Customer data protection terms

1. Definitions

“Adequate Country”
means a country or territory that is recognised under EU and UK Data Protection Law as providing adequate protection for Personal Data.

“Agreement”
means the agreement between the Customer and Supplier governing the provision of the Licensed Products and Services.

“Agreement Personal Data”
means any Personal Data that is provided or made available by a Party (or on behalf of a Party) to the other Party (or to any third-party vendor acting on behalf of the other Party) under the Agreement in connection with the Licensed Products and Services, in respect of which each Party is a Controller or Business.

“Customer Personal Data”
means Personal Data that is processed by Supplier on behalf of the Customer under the Agreement in connection with the Licensed Products and Services, in respect of which the Supplier is a Processor (or, as the case may be, a Sub-processor) or Service Provider.

“Data Protection Law”
means all applicable laws governing the handling of Personal Data, including without limitation (1) EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”) (collectively, “EU Data Protection Law”); (2) the UK Data Protection Act 2018 and the UK GDPR as defined in the 2018 Act (together, “UK Data Protection Law”); (3) the Swiss Federal Act on Data Protection 2020 (“FADP” or “Swiss Data Protection Law”); and (4) the US Data Protection Laws, in each case as amended, extended or re-enacted from time to time.

“EU Standard Contractual Clauses”
means the standard contractual clauses (“SCCs”) for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and currently located at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.

“Controller”, “Processor”, “Business”, “Service Provider”, “Process”, “Processed”, “Processing”, “Sub-processor”, “Data Subject”, “Personal Data Breach” and “Supervisory Authority”
have the meanings given under Data Protection Law. In the event that any of these terms are defined differently in applicable Data Protection Laws, relevant to the processing of Personal Data under the Agreement, the equivalent terms will apply in each jurisdiction.

“Personal Data”
means any information that relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including without limitation any information that qualifies as “personal information” or “personal data” under Data Protection Law.

“Restricted Transfer”
means a transfer of Agreement Personal Data to a country or territory to which such transfer is prohibited under Data Protection Law or subject to a requirement to take additional steps to adequately protect Personal Data for the transfer to be lawful under Data Protection Law.

“Licensed Products and Services”
means the Licensed Products and Services referred to in the Agreement.

“UK Addendum”
means the Addendum that has been issued by the UK Information Commissioner for Parties making Restricted Transfers, and currently located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

“US Data Protection Laws”
means US state laws governing the processing of Personal Data, including but not limited to the California Consumer Privacy Act of 2018, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, the Utah Consumer Privacy Act of 2022, and the Virginia Consumer Data Protection Act, in each case as amended and including any regulations promulgated thereunder.

2. Role of the Parties

2.1 Each Party is an independent Controller or Business of the Agreement Personal Data that it processes under the Agreement.

2.2 Supplier shall process Customer Personal Data on behalf of the Customer. The parties agree that Supplier shall be a Processor (or, as the case may be, a Sub-processor) or Service Provider, and the Customer is a Controller (or, as the case may be, a Processor) or Business (or a Service Provider) of Customer Personal Data.

2.3 The information in Annex 1 of these Data Protection Terms contains the applicable scope of processing pursuant to the Licensed Products and Services.

3. Obligations of the Parties

Agreement Personal Data

3.1 Each Party will in respect of Agreement Personal Data:

(a) process Agreement Personal Data in accordance with obligations that apply to it as a Controller or Business under Data Protection Law including but not limited to the principles of lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation and security;

(b) provide such information and assistance as the other Party may reasonably request to enable it to comply with its own obligations under Data Protection Law, including in the event of a Personal Data Breach;

(c) notify the other Party, and provide the other Party with such information, cooperation and assistance as the other Party may reasonably request, if it:

(i) receives any enquiry, complaint, notice or other communication from any Supervisory Authority that names or otherwise identifies or concerns the other Party; or

(ii) suffers a Personal Data Breach and wishes to name or otherwise identify the other Party in a notification of such breach to a Supervisory Authority or a Data Subject;

(d) process its own requests for Data Subjects to exercise their rights, and will cooperate with the other Party to honour any such rights requests (in particular any objections or opt-out requests) that have been received by the other Party, and which relate to Agreement Personal Data that has been shared between the Parties;

(e) ensure that any person who is authorized to process Agreement Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

3.2 A Party that has made Agreement Personal Data available to the other Party under the Agreement (“Disclosing Party”) will have the right to:

(a) take reasonable and appropriate steps to help ensure that such other party (“Receiving Party”) uses such Agreement Personal Data in a manner consistent with the Disclosing Party’s obligations under and as required by Data Protection Law; and

(b) upon reasonable prior written notice, take reasonable and appropriate steps to stop and remediate unauthorized use of such Agreement Personal Data under Data Protection Law. The Receiving Party will notify the Disclosing Party if the Receiving Party determines that it can no longer meet its obligations under Data Protection Law.

Customer Personal Data

3.3 In respect of its Processing of Customer Personal Data, Supplier will:

(a) only process the Customer Personal Data on the documented instructions of the Customer, including with regard to transfers of personal data to a third country or international organization, and otherwise as necessary to perform its obligations under the Agreement or as required by any applicable law (provided that Supplier first informs the Customer of that legal requirement before processing, unless that law prohibits this on important grounds of public interest);

(b) ensure that any person who is authorized to process Customer Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty);

(c) maintain all appropriate technical and organizational measures to ensure security of Customer Personal Data including protection against unauthorized or unlawful processing (including, without limitation, unauthorized or unlawful disclosure of, access to and/or alteration of Customer Personal Data) and against accidental loss, destruction or damage and so that the processing of the Customer Personal Data shall meet the requirements of Data Protection Law and ensure the protection of the rights of Data Subjects. At all times, such measures shall ensure compliance with industry standard security and Data Protection Law. Supplier’s current technical and organizational measures are described here. Customer acknowledges that the Security Measures are subject to technical progress and development and that Supplier may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security applied to Customer Personal Data;

(d) taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising applicable Data Subjects’ rights, including, without limitation, right to access, rectification, erasure and portability of Data Subjects’ Personal Data; (for the avoidance of doubt, Supplier will only assist and enable the Customer to meet the Customer’s obligations to satisfy Data Subjects’ rights, but Supplier will not respond directly to Data Subjects);

(e) use Sub-processors referenced in Annex 2 to process Customer Personal Data. Customer grants Supplier general authorization to engage additional Sub-processors in accordance with Annex 2. Supplier will enter into a written agreement with all authorized Sub-processors containing obligations which provide at least the same level of protection as those set out in Clause 3.3. of these Data Protection Terms. Supplier shall remain liable to the Customer for the performance of Sub-processors;

(f) to the extent applicable, provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with a Supervisory Authority pursuant to obligations under Data Protection Laws;

(g) at the choice of Customer, delete or return all Customer Personal Data after the end of the provision of Licensed Products and Services relating to the processing, and delete existing copies unless applicable law requires continued storage of Customer Personal Data;

(h) make available to Customer all information necessary to demonstrate compliance with this clause 3.3 and allow for and contribute to audits, including inspections, conducted by Customer or an independent third-party auditor mandated by Customer, subject to and in accordance with the following:

(i) the appointment of any independent third-party auditor shall be at Customer’s cost and subject to the Supplier (1) approving the identity of the independent auditor (not to be unreasonably withheld, conditioned, or delayed) and (2) the auditor entering into a confidentiality agreement with the Supplier in a form that is to Supplier’s reasonable satisfaction;

(ii) Customer will notify the Supplier at least 30 days in advance of its intention to carry out an audit;

(iii) audits will be conducted no more frequently than once per calendar year (except that additional audits shall be permitted where a previous audit has revealed material non-compliance by Supplier with this Clause 3.3 and/or where Supplier has suffered a Personal Data Breach affecting Customer Personal Data), during normal business hours (i.e. 09:00 – 17:00 local time) and in a manner that minimizes disruption to Supplier’s business;

(iv) Customer will maintain audit reports and other information obtained during the course of an audit in the strictest confidence, and shall only use such reports and information to evaluate the Supplier’s compliance with this Clause 3.3; and

(v) each Party will bear its own costs in relation to such audits.

(i) notify Customer without undue delay, but in any event within forty-eight (48) hours of identifying a Personal Data Breach with respect to Customer Personal Data. Supplier shall reasonably cooperate with the Customer in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data Breach. Nothing herein prohibits Supplier from providing notification of the Personal Data Breach to regulatory authorities as may be required by Data Protection Law prior to notification of the Customer so long as Supplier provides notification to the Customer without undue delay;

(j) to the extent that Supplier’s processing of Customer Personal Data is subject to US Data Protection Law, not:

(i) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the Licensed Products and Services, or as otherwise required or permitted by US Data Protection Law;

(ii) combine Customer Personal Data with Personal Data received from customers or individuals (except as required or permitted by US Data Protection Law); or

(iii) sell or share (as those terms are defined by US Data Protection Law) Customer Personal Data.

4. International Transfers

Agreement Personal Data

4.1 To the extent a transfer of Agreement Personal Data between the parties constitutes a Restricted Transfer under EU Data Protection Law, the parties hereby are deemed to conclude Module 1 of the EU Standard Contractual Clauses, which are incorporated herein by reference and as follows:

(a) in Clause 7, the optional docking clause applies;

(b) in Clause 11, the optional language is deleted;

(c) in Clauses 17 and 18, the governing law and forum for disputes for the Standard Contractual Clauses will be the law and courts of the Netherlands;

(d) in Clause 13(a) and Annex 1.C, the Autoriteit Persoonsgegevens (Netherlands) will act as competent Supervisory Authority;

(e) the information contained in Annex 1 and Annex 3 of these Data Protection Terms, together with the details of the parties set out in the Agreement, shall populate the Annexes to the EU Standard Contractual Clauses (for the avoidance of doubt, where Customer is the importer, Customer will implement security measures consistent with those implemented by Supplier pursuant to Annex 3).

4.2 To the extent a transfer of Agreement Personal Data between the parties constitutes a Restricted Transfer under UK Data Protection Law, the parties hereby conclude the UK Addendum, which is incorporated herein by reference and as follows:

(a) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Agreement together with the Annexes of these Data Protection terms and Table 4 will be deemed completed by selecting “neither party”;

(b) where applicable, the elections made in Clause 4.2 of these Data Protection Terms shall apply;

(c) any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

4.3 To the extent a transfer of Agreement Personal Data between the parties constitutes a Restricted Transfer under Swiss Data Protection Law, the parties hereby conclude Module 1 of the EU Standard Contractual Clauses, which are incorporated herein by reference with the following modifications:

(a) All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the FADP; all references to the EU Data Protection Law in this DPA will be interpreted as references to the FADP.

(b) In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

(c) In Clause 17 and 18, the governing law and forum for disputes will be the laws of Switzerland.

(d) All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).

Customer Personal Data

4.4 To the extent that Supplier’s processing of Customer Personal Data constitutes a Restricted Transfer under EU Data Protection Law, the parties hereby are deemed to conclude Module 2 or 3 (as applicable) of the EU Standard Contractual Clauses, which are incorporated herein by reference and as follows:

(a) in Clause 7, the optional docking clause applies;

(b) in Clause 9, Option 2 applies and changes to Sub-processors will be notified in accordance with Annex 2 of these Data Protection terms;

(c) in Clause 11, the optional language is deleted;

(d) in Clauses 17 and 18, the governing law and forum for disputes for the Standard Contractual Clauses will be the law and courts of the Netherlands;

(e) in Clause 13(a) and Annex 1.C, the Autoriteit Persoonsgegevens (Netherlands) will act as competent Supervisory Authority;

(f) The information contained in Annex 1, Annex 2 and Annex 3 of these Data Protection Terms, together with the details of the parties set out in the Agreement, shall populate the Appendix to the EU Standard Contractual Clauses.

4.5 To the extent that Supplier’s processing of Customer Personal Data constitutes a Restricted Transfer under UK Data Protection Law, the parties hereby conclude the UK Addendum, which is incorporated herein by reference and as follows:

(a) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Agreement together with the Annexes of these Data Protection terms and Table 4 will be deemed completed by selecting “neither party”;

(b) where applicable, the elections made in Clause 4.4 of these Data Protection Terms shall apply; and

(c) any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

4.6 To the extent a transfer of Agreement Personal Data between the parties constitutes a Restricted Transfer under Swiss Data Protection Law, the parties hereby conclude Module 1 of the EU Standard Contractual Clauses, which are incorporated herein by reference with the following modifications:

(a) All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the FADP; all references to the EU Data Protection Law in this DPA will be interpreted as references to the FADP.

(b) In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

(c) In Clause 17 and 18, the governing law and forum for disputes will be the laws of Switzerland.

(d) All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).

5. Limitation of Liability

To the extent that the Customer has an entitlement under Data Protection Law to claim from Supplier compensation paid by the Customer to a Data Subject as a result of a breach of Data Protection Law to which Supplier contributed, Supplier shall be liable only for such amount as it directly relates to its responsibility for any damage caused to the relevant Data Subject.


Annex 1 Processing Information

The table in this Annex sets out, for each processing activity: the status of the Parties, the categories of Personal Data processed, the categories of Data Subjects, the categories of sensitive data processed, the frequency of transfer and the applicable SCCs Module.

Processing Activity: Administration, Product Support, Enabling Product Access and Service Improvement
Customer discloses Personal Data to Supplier to provide, operate, improve, analyze, personalize and maintain the Licensed Products and Services, including when Customer contacts Supplier for product support.
Status of the Parties: Customer is a Controller (Exporter). Supplier is a Controller (Importer).
Categories of Personal Data Processed: Product account registration information, business contact information.
Categories of Data Subjects: Customer’s employees, contractors and personnel or representatives with access to or responsible for purchasing the Licensed Products and Services (“End Users”).
Categories of Sensitive Data Processed: N/A
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 1

Processing Activity: Product Content
Personal Data made available to Customer by Supplier through subscription product content.
Status of the Parties: Customer is a Controller (Importer). Supplier is a Controller (Exporter).
Categories of Personal Data Processed: Contact and profile information collated from publicly available sources and databases; institution, government, and NGO websites (such as hospital or medical society websites); public news sources; and other readily available public resources.
Categories of Data Subjects: Healthcare professionals, medical, scientific and healthcare staff, clinical study investigators, academic experts, authors and other relevant professionals.
Categories of Sensitive Data Processed: N/A
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 1

Processing Activity: End User Data – Subscription & SaaS Products
End Users store on or upload Personal Data to subscription and SaaS products (“End User Data”).
Status of the Parties: Customer is a Controller (Exporter). Supplier is a Processor (Importer).
Categories of Personal Data Processed: As determined by Customer or End User. Personal Data may include business contact and profile information.
Categories of Data Subjects: As determined by Customer or End User. Data subjects may include Customer employees and personnel, Customer’s clients and other relevant personnel.
Categories of Sensitive Data Processed: N/A
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 2, or Module 3 (if Customer is a Processor to another Controller)

Processing Activity: End User Data – Trialscope Disclose SaaS Product
End Users upload Personal Data to the Trialscope Disclose SaaS Product.
Status of the Parties: Customer is a Controller (Exporter). Supplier is a Processor (Importer).
Categories of Personal Data Processed: As determined by Customer or End User. Personal Data may include business contact and profile information. Personal Data may also include data relating to individuals’ health and clinical study details.
Categories of Data Subjects: As determined by Customer or End User. Data subjects may include Customer employees and personnel, clinical study personnel, healthcare professionals and clinical study participants.
Categories of Sensitive Data Processed: As determined by Customer or End User. Personal Data may include health information derived from an individual’s participation in a clinical study.
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 2, or Module 3 (if Customer is a Processor to another Controller)

Processing Activity: Licensed Data – Instant Health Data (“IHD”) Platform
Customers license Real-World Data that constitutes or contains Personal Data from Supplier or a third-party for use in the IHD platform.
Status of the Parties: Customer is a Controller (Exporter). Supplier is a Processor (Importer).
Categories of Personal Data Processed: Personal Data may include patient ID, treatment location information, disease information, therapy information, genetic data, adverse events, service requests, questions and complaints, assigned medical devices, diagnoses, treatment, lab values, insurance provider details.
Categories of Data Subjects: Patients who are the subject of the Licensed Data.
Categories of Sensitive Data Processed: Sensitive data may include disease information, therapy information, genetic data, adverse events, service requests, questions and complaints, assigned medical devices, diagnoses, treatment, lab values.
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 2, or Module 3 (if Customer is a Processor to another Controller)

Processing Activity: End User Data – IHD Platform
Customers and End Users upload Real-World Data that constitutes or contains Personal Data onto the IHD platform.
Status of the Parties: Customer is a Controller (Exporter). Supplier is a Processor (Importer).
Categories of Personal Data Processed: As determined by Customer or End User. Personal Data may include patient ID, treatment location information, disease information, therapy information, genetic data, adverse events, service requests, questions and complaints, assigned medical devices, diagnoses, treatment, lab values, insurance provider details.
Categories of Data Subjects: Patients who are the subject of the End User Data.
Categories of Sensitive Data Processed: Sensitive data may include disease information, therapy information, genetic data, adverse events, service requests, questions and complaints, assigned medical devices, diagnoses, treatment, lab values.
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 2, or Module 3 (if Customer is a Processor to another Controller)

Processing Activity: Trialscope Professional Services
Regulatory, medical writing expertise and support services pursuant to which Supplier receives Personal Data from, and processes on behalf of, Customer.
Status of the Parties: Customer is a Controller (Exporter). Supplier is a Processor (Importer).
Categories of Personal Data Processed: As determined by Customer or End User. Personal Data may include business contact and profile information. Personal Data may also include data relating to individuals’ health and clinical study details.
Categories of Data Subjects: Data subjects may include Customer employees and personnel, clinical study personnel, healthcare professionals and clinical study participants.
Categories of Sensitive Data Processed: As determined by Customer or End User. Personal Data may include health information derived from an individual’s participation in a clinical study.
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 2, or Module 3 (if Customer is a Processor to another Controller)

Processing Activity: Professional and Consulting Services
Professional and consulting services pursuant to which Supplier receives from, and processes on behalf of, Customer, Personal Data.
Status of the Parties: Customer is a Controller (Exporter). Supplier is a Processor (Importer).
Categories of Personal Data Processed: As determined by Customer. Personal Data may include business contact and profile information.
Categories of Data Subjects: As determined by Customer. Data subjects may include Customer employees, key opinion leaders, healthcare professionals.
Categories of Sensitive Data Processed: As determined by Customer or End User.
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 2, or Module 3 (if Customer is a Processor to another Controller)

Processing Activity: Marketing Services and Market Research
Supplier discloses to Customer Personal Data which Supplier has collected in the course of its activities to provide lead generation services, marketing services, and market research.
Status of the Parties: Customer is a Controller (Importer). Supplier is a Controller (Exporter).
Categories of Personal Data Processed: Contact information, including names, email addresses, job titles.
Categories of Data Subjects: Marketing contacts, market research participants, promotion or competition winners.
Categories of Sensitive Data Processed: N/A
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 1

Processing Activity: Patient Engagement and Recruitment Services
Supplier discloses to Customer Personal Data related to potential clinical study participants and, where permissible, online membership community subscribers.
Status of the Parties: Customer is a Controller (Importer). Supplier is a Controller (Exporter).
Categories of Personal Data Processed: Contact information, date of birth, location, sex, ethnicity, health information.
Categories of Data Subjects: Potential clinical study participants and online membership community subscribers.
Categories of Sensitive Data Processed: Sensitive data may include health information (health condition or medication related information) and demographic information (e.g., data on race/ethnicity).
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 1

Annex 2 Sub-processors

Pursuant to Supplier’s processing of Customer Personal Data, Supplier engages Sub-processors to assist with Personal Data processing activities. A list of Sub-processors, their purpose, location and contact details is located on this Sub-processor page, which is incorporated into these Data Protection Terms.

Annex 3 Technical and Organizational Measures

Supplier’s current technical and organizational measures are described here.