data processing addendum
Data Processing Addendum
(last modified October 2020)
The User and the Supplier shall hereinafter jointly be referred to as the “Parties” and seperately as a “Party”.
ARTICLE 1 DEFINITIONS
For the purpose of this Data Processing Addendum, the following terms shall have the following meaning. In case of any doubt or differences with the terms defined in the Data Protection Legislation, the definitions stipulated in the relevant Data Protection Legislation shall prevail.
|“Contact Person(s)”||means the individual(s) assigned by a Party and communicated to the other Party as point of contact and representing the Party for (a part of) the Services;|
|“Controller”||means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data;|
|“Processor”||means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller;|
|“Data Protection Legislation”||means EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation”) together with the codes of practice, codes of conduct, regulatory guidance and standard clauses and other related legislation resulting from such Directive or Regulation, as updated from time to time;|
|“Data Protection Officer”||means an enterprise security leadership role required by the General Data Protection Regulation who is responsible for overseeing the used data protection strategy and implementation to ensure compliance with GDPR requirements;|
|“Data Subject”||means an identified or identifiable natural person to whom the Personal Data relates. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The relevant categories of Data Subjects are identified in Annex 1;|
|“Personal Data”||means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The relevant categories of Personal Data that are provided to the Supplier by, or on behalf of the User are identified in Annex 1;|
|“Personal Data Breach”||means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the provisioning of the Services;|
|“Processing”, “Process(es)” or “Processed”||means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;|
|“Standard Contractual Clauses”||means the standard contractual clauses of which the European Commission on the basis of Article 26 (4) of Directive 95/46/EC decided that these offer sufficient safeguards for the transfers of Personal Data to a third country, or the data protection clauses adopted by the European Commission or by a supervisory authority and approved by the European Commission in accordance with the examination procedure referred to in Article 93(2) of EU Regulation 2016/679. In the event of any such data protection clauses adopted in accordance with EU Regulation 2016/679, such clauses shall prevail over any standard contractual clauses adopted on the basis of Directive 95/46/EC to the extent that they intend to cover the same kind of data transfer relationship;|
ARTICLE 2 INTERPRETATION
ARTICLE 3 SCOPE AND PURPOSE
ARTICLE 4 Specification of the Data Processing
4.3. A more detailed description of the subject matter of the Processing of Personal Data in terms of the concerned categories of Personal Data and of Data Subjects (envisaged Processing of Personal Data) is contained in Annex 1 hereto.
ARTICLE 5 Data Subjects’ Rights
5.1. With regard to the protection of Data Subjects’ rights pursuant to the applicable Data Protection Legislation, the User shall facilitate the exercise of Data Subject rights and shall ensure that adequate information is provided to Data Subjects about the Processing hereunder in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
5.2. Should a Data Subject directly contact the Supplier wanting to exercise his individual rights such as requesting a copy, correction or deletion of his data or wanting to restrict or object to the Processing activities, the Supplier shall inform the User of such request within two (2) business days and provide the User with full details thereof, together with a copy of the Personal Data held by it in relation to the Data Subject where relevant. The Supplier shall promptly direct such Data Subject to the User. In support of the above, the Supplier may provide the User’s basic contact information to the requestor. The User agrees to answer to and comply with any such request of a Data Subject in line with the provisions of the applicable Data Protection Legislation.
5.3. Insofar as this is possible, the Supplier shall cooperate with and assist the User by appropriate technical and organizational measures for the fulfilment of the User’s obligation to respond to requests from Data Subjects exercising their rights.
ARTICLE 6 Consultation and Correction of Personal Data
ARTICLE 7 Disclosure
7.2. Supplier represents and warrants that persons acting on behalf of Supplier and who are authorized to Process Personal Data or to support and manage the systems that Process Personal Data (i) have committed themselves to maintain the security and confidentiality of Personal Data in accordance with the provisions of the present Data Processing Addendum, (ii) are subject to user authentication and log on processes when accessing the Personal Data, and (iii) have undertaken appropriate training in relation to Data Protection Legislation. Supplier shall inform the persons acting on its behalf about the applicable requirements and ensure their compliance with such requirements through contractual or statutory confidentiality obligations.
ARTICLE 8 Deletion and Return of Personal Data
ARTICLE 9 Location of Processing
9.1. The Supplier will use its best efforts to store the Personal Data at rest within the territory of the European Union.
9.2 Any Processing of Personal Data (including the storage thereof) by Supplier personnel or subcontractors not located within the European Union shall be undertaken only following prior written approval of the User and the execution of one of the then legally recognized data transfer mechanisms (in accordance with article 45-47 of the General Data Protection Regulation) such as an additional agreement governed by the Standard Contractual Clauses.
ARTICLE 10 USE OF SUB-PROCESSORS
10.3. The Supplier will enter into written agreements or any other legal act with any such Sub-Processor which contain obligations no less protective than those contained in this Data Processing Addendum, including the obligations imposed by the Standard Contractual Clauses, as applicable.
ARTICLE 11 Technical and Organizational Measures
11.1. The Supplier has implemented and will maintain appropriate technical and organizational measures intended to protect Personal Data or the systems that Process Personal Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss or destruction. These measures shall take into account and be appropriate to the state of the art, nature, scope, context and purposes of Processing and risk of harm which might result from unauthorized or unlawful Processing or accidental loss, destruction or damage to Personal Data. These measures shall include the following measures:
- the prevention of unauthorized persons from gaining access to systems Processing Personal Data (physical access control);
- the prevention of systems Processing Personal Data from being used without authorization (logical access control);
- ensuring that persons entitled to use a system Processing Personal Data gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of Processing, Personal Data cannot be read, copied, modified or deleted without authorization (data access control);
- ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control);
- ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from systems Processing Personal Data (entry control);
- ensuring that Personal Data Processed are Processed solely in accordance with the instructions (control of instructions);
- ensuring that Personal Data are protected against accidental destruction or loss (availability control);
- ensuring that Personal Data collected for different purposes can be processed separately (separation control).
11.2. The Supplier shall adapt these measures systematically to the development of regulations, technology and other aspects and supplemented with the applicable technical and organizational measures of Sub-Processors, as the case may be. In any event, the implemented technical and organizational measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, taking also into account the state of technology and the cost of their implementation.
11.3. Upon the User’s request, the Supplier must provide the User within fourteen (14) calendar days of receipt by the Supplier of the User's request with an updated description of the implemented technical and organizational protection measures. An ISAE3402 type II report and/or other similar certifications can be used to describe and demonstrate compliance of the implemented technical and organizational measures.
11.4. In general, taking into account the nature of the Processing and the information available to it, the Supplier will provide full assistance to the User in ensuring compliance with the User’s obligations pursuant to article 32-36 of the General Data Protection Regulation (i.e. in relation to data protection impact assessments). In addition, the Supplier shall make available to the User all information necessary to demonstrate compliance with the obligations laid down in article 28 (h) of the General Data Protection Regulation and allow for and contribute to audits, including inspections, conducted by the User or another auditor mandated by the User.
ARTICLE 12 Personal Data Breaches
12.1. In the event of a (likely or known) Personal Data Breach and irrespective of its cause, the Supplier shall notify the User without undue delay and at the latest within forty-eight (48) hours after having become aware of (the likelihood or occurrence of) such Personal Data Breach, providing the User with sufficient information and in a timescale, which allows the User to meet any obligations to report a Personal Data Breach under the Data Protection Legislation. Such notification shall as a minimum specify:
- the nature of the Personal Data Breach;
- the nature or type of Personal Data implicated in the Personal Data Breach, as well as the categories and numbers of Data Subjects concerned;
- the likely consequences of the Personal Data Breach;
- as the case may be, the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach;
- the identity and contact details of the Data Protection Officer or another Contact Person from whom more information can be obtained.
12.2. The Supplier shall without undue delay further investigate the Personal Data Breach and shall keep the User informed of the progress of the investigation and take reasonable steps to further minimize the impact. Both Parties agree to fully cooperate with such investigation and to assist each other in complying with any notification requirements and procedures.
12.3. A Party’s obligation to report or respond to a Personal Data Breach is not and will not be construed as an acknowledgement by that Party of any fault or liability with respect to the Personal Data Breach.
ARTICLE 13 USER RESPONSABILITIES
13.1. The User shall comply with all applicable laws and regulations, including the Data Protection Legislation.
13.2. The User remains responsible for the lawfulness of the Processing of Personal Data including, where required, obtaining the consent of Data Subjects to the Processing of his or her Personal Data.
13.3. The User shall take reasonable steps to keep Personal Data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.
13.4. With regard to components that User provides or controls, including but not limited to workstations connecting to Services, data transfer mechanisms used, and credentials issued to the User’s personnel, the User shall implement and maintain the required technical and organizational measures for protection of Personal Data.
ARTICLE 14 NOTIFICATIONS
14.1. Unless legally prohibited from doing so, the Supplier shall notify the User as soon as reasonably possible, and at the latest within two (2) business days of becoming aware of the relevant circumstances, if it or any of its Sub-Processors:
14.1.1. receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the Processing;
14.1.3. receives an instruction that infringes the Data Protection Legislation or the obligations of this Data Processing Addendum;
14.2. In this respect, the Supplier shall co-operate as requested by the User to enable the User to comply with any assessment, enquiry, notice or investigation under the Data Protection Legislation, which shall include the provision of:
- all data requested by the User (which is not otherwise available to the User) within the reasonable timescale specified by the User in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to the relevant Data Subject(s); and
- where applicable, providing such assistance as is reasonably requested by the User to enable the User to comply with the relevant request within the Data Protection Legislation statutory timescales.
14.3. Any notification under this Data Processing Addendum, including a Personal Data Breach notification, will be delivered to one or more of the User’s Contact Persons via email possibly supplemented by any other means the Supplier selects. Upon request of the User, the Supplier shall provide the User with an overview of the contact information of the registered User’s Contact Persons. It is User’s sole responsibility to timely report any changes in contact information and to ensure the User’s Contact Persons maintain accurate contact information.
ARTICLE 15 TERM AND TERMINATION
ARTICLE 16 REQUALIFICATION
If the Supplier infringes the General Data Protection Regulation by determinining the purposes and means of the Processing, the Supplier shall be considered to be a Controller in respect of that Processing.
ARTICLE 17 GOVERNING LAW AND JURISDICTION
17.1. The present Data Processing Addendum is governed by Belgian law. Any dispute regarding the interpretation and/or the execution of the present Data Processing Addendum will be submitted to the competent courts of Ghent (section Ghent). Although this Addendum has been drafted in English, judicial proceedings will be held in Dutch.
17.2. If a court of competent jurisdiction determines any provision, or any portion thereof, of this Addendum to be unenforceable or invalid, then such provision shall be deemed limited to the extent that such court deems it valid or enforceable and the remaining provisions of this Addendum shall nevertheless remain in full force and effect.
Annex 1: Details of the Personal Data Processing;
Annex 2: List of current Sub-Processors.
Annex 1 - Details of the Personal Data Processing
1. Data Subjects
- Patients/physical persons providing samples of biometrical, genetic and biological data
2. Categories of Personal Data
2.1. The Supplier may Process (a subset of) the following categories of Personal Data:
- genetic data; and
- biological data.
3. Purposes of Processing of Personal Data
- data cleaning and QC information;
- mapped and annotated data files; and
- expression values.
Annex 2 – List of current Sub-Processors
- AWS provided by Amazon Web Services EMEA Sàrl, 5 Rue Plaetis L-2338 Luxembourg