Version

Published

2

March 2022

1 Definitions

Agreement: the Agreement between Customer and CorrIT which cross refers to this DPA.

Controller, processor, data subject and processing (and process): the meaning given to that term in the EU/UK Data Protection Laws.

EEA: the European Economic Area.

EU/UK Data Protection Laws: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or
superseded from time to time;

Personal Data Breach: means any breach of security leading to the accidental or un-lawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data;

Restricted Transfer: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

Standard Contractual Clauses: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs").

Supplier: CorrIT as defined in the Agreement.

Supplier Personnel: employees, agents and independent contractors of the Supplier or of a Supplier Affiliate.

Note: Capitalised Terms not defined in the DPA are as defined in the agreement between Customer and CorrIT.

2 Processing

2.1
The parties acknowledge that:

  1. if CorrIT processes any personal data on the Sporify platform on Customer's behalf when performing its obligations under this agreement, the Customer is the controller and CorrIT is the processor for the purposes of the Data Protection Legislation.

  2. the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and CorrIT's other obligations under this agreement.

  3. CorrIT controls any personal data that is ancillary to the Services and processed off the Sporify platform, e.g. personal data that is processed when carrying out CorrIT’s marketing, billing and support activities.

2.2

The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to CorrIT for the duration and purposes of this agreement so that CorrIT may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf.

2.3

CorrIT shall, in relation to any personal data processed in connection with the performance by CorrIT of its obligations under this agreement:

a) process that personal data only on the written instructions of the Customer unless CorrIT is required by EU/UK Data Protection Laws to do otherwise. Where CorrIT is relying on EU/UK Data Protection Laws as the basis for processing Personal Data, CorrIT shall promptly notify the Customer of this before performing the processing required by the EU/UK Data Protection Laws unless those laws prohibit CorrIT from so notifying the Customer;

b) not make a Restricted Transfer unless the following conditions are fulfilled:

i. the Customer or CorrIT has provided appropriate safeguards in relation to the transfer;

ii. the data subject has enforceable rights and effective legal remedies;

iii. CorrIT complies with its obligations under the EU/UK Data Protection Laws by providing an adequate level of protection to any personal data that is transferred; and

i.v CorrIT complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the personal data;

c) assist the Customer, at the Customer's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the EU/UK Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

d) notify the Customer without undue delay on becoming aware of a personal data breach;

e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer at the Customer’s election within 30 days of termination of the agreement unless required by EU/UK Data Protection Laws to store the Personal Data and where Customer does not make such an election within the 30 days of termination, such data shall be deleted; and

f) maintain complete and accurate records and information to demonstrate its compliance with this Data Processing Agreement.

2.4
The parties agree that when the transfer of personal data from Customer to Supplier is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as described in clauses 0 and 0 below.

2.5
in relation to personal data that is regulated by the EU GDPR, the EU SCCs will apply
completed as follows:

a) Module Two will apply;

b) in Clause 7, the optional docking clause will apply;

c) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be 30 days;

d) in Clause 11, the optional language will not apply;

e) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

f) in Clause 18(2), disputes shall be resolved before the courts of Ireland;

g) Annex I of the EU SCCs shall be deemed completed with the information set out in clause 0 to this DPA;

h) Annex II of the EU SCCs shall be deemed completed with the information set out in clause 0 to this DPA;

i) Annex III of the EU SCCs shall be deemed completed with the information set out in Clause 0 to this DPA;

2.6
in relation to personal data that is regulated by the UK GDPR, the UK SCCs will apply completed as follows:

a) Appendix 1 of the UK SCCs shall be deemed completed with the information set out in Schedule 1 to this Agreement; and

b) Appendix 2 of the UK SCCs shall be deemed completed with the information set out in Schedule 1 to this Agreement; and

c) in the event that any provision of this Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

2.7

Each party shall ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).

2.8

The Customer consents to CorrIT appointing Amazon AWS as CorrIT’s sub-processor of personal data under this agreement for hosting and storage purposes. CorrIT confirms that it has entered or (as the case may be) will enter into a written agreement on AWS's standard
terms of business. CorrIT may also use third parties to provide Optional Services that is a CorrIT subcontractor. Where this is the case, it will be specified in the Order Form. Customer agrees to the appointment of such third parties as subprocessors of CorrIT. As between the Customer and CorrIT, CorrIT shall remain fully liable for all acts or omissions of any sub-processor appointed by it pursuant to this clause. CorrIT shall not engage another subprocessor without notifying Customer in advance and giving the Customer the opportunity to object to such changes. If Customer’s concerns cannot be addressed by CorrIT, CorrIT may terminate the contract without liability to Customer.

2.9

Either party may, at any time on not less than 30 days' notice, revise this Data Processing Agreement by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

2.10

This DPA is subject to the limitations of liability set out in the Terms of Service.

2.11

Description of the processing

Subject matter of the processing: Authorised User accounts on the Services

a) Duration of the processing: The term of the Agreement and the period post termination during which the Customer can elect to have CorrIT delete or return the personal data

b) The nature and purpose of the processing: creation and operation of Authorised User accounts, monitoring of licence compliance, deletion or re-assignment of Authorise User accounts.

c) The type of personal data: username, first name, last name, email address, IP address, log data.

d) The categories of data subjects: personnel of Customer or its suppliers.

e) Sensitive personal data processed: None.

2.12
Description of the security measures in place: See CorrIT security policy as may be updated from time to time, available on request

Schedule 1 to the DPA

This Schedule 1 forms part of the DPA and describes the processing that CorrIT will perform on behalf of Customer.

A. LIST OF PARTIES

Data exporter(s):

1.

Name:

The Customer identified in the Order Form

Address:

The addresses of Customer in the Order Form

Contact person’s name, position and contact details:

Data protection enquiries can be addressed to the Data Protection Contact in the Order Form

Activities relevant to the data transferred under these Clauses:

Customer is a pharmaceutical company or service provider to a pharmaceutical company

Signature and date:

This Schedule 1 shall be deemed executed upon execution of the Order Form.

Role (Controller/Processor):

Controller

Processor(s) / Data importer(s):

Name:

Supplier identified in the TOS

Address:

The addresses of each of the Supplier entities identified in the Agreement.

Contact person’s name, position and contact details:

Data protection enquiries can be addressed to Gary Wilson (gary.wilson@corrit.ie)

Activities relevant to the data transferred under these Clauses:

The Supplier provides the Services described in the Agreement.

Signature and date:

This Schedule 1 shall be deemed executed upon execution of the Order Form.

Role (Controller/Processor):

Processor

В. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred:

Please see clause 0

Categories of Personal Data transferred:

Please see clause 0

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

Please see clause 0

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous for the duration of the agreement.

Nature of the Processing:

Please see clause 0

Purpose(s) of the data transfer and further
Processing:

Please see clause 0

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

Duration of the agreement

For transfers to (sub-) Processors, also
specify subject matter, nature and duration
of the Processing:

Please see clause 0

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance (e.g. in accordance with Clause 13 SCCs)

Where the EU GDPR applies, the competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs.

Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner's Office.