Data Privacy and Security Sample Clauses

Data Privacy and Security. Institution and Principal Investigator represent and certify that they have documented information security policies, standards and/or procedures in place to protect the confidentiality and integrity of sensitive information, or any other special classification of information given protection under local privacy laws (including its collection, use, storage, and disclosure), in addition to protected health information and individually identifiable health information, as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations set forth in 45 CFR §§ 160 and 164 (“HIPAA”) (together, “Protected Data”) which include a procedure or process for identifying threats and vulnerabilities to their information system(s) and training their personnel accordingly.
Data Privacy and Security. 9.1 Personal Data Usage and Disclosure
Data Privacy and Security. When processing personal data for purposes of fulfilling an obligation under the Protocol or as otherwise arising under this Agreement, Sponsor is determining the purposes and means for the processing of personal data and therefore acting as data controller as that term is defined under article 4 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). The Institution is processing this personal data pursuant to the Protocol, this Agreement, and any other documented instructions from Sponsor. Institution shall maintain written records of the processing of all personal data as required by GDPR article 30. Institution shall provide such written record to Sponsor promptly upon request and agrees that such written record may be submitted by Sponsor to any third-party data controller (where applicable) and to relevant government and regulatory authorities. Investigator and/or Institution shall promptly notify Sponsor in the event Investigator and/or Institution breach the terms and/or obligations contained in this Section or become aware of such breach. Sponsor and Institution will each maintain a comprehensive privacy and security program designed to ensure that personal data will only be processed in accordance with the terms of this Agreement, including the appointment of a data protection officer as required by applicable law. Sponsor and Institution agree that the Institution is best able to manage requests from data subjects for access, amendment, transfer, blocking, or deletion of personal data. Institution acknowledges that in order to maintain the integrity of Study results, the ability to amend, block, or delete personal data may be limited by applicable law. Data Protection Impact Assessment.
The Institution shall cooperate and assist Sponsor with respect to any data protection impact assessments and/or prior consultations with Government Authorities that may be required in respect of processing carried out under the Agreement. Security Incidents. Notification of Suspected Personal Data Incident. The Institution agrees to notify the Sponsor and PPD within twenty-four (24) hours of discovery of a suspected personal data incident and will cooperate with reasonable Sponsor requests for information regarding such suspected personal data incident as necessary to enable Sponsor to determine and comply with Lilly’s notification obligations under applicable law. Institution agrees to indemnify Sponsor for all losses resulting from any security inc...