 Type of data
The following types/categories of data are subject to processing (list/description of data categories):
Patient data
Health data
§ 6 Group of data subjects
The group of data subjects whose personal data is processed includes:
The client’s patients
§ 7 Correction, deletion, blocking and disclosure of data
7.1 The client may at any time during and after the termination of this contract or the main contract request the correction, deletion, blocking and disclosure of personal data within the scope of a lawful individual instruction.
7.2 The client shall determine the measures for the surrender of the data carriers provided and/or the deletion of the stored personal data after termination of the contract either contractually or by individual instruction.
§ 8 Technical and organisational measures
8.1 The contractor shall take technical and organisational measures to adequately protect personal data against misuse and loss in accordance with the requirements of Articles 24 and 32 of the GDPR. This includes, in particular, where appropriate:
– preventing unauthorised persons from accessing data processing equipment used to process and use personal data (access control),
– preventing data processing systems from being used by unauthorised persons (access control),
– ensuring that those authorised to use a data processing system can only access the data to which they have access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during and after processing (access control),
– ensuring that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or during its transport or storage on data carriers, and that it is possible to check and determine to which locations a transfer of personal data by data transmission facilities is intended (transfer control),
– ensuring that it is possible to subsequently check and determine whether and by whom personal data has been entered, modified or removed from data processing systems (input control),
– ensuring that personal data can only be processed in accordance with the client’s instructions (order control),
– ensuring that personal data is protected against accidental destruction or loss (availability control),
– ensuring that data collected for different purposes can be processed separately (separation control),
– pseudonymisation and encryption of personal data,
– the ability to ensure the confidentiality, integrity, availability and resilience of the systems and services related to processing on a permanent basis,
– the ability to quickly restore the availability of personal data and access to it in the event of a physical or technical incident,
– a procedure for regularly reviewing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.
8.2 The technical and organisational measures are subject to technical progress and further development. In this respect, the contractor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be compromised. Significant changes that could impair the integrity, confidentiality or availability of personal data must be documented.
§ 9 Instructions
9.1 The client has the right to issue individual instructions to the contractor at any time regarding the type, scope and procedure of the processing of personal data. Individual instructions must be given in writing.
9.2 The contractor may only process personal data within the scope of the main contract, this contract and individual instructions, unless the contractor is obliged to process the personal data under Union law or the law of the Member States.
9.3 Provisions regarding any compensation for additional expenses incurred by the contractor as a result of individual instructions from the client remain unaffected.
9.4 The contractor must inform the client of any exceptions to the obligation to follow instructions based on the law applicable to the contractor, unless this law prohibits such notification due to an important public interest.
§ 10 Other obligations of the contractor
10.1 The contractor shall appoint a data protection officer, where required by law, who can perform his duties in accordance with Articles 37, 38 and 39 of the GDPR. The contractor’s contact details shall be provided to the client upon request for the purpose of direct contact.
10.2 The contractor shall ensure that employees involved in the processing of personal data are bound to data secrecy (Article 29 GDPR) and have been instructed in the protective provisions of the GDPR. Data secrecy shall continue to apply even after the termination of the activity.
10.3 The contractor shall inform the client in the event of serious disruptions to operations, suspected data breaches or other irregularities in the processing of personal data. This also applies to any control measures and actions taken by the supervisory authority in accordance with Articles 51-59 GDPR or investigations in accordance with Articles 83 and 84 GDPR.
10.4 It is known that, pursuant to Art. 33 GDPR, the contractor may be subject to information obligations in the event of unlawful transmission or acquisition of certain personal data. Therefore, such incidents must be reported to the client immediately, regardless of the cause. The contractor’s report to the client must include the following information in particular:
– A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, the categories of personal data concerned and the approximate number of personal data records concerned;
– A description of the measures taken or proposed by the contractor to remedy the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
The contractor shall take appropriate measures to secure the data and to mitigate any possible adverse consequences for those affected.
10.5 The contractor is obliged to provide the client with information at any time if its data and documents are affected by a personal data breach. The contractor shall destroy material in accordance with data protection regulations on the basis of an individual order from the client at the client’s expense. In special cases, to be determined in writing by the client, the material shall be stored or handed over.
§ 11 Rights and obligations of the client
11.1 The client is solely responsible for assessing the permissibility of the processing of personal data and for safeguarding the rights of the data subjects.
11.2 The client must inform the contractor immediately and in full in writing if it discovers errors or irregularities with regard to data protection provisions when checking the order results.
11.3 The obligation to maintain the processing directory in accordance with Art. 30 GDPR lies with the client.
11.4 The client is responsible for the information obligations resulting from Art. 33 GDPR.
§ 12 Requests from data subjects
12.1 If the client is obliged under applicable data protection laws to provide information to an individual about the processing of their personal data, the contractor shall, to the extent necessary, assist the client in providing this information, provided that the client has requested the contractor to do so in writing.
12.2 The contractor shall inform the client if data subjects assert their rights as data subjects against the contractor.
§ 13 Cooperation with the supervisory authority
The client and the contractor, and their representatives where applicable, shall cooperate with the supervisory authority in the performance of its tasks upon request.
§ 14 Control obligations of the client
Before commencing data processing and thereafter at regular intervals, the client shall satisfy itself of the technical and organisational measures taken by the contractor and shall document the results. For this purpose, it may obtain self-disclosure from the contractor or have an audit carried out at its own expense. In the event of an audit, the client shall also bear the costs of the contractor’s employees who are required to participate in the audit.
§ 15 Subcontractors
15.1 The commissioning of subcontractors is possible within the scope of this contract and the activities specified in §§ 3, 4, 5, 6, provided that the contractor ensures that the subcontractor assumes the obligations arising from this contract towards the contractor. In particular, the requirements for confidentiality, data protection and data security specified in this contract apply.
15.2 The client shall be granted control and inspection rights in accordance with § 14. Upon written request, the client shall be entitled to obtain information from the contractor about the essential content of the contract and the implementation of the subcontractor’s data protection obligations, if necessary also by inspecting the relevant contract documents.
15.3 The subcontractors commissioned by the contractor are listed in Appendix 2. The contractor is entitled to commission further subcontractors, provided that they meet the requirements of Sections 15.1 and 15.2 and the contractor informs the client thereof and the client does not object in writing within seven days.
§ 16 Confidentiality obligation
The contractor is obliged to maintain confidentiality when processing personal data. The contractor undertakes to observe the same confidentiality rules as those incumbent on the client. The client is obliged to inform the contractor in writing of any special confidentiality rules.
§ 17 General provisions, duty to provide information, written form clause, choice of law
17.1 If personal data held by the contractor is at risk due to seizure or confiscation, insolvency or composition proceedings, or other events or measures taken by third parties, the contractor must inform the client immediately. The contractor shall immediately inform all parties responsible in this context that the sovereignty and ownership of the personal data lies exclusively with the client as the ‘controller’ within the meaning of the GDPR.
17.2 The processing of personal data shall take place exclusively in the territory of the Federal Republic of Germany, in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the client and may only take place if the special requirements of Articles 44, 45 and 46 GDPR are met. Insofar as the processing is carried out by a third party named in Appendix A, the client hereby gives its consent.
17.3 Amendments and additions to this contract and all its components – including any assurances made by the contractor – require a written agreement and an express reference to the fact that this is an amendment or addition to this contract. This also applies to any waiver of this formal requirement.
17.4 German law shall apply, with the exception of conflict of laws provisions.
17.5 The place of jurisdiction shall be the place of jurisdiction resulting from the main contract, provided that this is in the Federal Republic of Germany. Otherwise, the exclusive place of jurisdiction shall be the registered office of the contractor.
Appendix A to the AVV: List of subcontractors
1. ÜBAG Cardiologicum Hamburg GbR
2. TeamViewer Germany GmbH
3. Zoho Corporation GmbH
4. IONOS SE
5. Viakom GmbH
6. Microsoft Ireland Operations Ltd.
As of: 15 November 2024
- Conclusion of contract and contract information
The presentation and advertising of services in the online shop do not constitute a binding offer to conclude a contract, but serve to enable the customer to submit a binding offer to conclude a contract.
DPV will confirm receipt of the order in writing. Such confirmation does not constitute a binding acceptance of the order unless, in addition to confirming receipt, acceptance is also declared.
DPV stores the contractual provisions, including the General Terms and Conditions, upon conclusion of the contract in compliance with data protection regulations and sends them to the customer after the order has been placed in the form of a web link or by email.
The customer can view the contract text in their user account in the online shop, provided that the customer has set up a user account before sending the order. The order data is stored in the DPV system and can be viewed and accessed by the customer using their access data in the password-protected user account and stored in a reproducible form.
The contract is concluded in German. The customer must ensure that the email address provided for order processing is correct so that emails can be received at this address. In particular, when using spam filters, the customer must ensure that all emails sent by DPV or third parties commissioned with order processing can be delivered.
- Contract content and services provided
DPV evaluates ECG data from smart devices such as watches, scales and thermometers. The evaluation is carried out by medical technicians or doctors who are specially trained in the rhythmological evaluation of data. However, the evaluation does not constitute a medical service. The evaluation is not a medical diagnosis, but rather a possible suspicion. The evaluation is for informational purposes only and is neither suitable nor intended for decision-making in acute situations or for real-time monitoring of vital functions. Under no circumstances does our evaluation replace a personal medical diagnosis, consultation, care or treatment.
- Right of withdrawal
You have the right to withdraw from this contract within fourteen days without giving any reason.
The withdrawal period is fourteen days from the date of conclusion of the contract.
To exercise your right of withdrawal, you must inform us (DPV Analytics GmbH, Schloßstrasse 12, 22041 Hamburg, service@myritmo.de) of your decision to withdraw from this contract by means of a clear statement (e.g. a letter sent by post or an email). You can use the attached sample withdrawal form for this purpose, but this is not mandatory.
You can fill out and submit the sample withdrawal form. If you make use of this option, we will immediately send you (e.g. by e-mail) a confirmation of receipt of such a revocation.
To meet the revocation deadline, it is sufficient for you to send your notification of exercising your right of revocation before the revocation period expires.
Consequences of revocation
If you revoke this contract, we shall reimburse you for all payments we have received from you, including delivery costs (with the exception of additional costs resulting from your choice of a type of delivery other than the cheapest standard delivery offered by us), immediately and at the latest within fourteen days of the day on which we receive notification of your revocation of this contract. We will use the same means of payment for this refund as you used for the original transaction, unless expressly agreed otherwise with you; in no event will you be charged for this refund. If you have requested that the services should begin during the withdrawal period, you shall pay us a reasonable amount corresponding to the proportion of the services already provided up to the time you notify us of the exercise of the right of withdrawal with regard to this contract in comparison to the total scope of the services provided for in the contract. You must return or hand over the goods to us immediately and in any case no later than fourteen days from the day on which you notify us of the cancellation of this contract. The deadline is met if you send the goods before the expiry of the fourteen-day period.
Sample cancellation form
(If you wish to cancel the contract, please fill out this form and send it back.)
To DPV Analytics GmbH, Schloßstrasse 12, 22041 Hamburg, service@myritmo.de
– I/we (*) hereby withdraw from the contract concluded by me/us (*) for the purchase of the following goods (*)/the provision of the following service (*)
– Ordered on (*)/received on (*)
– Name of consumer(s)
– Address of consumer(s)
– Signature of consumer(s) (only for paper notifications)
– Date
__________
(*) Delete as applicable
- Delivery, delivery period and delay in delivery
Unless otherwise agreed between the parties, borrowed devices/hardware (‘equipment’) shall be sent by post to the delivery address specified by the customer. The delivery address specified by the customer when placing the order in the online shop shall be decisive.
- Transport damage and default of acceptance
In the event of equipment with obvious transport damage, the customer is requested to report this defect to the delivery agent as soon as possible and to contact DPV immediately.
- Prices, shipping costs and terms of payment
Unless otherwise stated in the offer, the prices quoted are total prices. The total prices quoted are in EURO and are gross prices including the statutory value added tax applicable on the date of invoicing and, if applicable, plus any delivery and shipping costs. The amount of any delivery and shipping costs incurred is specified separately in the respective service descriptions.
The customer can choose to pay by credit card, SEPA direct debit or PayPal.
The customer will be redirected to the relevant pages to enter their payment details. Payment is made automatically via the respective payment service providers.
- Liability for defects
DPV is liable for defects in accordance with statutory provisions.
- Liability for damages
With regard to the services provided, DPV, its legal representatives and its vicarious agents shall be liable without limitation in cases of intent or gross negligence, as well as for damages resulting from injury to life, limb or health and in accordance with the Product Liability Act.
In the event of a slightly negligent breach of obligations, the fulfilment of which is essential for the proper execution of the contract and on the observance of which the contractual partner may regularly rely (cardinal obligations), liability shall be limited to the foreseeable damage typical for this type of contract.
Otherwise, any liability on the part of DPV is excluded.
- Ownership of equipment
DPV retains ownership of the equipment provided at all times. The customer shall return the equipment after the agreed service has been performed.
- Data protection
DPV collects and stores the customer’s data necessary for business transactions. DPV complies with the statutory provisions when processing the customer’s personal data. DPV is entitled to transfer this data to third parties commissioned with the execution of the order, insofar as this is necessary for the fulfilment of the contract. Further details can be found in the data protection information.
The customer can request information about the data stored about them at any time.
- Customer service
Customer service for questions, praise, complaints or other issues is available on weekdays from 9:00 a.m. to 4:00 p.m. by calling +49 40 350313-31 or by emailing service@dpv-analytics.com.
Scope of application
These terms and conditions also apply to all future transactions between the parties, insofar as these are legal transactions of a related nature. Conflicting or deviating terms and conditions of the companies will only be recognised if their validity has been expressly agreed to in writing by DPV.
Offer and conclusion of contract
The presentation and advertising of services in the online shop do not constitute a binding offer to conclude a contract, but serve as an invitation to submit a binding offer to conclude a contract. If an order is to be regarded as an offer in accordance with Section 145 of the German Civil Code (BGB), it may be accepted by DPV within two weeks.
Scope of services
DPV shall provide the company with the ECG devices ritmo (‘ritmo’) listed with serial numbers in the appendix to the offer, as well as the charging cradles and connection cables necessary for charging and data upload, for an indefinite period of time for their intended use. Long-term ECG data can be recorded with ritmo. After the measurement data has been uploaded via the website portal.dpv-analytics.com and analysed by the DPV Diagnostic Centre, the medically validated result is made available to the company for download or transfer to its practice management system (PVS) (provided that the practice management system has a corresponding interface).
System requirements
A computer running a 64-bit (x64) version of Windows 7 or higher, with a processor speed of at least 1 gigahertz (1 GHz), at least 2 GB RAM, at least 20 GB of available storage space, a DirectX 9 graphics card with a WDDM 1.0 or higher driver, and a USB 1.1 port or higher. The Internet connection should have an upload speed of at least 25 MB/s.
Documents provided
DPV reserves the property rights and copyrights to all documents provided to the companies in connection with the order placement, including those in electronic form, such as calculations, drawings, etc. These documents may not be made accessible to third parties unless DPV gives the companies express written consent to do so.
Remuneration and payment
Remuneration depends on whether the company opts for a ‘per-use model’ or a ‘flat-fee model’.
With the flat-fee model, the company pays DPV a monthly flat rate for each ritmo provided, which covers all ECG evaluations during the month.
With the per-use model, the company pays DPV a monthly flat fee for each ritmo provided as a basic fee. In addition, there is a remuneration per diagnosis.
The single patch electrodes developed for ritmo are remunerated separately and charged at cost price.
Unless otherwise agreed in writing, all prices are ex Hamburg, excluding shipping and plus VAT at the applicable rate. Shipping costs are invoiced separately.
Remuneration is invoiced on a monthly basis. Payment of remuneration must primarily be made by credit card or SEPA direct debit. Payment by bank transfer to the account specified on the invoice requires the consent of DPV. Discounts are not permitted.
Unless a fixed price has been agreed, we reserve the right to make reasonable price changes due to changes in wage, material and distribution costs for deliveries made 3 months or more after conclusion of the contract.
Rights of retention
The companies are only authorised to exercise a right of retention insofar as a counterclaim is based on the same contractual relationship.
Term and delivery time
This agreement may be terminated by either party with one (1) month’s notice. Notwithstanding the termination, DPV Analytics may demand the respective usage fee until the ECG device in question is returned if the return takes place later than seven days after the termination of the contract.
The start of the delivery period specified by DPV for the ritmo is subject to the timely and proper fulfilment of the company’s obligations. The right to plead non-performance of the contract is reserved.
If the company is in default of acceptance or culpably violates other obligations to cooperate, DPV is entitled to demand compensation for the damage incurred in this respect, including any additional expenses. Further claims are reserved. If the above conditions are met, the risk of accidental loss or accidental deterioration of the equipment shall pass to the company that is in default of acceptance or payment at the time.
DPV shall be liable for a maximum of 15% of the order value in the event of default not caused by it intentionally or through gross negligence.
Further legal claims and rights of the companies due to default remain unaffected.
Ownership and return
DPV retains ownership of the ritmo at all times. This also applies to all future deliveries, even if DPV does not always expressly refer to this.
The company is obliged to treat the ritmo with care. The company must notify DPV immediately in writing if the ritmo is seized or subject to other interventions by third parties. If the third party is unable to reimburse DPV for the judicial and extrajudicial costs of a lawsuit in accordance with Section 771 of the German Code of Civil Procedure (ZPO), the company shall be liable for the loss incurred.
The ritmo shall be returned after termination of the contract by returning the ECG devices to DPV Analytics or to any other address specified by DPV Analytics (the ‘return location’). The company shall bear the costs of the return shipment. If a ritmo is returned in a condition that indicates that the user has not fulfilled their maintenance obligations, they shall also pay compensation for the time required to carry out the necessary repairs. The repairs shall be carried out by DPV Analytics, and the costs shall be borne by the company.
Warranty and notification of defects as well as recourse
Claims for defects shall become time-barred 12 months after the service has been provided. The statutory limitation period shall apply to claims for damages in cases of intent and gross negligence as well as in cases of injury to life, limb and health resulting from an intentional or grossly negligent breach of duty or a breach of cardinal obligations.
The company’s recourse claims against DPV shall only exist to the extent that the company has not made any agreements that go beyond the legally binding claims for defects.
Data protection and order processing
DPV processes data on behalf of the company. The provisions of the order processing agreement, which forms part of this agreement as an annex, shall apply. The company is responsible for obtaining the necessary consent from patients. The information in the appendix is provided for this purpose, but without any liability for its legal accuracy.
Final provisions
These General Terms and Conditions and the contractual relationship between the parties are governed by the law of the Federal Republic of Germany, excluding international uniform law, in particular the UN Convention on Contracts for the International Sale of Goods.
The exclusive place of jurisdiction for all disputes arising from this contract is Hamburg.
Appendix: Patient information and consent
Your ECG data will be evaluated by DPV Analytics GmbH, Schloßstraße 12, 22041 Hamburg, (‘DPV’) as a contract processor.
DPV is a company founded by doctors. Below, we provide information about what happens to your ECG data and what rights you have in this regard.
The ECG data collected using the ‘recorder’ attached to the skin is entered directly into DPV’s CE-certified IT system via a USB interface and diagnosed by DPV. All DPV employees are subject to confidentiality obligations and are instructed accordingly. DPV uses ECG data in pseudonymised and anonymised form for its own research to develop and improve its services. We store the ECG data as medical records for a period of ten (10) years, unless a longer statutory retention period applies. The data is not used by DPV for automated decision-making.
You may have rights with regard to your data in accordance with Art. 15 (information), Art. 16 (correction), Art. 17 (deletion), Art. 18 (restriction of processing), Art. 20 (data portability), Art. 21 (right to object) and Art. 77 (right to lodge a complaint with a supervisory authority) of the EU General Data Protection Regulation (GDPR).
I hereby consent to the processing of health data as part of the analysis of my ECG data. I can revoke my consent at any time.
Appendix: Order processing agreement