Sources: Master Clinical Contract Services Agreement (AVROBIO, Inc.)
EU Data Protection. Without limiting the generality of Section 7.1, to the extent Service Provider may, during or as a result of rendering Services under any Statement of Work, have access to European Union (EU)-originating Personal Data (as that term is defined in the General Data Protection Regulation (EU) 2016/679 (the “GDPR”)), the terms set forth in this Section 7.2 will apply. (For purposes of Section 5.5, Section 9.4(e) and this Section 7.2, capitalized terms not defined in such Sections refer to the definitions in the GDPR). Tectonic will serve as the Controller and Service Provider will serve as Tectonic’s Processor in respect of all Personal Data made available to and Processed by Service Provider in connection with the provision of the Services under this Agreement. Service Provider will provide Personal Data and Processing Services for those categories of Personal Data set out in the applicable Statement of Work and all other Personal Data made available to Service Provider under this Agreement. In connection with such Personal Data and Processing Services, Service Provider will:
(a) Process Personal Data solely for the purposes of providing the Services and in accordance with Tectonic’s written instructions and not for any other purpose or in any other manner. If Service Provider is required to use the Personal Data for another purpose by EU or Member State law to which the Service Provider is subject, Service Provider will, unless prohibited by applicable law, promptly (and in no event more than [***] after receipt of such information) notify Tectonic in writing of that legal requirement before Processing such Personal Data;
(b) ensure that all Service Provider Personnel that Process Personal Data are subject to confidentiality and non-use obligations expressly covering the Personal Data;
(c) comply with the security requirements set out in this Agreement;
(d) not disclose or transfer Personal Data to any third party without Tectonic’s prior written consent except where such disclosure or transfer is:
(i) to a permitted subcontractor (A) which, prior to such disclosure, was (1) approved by Tectonic pursuant to and subject to Section 2.4, and (2) bound by a written agreement with Service Provider to obligations that are no less onerous than the obligations set out in this Section 7.2; (B) has been qualified by Service Provider to provide Processing Services in compliance with this Agreement and applicable law; and (C) whose provision of Processing Services will be periodically audited by Service Provider for continuing compliance with the obligations set out in this Section 7.2. Under each Statement of Work, Service Provider will provide Tectonic with a written list of subcontractors providing Processing Services. Any additional or replacement subcontractors are subject to the requirements of the foregoing (A), (B) and (C); and
(ii) required by applicable EU or Member State law to which the Service Provider is subject, in which case Service Provider will, unless prohibited by applicable law, immediately (and no later than [***] after receipt of such information) notify Tectonic in writing of that legal requirement before complying with such requirement. To the extent permitted by applicable EU or Member State law, Service Provider will comply with the written directions of Tectonic, limit the nature and scope of the requested disclosure, and disclose the minimum Personal Data necessary;
(e) provide all assistance to Tectonic necessary for Tectonic to meet its obligations as to the rights of Data Subjects, including the right of information, access, rectification, restriction, erasure, portability and opposition, and the right not to be subjected to automated decision-making;
(f) provide assistance to Tectonic in the performance by Tectonic, where required, of a data protection impact assessment and in consulting with competent authorities; notify Tectonic in writing within [***] of receiving information about a Personal Data Breach and as part of such notification describe the nature of the incident and, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, and provide information regarding the possible effects of such Personal Data Breach upon Tectonic and the applicable Data Subjects. In no case will Service Provider delay notification because of insufficient information but instead Service Provider will provide and supplement notifications as information becomes available;
(g) in cooperation with Tectonic and with the written consent and approval of Tectonic, use diligent efforts to promptly investigate (i) any Personal Data Breach and take all necessary and appropriate corrective action (as approved by Tectonic in writing) to remediate such breach and prevent a recurrence of such breach; (ii) any request for information from or complaint by a data protection authority/Supervisory Authority in relation to Personal Data that Service Provider Processes for the purpose of providing the Services; and (iii) any request to Service Provider by a Data Subject to exercise rights such as to access, rectify, amend, correct, share, delete or cease Processing his or her Personal Data;
(h) retain Personal Data for the longer of the time period necessary to perform the Processing Services or as required by applicable law. Unless otherwise required by EU or Member State law, upon expiration or termination of the applicable Statement of Work Service Provider will, consistent with Tectonic’s written instructions, return or safely destroy all Personal Data that Service Provider obtained in connection with performing the Services, including all originals and copies of such Personal Data in any medium, and any materials derived from or incorporating such Personal Data. Service Provider will promptly notify Tectonic in writing once all such information has been returned or destroyed (as applicable in accordance with Tectonic’s written instructions). Where continued storage is required by EU or Member State law, Service Provider will inform Tectonic of those requirements. The provisions of this Section 7.2 will continue to apply to Personal Data that Service Provider continues to store, and Service Provider will only Process such Personal Data to meet its legal obligations;
(i) allow Tectonic or its designee to audit compliance with this Section 7.2 in accordance with Section 2.7;
(j) immediately inform ▇▇▇▇▇▇▇▇ if, in the reasonable judgment of Service Provider, a written instruction of Tectonic regarding Processing Personal Data is in violation of applicable data protection laws;
(k) Process Personal Data only at the locations/territories set out in the applicable Statement of Work and not change such locations/territories without Tectonic’s express prior written consent; and
(l) ensure that transfers of Personal Data outside of the European Economic Area are made only pursuant to a framework deemed adequate and approved by the European Commission.