Data Processing Addendum for Consultancy Services
hVIVO B.V.
This Data Processing Addendum (“DPA”) supplements the terms and conditions that have been executed between hVIVO B.V. (“hVIVO”) and Client in relation to the provision of consultancy services by hVIVO to Client (the “Agreement”).
This DPA is entered into between Client and hVIVO when hVIVO enters into the Agreement to provide Services to the Client, and shall apply to the extent that hVIVO processes Personal Data as a Processor under the Agreement.
The provisions of this DPA supersede any other arrangement, understanding, or agreement made between the Parties at any time relating to the Covered Personal Data.
IT IS AGREED AS FOLLOWS:
1. Definitions
1.1. In this DPA, unless context requires otherwise, the following definitions apply:
| Term | Meaning |
| --- | --- |
| “Client” | means the party to the Agreement to whom hVIVO is providing the services. |
| “Controller” | shall have the meaning given to it in the Data Protection Legislation. For the purposes of this DPA, Client shall be considered the Controller. |
| “Covered Personal Data” | means all “Personal Data”, as defined in Article 4 of the GDPR, processed by the Processor on behalf of the Controller, as further described in Section 2 of this DPA. |
| “Data Protection Legislation” | means all privacy laws and regulations applicable to any Personal Data processed under or in connection with the Agreement and this DPA, including but not limited to the GDPR. |
| “Data Security Breach” | means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Covered Personal Data. |
| “Data Subject” | shall have the meaning given to it in Article 4 of the GDPR. |
| “GDPR” | means the General Data Protection Regulation (EU) 2016/679. |
| “Processor” | shall have the meaning given to it in the Data Protection Legislation. For the purposes of this DPA, hVIVO shall be considered the Processor. |
| “Services” | means the Services provided by hVIVO to Client under the Agreement. |
1.2. Any capitalised words included herein but otherwise not defined shall have the meaning prescribed to them within the Agreement.
2. Categories of Covered Personal Data
2.1. The Covered Personal Data concern the following categories of Personal Data (as applicable):
- surname, first name, patronymic;
- contact details (business address, telephone, mobile, fax, e-mail address if applicable);
- medical qualification;
- job position, employer, previous job experience;
- previous experience in clinical studies, including those conducted by hVIVO, including role in the study and number of years;
- education, licenses and certification;
- Good Clinical Practice (GCP) training(s) or training in other relevant ICH guideline(s);
- bank accounts;
- mother and foreign tongue(s);
- honours and awards;
- membership of professional societies and associations;
- invited papers, lectures, presentations;
- previous teaching experience;
- publications;
- other relevant information to allow selection for appropriate clinical studies in the future;
- pseudonymised health data, if and when collected for the purposes of participation in a Study.
3. Categories of Data Subjects
3.1. The Covered Personal Data concern the following categories of individuals:
- Client personnel and other representatives.
4. Purposes of the Data Processing
4.1. The Covered Personal Data will be processed solely for the following purposes:
a) conduct of the project(s);
b) administration and management of the Services;
c) administration and management of the relationship between hVIVO and Client;
d) compliance with Applicable Laws and/or lawful requests and orders of governmental authorities or other regulatory bodies;
(hereinafter a) to d) collectively “Purposes of Processing”)
5. Processing activities
5.1. The Covered Personal Data will be subject to the following processing activities: collecting, recording, systemizing, accumulating, storing, rectifying (updating, modifying), retrieving, using, transferring (distributing, providing, accessing), blocking, erasing or removing (“Processing”).
6. Authority
6.1. Client has authorised hVIVO to Process the Covered Personal Data for the Purposes of Processing.
7. Processor Representations and Warranties
7.1. hVIVO warrants and represents that it will:
(i) Process the Covered Personal Data only in accordance with the Data Protection Legislation and Client’s lawful written instructions as specified in this DPA or as may be issued in writing by Client from time to time. Should hVIVO be unable for any reason to ensure its full compliance with any obligations under the Data Protection Legislation, this DPA or Client’s instructions, hVIVO will immediately notify Client, who may suspend the Processing of the Covered Personal Data;
(ii) promptly, but in any event no later than 48 hours after discovering or suspecting a Data Security Breach, (i) notify Client of such Data Security Breach or suspicion of breach; (ii) investigate the Data Security Breach or suspicion of breach and provide Client with detailed information about the Data Security Breach or suspicion of breach, including, where possible, the categories and estimated number of Data Subjects concerned and the categories and estimated number of Personal Data records concerned, the impact and likely consequences on the affected Data Subjects of the Data Security Breach or suspicion of breach, and the corrective action taken or to be taken by hVIVO; and (iii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Data Security Breach. If hVIVO is unable to provide the notice within 48 hours, it will provide Client with reasons for the delay;
(iii) subject to Article 5 of this DPA, transfer or disclose the Covered Personal Data only to Client in accordance with this DPA and with Client's instructions, except where required by European Union or European Union Member State law to which hVIVO is subject, in which case hVIVO shall inform Client of that legal requirement before such transfer or disclosure, unless that law prohibits the provision of such information on grounds of public interest;
(iv) immediately inform Client if, in hVIVO’s opinion, Client’s instructions violate any Data Protection Legislation or other applicable regulations. hVIVO will be entitled to suspend and refuse execution of Client’s instructions that are in evident violation of the Data Protection Legislation or other applicable regulations until Client confirms that there is no such violation or modifies its instructions accordingly;
(v) ensure, where required by Data Protection Legislation, that all necessary consents from Data Subjects have been obtained in the form approved by Client before hVIVO Processes the Covered Personal Data as described in this DPA;
(vi) maintain, and provide Client with, all necessary documents and other information to enable Client to confirm that hVIVO has complied with its obligations under the Data Protection Legislation and this DPA. hVIVO shall allow for and contribute to audits, conducted by Client or any party on Client’s behalf, to ensure compliance with the Data Protection Legislation. Without limitation to the foregoing, Client may carry out such audits by obtaining information from hVIVO, by reviewing the Covered Personal Data hosted by hVIVO, as well as by performing on-site inspections of hVIVO’s premises in order to verify the methods of Processing carried out by hVIVO, including security measures adopted. Inspections and verifications shall be carried out during customary business hours following advance notice of 5 (five) working days;
(vii) notify Client promptly and in any event no later than 2 (two) working days of receiving any communication, complaint, inquiry, or request from any third party, including a supervisory authority or a Data Subject, relating to the Processing by hVIVO of the Covered Personal Data and comply with all relevant instructions that Client may give as to how to handle such communication, complaint, inquiry or request. In any event, hVIVO will not respond to, or comply with, any such communication, complaint, inquiry, or request before it has received Client’s instructions in this regard; and
(viii) duly assist and cooperate with Client to allow Client to comply with its obligations under the Data Protection Legislation, including, where relevant, carrying out data protection impact assessments and engaging in prior consultations with the relevant supervisory authorities.
8. Technical and Organisational Measures
8.1. hVIVO shall take appropriate technical and organisational security measures to safeguard the Covered Personal Data against unauthorised or unlawful access, modification and against accidental or intended loss or destruction of, or damage to the Covered Personal Data, unauthorised transfer or other unauthorised Processing of any Covered Personal Data or any other misuse of the Covered Personal Data, as follows:
(i) Physical security and access control – Rights to access and operate the automatic data processing system shall be available only to hVIVO employees and representatives who shall be trained in handling of the Covered Personal Data and who shall directly handle such Covered Personal Data. Such employees and representatives shall only have access to the Covered Personal Data corresponding to their respective authorisations, which shall be granted solely to such persons. hVIVO shall ensure that the IT systems utilised for the Processing of the Covered Personal Data only allow authorised users access to the data limited to their individual authorisation rights.
(ii) Confidentiality – hVIVO shall at all times keep confidential all Covered Personal Data it Processes pursuant to the Agreement. hVIVO may disclose the Covered Personal Data to its employees, officers, representatives or advisers who need to know such information for the purposes of carrying out its obligations under the Agreement provided that such employees, officers, representatives or advisers are required to maintain the confidentiality of the Covered Personal Data in accordance with the terms of the Agreement.
(iii) Availability control – hVIVO shall ensure that the Covered Personal Data cannot be unintentionally lost or destroyed. Without limitation to the foregoing, hVIVO shall implement an antivirus protection system for all equipment used in the Processing of the Covered Personal Data and a data security backup system.
(iv) Transfer control – hVIVO shall ensure that during any transfer of the Covered Personal Data it cannot be read, copied, modified or deleted without authorisation.
(v) Input control – hVIVO shall implement a system to log who enters the Covered Personal Data into the system used in the Processing of the Covered Personal Data and by whom the Covered Personal Data is removed from such systems.
(vi) Separation of data processing for different purposes – hVIVO shall ensure that any Covered Personal Data collected for different purposes is processed separately.
8.2. During the term of the Agreement, Client may modify the requirements for technical and organisational security measures to take into account technical and organisational developments.
9. Data Transfers
9.1. hVIVO will only transfer the Covered Personal Data from any jurisdiction to any other jurisdiction (the European Economic Area (“EEA”) constituting a single jurisdiction for this purpose) with the prior written consent of Client and as necessary to provide the Services under the Agreement or any specific work order, or otherwise as instructed by Client.
9.2. Without limitation to the foregoing: in the event that hVIVO transfers the Covered Personal Data from the EEA to Client or any hVIVO affiliate (“Processor Recipient”) located in, or in the event that a Processor Recipient has access to such Covered Personal Data from, a country outside the EEA that is not deemed to offer an adequate level of data protection as defined by the Data Protection Legislation, hVIVO will ensure compliance with all the formalities and procedures required under the Data Protection Legislation. More specifically:
a. hVIVO will enter into and execute the Controller to Processor Model Clauses with the Processor Recipient for and on behalf of Client and with its general authority to do so; or
b. hVIVO will rely on another mechanism for transferring the Covered Personal Data to the Processor Recipient that is deemed valid under the Data Protection Legislation.
10. Term and Termination
10.1. The provisions of this DPA shall continue in full force and effect for the duration of the Agreement, or as long as hVIVO processes the Covered Personal Data on behalf of the Client.
10.2. Upon termination of the Agreement in part or in whole, hVIVO will return to Client, or a third party indicated in writing by Client, all Covered Personal Data Processed by hVIVO, together with all copies in any media (hardcopy, electronic and other) of such data, or, if requested in writing by Client, hVIVO will destroy the same, unless hVIVO is required, by European Union or European Union Member State law to retain such data or any part thereof, in which case such retention will be limited to the period prescribed by such law. In case of technical impossibility to delete the Covered Personal Data Processed by electronic means, hVIVO will take all necessary measures to prevent the Covered Personal Data from being accessible, retrievable and amendable. In each case, if Client requests within 15 (fifteen) days following termination of the Agreement, hVIVO will provide Client with a written statement confirming that it has acted in accordance with this section.
11. Liability and Indemnity
11.1. hVIVO will be solely liable to the Data Subjects for any breach of this DPA or the Data Protection Legislation, provided such loss directly results from hVIVO’s breach of its obligations under this DPA or the Data Protection Legislation.
11.2. hVIVO will indemnify Client for any damage caused to a Data Subject to the extent such damage is caused directly by hVIVO’s breach of this DPA or any obligation imposed on hVIVO under the Data Protection Legislation.
11.3. Client shall indemnify hVIVO in respect of all losses suffered or incurred by hVIVO or any sub-processor arising from or in connection with any non-compliance by Client with the Data Protection Legislation, or any breach by Client of any of its obligations under this DPA.
12. Governing Law
12.1. This DPA shall be governed by, and construed in accordance with, the laws of The Netherlands.