DATA PROTECTION ADDENDUM

Transcription

1 DATA PROTECTION ADDENDUM In the event an agreement ( Underlying Agreement ) entered into by and between (i) either Sunovion Pharmaceuticals Inc. or its subsidiary, Sunovion Pharmaceuticals Europe Ltd. ( Sunovion ) and (ii) the service provider, vendor, or consultant identified in the Underlying Agreement (for the purpose of this Addendum, Service Provider ) requires Service Provider to collect, store, use, disclose, or otherwise process any Personal Information (defined below) under Data Protection Laws (defined below), the terms and conditions stated in this addendum ( Addendum ) shall apply and are incorporated by reference into the Underlying Agreement. To the extent the terms in this Addendum conflict with those in the Underlying Agreement, these terms will control. 1. Definitions. a. Data Protection Laws means privacy and data protection laws and regulations, including any law, regulation, order, guideline, industry code, or other requirement that is applicable to Sunovion or to Service Provider in its performance of the Services. b. Data Subject means any person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to identity of that natural person. c. Personal Information means any information relating to a Data Subject which is collected or used by or on behalf of Sunovion by Service Provider. Personal Information includes Sensitive Personal Information. d. Privacy Program means Service Provider s comprehensive written privacy and information security program. e. Process or Processing means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, including, without limitation, any collection, transfer, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, combination, blocking, erasure, or destruction thereof. f. Records means all Personal Information, documentation, data, records, materials, and information obtained or generated by Service Provider in the course of providing the Services. g. Security Incident means any actual or suspected unauthorized access, use, destruction, loss, alteration, acquisition, or disclosure of Personal Information under the control of Service Provider or being processed by a Subprocessor on Service Provider s behalf. h. Sensitive Personal Information means i. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;

2 ii. genetic data, biometric data, and data concerning health; iii. data concerning a natural person s sex life or sexual orientation; iv. any other data which, if involved in a Security Incident, would result in a breach notification obligation to Data Subjects or government authorities under Data Protection Laws, including but not limited to Social Security, national identification, or driver s license numbers, financial account or credit card numbers, and usernames and passwords. i. Services means those goods and services provided to Sunovion by Service Provider as set forth in the Underlying Agreement. j. Subprocessor means any third-party agents, subcontractors, or vendors of Service Provider. 2. Obligations. a. Service Provider agrees to comply with all applicable Data Protection Laws and appropriate industry standards applicable to the processing of Personal Information including, if appropriate, ISO/IEC b. Service Provider agrees to use reasonable and appropriate technical, organizational, and physical controls to protect Personal Information and other data covered by Data Protection Laws which are collected or used by or on behalf of Sunovion by Service Provider from loss, destruction, and unauthorized access, use, or disclosure. In assessing the appropriate level of security, Service Provider shall take account of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information transmitted, stored or otherwise processed. Service Provider further agrees as follows: i. The technical, organizational, and physical controls to protect Personal Information will include: A. the encryption of Personal Information or, with Sunovion s approval, the implementation of equivalent security measures to protect Personal Information; B. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; C. the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident; and D. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. ii. Service Provider agrees that all Personal Information transferred to or stored on any mobile device, including but not limited to laptop computers, compact discs,

3 PDAs, thumb drives, backup tapes, and/or zip drives, shall be in an encrypted form and that all Personal Information transferred over open networks shall be in encrypted form. c. Service Provider agrees to Process Personal Information only as necessary to carry out its responsibilities under the Underlying Agreement, and will Process only the minimum amount of Personal Information required. d. To the extent that Service Provider collects information on Sunovion s behalf or provides to Sunovion, Service Provider will use notices and consents approved by Sunovion. Service Provider represents and warrants that the Personal Information it collects and provides to Sunovion may be lawfully used by Sunovion for the purposes for which it was collected. e. Service Provider agrees not to disclose Personal Information unless: i. it is necessary to carry out an obligation under the Underlying Agreement, including any Statement of Work thereunder; ii. Service Provider notifies Sunovion (to the extent permitted by law) of a legal requirement to disclose Personal Information, which notification shall be prior to disclosure in order to permit Sunovion to oppose the same by appropriate legal action, and Service Provider shall use best efforts to limit the nature and scope of the disclosure and will only disclose the minimum amount of Personal Information necessary to comply with the law or court order; or iii. Sunovion otherwise agrees to such disclosure in writing. f. Service Provider shall assist Sunovion in taking any steps necessary to ensure that Sunovion is able to comply with its obligations under Data Protection Law with respect to Service Provider s processing activities, including assisting Sunovion in consultations with governmental authorities and to prepare any required materials or assessments. g. Service Provider will maintain and materially comply with a Privacy Program designed to protect Personal Information against reasonably foreseeable risks of unauthorized processing, including policies and procedures demonstrating that: i. Personal Information will only be used and disclosed consistent with providing the services hereunder; ii. Service Provider implements appropriate technical, organizational, and physical controls to protect the Personal Information as required by Data Protection Laws; iii. Service Provider trains its workforce on Service Provider s Privacy Program, including on appropriate uses of and protection of Personal Information; iv. Service Provider complies with the requirement to contact Sunovion immediately if a Data Subject contacts Service Provider to exercise any rights under any Data Protection Law; and

4 v. Service Provider takes measures to ensure that Personal Data is only collected, used, stored, shared, and transferred consistent with the instructions of Sunovion. h. Service Provider agrees that, if required by Data Protection Laws, it will: i. employ a data protection officer; and ii. appoint (in writing) a representative within the European Union and any other jurisdictions where a representative is required. i. Service Provider agrees to notify Sunovion within 24 hours of becoming aware of any Security Incident and to take such reasonable, remedial actions warranted to investigate and halt the root cause of such incident to the extent it is ongoing. j. In the event of a Security Incident, Service Provider agrees to assist and fully cooperate with any investigation by Sunovion or Sunovion s designated agent. Sunovion will determine whether to make any notifications to affected individuals or government authorities. k. Service Provider shall not disclose any information about Sunovion in relation to a suspected Security Incident to any third party without Sunovion s prior written approval unless required by law, except that Service Provider may retain a third party subject to obligations of confidentiality and non-disclosure to investigate or mitigate such Security Incident. l. Service Provider agrees to promptly notify Sunovion of any inquiry, complaint, governmental inspection, or audit concerning compliance with Data Protection Laws or applicable industry standards to the extent related to the services provided under the Underlying Agreement. m. In the event Service Provider receives a request from a Data Subject to access, amend, delete, or otherwise exercise the Data Subject s rights under Data Protection Laws, Service Provider will notify Sunovion within three (3) days and follow Sunovion s instructions for responding to the request. n. Service Provider agrees that it will not disclose Personal Information to any Subprocessor without Sunovion s prior written approval. Any Subprocessor will receive Personal Information only pursuant to a written agreement signed by Service Provider and the Subprocessor which will require the Subprocessor to: i. comply with the terms of this Addendum; ii. be properly trained on how to handle Personal Information; and iii. comply with applicable Sunovion policies and procedures. o. Service Provider shall be responsible for any noncompliance with the terms of this Addendum by any Subprocessor, which noncompliance will constitute a breach as if committed directly by Service Provider.

5 p. Service Provider shall ensure that any persons authorized to process Personal Information on Service Provider s behalf have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 3. International Data Transfers. a. Service Provider agrees that it will obtain Sunovion s prior written approval before transferring Personal Information outside of the country where such data was collected. In cases of doubt, Personal Information should be deemed collected in the country where the Data Subject resides. For the purpose of this paragraph, countries within the European Economic Area ( EEA ) will be deemed a single country. b. Service Provider agrees to comply with applicable Data Protection Laws when transferring Personal Information internationally, including, where appropriate, entering into standard contractual clauses that have been approved by regulatory authorities as a basis for international data transfers. An international transfer of data includes the use of cloud-based storage solutions which may permit access to data stored on servers in one country to an individual located in a different country. c. If the Services provided by Service Provider will involve the collection or processing of Personal Information collected from persons within the EEA, then Sunovion shall serve as the controller of such data, as defined by the European Union General Data Protection Regulation ( GDPR ), and Service Provider shall act only under the instructions of Sunovion in regard to such EEA Personal Information. If Sunovion determines that it is legally required, the parties shall negotiate in good faith to agree on an appropriate data transfer agreement. 4. Indemnification. a. Notwithstanding any provision in the Underlying Agreement to the contrary, Service Provider shall indemnify Sunovion, Sunovion s affiliates and their respective directors, officers, employees, agents, subcontractors, and representatives (collectively, Indemnified Parties ), from and against all damages, fines, fees, penalties, costs (including costs associated with providing notices, any offered remediation services, and investigation of a Security Incident), expenses, or other liabilities, including reasonable attorney s fees and court costs, arising out of, or incurred in connection with: (i) any third-party claim, action, or proceeding arising from any breach by Service Provider, or by a Subprocessor or other contractor of Service Provider, of the terms of this Addendum, including any negligent or reckless act, omission or default by Service Provider or Service Provider s Subprocessors or contractors in the provision of the Services; or (ii) any Security Incident. b. Service Provider shall at its own expense obtain and maintain insurance of a type and amount adequate to cover loss, damage, liability or costs in respect of which it is liable to indemnify Sunovion and shall not do or omit to do any act, matter or thing which may prejudice or render voidable any such insurance. Service Provider shall, upon request by

6 5. Data Retention. Sunovion, provide Sunovion with a copy of the insurance policy which it is obliged to take out pursuant to its obligations under this paragraph. a. Upon the expiration or termination of the Underlying Agreement, all Personal Information obtained or generated by Service Provider in the course of providing the Services hereunder shall, upon Sunovion s written request, be: i. delivered to Sunovion or permanently and securely destroyed within thirty (30) days upon receipt of Sunovion s written request; or ii. retained by Service Provider for Sunovion in a facility offering reasonable protection against damage to, wrongful access to, or loss of Personal Information and other Records in accordance with and for the periods specified in Sunovion s SOP on data retention and information policy and the Underlying Agreement. b. If Service Provider retains copies of any Personal Information pursuant to this Section, such Personal Information will be subject to the obligations in this Addendum, which will survive the termination of the Underlying Agreement. 6. Notices. All notices required pursuant to this Addendum should be sent to Sunovion s Data Privacy Officer by and physical mail at the following addresses: a. privacy@sunovion.com b. Gregory Bokar Attn: Legal Affairs 84 Waterford Drive Marlborough, MA USA