Data Processing Addendum

(last modified October 2020)

In connection with and for the purpose of the performance of the Services under the Terms of Use, Personal Data will be processed in accordance with the provisions of this Data Processing Addendum.

This Data Processing Addendum applies to the user agreeing to the terms of this Data Processing Addendum through its acceptance of the Terms of Use (the “User”) and BISC Global CVBA, with registered office at Gaston Crommenlaan 8, 9050 Ghent, Belgium and registered with the Crossroads Bank for Enterprises (Kruispuntbank van Ondernemingen or KBO) under enterprise number 0673.977.180 (RPR Ghent, section Ghent) (the “Supplier”).

The User and the Supplier shall hereinafter jointly be referred to as the “Parties” and separately as a “Party”.

A more detailed description of the purposes for the Processing of Personal Data is contained in Article 3 of Annex 1 hereto. This Data Processing Addendum and its annexes set forth the terms and conditions pursuant to which Personal Data will be Processed in the framework of the Terms of Use.

ARTICLE 1 DEFINITIONS

For the purpose of this Data Processing Addendum, the following terms shall have the following meaning. In case of any doubt or differences with the terms defined in the Data Protection Legislation, the definitions stipulated in the relevant Data Protection Legislation shall prevail.

“Contact Person(s)” means the individual(s) assigned by a Party and communicated to the other Party as point of contact and representing the Party for (a part of) the Services;
“Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data;
“Processor” means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller;
“Data Protection Legislation” means EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation”) together with the codes of practice, codes of conduct, regulatory guidance and standard clauses and other related legislation resulting from such Directive or Regulation, as updated from time to time;
“Data Protection Officer” means the enterprise security leadership role required by the General Data Protection Regulation, responsible for overseeing the data protection strategy and its implementation to ensure compliance with GDPR requirements;
“Data Subject” means an identified or identifiable natural person to whom the Personal Data relates. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The relevant categories of Data Subjects are identified in Annex 1;
“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The relevant categories of Personal Data that are provided to the Supplier by, or on behalf of the User are identified in Annex 1;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the provisioning of the Services;
“Processing”, “Process(es)” or “Processed” means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Services” means all services, functions, responsibilities and outputs of Supplier as described in the Terms of Use;
“Standard Contractual Clauses” means the standard contractual clauses of which the European Commission on the basis of Article 26 (4) of Directive 95/46/EC decided that these offer sufficient safeguards for the transfers of Personal Data to a third country, or the data protection clauses adopted by the European Commission or by a supervisory authority and approved by the European Commission in accordance with the examination procedure referred to in Article 93(2) of EU Regulation 2016/679. In the event of any such data protection clauses adopted in accordance with EU Regulation 2016/679, such clauses shall prevail over any standard contractual clauses adopted on the basis of Directive 95/46/EC to the extent that they intend to cover the same kind of data transfer relationship;
“Sub-Processor” means any subcontractor engaged by the Supplier to perform a part of the Services and who agrees to receive Personal Data intended for Processing on behalf of the User in accordance with the User’s instructions and the provisions of the Terms of Use.

ARTICLE 2 INTERPRETATION

1.1. This Data Processing Addendum forms an integral part of the Terms of Use. The provisions of the Terms of Use therefore apply to this Data Processing Addendum. All capitalized terms not defined in this Data Processing Addendum will have the meaning set forth in the Terms of Use.

1.2. In case of conflict between any provision in this Data Processing Addendum and any provision of another part of the Terms of Use, this Data Processing Addendum shall prevail.

ARTICLE 3 SCOPE AND PURPOSE

In connection with and for the purpose of the performance of the Services under the Terms of Use, the User commissions the Supplier to process Personal Data in accordance with the provisions of the present Data Processing Addendum.

ARTICLE 4 Specification of the Data Processing

4.1. Any Processing of Personal Data under the Terms of Use shall be performed in accordance with the applicable Data Protection Legislation.

4.2. For the performance of the Services, the Supplier is a Processor acting on behalf of the User. As a Processor, Supplier will only act upon the User’s instructions. The Terms of Use, including this Data Processing Addendum, are the User’s complete instruction to Supplier with regard to the Processing of Personal Data. Any additional or alternate instructions must be jointly agreed by the Parties in writing. The Processing of Personal Data in accordance with the Terms of Use is deemed an instruction by the User to the Supplier to Process Personal Data.

4.3. A more detailed description of the subject matter of the Processing of Personal Data in terms of the concerned categories of Personal Data and of Data Subjects (envisaged Processing of Personal Data) is contained in Annex 1 hereto.

ARTICLE 5 Data Subjects’ Rights

5.1. With regard to the protection of Data Subjects’ rights pursuant to the applicable Data Protection Legislation, the User shall facilitate the exercise of Data Subject rights and shall ensure that adequate information is provided to Data Subjects about the Processing hereunder in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

5.2. Should a Data Subject directly contact the Supplier wanting to exercise his individual rights such as requesting a copy, correction or deletion of his data or wanting to restrict or object to the Processing activities, the Supplier shall inform the User of such request within two (2) business days and provide the User with full details thereof, together with a copy of the Personal Data held by it in relation to the Data Subject where relevant. The Supplier shall promptly direct such Data Subject to the User. In support of the above, the Supplier may provide the User’s basic contact information to the requestor. The User agrees to answer to and comply with any such request of a Data Subject in line with the provisions of the applicable Data Protection Legislation.

5.3. Insofar as this is possible, the Supplier shall cooperate with and assist the User by appropriate technical and organizational measures for the fulfilment of the User’s obligation to respond to requests from Data Subjects exercising their rights.

ARTICLE 6 Consultation and Correction of Personal Data

The Supplier, in its role of Processor, will provide the User with access to Personal Data Processed under the Terms of Use, in order to allow the User to consult and correct such Personal Data.

ARTICLE 7 Disclosure

7.1. The Supplier will not disclose Personal Data to any third party, except (1) as the User directs, (2) as stipulated in the Terms of Use, (3) as required for Processing by approved Sub-Processors in accordance with article 10 or (4) as required by law, in which case the Supplier shall inform the User of that legal requirement before Processing that Personal Data, unless that law prohibits such information being provided on important grounds of public interest.

7.2. Supplier represents and warrants that persons acting on behalf of Supplier and who are authorized to Process Personal Data or to support and manage the systems that Process Personal Data (i) have committed themselves to maintain the security and confidentiality of Personal Data in accordance with the provisions of the present Data Processing Addendum, (ii) are subject to user authentication and log on processes when accessing the Personal Data, and (iii) have undertaken appropriate training in relation to Data Protection Legislation. Supplier shall inform the persons acting on its behalf about the applicable requirements and ensure their compliance with such requirements through contractual or statutory confidentiality obligations.

ARTICLE 8 Deletion and Return of Personal Data

8.1. At the latest within thirty (30) calendar days upon termination of the Terms of Use, the Supplier shall sanitize or destroy any Personal Data that it stores in a secure way that ensures that all Personal Data is deleted and unrecoverable. Data used to verify proper data Processing in compliance with the assignment and data that needs to be kept to comply with relevant legal and regulatory retention requirements may be kept by the Supplier beyond termination or expiry of the Terms of Use only as long as required by such laws or regulations.

8.2. Upon written request submitted by the User no later than fourteen (14) calendar days prior to termination of the Terms of Use, the Supplier will provide the User with a readable and usable copy of the Personal Data and/or the systems containing Personal Data prior to sanitization or destruction.

ARTICLE 9 Location of Processing

9.1. The Supplier will use its best efforts to store the Personal Data at rest within the territory of the European Union.

9.2. Any Processing of Personal Data (including the storage thereof) by Supplier personnel or subcontractors not located within the European Union shall be undertaken only following prior written approval of the User and the execution of one of the then legally recognized data transfer mechanisms (in accordance with article 45-47 of the General Data Protection Regulation) such as an additional agreement governed by the Standard Contractual Clauses.

ARTICLE 10 USE OF SUB-PROCESSORS

10.1. The User expressly agrees that the Supplier may engage the Sub-Processors (as listed in Annex 2 of this Data Processing Addendum) for the provision of the Services as described in the Terms of Use.

10.2. Any such Sub-Processors that provide services for the Supplier and thereto Process Personal Data will be permitted to Process Personal Data only to deliver the services Supplier has entrusted them with and will be prohibited from Processing such Personal Data for any other purpose. The Supplier remains fully responsible for any such Sub-Processor’s compliance with Supplier’s obligations under the Terms of Use, including the present Data Processing Addendum. The Supplier shall, prior to the entrusting of services to such Sub-Processor, carry out any relevant due diligence on such Sub-Processor to assess whether it is capable of providing the level of protection for the Personal Data as is required by this Data Processing Addendum and provide evidence of such due diligence to the User where requested by the User or a regulator.

10.3. The Supplier will enter into written agreements or any other legal act with any such Sub-Processor which contain obligations no less protective than those contained in this Data Processing Addendum, including the obligations imposed by the Standard Contractual Clauses, as applicable.

10.4. The Supplier shall communicate any intended changes in the appointment of the Sub-Processors as listed in Annex 2 hereof to the User, whereby the User shall have the right to object to any such changes (on reasonable grounds), in accordance with article 10.5. In addition, the Supplier shall provide the User with a notification of any new Sub-Processor before authorizing any new Sub-Processor(s) to Process Personal Data in connection with the provision of the Services under the Terms of Use.

10.5. If the User objects to the use of a new Sub-Processor that will be Processing the User’s Personal Data, then the User shall notify Supplier in writing within thirty (30) calendar days after receipt of Supplier’s written request to that effect. In such a case, the Supplier will use reasonable efforts to change the affected Services or to recommend a commercially reasonable change to the User’s use of the affected Services to avoid the Processing of Personal Data by the Sub-Processor concerned. If the Supplier is unable to make available or propose such change within sixty (60) calendar days, the User may terminate the relevant part of the Terms of Use regarding those Services which cannot be provided by the Supplier without the use of the Sub-Processor concerned. To that end, the User shall provide written notice of termination that includes the reasonable motivation for non-approval.

ARTICLE 11 Technical and Organizational Measures

11.1. The Supplier has implemented and will maintain appropriate technical and organizational measures intended to protect Personal Data or the systems that Process Personal Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss or destruction. These measures shall take into account and be appropriate to the state of the art, nature, scope, context and purposes of Processing and risk of harm which might result from unauthorized or unlawful Processing or accidental loss, destruction or damage to Personal Data. These measures shall include the following measures:

  • the prevention of unauthorized persons from gaining access to systems Processing Personal Data (physical access control);
  • the prevention of systems Processing Personal Data from being used without authorization (logical access control);
  • ensuring that persons entitled to use a system Processing Personal Data gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of Processing, Personal Data cannot be read, copied, modified or deleted without authorization (data access control);
  • ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control);
  • ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from systems Processing Personal Data (entry control);
  • ensuring that Personal Data Processed are Processed solely in accordance with the instructions (control of instructions);
  • ensuring that Personal Data are protected against accidental destruction or loss (availability control);
  • ensuring that Personal Data collected for different purposes can be processed separately (separation control).

11.2. The Supplier shall adapt these measures systematically to the development of regulations, technology and other aspects and supplemented with the applicable technical and organizational measures of Sub-Processors, as the case may be. In any event, the implemented technical and organizational measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, taking also into account the state of technology and the cost of their implementation.

11.3. Upon the User’s request, the Supplier must provide the User within fourteen (14) calendar days of receipt by the Supplier of the User's request with an updated description of the implemented technical and organizational protection measures. An ISAE3402 type II report and/or other similar certifications can be used to describe and demonstrate compliance of the implemented technical and organizational measures.

11.4. In general, taking into account the nature of the Processing and the information available to it, the Supplier will provide full assistance to the User in ensuring compliance with the User’s obligations pursuant to article 32-36 of the General Data Protection Regulation (i.e. in relation to data protection impact assessments). In addition, the Supplier shall make available to the User all information necessary to demonstrate compliance with the obligations laid down in article 28 (h) of the General Data Protection Regulation and allow for and contribute to audits, including inspections, conducted by the User or another auditor mandated by the User.

ARTICLE 12 Personal Data Breaches

12.1. In the event of a (likely or known) Personal Data Breach and irrespective of its cause, the Supplier shall notify the User without undue delay and at the latest within forty-eight (48) hours after having become aware of (the likelihood or occurrence of) such Personal Data Breach, providing the User with sufficient information and in a timescale, which allows the User to meet any obligations to report a Personal Data Breach under the Data Protection Legislation. Such notification shall as a minimum specify:

  • the nature of the Personal Data Breach;
  • the nature or type of Personal Data implicated in the Personal Data Breach, as well as the categories and numbers of Data Subjects concerned;
  • the likely consequences of the Personal Data Breach;
  • as the case may be, the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach;
  • the identity and contact details of the Data Protection Officer or another Contact Person from whom more information can be obtained.

12.2. The Supplier shall without undue delay further investigate the Personal Data Breach and shall keep the User informed of the progress of the investigation and take reasonable steps to further minimize the impact. Both Parties agree to fully cooperate with such investigation and to assist each other in complying with any notification requirements and procedures.

12.3. A Party’s obligation to report or respond to a Personal Data Breach is not and will not be construed as an acknowledgement by that Party of any fault or liability with respect to the Personal Data Breach.

ARTICLE 13 USER RESPONSIBILITIES

13.1. The User shall comply with all applicable laws and regulations, including the Data Protection Legislation.

13.2. The User remains responsible for the lawfulness of the Processing of Personal Data including, where required, obtaining the consent of Data Subjects to the Processing of his or her Personal Data.

13.3. The User shall take reasonable steps to keep Personal Data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.

13.4. With regard to components that User provides or controls, including but not limited to workstations connecting to Services, data transfer mechanisms used, and credentials issued to the User’s personnel, the User shall implement and maintain the required technical and organizational measures for protection of Personal Data.

ARTICLE 14 NOTIFICATIONS

14.1. Unless legally prohibited from doing so, the Supplier shall notify the User as soon as reasonably possible, and at the latest within two (2) business days of becoming aware of the relevant circumstances, if it or any of its Sub-Processors:

14.1.1. receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the Processing;

14.1.2. intends to disclose Personal Data to any competent public authority outside the scope of the Services of the Terms of Use. At the request of the User, the Supplier shall provide a copy of the documents delivered to the competent authority to the User;

14.1.3. receives an instruction that infringes the Data Protection Legislation or the obligations of this Data Processing Addendum.

14.2. In this respect, the Supplier shall co-operate as requested by the User to enable the User to comply with any assessment, enquiry, notice or investigation under the Data Protection Legislation, which shall include the provision of:

  • all data requested by the User (which is not otherwise available to the User) within the reasonable timescale specified by the User in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to the relevant Data Subject(s); and
  • where applicable, providing such assistance as is reasonably requested by the User to enable the User to comply with the relevant request within the Data Protection Legislation statutory timescales.

14.3. Any notification under this Data Processing Addendum, including a Personal Data Breach notification, will be delivered to one or more of the User’s Contact Persons via email possibly supplemented by any other means the Supplier selects. Upon request of the User, the Supplier shall provide the User with an overview of the contact information of the registered User’s Contact Persons. It is User’s sole responsibility to timely report any changes in contact information and to ensure the User’s Contact Persons maintain accurate contact information.

ARTICLE 15 TERM AND TERMINATION

This Data Processing Addendum enters into force on the date of its signing by all Parties and remains in force until Processing of Personal Data by the Supplier is no longer required in the framework of or pursuant to the Terms of Use.

ARTICLE 16 REQUALIFICATION

If the Supplier infringes the General Data Protection Regulation by determining the purposes and means of the Processing, the Supplier shall be considered to be a Controller in respect of that Processing.

ARTICLE 17 GOVERNING LAW AND JURISDICTION

17.1. The present Data Processing Addendum is governed by Belgian law. Any dispute regarding the interpretation and/or the execution of the present Data Processing Addendum will be submitted to the competent courts of Ghent (section Ghent). Although this Addendum has been drafted in English, judicial proceedings will be held in Dutch.

17.2. If a court of competent jurisdiction determines any provision, or any portion thereof, of this Addendum to be unenforceable or invalid, then such provision shall be deemed limited to the extent that such court deems it valid or enforceable and the remaining provisions of this Addendum shall nevertheless remain in full force and effect.

Annex(es)

Annex 1: Details of the Personal Data Processing;

Annex 2: List of current Sub-Processors.

Annex 1 - Details of the Personal Data Processing

1. Data Subjects

- Patients/physical persons providing samples of biometric, genetic and biological data

2. Categories of Personal Data

2.1. The Supplier may Process (a subset of) the following categories of Personal Data:

- genetic data; and

- biological data.

3. Purposes of Processing of Personal Data

Personal Data will be Processed for the purpose of the performance of the Services under the Terms of Use including the analysis and processing of samples of Personal Data for purposes of providing a written report containing the results of such processing/analysis including but not limited to:

  • data cleaning and QC information;
  • mapped and annotated data files; and
  • expression values.

Annex 2 – List of current Sub-Processors

  • AWS provided by Amazon Web Services EMEA Sàrl, 5 Rue Plaetis L-2338 Luxembourg