Data processing agreement

This data processing agreement outlines the conditions that apply when you import data to eScan Academy and thereby request eScan Academy to process your data by making it available to other users registered to eScan Academy.


To ensure that the rules in force at any time on the processing of personal data are observed, including in particular the EU General Data Protection Regulation (GDPR) and related executive orders and instructions, eScan Academy AB, org no. 556926-9573 (hereinafter referred to as the “Data Processor”) and you (“Data Controller”) have entered into the present data processing agreement (hereinafter referred to as the “Data Processing Agreement”).


The Responsibility of the Data Processor

The Data Processor shall act only on the instructions of the Controller and only to the extent which is necessary to enable the Data Processor to meet his obligations according to the Data Processing Agreement. Thus, the Data Processing Agreement shall form part of the Controller’s instructions to the Data Processor.
The Data Processor undertakes at any time to meet the GDPR requirements as well as the Data Processor’s national statutory requirements regarding data processing and data security in connection with the data processing carried out on behalf of the Controller.

Data Processing Instructions

  • The Data Processor shall only act according to these instructions from the Controller and only regarding the tasks listed below.

  • Data Processor shall de-identify personal health information from the medical imaging data (DICOM files, PNG files, and JPEG files)

  • Data Processor shall transfer de-identified medical imaging data via encrypted connections from Controller to Data Processor’s secure servers

  • Data Processor shall safely store Controller’s data for the duration outlined in Data Processing Agreement on Data Processor’s servers

  • Data Processor shall make the data available to Controller and to all other users registered to eScan Academy at Data Processor’s sole discretion

  • Data Processor shall make available data processing tools (including but not limited to eScan Academy's online case editor and assignment dashboard) to Controller or all other users registered to eScan Academy at Data Processor’s sole discretion

Technical and Organisational Security Measures

The Data Processor shall make the necessary technical and organisational security measures against accidental or illegal destruction, loss or deterioration of personal data and against disclosure thereof to unauthorized people, abuse or other types of use contrary to legislation. 
The Data Processor undertakes to observe the statutory requirements in force at any time regarding the processing of personal data. Consequently, data processing shall be carried out in accordance with the rules in force at any time about the processing of personal data, including in particular the EU General Data Protection Regulation (GDPR) and associated executive orders and instructions.
The Data Processor shall de-identify all data to remove information that can be used to directly or indirectly identify an individual. Reference is made to the ‘Patient De-identification Policy’.
The Data Processor shall process information on behalf of the Controller and shall only act on instructions from the Controller, cf. ‘Data Processing Agreement’.

The Data Processor’s use of Sub-Data Processors

The Data Processor shall be entitled to enter into agreements with a Sub-Data Processor about the processing of data covered by the present Data Processing Agreement. The Data Processor shall ensure that the Sub-Data Processor is, as a minimum, able to meet the obligations undertaken by the Data Processor in the present Data Processing Agreement regarding the processing and destruction of personal data carried out by the Sub-Data Processor.

Supervisory Authorities, Audits and Auditors’ Statements

At the request of the Controller, the Data Processor shall provide the Controller with sufficient information to enable him to check that the technical and organisational security measures mentioned above have been established. Furthermore, the Data Processor must be able to document that identified vulnerabilities are met through a risk-based assessment.  
If the Controller and/or relevant public authorities want to carry out a physical inspection (audit) of the measures taken by the Data Processor under the Data Processing Agreement, the Data Processor undertakes, with reasonable notice, to make time and resources available for the purpose.

Effective Date and Term of the Agreement

The Data Processing Agreement shall become effective when you import cases to eScan Academy servers. The Data Processing Agreement shall never expire, unless otherwise agreed in writing by the parties.

Secrecy and Confidentiality

The Data Processor’s employees, cooperation partners, external consultants and temporary employees, etc., shall in connection with the processing of personal data be covered by the rules regarding secrecy which apply to employees in the public administration.
The Data Processor shall be obliged to inform their own employees, co-operators, external consultants and temporary employees, etc., about the extent of the secrecy and the consequences of a possible breach of the secrecy.  
The Data Processor shall treat the personal data in confidence and shall thus only be entitled to use the personal data as part of observing his own obligations according to the present Data Processing Agreement and Instructions.
Furthermore, the Data Processor undertakes to limit the access to personal data to the employees who need to process personal data in order to be able to meet the Data Processor’s obligations towards the Controller.  
The Data Processor’s obligations regarding secrecy and confidentiality shall apply also after expiry of the agreement. 



The Data Processor shall not transfer his rights and obligations according to the present Data Processing Agreement without the prior consent of the Controller.  


The Controller undertakes to release and defend the Data Processor from and against all claims, legal claims and any related liability, loss, penalties, costs and expenses as a consequence of the Controller's violation of the Data Processing Agreement or current legislation committed by the Controller,

Governing Law and Venue

The present Data Processing Agreement, including any issue regarding the validity of the Data Processing Agreement, shall be governed by Swedish law.
In case of a dispute between the Parties in connection with the Data Processing Agreement, the Parties shall, with a positive, cooperative and responsible attitude, attempt to start negotiations with a view to solving the dispute.



Either party shall be entitled to demand renegotiation of the Data Processing Agreement because of changed legislation, including entry into force of the EU regulation on the protection of personal data.