Version 1 – SEP 2023
This Privacy Charter (“the Charter”) is entered into between:
- moveUP NV, a limited liability company (naamloze vennootschap – NV) under Belgian law, having its registered office at Kantersteen 47, 1000 Brussels and registered with the Crossroads Bank for Enterprises under number 0643.795.235, duly represented by Ciaran McCourt, CEO, hereinafter referred to as “moveUP”;
AND
- The partner that incorporates moveUP’s services and application(s) within its operational healthcare provision framework, under the terms of the services agreement concluded between moveUP and partner, hereinafter referred to as “Partner”;
moveUP and Partner may be jointly referred to as the "Parties" and individually as a "Party".
All capitalized terms used throughout this Charter will have the meaning assigned to them in Annex I, which constitutes an integral part of this Charter.
1. GENERAL INTRODUCTION AND SUBJECT-MATTER
1.1 As a digital therapeutics company, moveUP supports life science organizations and healthcare professionals to implement advanced digital health pathways. The integrated suite of moveUP services and applications (collectively referred to as the "Solution"), provides comprehensive insights and bolsters clinical decision-making across the entire patient journey. By tailoring treatment and rehabilitation to each individual patient's needs, the Solution aims to contribute to a value-based healthcare. Furthermore, moveUP extends professional rehabilitation services through a dedicated team of healthcare professionals.
1.2 Partner is an entity active in the healthcare sector that leverages the Solution of moveUP within its operational framework, integrating advanced digital therapeutics into its healthcare provision model. This partnership (the “Partnership”) is governed by a services agreement (the “Main Agreement”) that specifies the respective obligations and responsibilities of Parties in their professional relationship.
1.3 In the course of the Partnership, the Parties will engage in the processing and exchange of Personal Data. Parties therefore wish to enter into this Charter, with the aim to delineate their respective responsibilities with regards to the principles and obligations set out in applicable Data Protection Legislation, including the GDPR. This Charter supersedes and replaces any prior agreements or understandings between the Parties on this subject, including any prior data processing agreement(s) executed between the Parties pursuant to Article 28 of the GDPR.
2. DESCRIPTION OF PROCESSING ROLES AND ACTIVITIES
2.1 Categories of Personal Data exchanged and processed by the Parties:
- Identification and contact data, such as first name, last name, home address, date of birth, gender, telephone number and e-mail address;
- Healthcare information, such as symptoms, treatments, illnesses, medical background, lifestyle info of the patient;
- Rehabilitation information, such as treatment plans, progress reports, patient feedback, and outcomes of therapeutic interventions.
2.2 Categories of Data Subjects to whom the Personal Data relates:
- Where applicable: healthcare professionals employed or contracted by the Partner
- Where applicable: other individuals involved in the patient's care, as required or permitted by law.
2.3 Purposes of exchanging and processing Personal Data by the Parties:
The Parties warrant that they will only exchange and process the Personal Data to ensure the proper execution of the Partnership under the Main Agreement and in accordance with the provisions of this Charter. Processing for any other purposes requires a prior written agreement between the Parties.
In particular, Parties will exchange and process Personal Data for the purposes of:
- Providing and tailoring healthcare services to individual patients’ needs, including diagnosis, treatment, and rehabilitation;
- Monitoring patient progress and outcomes;
- Supporting clinical decision-making;
- Performing administrative tasks related to patient care and rehabilitation, such as scheduling appointments, calling patients to inform them about the Solution, managing patient records;
- Conducting research and development activities to improve the Solution and its applications, including by means of aggregated analytics, data-driven insights, reporting and occasional publications, at all times in line with and compatible with the primary processing purposes.
2.4 Roles and responsibilities of Parties in relation to data protection:
2.4.1 Where, pursuant to the Main Agreement, the Solution is leveraged by the Partner alongside concurrent rehabilitation services from moveUP, such that moveUP's dedicated personnel actively participates in the rehabilitation process of the Partner's patients (hereinafter referred to as "Scenario 1"), the Parties' roles and qualification under GDPR are as follows:
- Both Parties act as Controllers, both determining the purposes and means of processing Personal Data.
2.4.2 Where, pursuant to the Main Agreement, the Solution is leveraged by the Partner without concurrent rehabilitation services from moveUP, such that moveUP's dedicated personnel does not participate in the rehabilitation process of the Partner's patients (hereinafter referred to as "Scenario 2"), the Parties' roles and qualification under GDPR are as follows:
- moveUP acts as Processor. As the Processor, moveUP processes Personal Data on behalf of the Partner, in accordance with the instructions provided by the Partner and the terms of this Charter and the Main Agreement.
- Partner acts as Controller. As the Controller, the Partner determines the purposes and means of processing Personal Data via the Solution, providing instructions to moveUP regarding the processing of such data in accordance with the terms of this Charter and the Main Agreement.
- The additional provisions of Section 10 of this Charter shall apply to the processing activities occurring under this Scenario 2.
2.5 The Parties agree to promptly inform each other of any changes that may affect their roles under the GDPR as set forth in this Section.
2.6 For the avoidance of doubt, this Charter does not apply to the processing of Personal Data by a Party that occurs prior to, after or independent from the performance of the Partnership, such as processing activities pertaining to the provision of each Party’s respective independent services to the Data Subject. As such, without limitation, this Charter does not apply to the processing of Personal Data by moveUP for the purposes of creating user accounts for applications within the Solution, or delivering moveUP’s direct services to patients without instruction from or cooperation with Partner.
3. COMPLIANCE WITH LEGISLATION
3.1 Both Parties expressly undertake to comply with the provisions of the applicable Data Protection Legislation, including but not limited to the GDPR, and not to do or refrain from doing anything that may cause the other Party to breach the applicable Data Protection Legislation.
3.2 Both Parties shall assist each other in complying with their obligations under the applicable Data Protection Legislation, taking into account the nature of the processing and the information available to them.
4. TECHNICAL AND ORGANIZATIONAL MEASURES
4.1 During the term of this Charter, both Parties shall adopt and maintain appropriate technical and organisational measures in such a way that the processing and the technical set-up of the Application complies with the requirements of the applicable Data Protection Legislation and that the protection of the rights of the Data Subject is guaranteed. In particular, both Parties shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR and taking into account the respective roles and responsibilities as set out in Section 2 of this Charter. When assessing an appropriate level of security, particular account shall be taken of the nature of processing and risks involved in processing, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to the Personal Data transmitted, stored or otherwise processed.
4.2 Parties may engage (Sub)Processors to process Personal Data for the purposes set out in this Charter. In any such case, Parties shall:
- engage such (Sub)Processor only if it provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that its processing will meet the requirements of the applicable Data Protection Legislation;
- ensure that the necessary contractual provisions are established in accordance with Data Protection Legislation, including as laid down in Article 28 of the GDPR.
4.3 Each Party may reserve the right to, after prior written notification, suspend and/or terminate the Charter for an indefinite period of time if the other Party can no longer provide for technical and organisational measures commensurate with the processing risk. After such notification, both Parties shall ensure that they cooperate in good faith to address the concerns raised by the notifying Party.
5. CONDUCT WITH REGARD TO NATIONAL PUBLIC BODIES AND JUDICIAL AUTHORITIES
5.1 The Parties shall promptly notify each other of any request, order, investigation or subpoena addressed to them by a competent national governmental or judicial authority which involves the communication of the Personal Data processed by the Party or its (Sub)Processors or any data and/or information relating to such processing by the Party or their (Sub)Processors.
6. DATA SUBJECTS’ RIGHTS
6.1 If either Party receives a request or complaint from a Data Subject that pertains to a processing activity for which the other Party acts as Controller, it shall promptly notify the other Party in writing and forward the request or complaint without responding to it itself, except as required by applicable law. The forwarding Party shall use reasonable efforts to ensure that the request or complaint is forwarded accurately and promptly but shall not be responsible for any errors or omissions in the forwarding process.
6.2 Parties agree to provide any reasonable assistance and information requested by the other Party in relation to that Party’s obligation to process and manage a request or complaint from Data Subjects that relates to the subject matter of this Charter.
6.3 For the avoidance of doubt, the responsibility to manage a request or complaint from Data Subjects with respect to their rights in relation to the Personal Data processed pursuant to the Partnership and to communicate its decision to the Data Subject, shall at all times remain vested in the respective Party acting as Controller with regards to the request.
7. PERSONAL DATA BREACH
7.1 In the event of a Personal Data Breach that relates to the subject matter of this Charter, the Party who has suffered the Personal Data Breach undertakes to notify the other Party promptly after it has become aware of such Personal Data Breach, if and to the extent such Personal Data Breach may affect the operations and/or processing activities (or any part thereof) that take place under control of the other Party. The notifying Party may redact any information included in its notification where necessary to protect its business secrets or other confidential information but shall provide a meaningful summary so as to enable the other Party to assess the impact and/or potential adverse consequences of the Personal Data Breach on its own operations and/or processing activities.
7.2 In any such event described in Article 7.1, the Parties shall ensure that they cooperate in good faith to mitigate the potential adverse consequences of such Personal Data Breach. For this purpose, the Parties shall in good faith agree upon a plan of action, taking into account each Party’s role, the requirements laid down by applicable Data Protection Legislation and the information and technical and organizational capacities at the disposal of each of the Parties.
7.3 For the avoidance of doubt, the decision to notify the competent Supervisory Authority and/or the impacted Data Subject(s) shall at all times remain the sole responsibility of the Party acting as Controller with regards to the Personal Data impacted by the Personal Data Breach.
8. INTERNATIONAL TRANSFERS
8.1 The Parties agree that Personal Data may be transferred to and/or kept by a recipient outside the European Economic Area (EEA) in countries for which an adequacy decision is adopted by the European Commission. If an adequacy decision is lacking, any such transfer shall be governed by the terms of an agreement containing standard contractual clauses as published in the European Commission Decision of 4 June 2021 (Decision 2021/914 (EU)), or by other mechanisms provided by the GDPR.
9. CONFIDENTIALITY
9.1 Both Parties undertake to treat the Personal Data and the processing thereof (including the terms of this Charter) with the utmost confidentiality. The Parties shall ensure confidentiality between themselves through measures that are no less restrictive than those used to protect their own confidential material, including Personal Data.
9.2 Each Party guarantees that any person authorised by it to process the Personal Data has undertaken to observe confidentiality or is bound by an appropriate legal obligation of confidentiality.
10. ADDITIONAL OBLIGATIONS OF MOVEUP ACTING AS PROCESSOR
10.1 The provisions of this Section 10 shall be applicable solely if and to the extent Personal Data are being accessed and Processed by moveUP acting in the capacity of Processor, as set forth in Article 2.4.2 of this Charter. In the event of a conflict or inconsistency between this Section 10 and the other provisions of this Charter, the terms of this Section 10 shall prevail.
10.2 moveUP acting as Processor shall Process Personal Data only on the basis of (i) the written instructions of the Partner acting as Controller and in any case in accordance with the Processing activities set out in Section 2 of this Charter, or (ii) legal obligations to which moveUP is subject. In the latter case, moveUP shall notify the Partner of such legal requirement prior to the Processing, unless legislation prohibits such notification for important reasons of public interest. The Partner may unilaterally make limited changes to the instructions. moveUP shall be consulted before any significant changes are made to the instructions and both Parties must agree to any changes affecting the main provisions of this Charter or the Main Agreement. moveUP shall promptly notify the Partner if it believes that an instruction violates applicable Data Protection Legislation.
10.3 moveUP will, by implementing and/or using appropriate technical and organisational measures, assist the Partner insofar as this is possible and taking into account the nature of the Processing, in ensuring compliance with the respective obligations of the Partner pursuant to Articles 32 to 36 of the GDPR.
10.4 moveUP shall make available to the Partner all reasonable information necessary and shall allow for audits, including inspections, by the Supervisory Authority(ies) to whose supervision the Partner is subject, to verify moveUP’s compliance with this Charter and the Data Protection Legislation.
moveUP performs periodic internal and/or external audits and assessments to ensure compliance with relevant organizational and technical security measures. moveUP shall bear the costs of such audits. Certificates validating such audits and assessments are available on the moveUP website. Upon the Partner’s request, moveUP will provide relevant audit reports (with the omission of confidential information).
The Partner may conduct additional audits only if it can demonstrate justifiable grounds, and under the following circumstances:
- Once every 5 years, for a maximum duration of 2 business days, within moveUP’s standard business hours; or
- In response to an actual Personal Data Breach, only if such data breach has not been notified and if no remediation actions have been demonstrated; or
- If valid and relevant compliance certificates, which were in place at the inception of this agreement, are no longer available.
The Partner shall take all appropriate measures to minimize any impediments that such additional audit may cause to the day-to-day operation of moveUP or to the Solution and other services provided by moveUP. The Partner shall bear the cost of any additional audit within the meaning of this Article, unless the audit reveals that moveUP has manifestly failed to comply with this Charter and/or the Data Protection Legislation, in which case moveUP shall bear the cost of such audit.
10.5 After termination of this Charter pursuant to Article 11.1 and in derogation of Article 11.2 of this Charter, moveUP shall, at the choice of Partner, delete or return all Personal Data to Partner, and delete existing copies, unless applicable law requires further storage of the Personal Data. Notwithstanding, it is understood that moveUP may retain de-identified datasets for legitimate secondary research and development purposes, provided these datasets cannot be used to re-identify any individuals.
11. DURATION OF PROCESSING
11.1 This Charter remains in effect for the duration of the Partnership. In the event of a breach of this Charter or of the provisions of applicable Data Protection Legislation by a Party, either Party may instruct the other Party to suspend the processing of Personal Data.
11.2 After termination of this Charter pursuant to Article 11.1 and without prejudice to Article 10.5 of this Charter, each Party, in its capacity as a Controller, is independently responsible for erasing data in accordance with its respective data retention policies, unless explicitly otherwise agreed between the Parties.
12. LIABILITY FOR PROCESSING OF PERSONAL DATA
12.1 Either Party is liable for the damage caused by processing Personal Data only where it has not complied with its obligations under this Charter or the applicable Data Protection Legislation.
12.2 A Party shall be liable (whether in contract or tort (including default) or in any way whatsoever in connection with this Charter, including liability for severe misconduct) for any proven failure attributable to it. The liability of the Parties for any failure under this Charter shall be limited to foreseeable, direct and personal damages, excluding consequential damages (even if advised of the possibility of such consequential damages or if the chance of such consequential damages was reasonably foreseeable), where "consequential damages" means: damage or loss which does not result directly and immediately from a contractual and/or non-contractual breach of contract, but instead indirectly and/or over time, including but not limited to loss of income, interruption or stagnation of business operations, increase in personnel costs and/or the cost of staff redundancies, damage consisting of or as a result of claims from third parties, lack of expected savings or benefits and loss of data, profit, time or income, loss of orders, loss of customers, increase in overhead costs, consequences of a strike, regardless of the causes thereof.
12.3 If it appears that both Parties are responsible for the damage caused by the processing of Personal Data, both Parties shall be liable and pay damages, in accordance with their individual share in the responsibility for the damage caused by the processing. In any event, the total liability of each Party per cause of damage is limited to € 50.000,00 per calendar year. In no event shall a Party be held liable if the Party can prove it is not responsible for the event or cause giving rise to the damage.
13. AMENDMENTS TO THE CHARTER
13.1 moveUP may amend this Charter at any time and undertakes to guarantee that any amendment shall be in accordance with applicable ethical principles and legislation, such as applicable Data Protection Legislation. Amendments will take effect thirty (30) days after publication by means of a written notification. If the Partner does not wish to accept the amendments to this Charter, the Partner has the right to terminate this Charter by registered letter at the latest on the date the amended terms become effective. This will have the consequence that moveUP can no longer offer the Solution to the Partner. After the effective date, the Partner will be deemed to have tacitly accepted the changes. The Partner can always find the most recent version of this Charter on the moveUP website.
14. MEDIATION AND JURISDICTION
14.1 This Charter shall be interpreted under the laws of Belgium, and the rules on conflict of laws shall not apply.
14.2 Each Party agrees that if the Data Subject brings a claim for damages against it under this Charter, it will accept the Data Subject's decision:
- To submit the dispute to an independent person for mediation;
- To submit the dispute to a competent court.
14.3 The Parties agree that the choice of the Data Subject shall not affect the substantive or procedural rights of the Data Subject to seek redress in accordance with other provisions of applicable national or international law.
14.4 Any dispute between the Parties over the terms of this Charter shall be submitted to the competent courts of Ghent.
Annex I: DEFINITIONS
For the purpose of this Charter, the following capitalized terms shall have the following meaning:
Controller
The natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data carried out under its authority;
Data Protection Legislation
Means all applicable data protection and privacy legislation, regulations and guidance including, without limitation the Regulation (EU) 2016/679 (“GDPR”) (as amended or re-enacted from time to time and including any replacement or subordinate legislation);
Data Subject
An identified or identifiable natural person;
Main Agreement
Shall have the meaning assigned to it in Article 1.2;
Partnership
Shall have the meaning assigned to it in Article 1.2;
Personal Data
Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
Processor
A natural or legal person, public authority, agency or any other body which is authorised to process Personal Data on behalf of the Controller;
Solution
Shall have the meaning assigned to it in Article 1.1;
Supervisory Authority
An independent public authority which is established by a member state pursuant to Article 51 of the GDPR.