Appears in 3 contracts

Sources: Model Non Commercial Participant Identification Centre Agreement (Mnc Pica), Model Non Commercial Participant Identification Centre Agreement (Mnc Pica), Participant Identification Centre Agreement

DATA PROCESSING TERMS. For the purposes of the Data Protection Legislation, the Sponsor is the Controller, the Participating Site is the Sponsor's Processor and the PIC is the Sub-Processor of the Participating Site in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. 2.1 The Parties acknowledge that ~~whereas~~ the ~~Sponsor~~ Customer is the Data Controller ~~in accordance with Clause 3.2~~and Blue Yonder is a Data Processor of Customer Personal Data. As between the Customer and Blue Yonder, the ~~PIC is~~ Customer remains the ~~Controller~~ owner of all Customer Personal Data. 2.2 This Data Processing Addendum only applies to the processing of Customer Personal Data ~~collected~~ by Blue Yonder in connection with the Services under the Agreement. The categories of Data Subjects and types of Customer Personal Data processed are set out in an Appendix to the Agreement. Customer Personal Data is processed for the purpose of providing ~~clinical care~~ the Services and other purposes as identified in the 'Processing activities' section of the Appendix to the ~~Participants~~Agreement. ~~This~~ Blue Yonder shall process Customer Personal Data ~~may be~~ for the ~~same~~ duration of the Agreement (or longer to the extent permitted by applicable law). 2.3 Each party warrants that in relation to this Data Processing Addendum, it is compliant with and will remain compliant with all Applicable Laws. 2.4 Notwithstanding anything to the contrary in the Agreement, in relation to Customer Personal Data, collected transparently and processed for research and for care purposes under the separate Controllerships of the Sponsor and PIC. Where the PIC is the Participating Site's Sub-Processor and thus where the Processing is undertaken by the PIC for the purposes of the Study, Clauses 3.5 to 3.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the PIC is Processing the Participant Blue Yonder shall: 2.4.1 process Customer Personal Data ~~as a Controller. The PIC agrees~~ only ~~to Process Personal Data for and on behalf of the Participating Site~~ in accordance with the Customer's instructions as established in the Agreement or as provided in writing by the Customer from time to time, provided such instructions are reasonable and subject to Blue Yonder's right to charge additional sums at its current rates should the scope of the ~~Participating Site~~ agreed services be exceeded. Notwithstanding the foregoing, Blue Yonder may process Customer Personal Data as required under Applicable Laws. In this situation, Blue Yonder will take reasonable steps to inform the Customer of such a requirement before Blue Yonder processes the data, unless the law prohibits this; 2.4.2 ensure only its (or ~~Sponsor and for~~ its Sub-Processors) personnel who are contractually bound to respect the ~~purpose~~ confidentiality of Customer Personal Data shall have access to the Study and to ensure the Sponsor’s and Participating Site’s compliance with the Data Protection Legislation; The PIC agrees to comply with the obligations applicable to Processors described by Article 28 GDPR including, but not limited to, the following: to same; 2.4.3 implement ~~and maintain~~ appropriate technical and ~~organisational~~ organizational measures to protect against unauthorized or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature of the Customer Personal Data which is to be protected and shall be as set forth in Schedule 1. Customer acknowledges that Blue Yonder may change the security measures ~~sufficient~~ through the adoption of new or enhanced security technologies and authorises Blue Yonder to ~~comply at least with~~ make such changes provided that they do not materially diminish the ~~obligations imposed on~~ level of protection. Blue Yonder shall make information about the ~~Controller by Article 28(1);~~ most up to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to Process the Personal Data only on documented instructions from the Participating Site or Sponsor unless required to do otherwise by legislation, in which case the PIC shall notify the Participating Site before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article 28(3a)).; to ensure that personnel authorised to Process Personal Data are under confidentiality obligations (Article 28(3b)); to take all date security measures ~~required by Article 32 GDPR in relation~~ applicable to the ~~security of processing (Article 28(3c)); to respect~~ Services available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/knowledge-center/gdpr/customer-security-measures; 2.4.4 at the ~~conditions described in Article 28(2)~~ Customer’s reasonable request and ~~(4) for engaging another Processor (Article 28(3d)); to~~at the Customer’s cost, taking into account the nature of the ~~Processing~~processing, assist the ~~Participating Site and/or the Sponsor,~~ Customer by implementing appropriate technical and organisational measures, insofar as this is possible, to assist with the Customer's obligation to respond to requests ~~for exercising~~ from Data ~~Subjects’~~ Subjects of Customer Personal Data seeking to exercise their rights under European Data Protection Law (~~Article 28(3e~~to the extent that the Customer Personal Data is not accessible to the Customer through the Services provided under the Agreement)~~); to assist~~ ; 2.4.5 at the ~~Controller~~Customer’s reasonable request and at the Customer’s cost, ~~to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR~~ taking into account the nature of ~~the Processing~~ processing and the information available to Blue Yonder, assist the ~~PIC (Article 28(3f)); to~~Customer with its obligations under Articles 32 to 36 of the GDPR. Blue Yonder’s assistance under this Clause 2.4.5 and at Clauses 2.4.3 and 2.4.4 shall be chargeable, as incurred, at Blue Yonder’s then current rates; and 2.4.6 upon request by the ~~choice~~ Customer, delete or return to the Customer any such Customer Personal Data within the agreed period of time after the end of the ~~Sponsor~~provision of the Services as set out in the Agreement (or within a reasonable period of time if the Agreement is silent on this point), ~~destroy~~ unless Applicable Laws requires storage of the Customer Personal Data. Unless otherwise provided in the Agreement, Blue Yonder reserves the right to charge for such deletion or return ~~all~~ of such Customer Personal Data. 2.5 The Customer agrees that Blue Yonder may transfer Customer Personal Data or give access to Customer Personal Data to Sub-Processors for the ~~Sponsor at~~ purposes of providing the ~~expiry~~ Services or ~~early termination~~ other purposes identified in the 'Processing activities' section of the Appendix to the Agreement, ~~unless storage is legally required (Article 28(3g)) or where~~ provided that Blue Yonder complies with the provisions of this Clause 2.5. Blue Yonder shall remain responsible for its Sub-Processor's compliance with the obligations of this Data Processing Addendum. Blue Yonder shall ensure that any Sub- Processors to whom Blue Yonder transfers Customer Personal Data enter into written agreements with Blue Yonder requiring that the subcontractor abide by terms no less protective, in any material respect, than this Data Processing Addendum. A current list of Sub-Processors approved as at the date of this Data Processing Addendum is ~~held~~ available to Customer at ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇▇/legal/sub-processor-list. Blue Yonder can at any time and without justification make changes or additions to the Sub-Processor list provided that the Customer is given fifteen (15) days' prior notice and the Customer does not legitimately object to such changes within that timeframe. Blue Yonder shall provide notice through the current Sub- Processor list on the website or, alternatively, if Customer has subscribed to notifications of changes or additions to the Sub-Processor list by clicking this link: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/sub-processor-sign- up.html, Blue Yonder will provide notice to Customer through e-mail. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor's non-compliance with applicable European Data Protection Law. 2.6 The Customer acknowledges that as part of the Services the Customer Personal Data may be located in or accessed from the US or another Relevant Country. Where this involves Blue Yonder or its Affiliates, the Standard Contractual Clauses in Attachment 1 of this Data Processing Addendum (as supplemented by the ~~PIC~~ Data Processing Information in the Agreement) will apply in addition to the terms of this Data Processing Addendum. For other Sub-Processors based in Relevant Countries, the parties shall take steps to ensure that there is adequate protection for any such transfers of Customer Personal Data as ~~Controller for~~ defined in European Data Protection Laws. Where the ~~purpose of clinical care or other legal purposes; and~~Standard Contractual Clauses apply, the Customer acknowledges the following:

Appears in 2 contracts

Sources: Data Processing Addendum, Data Processing Addendum

DATA PROCESSING TERMS. 2.1.1 For the purposes of the Data Protection Legislation, the Sponsor is the ~~Controller,~~ Controller and the Participating Site is the Sponsor's Processor ~~and the PIC is the Sub-Processor of the Participating Site~~ in relation to all Processing of Personal Data that is Processed for the purpose of ~~this Study~~ the Studies listed under Schedule 1 and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. . 2.1.2 The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause ~~3.2~~2.1.1, the ~~PIC~~ Participating Site is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal Data, collected transparently and processed for research and for improving care purposes under the separate Controllerships of the Sponsor and ~~PIC.~~ Participating Site. 2.1.3 Where the ~~PIC~~ Participating Site is the ~~Participating Site~~Sponsor's ~~Sub-~~Processor and thus where the Processing is undertaken by the ~~PIC~~ Participating Site for the purposes of the Study, Clauses ~~3.5~~ 2.1.4 to ~~3.9~~ 2.1.8 below will apply. For the avoidance of doubt, such Clauses do not apply where the ~~PIC~~ Participating Site is Processing the ~~Participant~~ Participant’s Personal Data as a Controller. . 2.1.4 The ~~PIC~~ Participating Site agrees only to Process Personal Data for and on behalf of the ~~Participating Site~~ Sponsor in accordance with the instructions of the ~~Participating Site or~~ Sponsor and for the purpose of the Study and to ensure the Sponsor’s ~~and Participating Site’s~~ compliance with the Data Protection Legislation; ; 2.1.5 The ~~PIC~~ Participating Site agrees to comply with the obligations applicable to Processors described by Article 28 GDPR including, but not limited to, the following: : a. to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); ; b. to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); ; c. to Process the Personal Data only on documented instructions from the ~~Participating Site or~~ Sponsor unless required to do otherwise by legislation, in which case the ~~PIC~~ Participating Site shall notify the ~~Participating Site~~ Sponsor before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs ~~immediately,~~ immediately unless legislation prohibits such notification on important grounds of public interest (Article ~~28(3a~~28(3)(a)).; ; d. to ensure that personnel authorised to Process Personal Data are under confidentiality obligations (Article ~~28(3b~~28(3)(b)); ; e. to take all measures required by Article 32 GDPR in relation to the security of processing (Article 28(3c)); ; f. to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article ~~28(3d~~28(3)(d)); ; g. to, taking into account the nature of the Processing, assist ~~the Participating Site and/or~~ the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article ~~28(3e~~28(3)(e)); ; h. to assist the Controller, to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information available to the ~~PIC~~ Participating Site (Article ~~28(3f~~28(3)(f)); ; i. to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or early termination of the Agreement, unless storage is legally required (Article ~~28(3g~~28(3)(g)) or where that Personal Data is held by the ~~PIC~~ Participating Site as Controller for the purpose of clinical care or other legal purposes; and j. to maintain a record of Processing activities as required by Article 30(2)

Appears in 2 contracts

Sources: Data Sharing Agreement, Data Sharing Agreement

DATA PROCESSING TERMS. For the purposes of the Data Protection Legislation, the Sponsor is the ~~Controller,~~ Controller and the Participating Site is the Sponsor's Processor ~~and the PIC is the Sub-Processor of the Participating Site~~ in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause ~~3.2~~4.1.2, the ~~PIC~~ Participating Site is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal Data, collected transparently and processed for research and for care purposes under the separate Controllerships of the Sponsor and ~~PIC~~Participating Site. Where the ~~PIC~~ Participating Site is the ~~Participating Site~~Sponsor's ~~Sub-~~Processor and thus where the Processing is undertaken by the ~~PIC~~ Participating Site for the purposes of the Study, Clauses ~~3.5~~ 4.1.5 to ~~3.9~~ 4.1.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the ~~PIC~~ Participating Site is Processing the Participant Personal Data as a Controller. The ~~PIC~~ Participating Site agrees only to Process Personal Data for and on behalf of the ~~Participating Site~~ Sponsor in accordance with the instructions of the ~~Participating Site or~~ Sponsor and for the purpose of the Study and to ensure the Sponsor’s ~~and Participating Site’s~~ compliance with the Data Protection Legislation; The ~~PIC~~ Participating Site agrees to comply with the obligations applicable to Processors described by Article 28 GDPR including, but not limited to, the following: to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to Process the Personal Data only on documented instructions from the ~~Participating Site or~~ Sponsor unless required to do otherwise by legislation, in which case the ~~PIC~~ Participating Site shall notify the ~~Participating Site~~ Sponsor before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article 28(3a)).; to ensure that personnel authorised to Process Personal Data are under confidentiality obligations (Article 28(3b)); to take all measures required by Article 32 GDPR in relation to the security of processing (Article 28(3c)); to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article 28(3d)); to, taking into account the nature of the Processing, assist the ~~Participating Site and/or the~~ Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article 28(3e)); to assist the Controller, to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information available to the ~~PIC~~ Participating Site (Article 28(3f)); to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or early termination of the Agreement, unless storage is legally required (Article 28(3g)) or where that Personal Data is held by the ~~PIC~~ Participating Site as Controller for the purpose of clinical care or other legal purposes; ~~and~~and to maintain a record of Processing activities as required by Article 30(2) GDPR. The Participating Site shall ensure that: its Agents do not Process Personal Data except in accordance with this Agreement (and in particular the Protocol); it takes all reasonable steps to ensure the reliability and integrity of any of its Agents who have access to the Personal Data and ensure they: are aware and comply with the Participating Site's duties under this clause; are subject to mandatory training in their information governance responsibilities and have appropriate contracts including sanctions, including for breach of confidence or misuse of data; and are informed of the confidential nature of the Personal Data and understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. The Participating Site agrees to: allow the Sponsor(s) or another auditor appointed by the Sponsor(s) to audit the Participating Site’s compliance with the obligations described by this Agreement, Data Protection Legislation in general and Article 28 GDPR in particular, on reasonable notice subject to the Sponsor complying with all relevant health and safety and security policies of the Participating Site and/or to provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement; and obtain prior agreement of the Sponsor to store or Process Personal Data outside the European Economic Area. Where the Participating Site stores or otherwise Processes Personal Data outside of the European Economic Area as the Sponsor’s Processor, it warrants that it does so in compliance with the Data Protection Legislation. Personal Data shall not be disclosed to the Sponsor by the Participating Site, save where this is required directly or indirectly to satisfy the requirements of the Protocol, or for the purpose of monitoring or reporting adverse events, or in relation to a claim or proceeding brought by a Participant in connection with the Study. The Sponsor agrees to use Personal Data solely in connection with the operation of the Agreement, or otherwise for purposes not incompatible with this original purpose (Article 5, 1 (b) GDPR), and not otherwise. In particular, Not to disclose Personal Data to any person except in accordance with applicable legal requirements and codes of practice. The Sponsor agrees to comply with the obligations placed on a Controller by the Data Protection Legislation. This is not limited to, but includes, being responsible for and able to demonstrate compliance with the principles relating to Processing of Personal Data (Article 5 GDPR) The Sponsor agrees to ensure persons processing Personal Data under this Agreement are equipped to do so respectfully and safely. In particular: To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) Processing Personal Data understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable data breaches. The Sponsor agrees to proactively prevent data security breaches and to respond appropriately to incidents or near misses. In particular, To ensure that Personal Data are only accessible to persons who need it for the purposes of the Study and to remove access as soon as reasonably possible once it is no longer needed. To ensure all access to Personal Data on IT systems processed for Study purposes can be attributed to individuals. To review processes to identify and improve processes which have caused breaches or near misses, or which force persons Processing Personal Data to use workarounds which compromise data security. To adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice. To take action immediately following a data breach or near miss. The Sponsor agrees to ensure data are Processed using secure and up to date technology. In particular, To ensure no unsupported operating systems, software or internet browsers are used to support the processing of Personal Data for the purposes of the Study. To put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. To ensure IT suppliers are held accountable via contracts for protecting Personal Data they Process and for meetings all relevant information governance requirements. Parties to this Agreement which are subject to the Environmental Information Regulations 2004 (EIR) and the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOI(S)A) and which receive a request under EIR, FOIA or FOI(S)A to disclose any information that belongs to another Party shall notify and consult that Party in accordance with clause 13, as soon as reasonably practicable, and in any event, not later than seven (7) working days after receiving the request. The Parties acknowledge and agree that the decision on whether any exemption applies to a request for disclosure of recorded information under EIR, FOIA or FOI(S)A is a decision solely for the Party responding to the request. Where the Party responding to an EIR, FOIA or FOI(S)A request determines that it will disclose information it will notify the other Party in writing, giving at least four (4) working days’ notice of its intended disclosure.

Appears in 2 contracts

Sources: Model Agreement for Non Commercial Research, Model Agreement for Non Commercial Research

DATA PROCESSING TERMS. For the purposes of the Data Protection Legislation, the Sponsor is the ~~Controller,~~ Controller and the Participating Site is the Sponsor's Processor ~~and the PIC is the Sub-Processor of the Participating Site~~ in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause ~~3.2~~4.1.2, the ~~PIC~~ Participating Site is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal Data, collected transparently and processed for research and for care purposes under the separate Controllerships of the Sponsor and ~~PIC~~Participating Site. Where the ~~PIC~~ Participating Site is the ~~Participating Site~~Sponsor's ~~Sub-~~Processor and thus where the Processing is undertaken by the ~~PIC~~ Participating Site for the purposes of the Study, Clauses ~~3.5~~ 4.1.5 to ~~3.9~~ 4.1.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the ~~PIC~~ Participating Site is Processing the Participant Personal Data as a Controller. The ~~PIC~~ Participating Site agrees only to Process Personal Data for and on behalf of the ~~Participating Site~~ Sponsor in accordance with the instructions of the ~~Participating Site or~~ Sponsor and for the purpose of the Study and to ensure the Sponsor’s ~~and Participating Site’s~~ compliance with the Data Protection Legislation; The ~~PIC~~ Participating Site agrees to comply with the obligations applicable to Processors described by Article 28 GDPR including, but not limited to, the following: to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to Process the Personal Data only on documented instructions from the ~~Participating Site or~~ Sponsor unless required to do otherwise by legislation, in which case the ~~PIC~~ Participating Site shall notify the ~~Participating Site~~ Sponsor before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article 28(3a)).; to ensure that personnel authorised to Process Personal Data are under confidentiality obligations (Article 28(3b)); to take all measures required by Article 32 GDPR in relation to the security of processing (Article 28(3c)); to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article 28(3d)); to, taking into account the nature of the Processing, assist the ~~Participating Site and/or the~~ Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article 28(3e)); to assist the Controller, to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information available to the ~~PIC~~ Participating Site (Article 28(3f)); to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or early termination of the Agreement, unless storage is legally required (Article 28(3g)) or where that Personal Data is held by the ~~PIC~~ Participating Site as Controller for the purpose of clinical care or other legal purposes; ~~and~~and to maintain a record of Processing activities as required by Article 30(2) GDPR. The Participating Site shall ensure that: its Agents do not Process Personal Data except in accordance with this Agreement (and in particular the Protocol); it takes all reasonable steps to ensure the reliability and integrity of any of its Agents who have access to the Personal Data and ensure they: are aware and comply with the Participating Site's duties under this clause; are subject to mandatory training in their information governance responsibilities and have appropriate contracts including sanctions, including for breach of confidence or misuse of data; and are informed of the confidential nature of the Personal Data and understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. The Participating Site agrees to: allow the Sponsor(s) or another auditor appointed by the Sponsor(s) to audit the Participating Site’s compliance with the obligations described by this Agreement, Data Protection Legislation in general and Article 28 GDPR in particular, on reasonable notice subject to the Sponsor complying with all relevant health and safety and security policies of the Participating Site and/or to provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement; and obtain prior agreement of the Sponsor to store or Process Personal Data outside the European Economic Area. Where the Participating Site stores or otherwise Processes Personal Data outside of the European Economic Area as the Sponsor’s Processor, it warrants that it does so in compliance with the Data Protection Legislation. Personal Data shall not be disclosed to the Sponsor by the Participating Site, save where this is required directly or indirectly to satisfy the requirements of the Protocol, or for the purpose of monitoring or reporting adverse events, or in relation to a claim or proceeding brought by a Participant in connection with the Study. The Sponsor agrees to use Personal Data solely in connection with the operation of the Agreement, or otherwise for purposes not incompatible with this original purpose (Article 5, 1 (b) GDPR), and not otherwise. In particular, Not to disclose Personal Data to any person except in accordance with applicable legal requirements and codes of practice. The Sponsor agrees to comply with the obligations placed on a Controller by the Data Protection Legislation. This is not limited to, but includes, being responsible for and able to demonstrate compliance with the principles relating to Processing of Personal Data (Article 5 GDPR) The Sponsor agrees to ensure persons processing Personal Data under this Agreement are equipped to do so respectfully and safely. In particular: To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) Processing Personal Data understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable data breaches. The Sponsor agrees to proactively prevent data security breaches and to respond appropriately to incidents or near misses. In particular, To ensure that Personal Data are only accessible to persons who need it for the purposes of the Study and to remove access as soon as reasonably possible once it is no longer needed. To ensure all access to Personal Data on IT systems processed for Study purposes can be attributed to individuals. To review processes to identify and improve processes which have caused breaches or near misses, or which force persons Processing Personal Data to use workarounds which compromise data security. To adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice. To take action immediately following a data breach or near miss. The Sponsor agrees to ensure data are Processed using secure and up to date technology. In particular, To ensure no unsupported operating systems, software or internet browsers are used to support the processing of Personal Data for the purposes of the Study. To put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. To ensure IT suppliers are held accountable via contracts for protecting Personal Data they Process and for meetings all relevant information governance requirements. Parties to this Agreement which are subject to the Environmental Information Regulations 2004 (EIR) and the Freedom of Information ▇▇▇ ▇▇▇▇ (FOIA) or the Freedom of Information (Scotland) ▇▇▇ ▇▇▇▇ (FOI(S)A) and which receive a request under EIR, FOIA or FOI(S)A to disclose any information that belongs to another Party shall notify and consult that Party in accordance with clause 13, as soon as reasonably practicable, and in any event, not later than seven (7) working days after receiving the request. The Parties acknowledge and agree that the decision on whether any exemption applies to a request for disclosure of recorded information under EIR, FOIA or FOI(S)A is a decision solely for the Party responding to the request. Where the Party responding to an EIR, FOIA or FOI(S)A request determines that it will disclose information it will notify the other Party in writing, giving at least four (4) working days’ notice of its intended disclosure.

Appears in 2 contracts

Sources: Non Commercial Research Agreement, Model Agreement for Non Commercial Research

DATA PROCESSING TERMS. For the ~~purposes~~ purpose of the Data Protection Legislation, the Sponsor is the Controller, the ~~Participating~~ Lead Trial Site is the Sponsor's Processor and the ~~PIC~~ Other Trial Site is the Sub-Processor of the ~~Participating~~ Lead Trial Site in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause ~~3.2~~6.3, the ~~PIC~~ Other Trial Site is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal ~~Data, collected transparently and~~ Data that is processed for research ~~and for care~~ purposes under the separate ~~Controllerships~~ Controllership of the Sponsor ~~and PIC~~in accordance with this Agreement. Where the ~~PIC~~ Other Trial Site is the ~~Participating~~ Lead Trial Site's Sub-Processor and thus where the Processing is undertaken by the ~~PIC~~ Other Trial Site for the purposes of the Study, Clauses ~~3.5~~ 6.6 to ~~3.9~~ 6.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the ~~PIC~~ Other Trial Site is Processing the Participant Personal Data as a Controller. The ~~PIC~~ Other Trial Site agrees only to Process Personal Data for and on behalf of the ~~Participating~~ Lead Trial Site in accordance with the instructions of the ~~Participating Site~~ Sponsor, as provided by the Sponsor and / or ~~Sponsor~~ Lead Trial Site, and for the purpose of the Study and to ensure the Sponsor’s and ~~Participating~~ Lead Trial Site’s compliance with the Data Protection Legislation; . The ~~PIC~~ Other Trial Site agrees to comply with the obligations applicable to Processors described by Article 28 of the GDPR including, but not limited to, the following: to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to ~~Process~~ process the Personal Data only on documented instructions ~~from~~ of the ~~Participating Site~~ Sponsor, as provided by the Sponsor and / or ~~Sponsor~~ Lead Trial Site, unless required to do otherwise by legislation, in which case the ~~PIC~~ Other Trial Site shall notify the ~~Participating~~ Lead Trial Site before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article ~~28(3a~~28(3)(a)).; to ensure that ~~personnel~~ Personnel authorised to Process Personal Data are under confidentiality obligations (Article ~~28(3b~~28(3)(b)); to take all measures required by Article 32 GDPR in relation to the security of processing (Article ~~28(3c~~28(3)(c)); to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article ~~28(3d~~28(3)(d)); to, taking into account the nature of the Processing, assist the ~~Participating~~ Lead Trial Site ~~and/or~~ and / or the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article ~~28(3e~~28(3)(e)); to assist the Controller, to ensure compliance with the obligations pursuant to ~~Articles~~ Article 32 to 36 GDPR taking into account the nature of the Processing and the information available to the ~~PIC~~ Other Trial Site (Article ~~28(3f~~28(3)(f)); to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or early termination of the Agreement, unless storage is legally required (Article ~~28(3g~~28(3)(g)) or where that Personal Data is held by the ~~PIC~~ Other Trial Site as Controller for the purpose of clinical care or other legal purposes; and

Appears in 1 contract

Sources: Hub and Spoke Agreement

DATA PROCESSING TERMS. For the purposes of the Data Protection Legislation, the Sponsor is the ~~Controller,~~ Controller and the Participating Site is the Sponsor's Processor ~~and the PIC is the Sub-Processor of the Participating Site~~ in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause ~~3.2~~4.1.2, the ~~PIC~~ Participating Site is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal Data, collected transparently and processed for research and for care purposes under the separate Controllerships of the Sponsor and ~~PIC~~Participating Site. Where the ~~PIC~~ Participating Site is the ~~Participating Site~~Sponsor's ~~Sub-~~Processor and thus where the Processing is undertaken by the ~~PIC~~ Participating Site for the purposes of the Study, Clauses ~~3.5~~ 4.1.5 to ~~3.9~~ 4.1.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the ~~PIC~~ Participating Site is Processing the Participant Personal Data as a Controller. The ~~PIC~~ Participating Site agrees only to Process Personal Data for and on behalf of the ~~Participating Site~~ Sponsor in accordance with the instructions of the ~~Participating Site or~~ Sponsor and for the purpose of the Study and to ensure the Sponsor’s ~~and Participating Site’s~~ compliance with the Data Protection Legislation; The ~~PIC~~ Participating Site agrees to comply with the obligations applicable to Processors described by Article 28 GDPR including, but not limited to, the following: to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to Process the Personal Data only on documented instructions from the ~~Participating Site or~~ Sponsor unless required to do otherwise by legislation, in which case the ~~PIC~~ Participating Site shall notify the ~~Participating Site~~ Sponsor before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article 28(3a)).; to ensure that personnel authorised to Process Personal Data are under confidentiality obligations (Article 28(3b)); to take all measures required by Article 32 GDPR in relation to the security of processing (Article 28(3c)); to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article 28(3d)); to, taking into account the nature of the Processing, assist the ~~Participating Site and/or the~~ Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article 28(3e)); to assist the Controller, to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information available to the ~~PIC~~ Participating Site (Article 28(3f)); to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or early termination of the Agreement, unless storage is legally required (Article 28(3g)) or where that Personal Data is held by the ~~PIC~~ Participating Site as Controller for the purpose of clinical care or other legal purposes; ~~and~~and to maintain a record of Processing activities as required by Article 30(2) GDPR. The Participating Site shall ensure that: its Agents do not Process Personal Data except in accordance with this Agreement (and in particular the Protocol); it takes all reasonable steps to ensure the reliability and integrity of any of its Agents who have access to the Personal Data and ensure they: are aware and comply with the Participating Site's duties under this clause; are subject to mandatory training in their information governance responsibilities and have appropriate contracts including sanctions, including for breach of confidence or misuse of data; and are informed of the confidential nature of the Personal Data and understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. The Participating Site agrees to: allow the Sponsor(s) or another auditor appointed by the Sponsor(s) to audit the Participating Site’s compliance with the obligations described by this Agreement, Data Protection Legislation in general and Article 28 GDPR in particular, on reasonable notice subject to the Sponsor complying with all relevant health and safety and security policies of the Participating Site and/or to provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement; and obtain prior agreement of the Sponsor to store or Process Personal Data outside the UK and the European Economic Area. Where the Participating Site stores or otherwise Processes Personal Data outside of the UK and the European Economic Area as the Sponsor’s Processor, it warrants that it does so in compliance with the Data Protection Legislation. Personal Data shall not be disclosed to the Sponsor by the Participating Site, save where this is required directly or indirectly to satisfy the requirements of the Protocol, or for the purpose of monitoring or reporting adverse events, or in relation to a claim or proceeding brought by a Participant in connection with the Study. The Sponsor agrees to use Personal Data solely in connection with the operation of the Agreement, or otherwise for purposes not incompatible with this original purpose (Article 5, 1 (b) GDPR), and not otherwise. In particular, Not to disclose Personal Data to any person except in accordance with applicable legal requirements and codes of practice. The Sponsor agrees to comply with the obligations placed on a Controller by the Data Protection Legislation. This is not limited to, but includes, being responsible for and able to demonstrate compliance with the principles relating to Processing of Personal Data (Article 5 GDPR) The Sponsor agrees to ensure persons processing Personal Data under this Agreement are equipped to do so respectfully and safely. In particular: To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) Processing Personal Data understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable data breaches. The Sponsor agrees to proactively prevent data security breaches and to respond appropriately to incidents or near misses. In particular, To ensure that Personal Data are only accessible to persons who need it for the purposes of the Study and to remove access as soon as reasonably possible once it is no longer needed. To ensure all access to Personal Data on IT systems processed for Study purposes can be attributed to individuals. To review processes to identify and improve processes which have caused breaches or near misses, or which force persons Processing Personal Data to use workarounds which compromise data security. To adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice. To take action immediately following a data breach or near miss. The Sponsor agrees to ensure data are Processed using secure and up to date technology. In particular, To ensure no unsupported operating systems, software or internet browsers are used to support the processing of Personal Data for the purposes of the Study. To put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. To ensure IT suppliers are held accountable via contracts for protecting Personal Data they Process and for meetings all relevant information governance requirements. Parties to this Agreement which are subject to the Environmental Information Regulations 2004 (EIR) and the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOI(S)A) and which receive a request under EIR, FOIA or FOI(S)A to disclose any information that belongs to another Party shall notify and consult that Party in accordance with clause 13, as soon as reasonably practicable, and in any event, not later than seven (7) working days after receiving the request. The Parties acknowledge and agree that the decision on whether any exemption applies to a request for disclosure of recorded information under EIR, FOIA or FOI(S)A is a decision solely for the Party responding to the request. Where the Party responding to an EIR, FOIA or FOI(S)A request determines that it will disclose information it will notify the other Party in writing, giving at least four (4) working days’ notice of its intended disclosure.

Appears in 1 contract

Sources: Model Agreement for Non Commercial Research

DATA PROCESSING TERMS. For the purposes of the Data Protection Legislation, the Sponsor is the ~~Controller,~~ Controller and the Participating Site is the Sponsor's Processor ~~and the PIC is the Sub-Processor of the Participating Site~~ in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause ~~3.2~~4.1.2, the ~~PIC~~ Participating Site is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal Data, collected transparently and processed for research and for care purposes under the separate Controllerships of the Sponsor and ~~PIC~~Participating Site. Where the ~~PIC~~ Participating Site is the ~~Participating Site~~Sponsor's ~~Sub-~~Processor and thus where the Processing is undertaken by the ~~PIC~~ Participating Site for the purposes of the Study, Clauses ~~3.5~~ 4.1.5 to ~~3.9~~ 4.1.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the ~~PIC~~ Participating Site is Processing the Participant Personal Data as a Controller. The ~~PIC~~ Participating Site agrees only to Process Personal Data for and on behalf of the ~~Participating Site~~ Sponsor in accordance with the instructions of the ~~Participating Site or~~ Sponsor and for the purpose of the Study and to ensure the Sponsor’s ~~and Participating Site’s~~ compliance with the Data Protection Legislation; The ~~PIC~~ Participating Site agrees to comply with the obligations applicable to Processors described by Article 28 GDPR including, but not limited to, the following: to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to Process the Personal Data only on documented instructions from the ~~Participating Site or~~ Sponsor unless required to do otherwise by legislation, in which case the ~~PIC~~ Participating Site shall notify the ~~Participating Site~~ Sponsor before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article 28(3a)).; to ensure that personnel authorised to Process Personal Data are under confidentiality obligations (Article 28(3b)); to take all measures required by Article 32 GDPR in relation to the security of processing (Article 28(3c)); to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article 28(3d)); to, taking into account the nature of the Processing, assist the ~~Participating Site and/or the~~ Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article 28(3e)); to assist the Controller, to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information available to the ~~PIC~~ Participating Site (Article 28(3f)); to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or early termination of the Agreement, unless storage is legally required (Article 28(3g)) or where that Personal Data is held by the ~~PIC~~ Participating Site as Controller for the purpose of clinical care or other legal purposes; ~~and~~and to maintain a record of Processing activities as required by Article 30(2) GDPR. The Participating Site shall ensure that: its Agents do not Process Personal Data except in accordance with this Agreement (and in particular the Protocol); it takes all reasonable steps to ensure the reliability and integrity of any of its Agents who have access to the Personal Data and ensure they: are aware and comply with the Participating Site's duties under this clause; are subject to mandatory training in their information governance responsibilities and have appropriate contracts including sanctions, including for breach of confidence or misuse of data; and are informed of the confidential nature of the Personal Data and understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. The Participating Site agrees to: allow the Sponsor(s) or another auditor appointed by the Sponsor(s) to audit the Participating Site’s compliance with the obligations described by this Agreement, Data Protection Legislation in general and Article 28 GDPR in particular, on reasonable notice subject to the Sponsor complying with all relevant health and safety and security policies of the Participating Site and/or to provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement; and obtain prior agreement of the Sponsor to store or Process Personal Data outside the European Economic Area. Where the Participating Site stores or otherwise Processes Personal Data outside of the European Economic Area as the Sponsor’s Processor, it warrants that it does so in compliance with the Data Protection Legislation. Personal Data shall not be disclosed to the Sponsor by the Participating Site, save where this is required directly or indirectly to satisfy the requirements of the Protocol, or for the purpose of monitoring or reporting adverse events, or in relation to a claim or proceeding brought by a Participant in connection with the Study. The Sponsor agrees to use Personal Data solely in connection with the operation of the Agreement, or otherwise for purposes not incompatible with this original purpose (Article 5, 1 (b) GDPR), and not otherwise. In particular, Not to disclose Personal Data to any person except in accordance with applicable legal requirements and codes of practice. The Sponsor agrees to comply with the obligations placed on a Controller by the Data Protection Legislation. This is not limited to, but includes, being responsible for and able to demonstrate compliance with the principles relating to Processing of Personal Data (Article 5 GDPR) The Sponsor agrees to ensure persons processing Personal Data under this Agreement are equipped to do so respectfully and safely. In particular: To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) Processing Personal Data understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable data breaches. The Sponsor agrees to proactively prevent data security breaches and to respond appropriately to incidents or near misses. In particular, To ensure that Personal Data are only accessible to persons who need it for the purposes of the Study and to remove access as soon as reasonably possible once it is no longer needed. To ensure all access to Personal Data on IT systems processed for Study purposes can be attributed to individuals. To review processes to identify and improve processes which have caused breaches or near misses, or which force persons Processing Personal Data to use workarounds which compromise data security. To adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice. To take action immediately following a data breach or near miss. The Sponsor agrees to ensure data are Processed using secure and up to date technology. In particular, To ensure no unsupported operating systems, software or internet browsers are used to support the processing of Personal Data for the purposes of the Study. To put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. To ensure IT suppliers are held accountable via contracts for protecting Personal Data they Process and for meeting all relevant information governance requirements. Parties to this Agreement which are subject to the Environmental Information Regulations 2004 (EIR) and the Freedom of Information ▇▇▇ ▇▇▇▇ (FOIA) or the Freedom of Information (Scotland) ▇▇▇ ▇▇▇▇ (FOI(S)A) and which receive a request under EIR, FOIA or FOI(S)A to disclose any information that belongs to another Party shall notify and consult that Party in accordance with clause 13, as soon as reasonably practicable, and in any event, not later than seven (7) working days after receiving the request. The Parties acknowledge and agree that the decision on whether any exemption applies to a request for disclosure of recorded information under EIR, FOIA or FOI(S)A is a decision solely for the Party responding to the request. Where the Party responding to an EIR, FOIA or FOI(S)A request determines that it will disclose information it will notify the other Party in writing, giving at least four (4) working days’ notice of its intended disclosure.

Appears in 1 contract

Sources: Model Agreement for Non Commercial Research

Common use of DATA PROCESSING TERMS Clause in Contracts