Data Processing Addendum (DPA)
(Data Controller/ Data Exporter to Data Processor/ Data Importer)
Data Processing Confirmation
This Data Processing Addendum (or ‘DPA’) comprises the Data Processing Confirmation and Data Processing Terms and is entered into by and between the DXRX Member referred to in the DXRX Terms (‘Data Controller’ or ‘Data Exporter’); and Diaceutics PLC, a company registered in Northern Ireland under company number NI055207, whose registered office is at 55-59 Adelaide Street, Belfast, BT2 8FE (‘Data Processor’ or ‘Data Importer’) pursuant to the Data Processing Terms (each a ‘Party’ and together the ‘Parties’).
The Standard Contractual Clauses are incorporated herein by reference and shall prevail to the extent that they conflict with the Data Processing Terms (or the DXRX Membership Terms).
This DPA shall commence on the Effective Date of the DXRX Terms.
The Data Exporter/ Data Controller’s business or organization type
☑ Products and services relating to laboratories or pharmaceutical or diagnostic or other data science industries.
The Data Importer/ Data Processor’s business or organization type
☑ DXRX – The Diagnostic Network® is a purpose-built SaaS platform providing access to Precision Medicine solutions and collaborations for multiple stakeholders in one digital, secure location which is facilitated by the Data Processor (“DXRX Platform”).
The Data Processor will only Process Personal Data for the duration of the DPA which shall start on the Effective Date of the DXRX Terms and shall terminate upon termination or expiry of the DXRX Terms.
Sub-Data Processors can be found in the Sub-Data Processor List.
2. OVERVIEW OF DATA PROCESSING ACTIVITIES
Categories of Data Subjects:
The Personal Data transferred includes but is not limited to the following categories of current, past and prospective Data Subjects. Where any of the following is itself a business or organization, it includes their personnel as applicable to the Processing:
☑ DXRX Members (including Administrators and End Users) (as defined in the DXRX Terms).
☑ Healthcare professionals, healthcare business professionals, pharmaceutical professionals, laboratory professionals, diagnostic company professionals and/or data science professionals.
Categories of Personal Data:
The Personal Data transferred includes but is not limited to the following categories of data:
General: ☑ Any general Personal Data comprised within the Member Communications and Contribution Content (as defined in the DXRX Terms).
No special category data is Processed.
The Personal Data transferred will be subject to the following basic Processing Operations:
☑ Receiving data, including collection, accessing, retrieval, recording, storage, organization and data entry
☑ Protecting data, including restricting, encrypting, and security testing as applicable
☑ Sharing data, including disclosure, dissemination, allowing access or otherwise making available
☑ Returning data to the Data Exporter or Data Subject (or erasing data, including destruction and deletion upon request)
For the following purposes:
☑ Management and administration of Data Controller’s DXRX Membership to facilitate the provision of the DXRX Services accessible via the hosted DXRX Platform. Personal Data will be transferred from the DXRX Member to Diaceutics to facilitate interaction, communication, collaboration and engagement between the DXRX Members. Additional details about Diaceutics’ products and services can be found at https://www.dxrx.io/en/
Technical and Organizational Security Measures:
Please refer to the description of the Data Importer’s Technical and Organizational Security Measures as set out in the DXRX Security Policy.
Data Processing Terms
Binding Corporate Rules: shall have the meaning set out in the Applicable Data Protection Law.
Control: means direct or indirect ownership or control of more than 50% of the voting interests of a Party.
Data Breach: refers to any accidental or unlawful destruction, loss or alteration of, or unauthorized disclosure of or access to, any Personal Data.
Data Controller: shall have the meaning set out in the Applicable Data Protection Law as the natural or legal person which decides the purposes and means of Processing data. In this DPA, this is the DXRX Member.
Data Exporter: means the Data Controller who sends the Personal Data.
Data Importer: means the Data Processor who agrees to receive the Personal Data from the Data Exporter for Processing on the Data Exporter’s behalf in accordance with its instructions and the terms herein (and the duly incorporated SCCs where such Processing is subject to a third country’s system ensuring adequate protection within the meaning of Article 25 (1) of the GDPR).
Data Processor: shall have the meaning set out in the Applicable Data Protection Law as the natural or legal person which is responsible for Processing the Personal Data on behalf of the Data Controller. In this DPA, this is Diaceutics PLC.
Data Subject: shall have the meaning set out in the Applicable Data Protection Law as the individual or household to whom the Personal Data relates.
Data Processing Addendum or DPA: means this document.
DSAR: refers to a data subject access request which is the right of access as further described in Article 15 of the GDPR.
DXRX Member: for the purposes of this DPA means the primary enrolling business entity to whom the DXRX Terms apply.
DXRX Membership Terms: means the DXRX Terms between the Data Controller and the Data Processor for the provision of the DXRX Services.
DXRX Services: means Data Processor’s proprietary software-as-a-service solution, including the DXRX Platform, designated communication and collaboration areas within the DXRX Platform, tools and services and technical user documentation made available via the DXRX Platform.
Sub-Data Processor: means any person or entity engaged by the Data Importer who agrees to receive the Personal Data from the Data Importer or from any other Sub-Data Processor of the Data Importer in order for it to be Processed on behalf of the Data Exporter in accordance with its instructions, the terms of the SCCs and the terms of any sub-contract, and who is referred to in the Data Processing Confirmation.
Supervisory Authority: an independent national data protection authority such as the ICO in the UK.
Technical and Organizational Security Measures: means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular, where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.
The Data Processor has agreed to provide the DXRX Services to the Data Controller in accordance with the DXRX Terms. In providing the DXRX Services, the Data Processor shall Process the Personal Data referred to in the Data Processing Confirmation on behalf of the Data Controller. The Data Processor will Process and protect such Personal Data in accordance with the terms of this DPA.
The Data Processor shall Process Personal Data only to the extent necessary to provide the DXRX Services in accordance with both the DXRX Terms and the Data Controller’s instructions documented in the DXRX Terms and this DPA. The scope of the Processing is set out in the Data Processing Confirmation.
4. Your obligations as Data Controller/ Data Exporter
The Data Controller represents and warrants that it shall comply with the DXRX Terms, this DPA and all Applicable Data Protection Law.
The Data Controller represents and warrants that it has obtained all permissions and authorizations necessary to permit the Data Processor and Sub-Data Processors to exercise their rights or perform their obligations under this DPA.
The Data Controller is responsible for compliance with all Applicable Data Protection Law, including requirements with regards to the transfer of Personal Data under this DPA and the DXRX Terms.
The Data Controller shall implement appropriate Technical and Organizational Security Measures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The Data Controller shall take steps to ensure that any natural person acting under the authority of the Data Controller who has access to Personal Data only Processes the Personal Data on the documented instructions of the Data Controller.
The Data Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the DXRX Terms. The Data Processor will Process the request to the extent it is lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible.
The Data Controller acknowledges and agrees that some instructions from the Data Controller, including destruction or return of data, assisting with audits, inspections or data protection impact assessments by the Data Processor, may result in additional reasonable fees. In such case, the Data Processor will notify the Data Controller of its fees for providing such assistance in advance, unless otherwise agreed.
5. Our obligations as Data Processor/ Data Importer
The Data Processor may Process Personal Data only within the scope of this DPA.
The Data Processor confirms that it shall Process Personal Data on behalf of the Data Controller and shall take steps to ensure that any natural person acting under the authority of the Data Processor who has access to Personal Data shall only Process the Personal Data on the documented instructions of the Data Controller. The Data Processor shall ensure that all employees, agents, officers and contractors involved in the handling of Personal Data:
The Data Processor shall promptly inform the Data Controller, if in the Data Processor’s opinion, any of the instructions regarding the Processing of Personal Data provided by the Data Controller, breach any Applicable Data Protection Law.
The Data Processor shall implement appropriate Technical and Organizational Security Measures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The Data Processor shall implement appropriate Technical and Organizational Security Measures to ensure a level of security appropriate to the risk as set out in the DXRX Security Policy. The Data Controller accepts and agrees that the Technical and Organizational Security Measures are subject to development and review and that the Data Processor may use alternative suitable measures to those detailed therein where necessary.
The Data Processor shall make available to the Data Controller all information reasonably necessary to demonstrate compliance with its Processing obligations and allow for and contribute to remote audits and inspections. Any audit conducted under this DPA shall consist of examination of the most recent reports, certificates and/or extracts prepared by an independent auditor bound by confidentiality provisions similar to those set out in the DXRX Terms. In the event that provision of the same is not deemed sufficient in the reasonable opinion of the Data Controller, the Data Controller may conduct a more extensive remote audit which will be: (i) at the Data Controller’s expense; (ii) limited in scope to matters specific to the Data Controller and agreed in advance; (iii) carried out during UK business hours and upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen; and (iv) conducted in a way which does not interfere with the Data Processor’s day-to-day business.
The limitations on liability set out in the DXRX Terms apply to all claims made pursuant to any breach of the terms of this DPA by the Data Processor.
The Parties agree that the Data Processor shall be liable for any breaches of this DPA caused by the acts, omissions or negligence of its Sub-Data Processors, subject to any limitations on liability set out in the DXRX Terms.
The Parties agree that the Data Controller shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Affiliates as if such acts, omissions or negligence had been committed by the Data Controller itself.
The Data Controller shall not be entitled to recover more than once in respect of the same claim.
7. Notification of a Data Breach
The Data Processor shall notify the Data Controller without undue delay after becoming aware of any Data Breach. Such notification of, or response to, a Data Breach shall not be construed as an acknowledgement by the Data Processor of any fault or liability with respect to the Data Breach. Upon becoming aware of a Data Breach in respect of Personal Data Processed by the Data Processor on behalf of the Data Controller under this DPA, the Data Processor will take all commercially reasonable measures to secure the Personal Data, to limit the effects of any Data Breach, and to assist the Data Controller in meeting the Data Controller’s obligations under the Applicable Data Protection Law.
8. Co-operation (with each other and with Supervisory Authorities), Compliance and Response
In the event that the Data Processor receives a DSAR from a Data Subject in relation to Personal Data, the Data Processor will refer the Data Subject to the Data Controller unless otherwise prohibited by law. The Data Controller shall reimburse the Data Processor for all costs incurred resulting from providing reasonable assistance in dealing with a DSAR. In the event that the Data Processor is legally required to respond to the Data Subject, the Data Controller will fully cooperate with the Data Processor as applicable.
The Data Processor will notify the Data Controller promptly of any request or complaint regarding the Processing of Personal Data, which adversely impacts the Data Controller, unless such notification is not permitted under applicable law or a relevant court order.
The Data Processor may make copies of, and/or retain, Personal Data in compliance with any legal or regulatory requirement including, but not limited to, retention requirements.
The Data Processor shall reasonably assist the Data Controller in meeting its obligation to carry out data protection impact assessments, taking into account the nature of Processing and the information available to the Data Processor.
The Data Processor shall respond within a reasonable timeframe in respect of any changes that need to be made to the terms of this DPA or to the Technical and Organizational Security Measures to maintain compliance. If the Parties agree that amendments are required, but the Data Processor is unable to promptly accommodate the necessary changes, the Data Controller may terminate its own use of the part or parts of the DXRX Services which give rise to the non-compliance. To the extent that other parts of the DXRX Services provided are not affected by such changes, the provision of those DXRX Services shall remain unaffected.
The Data Controller and the Data Processor and, where applicable, their representatives, shall cooperate, on request, with a Supervisory Authority in the performance of their respective obligations under this DPA.
9. Sub-Processing & International Transfers
The Data Controller acknowledges and agrees that:
All Sub-Data Processors who Process Personal Data in the provision of the DXRX Services to the Data Controller shall comply with the obligations of the Data Processor set out in this DPA, in particular, in providing at least the same level of protection for the Personal Data and the DSARs as the Data Importer.
Where Sub-Data Processors are located outside of the EEA, the Data Processor confirms that such Sub-Data Processors:
The Data Processor makes available to the Data Controller, the Sub-Data Processor List (which includes the identities of Sub-Data Processors and their country of location) which it shall maintain and keep up-to-date.
The Data Controller may object to the use of a new or replacement Sub-Data Processor, by notifying the Data Processor. If the Data Controller objects to a new or replacement Sub-Data Processor, and that objection is not unreasonable, the Data Controller may terminate the DXRX Terms with respect to those DXRX Services which cannot be provided by the Data Processor without the use of the new or replacement Sub-Data Processor. The Data Processor will refund the Data Controller any prepaid DXRX Platform Fees covering the remainder of the Term of the DXRX Terms following the effective date of termination with respect to such terminated DXRX Services as applicable.
Upon expiry of the Term, the Data Processor shall at the Data Controller’s option, delete or return Personal Data to the Data Controller after the end of the provision of the DXRX Services in accordance with the DXRX Terms relating to Processing, and delete existing copies unless applicable law or regulations require the retained storage of any part of the Personal Data.