Data privacy

Terms & Conditions for MSBiosuite Users


MENARINI SILICON BIOSYSTEMS S.P.A., with registered office at Via Giuseppe Di Vittorio 21/B3, 40013 Castel Maggiore (BO), Italy (hereinafter “Provider”) shall perform (directly or by means of sub-providers) the services (hereinafter collectively “Services”) duly described and quoted in the final order (hereinafter “Order”) for the company indicated in the Order (hereinafter “Client”), under the following terms and conditions (hereinafter “Terms and Conditions of Business”).

The present Terms and Conditions of Business and the relevant Order hereinafter jointly referred to as “Agreement”.

Client and Provider hereinafter individually referred to as “Party” and collectively as "Parties".

Client enters into the Agreement by 1) clicking a box indicating acceptance when it is presented to the Client; 2) accessing or using any part of the Services; 3) accepting an order form delivered by the Provider.

1. SERVICE

1.1 Provider shall use any reasonable effort to perform the Services described in the relevant Order, according to the terms and conditions set forth in such Order and - to the extent applicable - in the present Terms and Conditions of Business and to any applicable laws and regulations in force from time to time, without exclusions and/or exceptions.

1.2 Client acknowledges and agrees that the Services will be performed by Provider on a non-exclusive basis and, accordingly, Provider has the right to perform similar services for third parties, provided however that Provider shall comply with the present Agreement.

1.3 Upon acceptance of the present Agreement, Client shall, at its own cost, risk and responsibility, deliver to Provider any materials necessary to Provider to perform the Services - if any - as detailed in the Order (hereinafter “Materials”). THE CLIENT SHALL DELIVER/ENTER/UPLOAD ON THE PLATFORM MATERIAL CONTAINING ANONYMOUS/DE-IDENTIFIED/CODED DATA ONLY (“CODED DATA”). CLIENT UNDERTAKES NOT TO COMMUNICATE TO PROVIDER ANY IDENTIFIABLE PATIENTS’ PERSONAL DATA AND/OR ANY INFORMATION THAT MIGHT ALLOW DIRECT OR INDIRECT IDENTIFICATION OF THE CONCERNED DATA SUBJECTS. CLIENT WARRANTS THAT THE MATERIALS AND ANY DATA CONTAINED THEREIN ARE PROVIDED TO PROVIDER IN ACCORDANCE WITH ALL PROVISIONS OF APPLICABLE LAW AND REGULATIONS, INCLUDING ANY LAWS AND REGULATIONS IN RELATION TO THE PROCESSING OF PERSONAL DATA. FURTHERMORE, CLIENT WARRANTS THAT THE PROVISION OF THE SERVICES IN RELATION TO THE MATERIALS DOES NOT VIOLATE ANY PROVISION OF APPLICABLE LAW AND REGULATION. CLIENT REPRESENTS AND WARRANTS THAT ITS USE OF THE SERVICES COMPLIES WITH ALL APPLICABLE LAWS AND REGULATIONS; WILL NOT VIOLATE THE TERMS OF THIS AGREEMENT; WILL NOT CIRCUMVENT OR RENDER INEFFECTIVE THE TECHNOLOGICAL AND OTHER MEASURES APPLIED TO PROTECT AND CONTROL THE SERVICES AND THE PLATFORM. FURTHERMORE, CLIENT WARRANTS THAT IT HAS OBTAINED ALL CONSENTS, PERMITS, WAIVERS, AND GOVERNMENTAL OR REGULATORY APPROVALS REQUIRED, NECESSARY OR APPROPRIATE FOR THE USE OF THE SERVICES IN THE MANNER CONTEMPLATED IN THIS AGREEMENT. Without prejudice to Section 7 below, Provider shall not be held liable for any delay or defect in the performance of the Services arising out of, or in any way connected to, the Materials.
Client shall indemnify and hold harmless Provider and its Personnel (as hereinafter defined) from any and all third party’s claims, demands, proceedings, losses, damages, liabilities, deficiencies and costs to the extent arising out of any infringement of third parties’ rights (including patients) in connection with the use of the Materials in the performance of the Services.

1.4 The Client acknowledges that the Services shall be provided by means of a software website platform (“Platform”) hosted by Provider’s sub-providers. Except if a specific country or regional restriction has been agreed in the Order, these servers may be located in any country of the world. Such Platform may contain links to external sites and/or content. The Client agrees that Provider is not liable in any manner for such sites and/or content. Any link to third party sites, contents, services or tools may not be construed as an approval or endorsement of such third party sites, contents, services or tools.

2. COMPENSATION

In return for the performance of the Services, Client shall pay Provider the amounts listed in the Order, under the terms and conditions detailed thereto.

3. CLIENT’S OBLIGATIONS

3.1 In order to receive the Services from Provider, Client has to create on the Platform one or more user accounts for persons that are authorized to access and use the Platform (“Authorized User”). Client shall, and shall cause its Authorized User to prevent unauthorized access to, or use of, the Platform and of the Services. Client is responsible for keeping the login credentials confidential and for any unauthorized use made of these login credentials. Provider is not liable for any failure of the Client to keep the login credentials confidential. Client shall block immediately any compromised login credentials and inform Provider immediately thereof.

3.2 Client shall not, and shall prevent third parties from, doing any of the following:

3.2.1. make unauthorized use of the Platform and/or of the Services;

3.2.2. transfer to any other person any of its rights to use the Platform and/or the Services;

3.2.3. sell, rent or lease the Platform and/or the Services or otherwise use the Platform and/or the Services under a service desk or similar arrangements;

3.2.4. make the Platform and/or the Services available to anyone who is not an Authorized User;

3.2.5. create any derivative work based upon the Service;

3.2.6. translate, modify, adapt, enhance, decompile, disassemble or reverse engineer the Services, the Platform and/or the underlying software or otherwise determine or attempt to determine source code or protocols from the executable code of the software;

3.2.7. extract ideas, algorithms, procedures, workflows or hierarchies from the Platform and/or from the Service or otherwise use the Platform and/or the Services for the purpose of creating another product or service or another competitive solution or assist someone else to build a competitive solution.

4. CONFIDENTIALITY

4.1. Either Party shall consider any and all information disclosed by the other Party in connection with this Agreement (hereinafter collectively “Information”) as strictly confidential and, therefore, shall not disclose such Information to any third party, with the only exception of its respective directors, officers, employees, agents, sub-providers and consultants (hereinafter collectively “Personnel”), only for the purposes of this Agreement.

4.2. It is understood that either Party shall obtain from the aforesaid Personnel the undertaking to keep and maintain the Information as secret and confidential and shall adopt all the technical measures required to ensure the Information is kept and maintained as secret and confidential; in addition, either Party shall be and remain liable towards the other Party for any unauthorised disclosure of Information made by the Personnel.

4.3. The obligations of confidentiality set forth in this Agreement shall not apply to the Information which:

  • at the time of disclosure is generally known to the public;
  • after disclosure becomes public knowledge except by breach of this Agreement by the receiving Party;
  • was in receiving Party’s possession at the time of disclosure and was not acquired, directly or indirectly, from the disclosing Party; and
  • was received from a third party having the legal right to disclose such Information to the receiving Party, provided, however, that such Information was not obtained by said third party, directly or indirectly, from the disclosing Party.

The receiving Party shall always provide competent proof as to the applicability of any of the above circumstances.

4.4. At any time upon disclosing Party’s request, the receiving Party shall promptly return to the disclosing Party any and all Information, retaining only one (1) copy for its legal files, in order to be able to identify, at any time, the data covered by its secrecy obligations.

4.5. The obligations of confidentiality set forth in this Agreement are extended to all the countries of the world and shall remain in full force and effect for five (5) years after the expiration or termination for any cause of this Agreement.

5. INTELLECTUAL PROPERTY RIGHTS

5.1. By means of this Agreement, the Parties do not intend to transfer any intellectual property right, which shall remain the sole property of the Party owning it. In particular, Client agrees that Provider, its licensors and/or sub-providers shall retain exclusive ownership of, and all intellectual property rights in, the models, programs, methodologies, know-how, data and knowledge used, generated and/or developed by Provider in the performance of the Services - and any relevant improvement - which shall be and remain the sole property of the respective owners (the Provider, its licensors and/or its sub-providers, as applicable).

5.2. With respect to the data content of the deliverables provided to Client in the context of the Services different from optional advanced annotation Services, and subject to the terms and conditions of this Agreement, Client shall become the sole owner of such data content.

5.3. With respect to the data content of the deliverables provided to Client in the context of optional advanced annotation Services powered by N-of-one (hereinafter “NoO Content”), and subject to the terms and conditions of this Agreement, Client shall have the perpetual, irrevocable, fully paid-up, worldwide, royalty-free right to use, modify and reproduce such NoO Content, in connection with the provision of healthcare services to the applicable Client patient case. Client may not reuse any NoO Content for later or additional patient cases.

5.4. Without prejudice to Sections 5.2 and 5.3, nothing contained in this Agreement shall be construed as an assignment or grant to the Client of any right, title or interest in or to the intellectual property rights of the Provider, its licensors and/or its sub-providers.

6. DEFECTIVE SERVICES AND INDEMNIFICATION

6.1. Client shall notify Provider in writing of any defect, error, omission or default in the performance of the Services within five (5) days from the date of performance of the relevant Services. Failure to notify any such defect, error, omission or default within such five (5)-day period shall relieve Provider of any liability in respect of those defects, errors, omissions or defaults. In such event, Provider shall - as Client’s sole remedy - use any reasonable effort either (i) to correct or repeat the defective part of the Services, at Provider’s own cost, or (ii) to refund to Client the amount paid for the defective part of the Services.

6.2. Either Party shall defend, indemnify and hold the other Party and its Personnel harmless against any and all third party’s claims, demands, proceedings, losses, damages, liabilities, deficiencies and costs to the extent arising out of (i) any gross negligence or willful misconduct, or (ii) any breach of this Agreement.

7. LIMITATION OF PROVIDER’S WARRANTY AND LIABILITY

7.1. SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE”. CLIENT ACCEPTS SOLE RESPONSIBILITY FOR THE ACCESS TO AND USE OF THE SERVICES, THE PLATFORM, ANY RELATED MATERIAL/SERVICES AND ANY OF THE EFFECTS/RESULTS THEREOF IN RELATION TO THE MATERIALS AND THE CONTENT. PROVIDER MAKES NO EXPRESS OR IMPLIED REPRESENTATION OR WARRANTY ON THE SERVICES, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF PERFORMANCE, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

7.2. TO THE HIGHEST DEGREE PERMITTED BY THE APPLICABLE LAW, NEITHER PROVIDER NOR ITS DIRECTORS, SHAREHOLDERS, EMPLOYEES, OPERATORS AND/OR SUB-PROVIDERS SHALL BE HELD LIABLE VIS-À-VIS THE CLIENT FOR FORESEEABLE OR UNFORESEEABLE INDIRECT DAMAGES OF ANY KIND, RESULTING FROM CONTRACTUAL OR TORT LIABILITY, NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE (EVEN IF PROVIDER OR ITS OPERATORS WERE INFORMED THAT SUCH DAMAGES MAY OCCUR) ARISING FROM OR OTHERWISE CONNECTED TO THE USE OF, OR RELIANCE ON THE SERVICES, OR THE DELAYS OR IMPOSSIBILITY TO USE THE SERVICES, INCLUDING, BUT NOT LIMITED TO, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, AND INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFIT, GOODWILL, USE, DATA, INTERRUPTION OF WORK, PRECISION OF RESULTS OR ERRORS OR MALFUNCTIONING OF THE COMPUTER.

7.3. IN NO EVENT SHALL PROVIDER’S LIABILITY FOR DIRECT DAMAGES EXCEED THE AMOUNT OF THE FEES ACTUALLY PAID BY CLIENT UNDER THE CONCERNED ORDER FOR THE PERFORMANCE OF THE SERVICES.

8. TERM

This Agreement shall enter into full force and effect upon the date of acceptance by the Client and shall remain in effect until the completion of the Services and the performance of any obligation contained hereunder or in the relevant Order.

9. TERMINATION FOR BREACH

Either Party shall have the right to terminate this Agreement with immediate effect by written notice to the other Party in case of breach by the other Party of any of the obligations provided in this Agreement, provided that the breaching Party does not cure its breach within thirty (30) days from the notification of such breach by the non-breaching Party. In any case of termination, Client shall pay Provider for the Services actually performed up to the termination date.

10. FORCE MAJEURE

Neither Party shall be liable to the other Party for any delay or non-performance of its obligations under this Agreement arising from any cause beyond the reasonable control of the affected Party, which could not be reasonably planned for or avoided - including, without limitation, any act of God, governmental act, war, fire, flood, explosion and civil commotion - (hereinafter “Force Majeure Event”); provided however that the affected Party shall: (i) promptly notify the other Party in writing of the existence and the likely duration of the Force Majeure Event; and (ii) use its best endeavors to remove such Force Majeure Event, to limit the effect of delay or non-performance on the other Party and to resume the execution of its obligations under this Agreement as soon as possible.

11. SUBCONTRACT AND ASSIGNMENT

Client shall not subcontract, transfer, assign or delegate any right or obligation hereunder without the prior written consent of Provider, which consent shall not be unreasonably withheld. Provider shall be entitled to subcontract, transfer, assign or delegate any right or obligation hereunder without the prior written consent of Client.

12. PRIVACY

12.1. The Client shall deliver/enter/upload MATERIAL containing anonymous/ de-identified / coded data only (“Coded Data”). Client undertakes not to communicate to Provider any identifiable patients’ personal data and/or any information that might allow direct or indirect identification of the concerned data subjects. Moreover, the Parties recognize that the Provider and/or any of its sub-providers have neither the possibility nor the right to link any Coded Data to the data subjects’ code pairing list.

12.2. Therefore, the Parties recognize that performing the Services will not involve any personal data processing under Regulation (EU) 2016/679 (the “Regulation”) on the part of the Provider as far as patients’ personal data are concerned. The Client, in its capacity as sole Data Controller with regard to the personal data of patients and Authorised Users, acknowledges that compliance with the Regulation and with any other applicable domestic legal instrument on data protection that specifies the Regulation's content, including the relevant decisions of the competent Supervisory Authority (collectively "Privacy Laws"), is an essential condition of the Terms and Conditions of Performance of Services.

12.3. Thus, the Client undertakes under its sole responsibility to process said personal data in compliance with the Privacy Laws and to fulfil all the obligations that the Privacy Laws place on the Data Controller, such as, by way of non-exhaustive example: supplying data subjects with an information notice pursuant to arts. 13 and 14 of the Regulation and collecting the data subjects’ consent when the Privacy Laws so require; implementing appropriate security measures to guarantee that personal data are not unlawfully or accidentally accessed or processed by unauthorised third parties, lost, or otherwise compromised. Client shall indemnify and hold Provider harmless from any financial or legal consequences stemming from Client’s failure to comply with the Privacy Laws or with this clause.

12.4. However, without prejudice to the above, should the performance of the Services involve personal data processing under the Regulation and/or under an applicable law or sector regulation also on the part of the Provider, the Parties undertake to comply with the terms defined in the Data Processing Agreement (Annex 1).

13. COMPLIANCE WITH LAWS AND ETHICAL PRINCIPLES

13.1. Client represents and warrants to Provider that any activity performed, directly and indirectly, under this Agreement shall be conducted in accordance with the principles of Italian Legislative Decree 231/2001 and international anti-corruption legislations, such as OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, UK Bribery Act and US Foreign Corrupt Practices Act (hereinafter “Laws”).

13.2. In the performance of this Agreement, Client represents and warrants to have received and to comply with, the principles of the Ethical Code and the Crimes Prevention Model of the Menarini Group (hereinafter collectively “Compliance Program”).

13.3. Client represents and warrants to conduct controls to verify the effective implementation and to prevent violations of the Compliance Program.

13.4. Client shall promptly inform Provider in writing of any violation of or deviation from the Laws or the Compliance Program possibly made by Client.

13.5. In any event, Client represents and warrants to Provider that, in the performance of this Agreement, it has not and it shall not, directly or indirectly, offer, pay, give, or promise to pay or give or receive any payment or gift of any money or thing of value to or from any government officer to influence any acts or decisions or to induce such officer to use his influence to effect or influence the decision of the relevant government body or any other decision maker.

13.6. Client agrees that Provider shall have the right to conduct audits in order to verify Client’s compliance with the terms of this Section.

13.7. The Parties hereby agree that, should Client breach the Laws or the Compliance Program in connection with the performance of this Agreement or in case of false declaration thereon, the following sanctions may be applied by Provider:

  • warning notice to Client structured as follows:
    • warning notice to ask Client to strictly abide by the Laws or the Compliance Program. In case the request is not met, Provider may apply to Client a penalty of 10% (ten per cent) of the overall value of this Agreement, or, taking into account the importance of the breach, may immediately terminate this Agreement; or
    • warning notice to implement, at Client’s sole cost and responsibility, one or more corrective actions to remedy the violation of the Laws or the Compliance Program (hereinafter “Remediation Plan”). In case the Remediation Plan is not implemented, Provider may apply to Client a penalty of 10% (ten per cent) of the overall value of this Agreement or, taking into account the importance of the breach, may immediately terminate this Agreement;
  • in case of major violations of the Laws or the Compliance Program, termination of this Agreement with immediate effect.

13.8. It is understood that Client shall hold harmless and indemnify Provider from any and all claim, expense, fine, sanction, prejudice, obligations, consequences or adverse implications that may arise, resulting from the conduct of the Client violating the present Section.

14. GOVERNING LAW AND VENUE

14.1. This Agreement shall be interpreted and construed according to Italian law, regardless of principles of choice of law.

14.2. Should any dispute arise out of the interpretation and/or execution of the present Agreement, the Parties will use their best endeavors to solve the dispute amicably. In the event said disputes cannot be amicably settled within such period of time, the dispute shall be exclusively submitted to the Court of Bologna (Italy) with the exclusion of any other jurisdiction.

15. FINAL PROVISIONS

15.1. (Independent contractors) The Parties are independent contractors and neither Party has any authority to enter into any agreement or assume any obligation for the other Party or make any warranty or representation on behalf of the other Party, unless expressly and previously authorized in writing by such Party. Nothing in this Agreement is intended to create an agency, partnership or joint-venture relationship between the Parties.

15.2. (Entire agreement) This Agreement is the entire understanding between the Parties with reference to the subject herein dealt with.

15.3. (Severability) In the event any of the provisions of this Agreement is declared invalid or unenforceable by the relevant authorities, according to the applicable laws, the remaining terms of this Agreement shall not be affected by such declaration and the Parties shall make their best efforts to replace such provision with a valid provision reflecting - to the extent possible - the intent of the original provision.

15.4. (Waiver) No failure by either Party to enforce any of the rights hereunder shall be deemed as a waiver of such right or any of the other rights provided in favour of such Party in this Agreement. No waiver of the rights hereunder provided shall be effective unless made in writing with specific reference to the relevant provision of this Agreement and duly signed by the Party granting the waiver.

15.5. (Interpretation) Should any conflict between this Agreement and its annexes arise, the terms and conditions of this Agreement shall prevail.

15.6. (Modifications) This Agreement (including its annexes) may be modified only by written amendments to be jointly agreed and signed by the Parties.

15.7. (Notices) Any notice to be sent by the Parties in connection with the present Agreement (other than ordinary business and technical correspondence) shall be made in writing by registered letter with acknowledgement of receipt, anticipated via fax, to the addresses written above.

15.8. (Survival) Neither the expiration nor the termination of this Agreement shall relieve the Parties of their obligations incurred prior to such expiration or termination. All provisions that, by their express or implied terms, are meant to survive expiration or termination of the Agreement - in particular Sections 1, 3, 4, 5, 6, 7, 11, 12, 13 and 14 - shall continue irrespective of such expiration or termination.


ANNEX 1

DATA PROCESSING AGREEMENT

1. Scope

1.1. It is in principle acknowledged that the performance of the Services does not entail Personal Data Processing. In fact, as set forth in clause 12 of the Terms and Conditions of Business, “the Client shall deliver/upload MATERIAL containing anonymous/ de-identified / coded data only (“Coded Data”). Client undertakes not to communicate to the Provider any identifiable patients’ and/or any information that might allow direct or indirect identification of the concerned data subjects. Moreover, the Parties recognize that the Provider and/or any of its sub-providers have neither the possibility nor the right to link any Coded Data to the data subjects’ code pairing list”. However, without prejudice to the above, should the performance of the Services involve personal data processing under the Regulation and/or under any applicable law or sector regulation also on the part of the Provider, the Parties undertake to comply with the terms defined in this Data Processing Agreement.

1.2. This data processing agreement (the “Data Processing Agreement”) applies to Provider’s Processing of Personal Data on Client’s behalf as part of Provider’s provision of Services as specified in clause 12 of the Terms and Conditions of Business. The Services are described (i) in the applicable Order and/or (ii) in the applicable Terms and Conditions of Business or in any other applicable agreement by and between Client and Provider in which this Data Processing Agreement is referenced.

2. Definitions

2.1. “Data Subject”, “Data Protection Officer”, “Process/Processing”, “Personal Data”, “Supervisory Authority”, “Controller”, “Processor”, “Legal Basis” have the meaning set forth under the Regulation.

2.2. “Data Breach Incident” means an incident leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Processor to provide the Services that compromises the security, confidentiality or integrity of such Personal Data.

2.3. “EU Model Clauses” means the standard contractual clauses annexed to the EU Commission Decision 2010/87/EU of 5 February 2010 for the Transfer of Personal Data to Processors established in Third Countries under the Directive 95/46/EC, or any successor standard contractual clauses that may be adopted pursuant to an EU Commission decision.

2.4. "Processing Instructions" or “Instructions” means any instructions issued to the Processor by the Controller and related to the processing of Personal Data in accordance with this Data Processing Agreement.

3. Controller and Processor of Personal Data and Purpose of Processing

3.1. Client is and will at all times remain the Controller of the Personal Data Processed by the Provider under this Data Processing Agreement. Client is responsible for compliance with its obligations as a Controller under the applicable Privacy Laws, in particular for the justification of any transmission of Personal Data to the Provider (including providing any required notices and obtaining any required consents and/or authorizations, or otherwise securing an appropriate Legal Basis under the Privacy Laws).

3.2. Without prejudice to the conditions set forth in clause 12 of the Terms and Conditions of Business, Provider is and will at all times remain a Processor with regard to the Personal Data provided by the Client to the Processor under the Terms and Conditions of Business and/or any Order. Processor is responsible for compliance with its obligations under this Data Processing Agreement and for compliance with its obligations as a Processor under the Privacy Laws.

3.3. Processor and any persons acting under the authority of the Processor, including any Processor affiliates and third party Sub-processors, will Process Personal Data solely for the purpose of (i) providing the Services, (ii) complying with Client’s documented written instructions, and/or (iii) complying with Processor’s regulatory obligations.

4. Overview of the Data Processing Activities

4.1. Processing Operations. The Personal Data processed will be subject to the processing activities that are from time to time necessary to perform the Services as described in the Orders. The processing activities may include: collection, recording, organisation, analysis, structuring, storage, adaptation or alteration, retrieval, consultation, use, alignment or combination, erasure or destruction.

4.2. Data Subjects. Patients (only if, under the Regulation and/or under an applicable law or sector regulation, the Coded Data transferred by the Client are considered Personal Data); Authorized Users.

4.3. Categories of Data. Patients (Coded Data associated with the analyses/tests results as defined in the Order which may include health and genetic data); Authorized Users (name, surname, email, job title and qualification, log-in information, other information needed to deliver the Services).

5. Transfer of Data to NON European Union Countries

5.1. If the data processing activities entail the transfer of personal data outside the EU, the Parties will abide by the EU Model Clauses, whose terms the Parties hereby agree to consider as being an integral part of this DPA. For the purposes of the Standard Contractual Clauses: (i) Data Exporter - The Data Exporter is the entity identified as “Controller” in the Data Processing Agreement; (ii) Data Importer - The Data Importer is the entity identified as "Processor" in the Data Processing Agreement; (iii) the governing law regulating the data processing activities only, pursuant to Standard Contractual Clause 9 and Standard Contractual Clause 11.3, is the law of the country where the Data Exporter is based. The Processing operations, Data Subjects and Special Categories of data are those indicated above in this document. The security measures are those defined in Appendix A. In case of conflict between the Standard Contractual Clauses and this article and/or the DPA, the Standard Contractual Clauses will prevail.

6. Data Processing Instructions

6.1. The Processor shall process Personal Data on behalf of the Controller. All such personal data processing activities shall at all times be carried out in accordance with the applicable Privacy Laws and

6.2. The processing of Personal Data by the Processor is authorised solely for the purposes and to the extent necessary to perform the Contract. Consequently, the Personal Data processing operations that the Processor may perform are limited to what is necessary to carry out the Contract.

6.3. Processing Instructions are initially defined in this Data Processing Agreement; the Controller shall, however, be entitled to issue commercially reasonable changes and amendments to the Processing Instructions and to issue new Processing Instructions / Instructions.

6.4. Where applicable, in relation to the provisions of the Terms and Conditions of Business and the Processor’s organisation, all Instructions under this document shall be deemed extended, mutatis mutandis, also to the Processor’s collaborators, employees, designated persons, supervisors and system administrators. The Processor shall ensure that it and such persons fully comply with this Data Processing Agreement.

The Processor shall, within Processor's scope of responsibility, structure its internal organisation in a way that ensures compliance with the specific requirements of the Privacy Laws. The Processor represents and warrants that it has implemented, or shall implement, update and maintain, technical and organisational security measures to adequately protect Personal Data as described in Appendix A in accordance with and satisfying the requirements of the Regulation, and shall monitor their effectiveness on an on-going basis. The Processor shall document the implemented technical and organisational security measures and shall provide Controller with such documentation upon request including, where available, any certifications. The Controller acknowledges that such measures take into account the nature, scope and purposes of Processing as specified in this Data Processing Agreement, and are suitable and intended to protect Personal Data against the risks inherent to the Processing of Personal Data in the performance of the Services, in particular risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.

6.5. The Processor shall not disclose Personal Data to any third party except with written consent by the Controller or as necessary to comply with applicable mandatory laws. If the Processor is obliged to disclose Personal Data to a third party, the Processor is obliged to give the Controller a reasonable notice of the access request prior to granting such access. If such notice is legally prohibited, the Processor shall take reasonable measures to protect the Personal Data and shall inform the Controller as soon as legally possible.

6.6. The Processor will ensure its personnel do not process Personal Data without authorisation. Processor will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

7. Notification Obligations: Data Breach Incidents

7.1. To the extent the Processor becomes aware of and determines that a Data Breach Incident has occurred, the Processor shall (i) promptly evaluate and respond to the Data Breach Incident; (ii) inform the Controller of such Data Breach Incident without undue delay; (iii) provide the Controller with commercially reasonable support in managing the Data Breach Incident.

8. Inspections and audits from the Authorities or Third Parties

8.1. The Processor shall without undue delay inform the Controller of any inspections or measures carried out by Supervisory Authorities or other third parties if they relate to the Personal Data processing.

9. Assistance with data subjects Rights and Data Protection Impact Assessment

9.1. If the Controller receives any request from data subjects in relation to the scope of this Data Processing Agreement, the Processor shall provide the Controller, upon Controller's request, with commercially reasonable support in relation to any such request. Where Processor receives any request from the Data Subject, Processor shall not directly respond to such request, but shall notify the Controller without undue delay.

9.2. Upon written request of the Controller, the Processor shall provide any information and commercially reasonable assistance required for the performance of a Data Protection Impact Assessment pursuant to Art. 35-36 of the Regulation, including the assistance for any communication with the respective data protection authorities.

10. Sub-processors

10.1. The Controller provides the Processor general written authorization to engage Processor’s Group Companies (Menarini Group companies) and third party sub-processors to assist in the performance of the Services. The Controller hereby authorises the Processor to contract data processing activities under this Agreement to:

Bluebee Holding BV with registered offices at Laan van Zuid Hoorn 57, 2289 DC Rijswijk (the Netherlands)

N-of-One, Inc.  with registered offices at 561 Virginia Road, Bldg 4, Suite 300 Concord, MA, 01742 (USA)

10.2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other sub-processors, thereby giving the Controller the opportunity to object to such changes. Within ten (10) calendar days of the Processor providing such notice to the Controller, the Controller may object in writing to the intended involvement of a third party sub-processor in the performance of the Services, providing objective justifiable grounds related to the ability of such third party sub-processor to adequately protect Personal Data in accordance with this Data Processing Agreement or Applicable Data Protection Law. In the event the Controller's objection is justified, the Controller and the Processor will work together in good faith to find a mutually acceptable resolution to address such objection, including but not limited to reviewing additional documentation supporting the third party sub-processor's compliance with this Data Processing Agreement or applicable Privacy Laws, or delivering the Services without the involvement of such third party sub-processor. To the extent Controller and Processor do not reach a mutually acceptable resolution within a reasonable timeframe, Controller shall have the right to terminate the relevant Services (i) upon serving thirty (30) days prior notice; (ii) without liability to the Processor and (iii) without relieving the Controller from its payment obligations under the Order and the Terms and Conditions of Business or other applicable agreements entered into by the parties up to the date of termination. If the termination only pertains to a portion of the Services under an Order, Controller will enter into an amendment or replacement order to reflect such partial termination.

10.3. Without prejudice to the above, if the Processor subcontracts its rights or obligations under this Data Processing Agreement, the same obligations as set out in this Data Processing Agreement shall be imposed on that sub-processor by way of written contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Regulation.

10.4. If the sub-processor fails to fulfil its data protection obligations, the initial Processor shall remain liable to the Controller for performing that other processor's obligations within the limitations foreseen by the Terms and Conditions of Business or other applicable agreements entered into by the parties.

11. Audit rights and obligations

11.1. Controller may audit Processor’s compliance with its obligations under this Data Processing Agreement up to once per year. Provider will contribute to such audits by providing the Controller or Controller’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, the third party must be mutually agreed to by the Controller and the Processor (except if such Third Party is a competent Supervisory Authority). The Processor will not unreasonably withhold its consent to a third party auditor requested by the Controller. The third party must execute a written confidentiality agreement acceptable to the Processor or otherwise be bound by a statutory confidentiality obligation before conducting the audit.

11.2. To request an audit, the Controller must submit a detailed proposed audit plan to the Processor at least two weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. The Processor will review the proposed audit plan and provide the Controller with any concerns or questions (for example, any request for information that could compromise Processor’s security, privacy, employment or other relevant policies). The Processor will work cooperatively with the Controller to agree on a final audit plan.

11.3. The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and may not unreasonably interfere with Processor’s business activities.

11.4. Controller will provide Processor any reports generated in connection with any audit under this Section 11, unless prohibited by the applicable laws or otherwise instructed by a Supervisory Authority. Controller may use the audit reports only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Agreement.

11.5. The audit information, plans and reports are Confidential Information under the terms of the applicable agreements executed between the Controller and the Processor.

11.6. Each party will bear its own costs in relation to the audit, unless the Provider promptly informs the Controller that it expects to incur additional charges or fees in the performance of the audit that are not covered by the fees for Services such as additional working days, license or third party contractor fees. The parties will negotiate in good faith with respect to any such charges or fees.

12. Miscellaneous

12.1. As applicable, the Processor shall keep a Record of Processing Activities as per art. 30 of the Regulation.

12.2. The Processor shall immediately notify the Controller if any provision of this Data Processing Agreement becomes void, invalid or non-viable or in contrast with the Privacy Laws.

12.3. Where applicable, in reference to the Italian Data Protection Authority’s Order of 27 November 2008 on system administrators, the Processor represents that it has adopted the specific precautions required by the order, including but not limited to the individual and specific designation of its system administrators and the related audit, registration and retention of access logs, notification upon request to the Controller of the updated list of designated system administrators and their functions.

13. Data Protection Officer

Provider, being part of the Menarini Group, has appointed a Data Protection Officer available at dpo@menarini.com

14. Termination

The Processor shall, upon Controller's written request, securely return to the Controller or delete any Personal Data, data carrier media and other related materials after the termination or expiration of the Agreement, unless storage of any Personal Data is required by applicable law. Within thirty (30) days following termination for any reason of this Data Processing Agreement, the Processor shall provide the Data Controller with a written statement confirming that it has deleted or returned Personal Data, data carrier media and other related materials, including any copies thereof.

 

Appendix A – Security Measures

Description of the IT, Technical and Organisational Security Measures according to the Data Processing Agreement and according to Appendix 2 of the EU Standard Contractual Clauses

1. Confidentiality (Article 32 (1) b) of the Regulation)

a. Physical Access Control: The Processor implements appropriate measures to avoid that unauthorized persons gain access to Data processing facilities.

 

Physical Access Control

Badge-controlled access.

24x7 monitoring of the premises by a security force utilizing CCTV at all entry points.

Visitors to Processors’ premises are accompanied by authorized personnel at all times and visits are logged in a visitor register.

Backup and/or business continuity plans/power supply backup

 

b. Electronic Access Control: The Processor uses IT systems that allow authorized users only to access in accordance with their individual authorization rights. The Processor implements adequate measures to ensure that Personal Data cannot be read, copied, modified or deleted in an unauthorized manner.

 

Electronic Access Control

Personal Data printed in physically secure areas 

Personnel access rights policy

Measures to prevent use/installation of unauthorized hardware and/or software.

Password-protected keyboard/screen lock automatically activated after a set number of minutes of inactivity

Antivirus programs

Desktop firewall programs

Updates of IT security measures (e.g. security patches on Windows, antivirus updates, etc.) regularly scheduled and performed.

 

2. Integrity (Art. 32 (1) b) of the Regulation)

a. Data Transfer Control: The Processor ensures with adequate measures that during data transfer Personal Data cannot be read, copied, modified or deleted without authorization.

 

Data Transmission Control

Transport encryption (TLS or VPN)

End-to-end encryption (e.g. email, instant messages)

Encryption of physical data carriers

 

b. Data Entry Control: The Processor has implemented adequate measures that enable the identification of those who access, erase or otherwise act on Personal Data in data processing systems.

 

Data Entry Control

Logging mechanisms that record data entry and deletion.

Tracking with unalterable IT logs all the following activities:

  • Unsuccessful access attempts;
  • Authority exceptions;
  • Privilege changes;
  • Data object owner changes;
  • Out-of-hours access.

The Processor performs regular security reviews of access logs.

 

3. Availability and Resilience (Art. 32 (1) b) of the Regulation)

Availability Control and Rapid Recovery: The Processor ensures with adequate measures that Personal Data cannot be unintentionally lost or destroyed and that Personal Data can be restored (e.g. backup).

 

Availability Control

Business continuity plans.

Backup processes and other measures that ensure rapid restoration of business critical systems.

Usage of uninterruptible power supplies (for example: UPS, batteries, generators, etc.) to ensure power availability to the data centres.

Sufficient capacity for data storage.

Updated disaster recovery plan in place.