Data Processing Addendum.
This Data Processing Addendum (DPA) applies to the processing of personal data by the Vendor on behalf of the Client in connection with the provision of the service(s).
1. DEFINITIONS.
In this DPA, the following terms shall have the meanings set out below:
- “Controller(s)” means the legal person which, alone or jointly with others, is subject to the main obligations and responsibilities relating to the Processing of Personal Data as per the applicable Data Protection Laws.
- “Data Breach” means (i) any breach of security leading to the accidental or unlawful access, destruction, loss, disclosure of any Personal Data stored on the Processors’ equipment or (ii) any unlawful access to the Processors’ facilities or unauthorized access to such facilities resulting in loss, disclosure, or alteration of Personal Data stored and/or Processed in the same facilities.
- “Data Protection Laws” means all applicable laws, acts and regulations in connection with privacy and the Processing, collection, use and protection of Personal Data. Data Protection Laws include, but are not limited to, the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
- “Data Subject” means the natural person to whom Personal Data relates as defined in the applicable Data Protection Laws.
- “Data Subject Request” means a request from a Data Subject seeking to exercise its data protection rights, concerning the Processing of its Personal Data under the Agreement and in accordance with the applicable Data Protection Laws.
- “EU Standard Contractual Clauses” or “EU SCC” means the standard contractual clauses as approved by the European Union Commission Implementing Decision 2021/914 of 4 June 2021, as amended or supplemented from time to time.
- “International Data Transfer Mechanism” means any condition necessary, as per the applicable Data Protection Laws, for the Transfer of Personal Data to a recipient located in a Non-Adequate Country.
- “Non-Adequate Country” means a country not providing an adequate level of Personal Data protection pursuant to applicable Data Protection Laws or a decision of a Supervisory Authority.
- “Opella” means any company which, at the date of signature of the DPA or subsequently, is controlled by, controlling or under common control with Opella Healthcare Group SAS, with “control” meaning direct or indirect ownership of more than fifty per cent (50%) of the capital stock or the voting rights in said company.
- “Personal Data” means any information relating to an identified or identifiable person to be processed under the Agreement and this DPA.
- “Personnel” means any employees, representatives, or collaborators of the Parties.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
- “Processor(s)” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controllers.
- “Sub-Processor(s)” means a natural or legal person (including affiliate or subsidiary companies), public authority, agency or other body to whom the Processors may sub-contract a part of their Processing activities carried out on behalf of the Controllers.
- “Supervisory Authority” means an independent public authority responsible for monitoring the application of the applicable Data Protection Laws.
- “Transfer” means any transfers of Personal Data which are undergoing Processing or are intended for Processing after being sent or made accessible to a recipient in a Non-Adequate Country.
2. GENERAL OBLIGATIONS.
2.1. Compliance. In the execution of the Agreement, the Parties shall comply with their respective obligations as Processors and Controllers under applicable Data Protection Laws and pursuant to this DPA. If either Party cannot comply with this DPA and/or the applicable Data Protection Laws, it shall notify the other Party without unreasonable delay upon becoming aware of such inability.
2.2. Instructions. The Processors shall Process Personal Data (i) only according to this DPA and, (ii) only on documented instructions from the Controllers, including subsequent instructions throughout the performance of the Agreement. The Processors shall promptly inform the Controllers if, in the Processors’ opinion, such instructions infringe applicable Data Protection Laws.
When providing the Services, the Processors will not further combine, use, retain or disclose the Controllers’ Personal Data outside of the direct business relationships between the Processors and the Controllers or for any purpose other than to perform the Services and business purposes specified in the Agreement. The Processors will not sell or share the Controllers’ Personal Data as required by the applicable Data Protection Laws.
2.3. Instructions adaptation. The Controllers may adapt their instructions at no further costs and without unreasonable delay (i) to remediate any discovered breach of applicable Data Protection Laws or this DPA and/or (ii) take into account changes of the applicable Data Protection Laws, or (iii) in case of suspected or confirmed Data Breach. Any other instruction change shall be subject to applicable change control provisions under the Agreement. The Processors shall implement such changes without additional costs unless agreed between the Parties in accordance with the Agreement and without unreasonable delay.
2.4. Accountability and audit. The Processors shall make available to the Controllers all information necessary to demonstrate compliance with this DPA and the applicable Data Protection Laws.
Except as otherwise agreed in the Agreement, the Controllers shall have the right to audit and inspect, including through third parties, the Processors’ equipment or facilities during normal business hours, with reasonable notice and an advance-declared scope, to verify that Processing is being conducted strictly in accordance with the Controllers’ instructions and the applicable Data Protection Laws.
2.5. Pre-collected Personal Data. Should the Services involve the Processing of Personal Data collected by the Processors outside the scope of the Agreement or licensed to the Processors by a third party, the Processors, as independent Controllers, warrant that such Personal Data have been obtained in accordance with applicable Data Protection Laws and can be lawfully Processed as part of the Services.
3. SECURITY AND CONFIDENTIALITY.
3.1. Security. The Processors shall implement technical and organizational measures that provide reasonably appropriate safeguards against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the Controllers’ Personal Data. Such measures shall be implemented in accordance with industry standards and the Controllers’ security requirements as set forth in the relevant contractual document(s) or otherwise formally communicated to the Processors.
Subject to prior notification to the Controllers, the Processors may implement changes to the implementation of the security measures without the Controllers’ prior approvals exclusively to maintain or increase the level of security. The Processors shall regularly audit the effectiveness of these measures and, upon written request, disclose a summary report of such audit and tests consistent with internationally recognized standards, without prejudice to the Controllers’ audit rights as set forth herein.
3.2. Confidentiality. The Processors shall grant access to the Controllers’ Personal Data to its Personnel only to the extent that (i) it is strictly necessary for the performance of the Services, (ii) such Personnel is under a legal, statutory or contractual obligation of confidentiality that survives the termination of their engagement with the Processors and (iii) such Personnel has received proper training regarding the protection of Personal Data.
3.3. Technical expertise. The Processors must represent that they have the expertise, organization, assets and Personnel to implement the required technical and organizational measures to Process Personal Data and to protect the rights of Data Subjects according to applicable Data Protection Laws and this DPA.
4. SUB-PROCESSING.
4.1. Appointment of Sub-Processors. The Processors may engage Sub-Processors to provide certain Services on their behalf exclusively in accordance with the terms and conditions of the Agreement and this DPA. This DPA constitutes the Controllers’ prior written authorization for the subcontracting by the Processors of the Processing of Controllers’ Personal Data, provided that all conditions for subcontracting set forth by the Agreement and this DPA are met. The Processors shall carry out reasonable prior due diligence to ensure that the Sub-Processors are capable of providing the level of protection required by this DPA and applicable Data Protection Laws.
4.2. List of Sub-Processors. The Sub-Processors listed under section 6 of the DPA Details are currently engaged by the Processors to carry out Processing activities in scope with the Agreement. The Processors shall inform the Controllers in advance of any intended changes concerning the addition or replacement of the Sub-Processors. Within 30 (thirty) days from the notification, the Controllers can object to the proposed change on reasonable grounds relating to the protection of the Controllers’ Personal Data. In such a case, unless otherwise stipulated by the Agreement, the Processors shall have the right to cure the objection through one of the following options: (a) the Processors will not use the Sub-Processor for the Processing of the Controllers’ Personal Data; or (b) the Processors will take the corrective steps requested by the Controllers to remove the Controllers’ objection before using the Sub-Processor.
4.3. Obligations of Sub-Processors. The Sub-Processors shall be contractually bound to the Processors by substantially equivalent obligations as those set forth by this DPA. The Processors shall ensure that the Sub-Processors implement appropriate technical and organizational measures to meet the requirements of applicable Data Protection Laws and this DPA, including by way of regular audits. At the Controllers’ written request, the Processor shall provide, in a redacted form if necessary, copies of sub-processing agreements and audit reports.
4.4. Liability of Sub-Processor. The Processors shall remain fully liable towards the Controllers for the performance of the Sub-Processors’ obligations, as well as their actions and/or omissions. The Processors shall (i) promptly notify the Controllers in writing should a Sub-Processor fail to comply with this DPA and/or applicable Data Protection Laws and (ii) decommission the Sub-Processor from Processing the Controllers’ Personal Data.
5. PERSONAL DATA TRANSFERS MECHANISMS.
5.1. Transfers to Non-Adequate Countries. Transfers of Personal Data to Non-Adequate Countries are only permitted in the presence of a valid International Data Transfer Mechanism as required by applicable Data Protection Laws and as documented in Section 7 of the DPA Details. Where, according to applicable Data Protection Law, Data Subject consent is required for the Transfer of Personal Data, the Parties commit not to conduct the Transfer unless the appropriate consent has been obtained.
The Parties must evaluate on a case-by-case basis, prior to the Transfer, the necessity of additional security and/or contractual measures.
5.2. Transfer outside the EU/EEA. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the GDPR, the EU SCC apply. The EU SCC, including Module 2 Controller-to-Processor (“Module 2”) and Module 3 Processor-to-Processor (“Module 3”) are incorporated by reference and are entered into by entering into this DPA.
The Parties agree to amend the EU SCC as follows:
a. In the body of the EU SCC: (i) withdraw Clause 7 (Docking), (ii) withdraw Clause 11 (Redress), (iii) in Clause 13.a (Supervision) and Appendix I.C, the Supervisory Authority where the data exporter is located, as per Section 7 of the DPA Details, is selected, (iv) in Clause 17 (Governing law), the law of the country where the data exporter is located, as per Section 7 of the DPA Details, is selected, and (v) in Clause 18 (Choice of forum and jurisdiction), the courts where the data exporter is located, according to Section 7 of the DPA Details, are selected.
b. In Annex I.A.:
i. the data exporter’s name, roles, address, country and activity relevant to the Personal Data transferred under the EU SCC are all listed in Section 7 of the DPA Details;
ii. the data exporter’s contact person’s name, position and contact details are indicated in Section 1 of the DPA Details;
iii. the data importer’s name, roles, address, country and activity relevant to the Personal Data transferred under the EU SCC are all listed in Section 7 of the DPA Details;
iv. the data importer’s contact person’s name, position and contact details are indicated in Section 1 of the DPA Details;
c. The information required to complete Annex I.B and Annex II can be found in Sections 1, 7 and 10.1 of the DPA Details.
d. With regards to any Transfer listed in Section 7 of the DPA Details, the Personal Data is transferred on a continuous basis.
If the EU SCC are updated, and to the extent that the new EU SCC remain consistent with this DPA, the new EU SCC shall replace the former version of the EU SCC in this DPA on the day their use becomes mandatory.
5.3. Transfer outside the UK. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the United Kingdom (“UK”) Data Protection Act 2018 (“UK GDPR”), the EU SCC, as well as Section 5.2 above apply and the UK International Data Transfer Addendum to the EU SCC, entered into force on 21 March 2022 (as amended or supplemented from time to time) (“UK Addendum”), is incorporated by reference and is entered into by entering into this DPA.
The Parties agree to amend the UK Addendum as follows:
a. In the body of the approved EU SCC referenced in Section 5.2 above, to which the UK Addendum is appended: (i) the Information Commissioner’s Office is the competent Supervisory Authority as per Clause 13.a (Supervision) and Appendix I.C, (ii) the laws of the UK as per Clause 17 (Governing law) apply, (iii) the courts of the UK as per Clause 18 (Choice of forum and jurisdiction) are selected, (iv) references to the GDPR shall be replaced by the UK GDPR and references to specific Section(s) of the GDPR are replaced with the equivalent section(s) of the UK GDPR (if any), and (v) references to the Union, EU and EU Member State are all replaced with the UK.
b. The EU SCC’s Annexes are completed as per Section 5.2 (b) to (d).
c. In Table 4 of the UK Addendum, “Both Parties may end the UK Addendum as set out in Section 19 of the UK Addendum” is added in the section “Ending this Addendum when the Approved Addendum changes”.
d. The Alternative Part 2 Mandatory Clauses of the UK Addendum is selected.
5.4. Transfer outside Switzerland. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the Swiss Federal Act on Data Protection from September 1st, 2023 (“FADP”), Section 5.2 above and the EU SCC apply, with the following amendments: (i) the Swiss Federal Data Protection and Information Commissioner is the competent Supervisory Authority as per Clause 13.a (Supervision) and Appendix I.C, (ii) the governing law shall be the Swiss law in case the Transfer is exclusively subject to the FADP, as per Clause 17 (Governing law), (iii) the term EU Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland), and (iv) references to the GDPR shall also include the reference to the equivalent provisions of the FADP (as amended or replaced). The EU SCC’s Annexes are completed as per Section 5.2 (b) to (d).
5.5. Transfer outside Thailand. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the Thai Personal Data Protection Act (“PDPA”), Section 5.2 above and the EU SCC apply, with the following amendments: (i) the Personal Data Protection Committee is the competent Supervisory Authority as per Clause 13.a (Supervision) and Appendix I.C, (ii) the governing law shall be the Thai law in case the Transfer is exclusively subject to the PDPA, as per Clause 17 (Governing law), (iii) the term EU Member State must not be interpreted in such a way as to exclude Data Subjects in Thailand from the possibility of suing for their rights in their place of habitual residence (Thailand), and (iv) references to the GDPR shall also include the reference to the equivalent provisions of the PDPA (as amended or replaced). The EU SCC’s Annexes are completed as per Section 5.2 (b) to (d).
5.6. Alternative International Data Transfer Mechanisms for Transfers from the EU/EEA and/or the UK and/or Switzerland to the U.S. Where the Processors are located in the United States (“U.S.”) and Personal Data subject to the GDPR and/or UK GDPR and/or FADP are transferred to the U.S, the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (together “DPFs”) apply, where relevant, when (i) the Processors have valid and current DPFs self-certifications and (ii) the DPFs are in force.
In such case, the Processors warrant that they comply with the requirements of the applicable DPF. Should conditions (i) or (ii) no longer be met, the Processors shall promptly notify the Controllers and the EU SCC shall immediately and automatically govern such transfers in the place of the applicable DPF.
5.7. Transfers outside Argentina. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to Argentina’s Personal Data Protection Act No. 25.326 of 2000, the Parties involved in the Transfer undertake to stipulate an agreement based on the model clauses for International Transfer of Personal Data, adopted through the Provision DNPDP 60/2016.
5.8. Transfer outside India. Transfer of Personal Data subject to the Indian Digital Personal Data Protection Act is not permitted to countries specifically blacklisted by the Government of India.
5.9. Transfer outside the People’s Republic of China. The Processors shall not Transfer any Personal Data outside the People’s Republic of China (“PRC”) nor allow any third parties outside PRC to access Controllers’ Personal Data without the written consent of the Controllers. Where the Controllers consent to the Transfer of Personal Data to and/or by the Processors, the latter shall collaborate and assist the Controllers, in accordance with the applicable PRC’s laws and regulations, by (i) providing the required documentation to obtain the Transfer(s) approvals from the appropriate regulatory authorities and/or (ii) conducting security assessments and/or (iii) filing the applicable standard contractual clauses.
5.10. Transfer outside Russia. Before Personal Data subject to the Russian Federal Law on Personal Data is Transferred from Russia and if the Personal Data was collected in the territory of the Russian Federation, the Party conducting the Transfer undertakes that such Personal Data has been stored in the same territory before the Transfer occurs.
In addition, the Party conducting the Transfer undertakes to comply with Russian notification or authorization requirements to the local Supervisory Authority before the Transfer occurs.
5.11. Applicability of the EU SCC for other Data Protection Laws. The Parties undertake to adopt the EU SCC as an International Data Transfer Mechanism where the applicable Data Protection Law: (i) expressly deems the EU SCC a valid International Data Transfer Mechanism, or (ii) requires the Parties to enter into a specific agreement to regulate the Transfer of Personal Data, where no dedicated template is available, and the EU SCC provide substantially similar but no less protective safeguards. In these cases, Section 5.2 above applies, with the following amendments: (i) the Supervisory Authority in accordance with Clause 13 (Supervision) and Appendix I.C shall be the competent Supervisory Authority stated in the applicable Data Protection Laws, (ii) the governing law in accordance with Clause 17 (Governing law) shall be the law of the applicable country, (iii) the choice of forum and jurisdiction in accordance with Clause 18 (Choice of forum and jurisdiction) shall be the one applicable under the applicable country, (iv) references to the Union, EU and EU Member State are all replaced with the reference to the applicable country, and (v) any references to the GDPR shall include the reference to the equivalent provisions of the applicable Data Protection Laws. The EU SCC Annexes are completed as per Section 5.2 (b) to (d).
5.12. Transfers to Sub-Processors. In case of Transfer of Personal Data from Processor to a Sub-Processor located in a Non-Adequate Country, the Processors warrant that, where and to the extent required by the applicable Data Protection Laws, valid International Data Transfer Mechanisms are implemented.
6. DATA SUBJECT RIGHTS.
6.1. Data Subject Requests. The Controllers shall be exclusively in charge of responding to Data Subject Requests, unless the Processors are formally instructed to do so by the Controllers. The Processors shall promptly and without undue delay, notify the Controllers in writing, using the address specified in this DPA, of any Data Subject Request they may receive in relation to the Processing of the Controllers’ Personal Data under the Agreement. The Processors shall cooperate proactively with the Controllers and provide all relevant information to allow the Controllers to prepare and send a response to the Data Subject within the timeframe set forth by the applicable Data Protection Laws.
6.2. Management by Processors. If the Processors are instructed by the Controllers to respond directly to Data Subject Requests as set forth in this DPA, the Processors shall in any case: (i) communicate the request to the Controllers, (ii) acknowledge receipt to the Data Subject, (iii) cooperate with the Controllers to respond to the Data Subject, and (iv) after providing the response within the timeframe required by applicable Data Protection Laws, promptly provide a copy of the response to the Controllers and retain a copy of the response.
6.3. Information of Data Subjects. If the Controllers instruct the Processors to provide privacy notices to Data Subjects, and where applicable, to obtain their consent for the respective Processing activities, the Processors shall: (i) prior to collecting the Personal Data, use the privacy notice(s) or consent form provided by the Controllers, (ii) cooperate with the Controllers to provide such privacy notice, and as applicable, obtain the consent from Data Subjects, and (iii) retain evidence of the communication of the privacy notice and the collection of the Data Subject’s consent.
7. ASSISTANCE AND COOPERATION.
7.1. Assistance. The Processors shall provide reasonable assistance with the Controllers’ obligations to, where applicable, (i) carry out a privacy impact assessment, (ii) consult the competent Supervisory Authority, (iii) complete a transfer impact assessment, and (iv) ensure that Personal Data is accurate and up to date.
7.2. Supervisory Authority inspections. In case of inquiries or inspections by a Supervisory Authority against the Processors regarding the Processing of the Controllers’ Personal Data, and to the extent authorized under the applicable law, the Processors shall promptly and without undue delay, inform the Controllers in writing and duly cooperate with such inquiries and inspections.
In case of inquiries or inspections by any Supervisory Authority against the Controllers within the scope of the Agreement, the Processors shall provide diligent assistance to the Controllers, in particular by providing answers without undue delay. Upon request, the Processors shall provide all information pertaining to the Processing activities available to the competent Supervisory Authority, including information regarding compliance with applicable Data Protection Laws and the results of any audits.
7.3. Access to Personal Data by a government authority or others. Should a government authority, law enforcement or other public body demand access to the Controllers’ Personal Data, the Processors shall: (i) notify the Controllers of such request to enable them to take all necessary actions to communicate directly with the relevant authority and respond to such request, (ii) if the Processors are prohibited by law from notifying the Controllers of such request, they shall make the best reasonable efforts to challenge such prohibition and commit to providing the minimum amount of information permissible when responding, based on a reasonable interpretation of the order, and (iii) provide the Controllers with general information regarding any such requests received from a government or regulatory authority during the preceding 12-month period.
8. DATA BREACH.
8.1. Notification. The Processors shall promptly notify the Controllers, without undue delay and in any case within 24 hours after becoming aware of a Data Breach. The notification shall include all relevant information related to the Data Breach, as required under the applicable Data Protection Laws, including at least: (i) a description of the incident, (ii) the nature of the impacted Personal Data and the categories/volume of impacted Data Subjects, (iii) the name and contact details of the Processors’ data protection officer or any other relevant privacy point of contact, (iv) a description of the likely consequences of the Data Breach and, (v) the measures taken or proposed to be taken to mitigate its adverse effect. Depending on the circumstances, information may be provided in phases without further undue delay.
8.2. Cooperation. In the event of a Data Breach affecting the Services, the Processors shall provide diligent assistance to the Controllers to comply with their obligations under applicable Data Protection Laws, in particular regarding the Controllers’ obligation to: (i) where applicable, notify the competent Supervisory Authority and Data Subjects, (ii) provide the information referred to in Section 8.1 above, and (iii) determine and implement the relevant remediation or minimization measures.
9. SUSPENSION / TERMINATION.
9.1. Suspension right. In case of non-compliance by the Processors with their obligations under this DPA or applicable Data Protection Laws, the Controllers may require the suspension of the Processing activities by the Processors until they comply with applicable Data Protection Laws or this DPA and remediate the breach without (i) undue delay, and (ii) prejudice to Controllers’ termination rights set forth in the Agreement.
9.2. Deletion and restitution. Following the termination of the Agreement, the Processors shall: (i) cease the Processing activities, (ii) at the choice of the Controllers, delete all Personal Data Processed on behalf of the Controllers or return all Controllers’ Personal Data to the Controllers, (iii) certify such operations, and/or (iv) delete existing copies unless required by the applicable laws. Until the Personal Data is deleted or returned, the Processors shall continue to ensure compliance with this DPA and applicable Data Protection Laws.
10. FINAL PROVISIONS.
10.1. Point of contact. For any communications and official notifications under the DPA, as well as for any other inquiries regarding Personal Data matters, the Parties have appointed the points of contact as specified in section 1 above.
10.2. Contractual Personal Data. The Parties acknowledge that, for the exclusive purposes of managing the contractual relationship and complying with applicable regulatory requirements, they may communicate Personal Data concerning their Personnel (such as names, professional contact details etc.) to each other. For this purpose, each Party shall be considered as independent Controller and shall conduct its own Processing activities in accordance with its obligations under applicable Data Protection Laws.
10.3. Liability. Unless the Agreement provides a specific liability mechanism regarding data protection obligations, the Processors shall be fully accountable and liable in the event of any breach under this DPA and/or applicable Data Protection Laws without being subject to any limitation or exclusions of liability.
10.4. Waiver. No waiver by either Party of a breach of any term of this DPA by the Processors shall constitute a waiver of any other breach of this DPA.
10.5. Severability. Should any provisions of this DPA be held to be void, invalid, illegal or unenforceable in any respect, no other provision of this DPA shall be affected thereby. In such case however, the Parties shall promptly negotiate in good faith to adjust such provisions of this DPA as necessary to comply with applicable Data Protection Laws and the governing law stated in the section below.
10.6. Governing Law. The validity, performance, construction and termination of this DPA shall be governed by the laws governing the Agreement.