GDPR & Security

Last updated: 5 January 2026

This page explains how Medtora ApS (hereinafter “Medtora”) complies with the GDPR
and ensures information security in connection with the operation and use of the platform.

Do I, as a company, need a data processing agreement?

Yes, if you as a company use the platform to collect and store information from participants, this is considered processing of personal data according to the GDPR.

In this context, Medtora acts as a data processor, while the company is the data controller. Therefore, a data processing agreement must be concluded in accordance with GDPR Article 28(3).

When creating a company profile, the data processing agreement is automatically made available and must be signed digitally. It is then saved on the company’s profile and serves as documentation of compliance with the GDPR.

The company’s responsibility regarding personal data

As data controller, the company is obliged to ensure that all personal data, including consents and associated responses, participant data, and uploaded files and documents, are processed in accordance with the GDPR and other applicable data protection legislation.

This responsibility applies before, during and after processing, including storage for up to 5 years after the purpose has ceased, unless other legislation, such as the MDR (Medical Device Regulation), GCP (Good Clinical Practice) or EHDS (European Health Data Space), prescribes a longer retention obligation or additional requirements for documentation and data security.

As a private individual, do I need a data processing agreement?

No. Private individuals are not data controllers or data processors in the sense of data protection law, and therefore entering into a data processing agreement is not necessary.

Documents

Below is documentation of compliance with GDPR Article 28(1) in relation to hosting and operating the platform.
Reference is also made to internal organizational guidelines and security procedures.
Please note that participant data and other data relating to a participant are hosted only on the company’s own SharePoint, Nextcloud or other cloud solution.

Cloud Certificate

Presentation of Security Environment

GDPR self-assessment report

ISO 27001 Certificate