
1. Definitions

a. “Adequate Country” means a country or territory that is recognised under EU and UK Data Protection Law as providing adequate protection for Personal Data.
b. “Agreement” means the agreement between the Customer and Supplier governing the provision of the Licensed Products and Services.
c. “Agreement Personal Data” means any Personal Data that is provided or made available by a Party to the other Party under the Agreement in connection with the Licensed Products and Services. Such information pertains to the following categories of Data Subjects;
i. The Customer’s employees, contractors and representatives;
ii. Personal Data made available to the Customer by Supplier through the licensed products, which may include personal data relating to healthcare professionals;
d. “Customer Personal Data” means Personal Data that is processed by Supplier on behalf of the Customer under the Agreement in connection with the Licensed Products and Services.
e. “Data Protection Law” means all applicable laws governing the handling of Personal Data, including without limitation EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”) (collectively, “EU Data Protection Law”), the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Law”) and all applicable and enacted laws in the United States such as the California Consumer Privacy Act (“CCPA”) including as modified by the California Privacy Rights Act.
f. “Personal Data”, “Controller”, “Processor”, “Sub-processor”, “Data Subject” and “Supervisory Authority” have the meanings given to them under Data Protection Law.
g. “Process, Processing and Processed” means any operation or set of operations which is performed on Personal Data or on subsets thereof, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
h. “Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
i. “Purpose” means the provision of Licensed Products and Services by Supplier to the Customer.
j. “Restricted Transfer” means a transfer of Personal Data to a country or territory to which such transfer is prohibited under Data Protection Law or subject to a requirement to take additional steps to adequately protect the Personal Data for the transfer to be lawful under Data Protection Law.
k. “EU Standard Contractual Clauses” means the standard contractual clauses for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and currently located at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.
l. “UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” or “UK Addendum” means the Addendum that has been issued by the UK Information Commissioner for Parties making Restricted Transfers, and currently located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

2. Role of the Parties

a. Each Party is an independent Controller of the Agreement Personal Data that it processes under this Agreement. Each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under Data Protection Law.
b. Supplier shall process Customer Personal Data on behalf of the Customer. The parties agree that Supplier shall be a Processor and the Customer shall be a Controller of Customer Personal Data.

3. Obligations of the Parties

3.1 Agreement Personal Data

a. Each Party will:

i. process Agreement Personal Data in accordance with its respective obligations under Data Protection Law including but not limited to the principles of lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation and security;
ii. provide information to Data Subjects as required under Data Protection Law to ensure sufficient transparency of the Processing of Agreement Personal Data;
iii. implement appropriate technical and organisational measures to protect Agreement Personal Data from unauthorised, accidental or unlawful access, loss, disclosure or destruction;
iv. provide the other Party with reasonable details of any enquiry, complaint, notice or other communication it receives from any Supervisory Authority relating to its processing of Agreement Personal Data, and act reasonably in co-operating with the other Party in respect of its response to the same;
v. act reasonably in providing such information and assistance as the other Party may reasonably request to enable it to comply with its own obligations under Data Protection Law;
vi. process its own requests for Data Subjects to exercise their rights. With respect to requests from, or on behalf of Data Subjects to the Processing of Personal Data that is shared between the parties, the parties will collaborate to honour such objections or opt-out requests;
vii. ensure that any person who is authorised to process Agreement Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty);
viii. enter into a written agreement with any Processor used to process Agreement Personal Data containing data protection obligations that provide at least the same level of protection for Agreement Personal Data as those in these Data Protection Terms and in accordance with Data Protection Law. Supplier may disclose Agreement Personal Data for (i) security, fraud detection, fraud modelling and related purposes; and (ii) the provision of website, application, development, cloud hosting, maintenance and other services for Supplier. Supplier will limit Agreement Personal Data provided to only what is reasonably necessary;
ix. remain responsible for such Processor’s compliance with the obligations contained in these Data Protection Terms and for any acts or omissions of any such Processors that cause the Party to breach any of its obligations under these Data Protection Terms;
x. notify the other Party without undue delay, but in any event within forty-eight (48) hours of suffering a Personal Data Breach concerning Agreement Personal Data. Both parties shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data Breach. Nothing herein prohibits either Party from providing notification of the Personal Data Breach to regulatory authorities as may be required by Data Protection Law prior to notification of the other Party so long as the notifying Party provides notification to the other Party without undue delay;
xi. to the extent that Agreement Personal Data relates to individuals in the European Economic Area (“EEA”), EU or the UK, not transfer any personal data received from the other Party outside of the EEA, EU or the UK unless;
• the transfer is to an Adequate Country;
• there are appropriate safeguards in place pursuant to Article 46 GDPR;
• Binding corporate rules are in place; or
• one of the derogations for specific situations in Article 49 GDPR applies to the transfer.
b. A Party that has made Agreement Personal Data available to the other Party under the Agreement (“Disclosing Party”) will have the right to: (i) take reasonable and appropriate steps to help ensure that such other party (“Receiving Party”) uses such Agreement Personal Data in a manner consistent with the Disclosing Party’s obligations under and as required by Data Protection Law; and (ii) upon reasonable prior written notice, take reasonable and appropriate steps to stop and remediate unauthorized use of such Agreement Personal Data under Data Protection Law. The Receiving Party will notify the Disclosing Party if the Receiving Party determines that it can no longer meet its obligations under Data Protection Law.

3.2 Customer Personal Data
a. If Supplier Processes any Customer Personal Data in connection with the Agreement, Supplier will;
i. only Process Customer Personal Data on the written instructions of the Customer, including with regard to transfers of personal data to a third country or international organisation, and otherwise as necessary to perform its obligations under the Agreement or as required by any applicable law (provided that Supplier first informs the Customer of that legal requirement before processing unless that law prohibits this on important grounds of public interest);
ii. ensure that any person who is authorised to process Customer Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty); maintain all appropriate technical and organisational measures to ensure security of Customer Personal Data including protection against unauthorised or unlawful Processing (including, without limitation, unauthorised or unlawful disclosure of, access to and/or alteration of Customer Personal Data) and against accidental loss, destruction or damage and so that the Processing of Customer Personal Data shall meet the requirements of Data Protection Law and ensure the protection of the rights of Data Subjects. At all times, such measures shall ensure compliance with industry standard security and Data Protection Law;
iii. taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the Data Subject’s personal data; (for the avoidance of doubt, Supplier will only assist and enable the Customer to meet the Customer’s obligations to satisfy Data Subjects’ rights, but Supplier will not respond directly to Data Subjects);
iv. not engage any Sub-processor or transfer and/or disclose any Customer Personal Data to any Sub-processor or third-party service provider, without the general written authorisation of the Customer. Supplier will enter into a written agreement with all authorised Sub-processors containing obligations which provide at least the same level of protection as those set out in these Data Protection Terms and Supplier shall remain liable to the Customer for the performance of that Sub-processor. Supplier may disclose Customer Personal Data to Sub-processors for (i) security, fraud detection, fraud modelling and related purposes; and (ii) the provision of website, application, development, cloud hosting, maintenance and other services for Supplier, provided that Supplier will limit Customer Personal Data provided to what is reasonably necessary;
v. to the extent applicable, participate in, and provide all reasonable assistance with, a privacy impact assessment, a data protection impact assessment or prior consultation including under Article 35 (Data protection impact assessment) and Article 36 (Prior consultation) of the GDPR in respect of the new type of processing proposed, in accordance with Data Protection Law;
vi. at the choice of Customer, delete or return all Customer Personal Data after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the personal data;
vii. make available to Customer all information necessary to demonstrate compliance with these Data Protection Terms and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller;
viii. notify Customer without undue delay, but in any event within forty-eight (48) hours of suffering a Personal Data Breach concerning Customer Personal Data. Supplier shall cooperate with the Customer in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data Breach. Nothing herein prohibits Supplier from providing notification of the Personal Data Breach to regulatory authorities as may be required by Data Protection Law prior to notification of the Customer so long as Supplier provides notification to the Customer without undue delay;
ix. to the extent that the processing of Customer Personal Data is subject to the CCPA, not: (i) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the Licensed Products and Services, or as otherwise permitted by the Data Protection Law; (ii) combine Customer Personal Data with personal data relating to other customers or individuals (except as permitted by Data Protection Law); or (iii) sell or share (as those terms are defined by Data Protection Law) Customer Personal Data.

4. International Transfers

4.1 Agreement Personal Data
a. To the extent a transfer of Agreement Personal Data between the parties constitutes a Restricted Transfer under EU Data Protection Law, the parties hereby conclude Module 1 of the EU Standard Contractual Clauses, which are incorporated herein by reference and as follows;
i. in Clause 7, the optional docking clause applies;
ii. in Clause 11, the optional language is deleted;
iii. in Clauses 17 and 18, the governing law and forum for disputes for the Standard Contractual Clauses will be the law of the Netherlands;
iv. The information contained in the table in Annex 1 of these Data Protection Terms shall populate the Appendix to the EU Standard Contractual Clauses accordingly.
b. To the extent a transfer of Agreement Personal Data between the parties constitutes a Restricted Transfer under UK Data Protection Law, the parties hereby conclude the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which are incorporated herein by reference and as follows;
i. Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of these Data Protection Terms and Table 4 will be deemed completed by selecting “neither party”;
ii. Any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

4.2 Customer Personal Data
a. To the extent that Supplier’s processing of Customer Personal Data constitutes a Restricted Transfer under EU Data Protection Law, the parties hereby conclude Module 2 of the EU Standard Contractual Clauses, which are incorporated herein by reference and as follows;
i. in Clause 7, the optional docking clause applies;
ii. in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with Annex 2 of these Data Protection Terms;
iii. in Clause 11, the optional language is deleted;
iv. in Clauses 17 and 18, the governing law and forum for disputes for the Standard Contractual Clauses will be determined by Customer;
v. The information contained in the table in Annex 1 of these Data Protection Terms shall populate the Appendix to the EU Standard Contractual Clauses accordingly.
b. To the extent that Supplier’s processing of Customer Personal Data constitutes a Restricted Transfer under UK Data Protection Law, the parties hereby conclude the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which are incorporated herein by reference and as follows;
i. Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of these Data Protection Terms and Table 4 will be deemed completed by selecting “neither party”;
ii. Any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

5. Limitation of Liability

To the extent that the Customer has an entitlement under Data Protection Law to claim from Supplier compensation paid by the Customer to a Data Subject as a result of a breach of Data Protection Law to which Supplier contributed, Supplier shall be liable only for such amount as it relates to its responsibility for any damage caused to the relevant Data Subject.

Annex 1 Standard Contractual Clauses Information

Data Exporter: Supplier
Data Importer: Customer
SCCs Module: Module 1
Categories of data subjects whose personal data is transferred: Personal Data made available to Customer by Supplier through the licensed products, such as;
– Investor relations or media contacts
– Drug company contacts
– Clinical trial investigators and personnel
– Contact information from company websites and direct submissions
Categories of personal data transferred: Personal data shall include name, business phone number, business email address, job title
Sensitive data transferred: N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous for the duration of the Agreement
Nature of the processing: To provide the services pursuant to the Agreement
Purpose(s) of the data transfer and further processing: Made available to Customer in the content of the Licensed Products and Services
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For the duration of the Agreement