Common use of DATA PROCESSING TERMS Clause in Contracts

DATA PROCESSING TERMS. For the purposes of the Data Protection Legislation, the Sponsor is the Controller, the Participating Site is the Sponsor's Processor and the PIC is the Sub-Processor of the Participating Site in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause 3.2, the PIC is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal Data, collected transparently and processed for research and for care purposes under the separate Controllerships of the Sponsor and PIC. Where the PIC is the Participating Site's Sub-Processor and thus where the Processing is undertaken by the PIC for the purposes of the Study, Clauses 3.5 to 3.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the PIC is Processing the Participant Personal Data as a Controller. 
The PIC agrees only to Process Personal Data for and on behalf of the Participating Site in accordance with the instructions of the Participating Site or Sponsor and for the purpose of the Study and to ensure the Sponsor’s and Participating Site’s compliance with the Data Protection Legislation; The PIC agrees to comply with the obligations applicable to Processors described by Article 28 GDPR including, but not limited to, the following: to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to Process the Personal Data only on documented instructions from the Participating Site or Sponsor unless required to do otherwise by legislation, in which case the PIC shall notify the Participating Site before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article 28(3a)); to ensure that personnel authorised to Process Personal Data are under confidentiality obligations (Article 28(3b)); to take all measures required by Article 32 GDPR in relation to the security of processing (Article 28(3c)); to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article 28(3d)); to, taking into account the nature of the Processing, assist the Participating Site and/or the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article 28(3e)); to assist the Controller, to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information available to the PIC (Article 28(3f)); to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or early termination of the Agreement, unless storage is legally required (Article 28(3g)) or where that Personal Data is held by the PIC as Controller for the purpose of clinical care or other legal purposes; and

Appears in 3 contracts

Samples: Centre Agreement, Centre Agreement, Centre Agreement


DATA PROCESSING TERMS. For the purposes of the Data Protection Legislation, the Sponsor is the Controller, Controller and the Participating Site is the Sponsor's Processor and the PIC is the Sub-Processor of the Participating Site in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause 3.24.1.2, the PIC Participating Site is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal Data, collected transparently and processed for research and for care purposes under the separate Controllerships of the Sponsor and PICParticipating Site. Where the PIC Participating Site is the Participating SiteSponsor's Sub-Processor and thus where the Processing is undertaken by the PIC Participating Site for the purposes of the Study, Clauses 3.5 4.1.5 to 3.9 4.1.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the PIC Participating Site is Processing the Participant Personal Data as a Controller. 
The PIC Participating Site agrees only to Process Personal Data for and on behalf of the Participating Site Sponsor in accordance with the instructions of the Participating Site or Sponsor and for the purpose of the Study and to ensure the Sponsor’s and Participating Site’s compliance with the Data Protection Legislation; The PIC Participating Site agrees to comply with the obligations applicable to Processors described by Article 28 GDPR including, but not limited to, the following: to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to Process the Personal Data only on documented instructions from the Participating Site or Sponsor unless required to do otherwise by legislation, in which case the PIC Participating Site shall notify the Participating Site Sponsor before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article 28(3a)); to ensure that personnel authorised to Process Personal Data are under confidentiality obligations (Article 28(3b)); to take all measures required by Article 32 GDPR in relation to the security of processing (Article 28(3c)); to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article 28(3d)); to, taking into account the nature of the Processing, assist the Participating Site and/or the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article 28(3e)); to assist the Controller, to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information available to the PIC Participating Site (Article 28(3f)); to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or early termination of the Agreement, unless storage is legally required (Article 28(3g)) or where that Personal Data is held by the PIC Participating Site as Controller for the purpose of clinical care or other legal purposes; and to maintain a record of Processing activities as required by Article 30(2) GDPR. The Participating Site shall ensure that: its Agents do not Process Personal Data except in accordance with this Agreement (and in particular the Protocol); it takes all reasonable steps to ensure the reliability and integrity of any of its Agents who have access to the Personal Data and ensure they: are aware and comply with the Participating Site's duties under this clause; are subject to mandatory training in their information governance responsibilities and have appropriate contracts including sanctions, including for breach of confidence or misuse of data; and are informed of the confidential nature of the Personal Data and understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. The Participating Site agrees to: allow the Sponsor(s) or another auditor appointed by the Sponsor(s) to audit the Participating Site’s compliance with the obligations described by this Agreement, Data Protection Legislation in general and Article 28 GDPR in particular, on reasonable notice subject to the Sponsor complying with all relevant health and safety and security policies of the Participating Site and/or to provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement; and obtain prior agreement of the Sponsor to store or Process Personal Data outside the European Economic Area. 
Where the Participating Site stores or otherwise Processes Personal Data outside of the European Economic Area as the Sponsor’s Processor, it warrants that it does so in compliance with the Data Protection Legislation. Data Sharing Terms Personal Data shall not be disclosed to the Sponsor by the Participating Site, save where this is required directly or indirectly to satisfy the requirements of the Protocol, or for the purpose of monitoring or reporting adverse events, or in relation to a claim or proceeding brought by a Participant in connection with the Study. The Sponsor agrees to use Personal Data solely in connection with the operation of the Agreement, or otherwise for purposes not incompatible with this original purpose (Article 5, 1 (b) GDPR), and not otherwise. In particular, Not to disclose Personal Data to any person except in accordance with applicable legal requirements and codes of practice. The Sponsor agrees to comply with the obligations placed on a Controller by the Data Protection Legislation. This is not limited to, but includes, being responsible for and able to demonstrate compliance with the principles relating to Processing of Personal Data (Article 5 GDPR) The Sponsor agrees to ensure persons processing Personal Data under this Agreement are equipped to do so respectfully and safely. In particular: To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) Processing Personal Data understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. 
To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable data breaches. The Sponsor agrees to proactively prevent data security breaches and to respond appropriately to incidents or near misses. In particular, To ensure that Personal Data are only accessible to persons who need it for the purposes of the Study and to remove access as soon as reasonably possible once it is no longer needed. To ensure all access to Personal Data on IT systems processed for Study purposes can be attributed to individuals. To review processes to identify and improve processes which have caused breaches or near misses, or which force persons Processing Personal Data to use workarounds which compromise data security. To adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice. To take action immediately following a data breach or near miss. The Sponsor agrees to ensure data are Processed using secure and up to date technology. In particular, To ensure no unsupported operating systems, software or internet browsers are used to support the processing of Personal Data for the purposes of the Study. To put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. To ensure IT suppliers are held accountable via contracts for protecting Personal Data they Process and for meeting all relevant information governance requirements. 
FREEDOM OF INFORMATION Parties to this Agreement which are subject to the Environmental Information Regulations 2004 (EIR) and the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOI(S)A) and which receive a request under EIR, FOIA or FOI(S)A to disclose any information that belongs to another Party shall notify and consult that Party in accordance with clause 13, as soon as reasonably practicable, and in any event, not later than seven (7) working days after receiving the request. The Parties acknowledge and agree that the decision on whether any exemption applies to a request for disclosure of recorded information under EIR, FOIA or FOI(S)A is a decision solely for the Party responding to the request. Where the Party responding to an EIR, FOIA or FOI(S)A request determines that it will disclose information it will notify the other Party in writing, giving at least four (4) working days’ notice of its intended disclosure.

Appears in 2 contracts

Samples: Model Agreement, Model Agreement

DATA PROCESSING TERMS. For the purposes of the Data Protection Legislation, the Sponsor is the Controller, Controller and the Participating Site is the Sponsor's Processor and the PIC is the Sub-Processor of the Participating Site in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause 3.24.1.2, the PIC Participating Site is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal Data, collected transparently and processed for research and for care purposes under the separate Controllerships of the Sponsor and PICParticipating Site. Where the PIC Participating Site is the Participating SiteSponsor's Sub-Processor and thus where the Processing is undertaken by the PIC Participating Site for the purposes of the Study, Clauses 3.5 4.1.5 to 3.9 4.1.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the PIC Participating Site is Processing the Participant Personal Data as a Controller. 
The PIC Participating Site agrees only to Process Personal Data for and on behalf of the Participating Site Sponsor in accordance with the instructions of the Participating Site or Sponsor and for the purpose of the Study and to ensure the Sponsor’s and Participating Site’s compliance with the Data Protection Legislation; The PIC Participating Site agrees to comply with the obligations applicable to Processors described by Article 28 GDPR including, but not limited to, the following: to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to Process the Personal Data only on documented instructions from the Participating Site or Sponsor unless required to do otherwise by legislation, in which case the PIC Participating Site shall notify the Participating Site Sponsor before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article 28(3a)); to ensure that personnel authorised to Process Personal Data are under confidentiality obligations (Article 28(3b)); to take all measures required by Article 32 GDPR in relation to the security of processing (Article 28(3c)); to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article 28(3d)); to, taking into account the nature of the Processing, assist the Participating Site and/or the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article 28(3e)); to assist the Controller, to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information available to the PIC Participating Site (Article 28(3f)); to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or early termination of the Agreement, unless storage is legally required (Article 28(3g)) or where that Personal Data is held by the PIC Participating Site as Controller for the purpose of clinical care or other legal purposes; and to maintain a record of Processing activities as required by Article 30(2) GDPR. The Participating Site shall ensure that: its Agents do not Process Personal Data except in accordance with this Agreement (and in particular the Protocol); it takes all reasonable steps to ensure the reliability and integrity of any of its Agents who have access to the Personal Data and ensure they: are aware and comply with the Participating Site's duties under this clause; are subject to mandatory training in their information governance responsibilities and have appropriate contracts including sanctions, including for breach of confidence or misuse of data; and are informed of the confidential nature of the Personal Data and understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. The Participating Site agrees to: allow the Sponsor(s) or another auditor appointed by the Sponsor(s) to audit the Participating Site’s compliance with the obligations described by this Agreement, Data Protection Legislation in general and Article 28 GDPR in particular, on reasonable notice subject to the Sponsor complying with all relevant health and safety and security policies of the Participating Site and/or to provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement; and obtain prior agreement of the Sponsor to store or Process Personal Data outside the European Economic Area. 
Where the Participating Site stores or otherwise Processes Personal Data outside of the European Economic Area as the Sponsor’s Processor, it warrants that it does so in compliance with the Data Protection Legislation. Data Sharing Terms Personal Data shall not be disclosed to the Sponsor by the Participating Site, save where this is required directly or indirectly to satisfy the requirements of the Protocol, or for the purpose of monitoring or reporting adverse events, or in relation to a claim or proceeding brought by a Participant in connection with the Study. The Sponsor agrees to use Personal Data solely in connection with the operation of the Agreement, or otherwise for purposes not incompatible with this original purpose (Article 5, 1 (b) GDPR), and not otherwise. In particular, Not to disclose Personal Data to any person except in accordance with applicable legal requirements and codes of practice. The Sponsor agrees to comply with the obligations placed on a Controller by the Data Protection Legislation. This is not limited to, but includes, being responsible for and able to demonstrate compliance with the principles relating to Processing of Personal Data (Article 5 GDPR) The Sponsor agrees to ensure persons processing Personal Data under this Agreement are equipped to do so respectfully and safely. In particular: To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) Processing Personal Data understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. 
To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable data breaches. The Sponsor agrees to proactively prevent data security breaches and to respond appropriately to incidents or near misses. In particular, To ensure that Personal Data are only accessible to persons who need it for the purposes of the Study and to remove access as soon as reasonably possible once it is no longer needed. To ensure all access to Personal Data on IT systems processed for Study purposes can be attributed to individuals. To review processes to identify and improve processes which have caused breaches or near misses, or which force persons Processing Personal Data to use workarounds which compromise data security. To adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice. To take action immediately following a data breach or near miss. The Sponsor agrees to ensure data are Processed using secure and up to date technology. In particular, To ensure no unsupported operating systems, software or internet browsers are used to support the processing of Personal Data for the purposes of the Study. To put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. To ensure IT suppliers are held accountable via contracts for protecting Personal Data they Process and for meeting all relevant information governance requirements. 
FREEDOM OF INFORMATION Parties to this Agreement which are subject to the Environmental Information Regulations 2004 (EIR) and the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOI(S)A) and which receive a request under EIR, FOIA or FOI(S)A to disclose any information that belongs to another Party shall notify and consult that Party in accordance with clause 13, as soon as reasonably practicable, and in any event, not later than seven (7) working days after receiving the request. The Parties acknowledge and agree that the decision on whether any exemption applies to a request for disclosure of recorded information under EIR, FOIA or FOI(S)A is a decision solely for the Party responding to the request. Where the Party responding to an EIR, FOIA or FOI(S)A request determines that it will disclose information it will notify the other Party in writing, giving at least four (4) working days’ notice of its intended disclosure.

Appears in 1 contract

Samples: Study Title

DATA PROCESSING TERMS. For the purposes of the Data Protection Legislation, the Sponsor is the Controller, Controller and the Participating Site is the Sponsor's Processor and the PIC is the Sub-Processor of the Participating Site in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause 3.24.1.2, the PIC Participating Site is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal Data, collected transparently and processed for research and for care purposes under the separate Controllerships of the Sponsor and PICParticipating Site. Where the PIC Participating Site is the Participating SiteSponsor's Sub-Processor and thus where the Processing is undertaken by the PIC Participating Site for the purposes of the Study, Clauses 3.5 4.1.5 to 3.9 4.1.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the PIC Participating Site is Processing the Participant Personal Data as a Controller. 
The PIC Participating Site agrees only to Process Personal Data for and on behalf of the Participating Site Sponsor in accordance with the instructions of the Participating Site or Sponsor and for the purpose of the Study and to ensure the Sponsor’s and Participating Site’s compliance with the Data Protection Legislation; The PIC Participating Site agrees to comply with the obligations applicable to Processors described by Article 28 GDPR including, but not limited to, the following: to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to Process the Personal Data only on documented instructions from the Participating Site or Sponsor unless required to do otherwise by legislation, in which case the PIC Participating Site shall notify the Participating Site Sponsor before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article 28(3a)); to ensure that personnel authorised to Process Personal Data are under confidentiality obligations (Article 28(3b)); to take all measures required by Article 32 GDPR in relation to the security of processing (Article 28(3c)); to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article 28(3d)); to, taking into account the nature of the Processing, assist the Participating Site and/or the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article 28(3e)); to assist the Controller, to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information available to the PIC Participating Site (Article 28(3f)); to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or early termination of the Agreement, unless storage is legally required (Article 28(3g)) or where that Personal Data is held by the PIC Participating Site as Controller for the purpose of clinical care or other legal purposes; and to maintain a record of Processing activities as required by Article 30(2) GDPR. The Participating Site shall ensure that: its Agents do not Process Personal Data except in accordance with this Agreement (and in particular the Protocol); it takes all reasonable steps to ensure the reliability and integrity of any of its Agents who have access to the Personal Data and ensure they: are aware and comply with the Participating Site's duties under this clause; are subject to mandatory training in their information governance responsibilities and have appropriate contracts including sanctions, including for breach of confidence or misuse of data; and are informed of the confidential nature of the Personal Data and understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. The Participating Site agrees to: allow the Sponsor(s) or another auditor appointed by the Sponsor(s) to audit the Participating Site’s compliance with the obligations described by this Agreement, Data Protection Legislation in general and Article 28 GDPR in particular, on reasonable notice subject to the Sponsor complying with all relevant health and safety and security policies of the Participating Site and/or to provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement; and obtain prior agreement of the Sponsor to store or Process Personal Data outside the UK and the European Economic Area. 
Where the Participating Site stores or otherwise Processes Personal Data outside of the UK and the European Economic Area as the Sponsor’s Processor, it warrants that it does so in compliance with the Data Protection Legislation. Data Sharing Terms Personal Data shall not be disclosed to the Sponsor by the Participating Site, save where this is required directly or indirectly to satisfy the requirements of the Protocol, or for the purpose of monitoring or reporting adverse events, or in relation to a claim or proceeding brought by a Participant in connection with the Study. The Sponsor agrees to use Personal Data solely in connection with the operation of the Agreement, or otherwise for purposes not incompatible with this original purpose (Article 5, 1 (b) GDPR), and not otherwise. In particular, Not to disclose Personal Data to any person except in accordance with applicable legal requirements and codes of practice. The Sponsor agrees to comply with the obligations placed on a Controller by the Data Protection Legislation. This is not limited to, but includes, being responsible for and able to demonstrate compliance with the principles relating to Processing of Personal Data (Article 5 GDPR) The Sponsor agrees to ensure persons processing Personal Data under this Agreement are equipped to do so respectfully and safely. In particular: To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) Processing Personal Data understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. 
To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable data breaches. The Sponsor agrees to proactively prevent data security breaches and to respond appropriately to incidents or near misses. In particular, To ensure that Personal Data are only accessible to persons who need it for the purposes of the Study and to remove access as soon as reasonably possible once it is no longer needed. To ensure all access to Personal Data on IT systems processed for Study purposes can be attributed to individuals. To review processes to identify and improve processes which have caused breaches or near misses, or which force persons Processing Personal Data to use workarounds which compromise data security. To adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice. To take action immediately following a data breach or near miss. The Sponsor agrees to ensure data are Processed using secure and up to date technology. In particular, To ensure no unsupported operating systems, software or internet browsers are used to support the processing of Personal Data for the purposes of the Study. To put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. To ensure IT suppliers are held accountable via contracts for protecting Personal Data they Process and for meeting all relevant information governance requirements. 
FREEDOM OF INFORMATION Parties to this Agreement which are subject to the Environmental Information Regulations 2004 (EIR) and the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOI(S)A) and which receive a request under EIR, FOIA or FOI(S)A to disclose any information that belongs to another Party shall notify and consult that Party in accordance with clause 13, as soon as reasonably practicable, and in any event, not later than seven (7) working days after receiving the request. The Parties acknowledge and agree that the decision on whether any exemption applies to a request for disclosure of recorded information under EIR, FOIA or FOI(S)A is a decision solely for the Party responding to the request. Where the Party responding to an EIR, FOIA or FOI(S)A request determines that it will disclose information it will notify the other Party in writing, giving at least four (4) working days’ notice of its intended disclosure.

Appears in 1 contract

Samples: Model Agreement

DATA PROCESSING TERMS. For the purposes of the Data Protection Legislation, the Sponsor is the Controller, Controller and the Participating Site is the Sponsor's Processor and the PIC is the Sub-Processor of the Participating Site in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause 3.24.1.2, the PIC Participating Site is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal Data, collected transparently and processed for research and for care purposes under the separate Controllerships of the Sponsor and PICParticipating Site. Where the PIC Participating Site is the Participating SiteSponsor's Sub-Processor and thus where the Processing is undertaken by the PIC Participating Site for the purposes of the Study, Clauses 3.5 4.1.5 to 3.9 4.1.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the PIC Participating Site is Processing the Participant Personal Data as a Controller. 
The PIC Participating Site agrees only to Process Personal Data for and on behalf of the Participating Site Sponsor in accordance with the instructions of the Participating Site or Sponsor and for the purpose of the Study and to ensure the Sponsor’s and Participating Site’s compliance with the Data Protection Legislation; The PIC Participating Site agrees to comply with the obligations applicable to Processors described by Article 28 GDPR including, but not limited to, the following: to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to Process the Personal Data only on documented instructions from the Participating Site or Sponsor unless required to do otherwise by legislation, in which case the PIC Participating Site shall notify the Participating Site Sponsor before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article 28(3a)).; to ensure that personnel authorised to Process Personal Data are under confidentiality obligations (Article 28(3b)); to take all measures required by Article 32 GDPR in relation to the security of processing (Article 28(3c)); to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article 28(3d)); to, taking into account the nature of the Processing, assist the Participating Site and/or the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article 28(3e)); to assist the Controller, to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the 
information available to the PIC Participating Site (Article 28(3f)); to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or early termination of the Agreement, unless storage is legally required (Article 28(3g)) or where that Personal Data is held by the PIC Participating Site as Controller for the purpose of clinical care or other legal purposes; and to maintain a record of Processing activities as required by Article 30(2) GDPR. The Participating Site shall ensure that: its Agents do not Process Personal Data except in accordance with this Agreement (and in particular the Protocol); it takes all reasonable steps to ensure the reliability and integrity of any of its Agents who have access to the Personal Data and ensure they: are aware and comply with the Participating Site's duties under this clause; are subject to mandatory training in their information governance responsibilities and have appropriate contracts including sanctions, including for breach of confidence or misuse of data; and are informed of the confidential nature of the Personal Data and understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. The Participating Site agrees to: allow the Sponsor(s) or another auditor appointed by the Sponsor(s) to audit the Participating Site’s compliance with the obligations described by this Agreement, Data Protection Legislation in general and Article 28 GDPR in particular, on reasonable notice subject to the Sponsor complying with all relevant health and safety and security policies of the Participating Site and/or to provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement; and obtain prior agreement of the Sponsor to store or Process Personal Data outside the European Economic Area. 
Where the Participating Site stores or otherwise Processes Personal Data outside of the European Economic Area as the Sponsor’s Processor, it warrants that it does so in compliance with the Data Protection Legislation. [SECTION TO BE REMOVED WHERE PERSONAL DATA IS NOT BEING TRANSFERRED TO THE SPONSOR OR AN AGENT OF THE SPONSOR] Data Sharing Terms Personal Data shall not be disclosed to the Sponsor by the Participating Site, save where this is required directly or indirectly to satisfy the requirements of the Protocol, or for the purpose of monitoring or reporting adverse events, or in relation to a claim or proceeding brought by a Participant in connection with the Study. The Sponsor agrees to use Personal Data solely in connection with the operation of the Agreement, or otherwise for purposes not incompatible with this original purpose (Article 5, 1 (b) GDPR), and not otherwise. In particular, Not to disclose Personal Data to any person except in accordance with applicable legal requirements and codes of practice. The Sponsor agrees to comply with the obligations placed on a Controller by the Data Protection Legislation. This is not limited to, but includes, being responsible for and able to demonstrate compliance with the principles relating to Processing of Personal Data (Article 5 GDPR) The Sponsor agrees to ensure persons processing Personal Data under this Agreement are equipped to do so respectfully and safely. In particular: To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) Processing Personal Data understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. 
To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable data breaches. The Sponsor agrees to proactively prevent data security breaches and to respond appropriately to incidents or near misses. In particular, To ensure that Personal Data are only accessible to persons who need it for the purposes of the Study and to remove access as soon as reasonably possible once it is no longer needed. To ensure all access to Personal Data on IT systems processed for Study purposes can be attributed to individuals. To review processes to identify and improve processes which have caused breaches or near misses, or which force persons Processing Personal Data to use workarounds which compromise data security. To adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice. To take action immediately following a data breach or near miss. The Sponsor agrees to ensure data are Processed using secure and up to date technology. In particular, To ensure no unsupported operating systems, software or internet browsers are used to support the processing of Personal Data for the purposes of the Study. To put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. To ensure IT suppliers are held accountable via contracts for protecting Personal Data they Process and for meeting all relevant information governance requirements. 
FREEDOM OF INFORMATION Parties to this Agreement which are subject to the Environmental Information Regulations 2004 (EIR) and the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOI(S)A) and which receive a request under EIR, FOIA or FOI(S)A to disclose any information that belongs to another Party shall notify and consult that Party in accordance with clause 13, as soon as reasonably practicable, and in any event, not later than seven (7) working days after receiving the request. The Parties acknowledge and agree that the decision on whether any exemption applies to a request for disclosure of recorded information under EIR, FOIA or FOI(S)A is a decision solely for the Party responding to the request. Where the Party responding to an EIR, FOIA or FOI(S)A request determines that it will disclose information it will notify the other Party in writing, giving at least four (4) working days’ notice of its intended disclosure.

Appears in 1 contract

Samples: www.leedsth.nhs.uk

DATA PROCESSING TERMS. For the purposes purpose of the Data Protection Legislation, the Sponsor is the Controller, the Participating Lead Trial Site is the Sponsor's Processor and the PIC Other Trial Site is the Sub-Processor of the Participating Lead Trial Site in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause 3.26.3, the PIC Other Trial Site is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal Data, collected transparently and Data that is processed for research and for care purposes under the separate Controllerships Controllership of the Sponsor and PICin accordance with this Agreement. Where the PIC Other Trial Site is the Participating Lead Trial Site's Sub-Processor and thus where the Processing is undertaken by the PIC Other Trial Site for the purposes of the Study, Clauses 3.5 6.6 to 3.9 6.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the PIC Other Trial Site is Processing the Participant Personal Data as a Controller. The PIC Other Trial Site agrees only to Process Personal Data for and on behalf of the Participating Lead Trial Site in accordance with the instructions of the Participating Site Sponsor, as provided by the Sponsor and / or Sponsor Lead Trial Site, and for the purpose of the Study and to ensure the Sponsor’s and Participating Lead Trial Site’s compliance with the Data Protection Legislation; . 
The PIC Other Trial Site agrees to comply with the obligations applicable to Processors described by Article 28 of the GDPR including, but not limited to, the following: to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to Process process the Personal Data only on documented instructions from of the Participating Site Sponsor, as provided by the Sponsor and / or Sponsor Lead Trial Site, unless required to do otherwise by legislation, in which case the PIC Other Trial Site shall notify the Participating Lead Trial Site before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article 28(3a28(3)(a)).; to ensure that personnel Personnel authorised to Process Personal Data are under confidentiality obligations (Article 28(3b28(3)(b)); to take all measures required by Article 32 GDPR in relation to the security of processing (Article 28(3c28(3)(c)); to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article 28(3d28(3)(d)); to, taking into account the nature of the Processing, assist the Participating Lead Trial Site and/or and / or the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article 28(3e28(3)(e)); to assist the Controller, to ensure compliance with the obligations pursuant to Articles Article 32 to 36 GDPR taking into account the nature of the Processing and the information available to the PIC Other Trial Site (Article 28(3f28(3)(f)); to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or 
early termination of the Agreement, unless storage is legally required (Article 28(3g28(3)(g)) or where that Personal Data is held by the PIC Other Trial Site as Controller for the purpose of clinical care or other legal purposes; and

Appears in 1 contract

Samples: www.myresearchproject.org.uk

DATA PROCESSING TERMS. For the purposes of the Data Protection Legislation, the Sponsor is the Controller, Controller and the Participating Site is the Sponsor's Processor and the PIC is the Sub-Processor of the Participating Site in relation to all Processing of Personal Data that is Processed for the purpose of this Study and for any future research use under the Controllership of the Sponsor, that would not have taken place but for this Agreement regardless where that Processing takes place. The Parties acknowledge that whereas the Sponsor is the Controller in accordance with Clause 3.24.1.2, the PIC Participating Site is the Controller of the Personal Data collected for the purpose of providing clinical care to the Participants. This Personal Data may be the same Personal Data, collected transparently and processed for research and for care purposes under the separate Controllerships of the Sponsor and PICParticipating Site. Where the PIC Participating Site is the Participating SiteSponsor's Sub-Processor and thus where the Processing is undertaken by the PIC Participating Site for the purposes of the Study, Clauses 3.5 4.1.5 to 3.9 4.1.9 below will apply. For the avoidance of doubt, such Clauses do not apply where the PIC Participating Site is Processing the Participant Personal Data as a Controller. 
The PIC Participating Site agrees only to Process Personal Data for and on behalf of the Participating Site Sponsor in accordance with the instructions of the Participating Site or Sponsor and for the purpose of the Study and to ensure the Sponsor’s and Participating Site’s compliance with the Data Protection Legislation; The PIC Participating Site agrees to comply with the obligations applicable to Processors described by Article 28 GDPR including, but not limited to, the following: to implement and maintain appropriate technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Article 28(1); to not engage another Processor without the prior written authorisation of the Sponsor (Article 28(2)); to Process the Personal Data only on documented instructions from the Participating Site or Sponsor unless required to do otherwise by legislation, in which case the PIC Participating Site shall notify the Participating Site Sponsor before Processing, or as soon as possible after Processing if legislation requires that the Processing occurs immediately, unless legislation prohibits such notification on important grounds of public interest (Article 28(3a)).; to ensure that personnel authorised to Process Personal Data are under confidentiality obligations (Article 28(3b)); to take all measures required by Article 32 GDPR in relation to the security of processing (Article 28(3c)); to respect the conditions described in Article 28(2) and (4) for engaging another Processor (Article 28(3d)); to, taking into account the nature of the Processing, assist the Participating Site and/or the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (Article 28(3e)); to assist the Controller, to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the 
information available to the PIC Participating Site (Article 28(3f)); to, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor at the expiry or early termination of the Agreement, unless storage is legally required (Article 28(3g)) or where that Personal Data is held by the PIC Participating Site as Controller for the purpose of clinical care or other legal purposes; and to maintain a record of Processing activities as required by Article 30(2) GDPR. The Participating Site shall ensure that: its Agents do not Process Personal Data except in accordance with this Agreement (and in particular the Protocol); it takes all reasonable steps to ensure the reliability and integrity of any of its Agents who have access to the Personal Data and ensure they: are aware and comply with the Participating Site's duties under this clause; are subject to mandatory training in their information governance responsibilities and have appropriate contracts including sanctions, including for breach of confidence or misuse of data; and are informed of the confidential nature of the Personal Data and understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. The Participating Site agrees to: allow the Sponsor(s) or another auditor appointed by the Sponsor(s) to audit the Participating Site’s compliance with the obligations described by this Agreement, Data Protection Legislation in general and Article 28 GDPR in particular, on reasonable notice subject to the Sponsor complying with all relevant health and safety and security policies of the Participating Site and/or to provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement; and obtain prior agreement of the Sponsor to store or Process Personal Data outside the European Economic Area. 
Where the Participating Site stores or otherwise Processes Personal Data outside of the European Economic Area as the Sponsor’s Processor, it warrants that it does so in compliance with the Data Protection Legislation. Data Sharing Terms Personal Data shall not be disclosed to the Sponsor by the Participating Site, save where this is required directly or indirectly to satisfy the requirements of the Protocol, or for the purpose of monitoring or reporting adverse events, or in relation to a claim or proceeding brought by a Participant in connection with the Study. The Sponsor agrees to use Personal Data solely in connection with the operation of the Agreement, or otherwise for purposes not incompatible with this original purpose (Article 5, 1 (b) GDPR), and not otherwise. In particular, Not to disclose Personal Data to any person except in accordance with applicable legal requirements and codes of practice. The Sponsor agrees to comply with the obligations placed on a Controller by the Data Protection Legislation. This is not limited to, but includes, being responsible for and able to demonstrate compliance with the principles relating to Processing of Personal Data (Article 5 GDPR) The Sponsor agrees to ensure persons processing Personal Data under this Agreement are equipped to do so respectfully and safely. In particular: To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) Processing Personal Data understand the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose for lawful and appropriate purposes. 
To ensure any persons (excluding employees, honorary employees, students, researchers, consultants and subcontractors of the Participating Site) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable data breaches. The Sponsor agrees to proactively prevent data security breaches and to respond appropriately to incidents or near misses. In particular, To ensure that Personal Data are only accessible to persons who need it for the purposes of the Study and to remove access as soon as reasonably possible once it is no longer needed. To ensure all access to Personal Data on IT systems processed for Study purposes can be attributed to individuals. To review processes to identify and improve processes which have caused breaches or near misses, or which force persons Processing Personal Data to use workarounds which compromise data security. To adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice. To take action immediately following a data breach or near miss. The Sponsor agrees to ensure data are Processed using secure and up to date technology. In particular, To ensure no unsupported operating systems, software or internet browsers are used to support the processing of Personal Data for the purposes of the Study. To put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. To ensure IT suppliers are held accountable via contracts for protecting Personal Data they Process and for meeting all relevant information governance requirements. 
FREEDOM OF INFORMATION Parties to this Agreement which are subject to the Environmental Information Regulations 2004 (EIR) and the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOI(S)A) and which receive a request under EIR, FOIA or FOI(S)A to disclose any information that belongs to another Party shall notify and consult that Party in accordance with clause 13, as soon as reasonably practicable, and in any event, not later than seven (7) working days after receiving the request. The Parties acknowledge and agree that the decision on whether any exemption applies to a request for disclosure of recorded information under EIR, FOIA or FOI(S)A is a decision solely for the Party responding to the request. Where the Party responding to an EIR, FOIA or FOI(S)A request determines that it will disclose information it will notify the other Party in writing, giving at least four (4) working days’ notice of its intended disclosure.

Appears in 1 contract

Samples: Model Agreement
