“Adequate Country”
means a country or territory that is recognised under EU and UK Data Protection Law as providing adequate protection for Personal Data.
“Agreement Personal Data”
means any Personal Data that is provided or made available by a Party (or on behalf of a Party) to the other Party (or to any third-party vendor acting on behalf of the other Party) under the Agreement in connection with the Agreement, in respect of which each Party is a Controller or Business.
“Norstella Personal Data”
means Personal Data that is processed by Reseller on behalf of Norstella under the Agreement in connection with the Agreement, in respect of which Reseller is a Processor (or, as the case may be, a Sub-processor) or Service Provider.
“Data Protection Law”
means all applicable laws governing the handling of Personal Data, including without limitation (1) EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”) (collectively, “EU Data Protection Law”); (2) the UK Data Protection Act 2018 and the UK GDPR as defined in the 2018 Act (together, “UK Data Protection Law”); (3) the Swiss Federal Act on Data Protection 2020 (“FADP” or “Swiss Data Protection Law”); and (4) the US Data Protection Laws, in each case as amended, extended or re-enacted from time to time.
“EU Standard Contractual Clauses”
means the standard contractual clauses (“SCCs”) for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and currently located at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.
“Controller”, “Processor”, “Business”, “Service Provider”, “Process”, “Processed”, “Processing”, “Sub-processor”, “Data Subject”, “Personal Data Breach” and “Supervisory Authority”
have the meanings given under Data Protection Law. In the event that any of these terms are defined differently in applicable Data Protection Law, relevant to the processing of Personal Data under the Agreement, the equivalent terms will apply in each jurisdiction.
“Personal Data”
means any information that relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including without limitation any information that qualifies as “personal information” or “personal data” under Data Protection Law.
“Restricted Transfer”
means a transfer of Agreement Personal Data to a country or territory to which such transfer is prohibited under Data Protection Law or subject to a requirement to take additional steps to adequately protect Personal Data for the transfer to be lawful under Data Protection Law.
“UK Addendum”
means the Addendum that has been issued by the UK Information Commissioner for Parties making Restricted Transfers, and currently located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
“US Data Protection Laws”
means US state laws governing the processing of Personal Data, including but not limited to the California Consumer Privacy Act of 2018, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, the Utah Consumer Privacy Act of 2022, and the Virginia Consumer Data Protection Act, in each case as amended and including any regulations promulgated thereunder.
2.1 Each Party is an independent Controller or Business of the Agreement Personal Data that it processes under the Agreement.
2.2 Reseller shall process Norstella Personal Data on behalf of Norstella. The parties agree that Reseller shall be a Processor (or, as the case may be, a Sub-processor) or Service Provider, and Norstella is a Controller (or, as the case may be, a Processor) or Business (or a Service Provider) of Norstella Personal Data.
2.3 The information in Annex 1 of these Data Protection Terms contains the applicable scope of processing pursuant to the Agreement.
Agreement Personal Data
3.1 Each Party will in respect of Agreement Personal Data:
(a) process Agreement Personal Data in accordance with obligations that apply to it as a Controller or Business under Data Protection Law including but not limited to the principles of lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation and security;
(b) provide such information and assistance as the other Party may reasonably request to enable it to comply with its own obligations under Data Protection Law, including in the event of a Personal Data Breach;
(c) notify the other Party, and provide the other Party with such information, cooperation and assistance as the other Party may reasonably request, if it:
(i) receives any enquiry, complaint, notice or other communication from any Supervisory Authority that names or otherwise identifies or concerns the other Party; or
(ii) suffers a Personal Data Breach and wishes to name or otherwise identify the other Party in a notification of such breach to a Supervisory Authority or a Data Subject;
(d) process its own requests for Data Subjects to exercise their rights, and will cooperate with the other Party to honour any such rights requests (in particular any objections or opt-out requests) that have been received by the other Party, and which relate to Agreement Personal Data that has been shared between the Parties;
(e) ensure that any person who is authorized to process Agreement Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
3.2 A Party that has made Agreement Personal Data available to the other Party under the Agreement (“Disclosing Party”) will have the right to:
(a) take reasonable and appropriate steps to help ensure that such other party (“Receiving Party”) uses such Agreement Personal Data in a manner consistent with the Disclosing Party’s obligations under and as required by Data Protection Law; and
(b) upon reasonable prior written notice, take reasonable and appropriate steps to stop and remediate unauthorized use of such Agreement Personal Data under Data Protection Law. The Receiving Party will notify the Disclosing Party if the Receiving Party determines that it can no longer meet its obligations under Data Protection Law.
Norstella Personal Data
3.3 In respect of its processing of Norstella Personal Data, Reseller will:
(a) only process Norstella Personal Data on the documented instructions of Norstella, including with regard to transfers of personal data to a third country or international organization, and otherwise as necessary to perform its obligations under the Agreement or as required by any applicable law (provided that Reseller first informs Norstella of that legal requirement before processing, unless that law prohibits this on important grounds of public interest);
(b) ensure that any person who is authorized to process Norstella Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty);
(c) maintain all appropriate technical and organizational measures to ensure security of Norstella Personal Data including protection against unauthorised or unlawful processing (including, without limitation, unauthorised or unlawful disclosure of, access to and/or alteration of Norstella Personal Data) and against accidental loss, destruction or damage and so that the processing of the Norstella Personal Data shall meet the requirements of Data Protection Law and ensure the protection of the rights of Data Subjects. At all times, such measures shall ensure compliance with industry standard security and Data Protection Law;
(d) taking into account the nature of the processing, assist Reseller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Reseller’s obligation to respond to requests for exercising applicable Data Subjects’ rights, including, without limitation, right to access, rectification, erasure and portability of Data Subjects’ Personal Data; (for the avoidance of doubt, Norstella will only assist and enable Reseller to meet Reseller’s obligations to satisfy Data Subjects’ rights, but Reseller will not respond directly to Data Subjects);
(e) use Sub-processors to process Norstella Personal Data in connection with the Agreement. Reseller will provide Norstella with a current list of Sub-processors promptly upon written request. Reseller will notify Norstella of any intended changes concerning the addition or replacement of its Sub-processors and provide Norstella with the opportunity to object to such changes. Norstella will notify Reseller in writing of any such objection within 10 days of receipt of Reseller’s written notice of the change. If an objection is ongoing at the end of the notice period, the Sub-processor shall not be used to process Norstella Personal Data until the resolution of the objection. Reseller will take steps to ensure the reliability of any Sub-processor and impose obligations upon any Sub-processor that are no less protective than those included in these Data Protection Terms. Reseller will remain liable for any acts or omissions of its Sub-processors;
(f) to the extent applicable, provide reasonable assistance to Norstella with any data protection impact assessments, and prior consultations with a Supervisory Authority pursuant to obligations under Data Protection Law;
(g) at the choice of Norstella, delete or return all Norstella Personal Data after the end of the provision of Licensed Products relating to the processing, and delete existing copies unless applicable law requires continued storage of Norstella Personal Data;
(h) make available to Norstella all information necessary to demonstrate compliance with this clause 3.3 and allow for and contribute to audits, including inspections, conducted by Reseller or an independent third-party auditor mandated by Norstella;
(i) notify Norstella without undue delay, but in any event within forty-eight (48) hours of identifying a Personal Data Breach with respect to Norstella Personal Data. Reseller shall reasonably cooperate with Norstella in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data Breach. Nothing herein prohibits Reseller from providing notification of the Personal Data Breach to regulatory authorities as may be required by Data Protection Law prior to notification of Norstella so long as Reseller provides notification to Norstella without undue delay;
(j) to the extent that Reseller’s processing of Norstella Personal Data is subject to US Data Protection Law, not:
(i) retain, use, or disclose Norstella Personal Data other than as provided for in the Agreement, as needed to provide the Licensed Products, or as otherwise required or permitted by US Data Protection Law;
(ii) combine Norstella Personal Data with Personal Data received from customers or individuals (except as required or permitted by US Data Protection Law); or
(iii) sell or share (as those terms are defined by US Data Protection Law) Norstella Personal Data.
Agreement Personal Data
4.1 To the extent a transfer of Agreement Personal Data between the parties constitutes a Restricted Transfer under EU Data Protection Law, the parties hereby are deemed to conclude Module 1 of the EU Standard Contractual Clauses, which are incorporated herein by reference and as follows:
(a) in Clause 7, the optional docking clause applies;
(b) in Clause 11, the optional language is deleted;
(c) in Clauses 17 and 18, the governing law and forum for disputes for the Standard Contractual Clauses will be the law and courts of the Netherlands;
(d) in Clause 13(a) and Annex 1.C, the Autoriteit Persoonsgegevens (Netherlands) will act as competent Supervisory Authority;
(e) the information contained in Annex 1 of these Data Protection Terms, together with the details of the parties set out in the Agreement, shall populate the Annexes to the EU Standard Contractual Clauses (for the avoidance of doubt, where Norstella is the importer, Norstella will implement security measures consistent with those implemented by Reseller).
4.2 To the extent a transfer of Agreement Personal Data between the parties constitutes a Restricted Transfer under UK Data Protection Law, the parties hereby conclude the UK Addendum, which is incorporated herein by reference and as follows:
(a) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Agreement together with the Annexes of these Data Protection Terms and Table 4 will be deemed completed by selecting “neither party”;
(b) where applicable, the elections made in Clause 4.2 of these Data Protection Terms shall apply;
(c) any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
4.3 To the extent a transfer of Agreement Personal Data between the parties constitutes a Restricted Transfer under Swiss Data Protection Law, the parties hereby conclude Module 1 of the EU Standard Contractual Clauses, which are incorporated herein by reference with the following modifications:
(a) All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the FADP; all references to the EU Data Protection Law in this DPA will be interpreted as references to the FADP.
(b) In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
(c) In Clauses 17 and 18, the governing law and forum for disputes will be the laws of Switzerland.
(d) All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).
Norstella Personal Data
4.4 To the extent that Reseller’s processing of Norstella Personal Data constitutes a Restricted Transfer under EU Data Protection Law, the parties hereby are deemed to conclude:
(a) Module 2 or 3 (as applicable) of the EU Standard Contractual Clauses, which are incorporated herein by reference and as follows:
(i) in Clause 7, the optional docking clause applies;
(ii) in Clause 9, Option 2 applies and changes to Sub-processors will be notified in accordance with these Data Protection Terms;
(iii) in Clause 11, the optional language is deleted;
(iv) in Clauses 17 and 18, the governing law and forum for disputes for the Standard Contractual Clauses will be the law and courts of the Netherlands;
(v) in Clause 13(a) and Annex 1.C, the Autoriteit Persoonsgegevens (Netherlands) will act as competent Supervisory Authority;
(vi) The information contained in Annex 1 of these Data Protection Terms, together with the details of the parties set out in the Agreement, shall populate the Appendix to the EU Standard Contractual Clauses.
(b) or Module 4 of the EU Standard Contractual Clauses, which are incorporated herein by reference and as follows:
(i) in Clause 7, the optional docking clause applies;
(ii) in Clause 9, Option 2 applies and changes to Sub-processors will be notified in accordance with these Data Protection Terms;
(iii) in Clause 11, the optional language is deleted;
(iv) in Clauses 17 and 18, the governing law and forum for disputes for the Standard Contractual Clauses will be the law and courts of the Netherlands;
(v) in Clause 13(a) and Annex 1.C, the Autoriteit Persoonsgegevens (Netherlands) will act as competent Supervisory Authority;
(vi) The information contained in Annex 1 of these Data Protection Terms, together with the details of the parties set out in the Agreement, shall populate the Appendix to the EU Standard Contractual Clauses.
4.5 To the extent that Reseller’s processing of Norstella Personal Data constitutes a Restricted Transfer under UK Data Protection Law, the parties hereby conclude the UK Addendum, which is incorporated herein by reference and as follows:
(a) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Agreement together with the Annexes of these Data Protection Terms and Table 4 will be deemed completed by selecting “neither party”;
(b) where applicable, the elections made in Clause 4.4 of these Data Protection Terms shall apply; and
(c) any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
4.6 To the extent a transfer of Agreement Personal Data between the parties constitutes a Restricted Transfer under Swiss Data Protection Law, the parties hereby conclude:
(a) Module 2 or 3 (as applicable) of the EU Standard Contractual Clauses, which are incorporated herein by reference with the following modifications:
(i) All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the FADP; all references to the EU Data Protection Law in this DPA will be interpreted as references to the FADP.
(ii) In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
(iii) In Clauses 17 and 18, the governing law and forum for disputes will be the laws of Switzerland.
(iv) All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).
(b) Module 4 of the EU Standard Contractual Clauses, which are incorporated herein by reference with the following modifications:
(i) All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the FADP; all references to the EU Data Protection Law in this DPA will be interpreted as references to the FADP.
(ii) In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
(iii) In Clauses 17 and 18, the governing law and forum for disputes will be the laws of Switzerland.
(iv) All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).
Reseller will indemnify, defend, and hold harmless Norstella and its Affiliates from and against any and all liabilities, costs, expenses, damages and losses (including fines, awards and all reasonable legal costs) that Norstella or its Affiliates may suffer or incur arising from or relating to any breach of Data Protection Law by Reseller.
| Processing Activity | Status of the Parties | Categories of Personal Data Processed | Categories of Data Subjects | Categories of Sensitive Data Processed | Frequency of Transfer | Applicable SCCs Module |
|---|---|---|---|---|---|---|
| Agreement Administration: the regular exchange of Personal Data between Norstella and Reseller to facilitate the Agreement. | Reseller is a Controller (Exporter). Norstella is a Controller (Importer). Or Reseller is a Controller (Exporter). Norstella is a Controller (Importer). | Business contact information. | Norstella and Reseller personnel. | N/A | Continuous | Module 1 |
| Licensed Product Administration, Support, Enabling Licensed Product Access and Service Improvement: Reseller discloses Personal Data relating to Customers to Norstella so that it can provide, operate, improve, analyze, personalize, and maintain the Licensed Products for Customers. | Reseller is a Controller (Exporter). Norstella is a Controller (Importer). | Business contact information. | Customer employees, contractors and personnel or representatives with access to the Licensed Products. | N/A | Continuous | Module 1 |
| Norstella Personal Data: to the extent that Personal Data is disclosed by Norstella to and processed by Reseller on Norstella’s behalf under the Agreement. | Norstella is a Controller (Exporter). Reseller is a Processor (Importer). | As determined by Norstella. Personal Data may include business contact and profile information. | As determined by Norstella. Data subjects may include Customer personnel, key opinion leaders, healthcare professionals. | N/A | Continuous | Module 2 |
| Norstella Personal Data: Personal Data collected and processed by Reseller pursuant to Norstella’s instructions or requirements, for the purpose of providing the Licensed Products to Customer, with Reseller acting as a processor or sub-processor. | Reseller is a Processor (Exporter). Norstella is a Controller (Importer). | Licensed Product account registration information, business contact information. | Customer employees, contractors and personnel or representatives with access to the Licensed Products. | N/A | Continuous | Module 4 |