Global Data Processing Addendum.
This Global Data Processing Addendum (DPA) applies to the processing of personal data by the Vendor on behalf of the Client in connection with the provision of the Service(s).
1. DEFINITIONS.
In this DPA, the following terms shall have the meanings set out below:
- Agreement means either: (i) a purchase order issued by the Client and sent to the Vendor by post or internet electronic file transfer containing the binding request to execute the Service(s) which sets forth the specific terms and conditions for the performance of the Service(s) and the acceptance of the same by the Vendor, whether expressly or by conduct implying an intent (such as, by way of example and not of limitation: if the Contractor starts execution of the Service), and/or (ii) a specific contract/other written agreement between the Parties which sets forth the specific terms and conditions for the performance of the Service(s).
- ASEAN SCC means the ASEAN Model Contractual Clauses for Cross-Border Data Flows, as published by the Association of Southeast Asian Nations (ASEAN) and available at https://asean.org.
- Brazil SCC means the standard contractual clauses set out in the International Data Transfer Regulation (Resolution CD/ANPD No. 19, of August 23, 2024), by the Brazilian National Data Protection Authority (“ANPD”).
- Client means the company belonging to Opella requesting the Service(s) under the Agreement. The Client may be either the Controller, one of the Controllers, or a Processor processing data on behalf of one or more Opella Controllers.
- Controller(s) means the legal person which, alone or jointly with others, is subject to the main obligations and responsibilities relating to the Processing of Personal Data as per the applicable Data Protection Laws.
- Data Breach means (i) any breach of security leading to the accidental or unlawful access, destruction, loss, disclosure of any Personal Data stored on the Processors’ equipment or (ii) any unlawful access to the Processors’ facilities or unauthorized access to such facilities resulting in loss, disclosure, or alteration of Personal Data stored and/or Processed in the same facilities.
- Data Protection Laws means all applicable laws, acts and regulations in connection with privacy and the Processing, collection, use and protection of Personal Data. Data Protection Laws includes, but is not limited to, the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
- Data Subject means the natural person to whom Personal Data relates as defined in the applicable Data Protection Laws.
- Data Subject Request means a request from a Data Subject seeking to exercise its data protection rights, concerning the Processing of its Personal Data under the Agreement and in accordance with the applicable Data Protection Laws.
- EU Standard Contractual Clauses or EU SCC means the standard contractual clauses as approved by the European Union Commission Implementing Decision 2021/914 of 4 June 2021, as amended or supplemented from time to time.
- International Data Transfer Mechanism means any condition necessary, as per the applicable Data Protection Laws, for the Transfer of Personal Data to a recipient located in a Non-Adequate Country.
- IADPN SCC means the Ibero-American Data Protection Network SCCs, as published by the Ibero-American Data Protection Network and available at https://www.redipd.org/en/document/annex-model-contractual-clauses-en.pdf.
- Non-Adequate Country means a country not providing an adequate level of Personal Data protection pursuant to applicable Data Protection Laws or a decision of a Supervisory Authority.
- Opella means any company which, at the date of signature of the DPA or subsequently, is controlled by, controlling or under common control with Opella Healthcare Group SAS, with “control” meaning direct or indirect ownership of more than fifty per cent (50%) of the capital stock or the voting rights in said company.
- Party and Parties mean, respectively, the Client or the Vendor individually and both the Client and the Vendor collectively.
- Personal Data means any information relating to an identified or identifiable person to be processed under the Agreement and this DPA.
- Personnel means any employees, representatives, or collaborators of the Parties.
- Process or Processing means any operation or set of operations which is performed on Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
- Processor(s) means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controllers.
- SDAIA SCC means the Saudi Data & AI Authority (SDAIA) Standard Contractual Clauses for Personal Data Transfer.
- Service(s) means all the activities that the Client requires from the Vendor in a specific Agreement and specifically identified therein.
- Sub-Processor(s) means a natural or legal person (including affiliate or subsidiary companies), public authority, agency or other body to whom the Processors may sub-contract a part of their Processing activities carried out on behalf of the Controllers.
- Supervisory Authority means an independent public authority responsible for monitoring the application of the applicable Data Protection Laws.
- Transfer means any transfers of Personal Data which are undergoing Processing or are intended for Processing after being sent or made accessible to a recipient in a country subject to a different Data Protection Law.
- Vendor means the company providing the Service(s) under the Agreement. For the purpose of this DPA, the Vendor is always meant as a Processor or as a Sub-Processor, as the case may be.
2. GENERAL OBLIGATIONS.
2.1. Compliance. In the execution of the Agreement, the Parties shall comply with their respective obligations as Processors and Controllers under applicable Data Protection Laws and pursuant to this DPA. If either Party cannot comply with this DPA and/or the applicable Data Protection Laws, it shall notify the other Party without unreasonable delay upon becoming aware of such inability.
2.2. Instructions. The Processors shall Process Personal Data (i) only according to this DPA, (ii) only within the scope and limits set forth in the Data Processing Details included in the Agreement ("DPA Details") and, (iii) only on documented instructions from the Controllers as provided in sections 2 to 5 of the DPA Details, including subsequent instructions throughout the performance of the Agreement. The Processors shall promptly inform the Controllers if, in the Processors' opinion, such instructions infringe applicable Data Protection Laws. When providing the Services, the Processors will not further combine, use, retain or disclose the Controllers' Personal Data outside of the direct business relationships between the Processors and the Controllers or for any purpose other than to perform the Services and business purposes specified in the Agreement. The Processors will not sell or share the Controllers' Personal Data as required by the applicable Data Protection Laws.
2.3. Instructions adaptation. The Controllers may adapt their instructions at no further costs and without unreasonable delay (i) to remediate any discovered breach of applicable Data Protection Laws or this DPA and/or (ii) take into account changes of the applicable Data Protection Laws, or (iii) in case of suspected or confirmed Data Breach. Any other instruction change shall be subject to applicable change control provisions under the Agreement. The Processors shall implement such changes without additional costs unless agreed between the Parties in accordance with the Agreement and without unreasonable delay.
2.4. Accountability and audit. The Processors shall make available to the Controllers all information necessary to demonstrate compliance with this DPA and the applicable Data Protection Laws. Except as otherwise agreed in the Agreement, the Controllers shall have the right to audit and inspect, including through third parties, the Processors' equipment or facilities during normal business hours, with reasonable notice and an advance-declared scope, to verify that Processing is being conducted strictly in accordance with the Controllers' instructions and the applicable Data Protection Laws.
2.5. Pre-collected Personal Data. Should the Services involve the Processing of Personal Data collected by the Processors outside the scope of the Agreement or licensed to the Processors by a third-party, the Processors, as independent Controllers, warrant that such Personal Data have been obtained in accordance with applicable Data Protection Laws and can be lawfully Processed as part of the Services.
3. SECURITY AND CONFIDENTIALITY.
3.1. Security. The Processors shall implement technical and organizational measures that provide reasonably appropriate safeguards against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the Controllers' Personal Data. Such measures shall be implemented in accordance with industry standards and the Controllers' security requirements as set forth in the relevant contractual document(s) or otherwise formally communicated to the Processors. Subject to prior notification to the Controllers, the Processors may implement changes to the implementation of the security measures without the Controllers' prior approvals exclusively to maintain or increase the level of security. The Processors shall regularly audit the effectiveness of these measures and, upon written request, disclose a summary report of such audit and tests consistent with internationally recognized standards, without prejudice to the Controllers' audit rights as set forth herein.
3.2. Confidentiality. The Processors shall grant access to the Controllers' Personal Data to its Personnel only to the extent that (i) it is strictly necessary for the performance of the Services, (ii) such Personnel is under a legal, statutory or contractual obligation of confidentiality that survives the termination of their engagement with the Processors and (iii) such Personnel has received proper training regarding the protection of Personal Data.
3.3. Technical expertise. The Processors must represent that they have the expertise, organization, assets and Personnel to implement the required technical and organizational measures to Process Personal Data and to protect the rights of Data Subjects according to applicable Data Protection Laws and this DPA.
4. SUB-PROCESSING.
4.1. Appointment of Sub-Processors. The Processors may engage Sub-Processors to provide certain Services on their behalf exclusively in accordance with the terms and conditions of the Agreement and this DPA. This DPA constitutes the Controllers' prior written authorization for the subcontracting by the Processors of the Processing of Controllers' Personal Data, provided that all conditions for subcontracting set forth by the Agreement and this DPA are met. The Processors shall carry out reasonable prior due diligence to ensure that the Sub-Processors are capable of providing the level of protection required by this DPA and applicable Data Protection Laws.
4.2. List of Sub-Processors. The Sub-Processors listed under section 6 of the DPA Details are currently engaged by the Processors to carry out Processing activities in scope with the Agreement. The Processors shall inform the Controllers in advance of any intended changes concerning the addition or replacement of the Sub-Processors. Within 30 (thirty) days from the notification, the Controllers can object to the proposed change on reasonable grounds relating to the protection of the Controllers' Personal Data. In such a case, unless otherwise stipulated by the Agreement, the Processors shall have the right to cure the objection through one of the following options: (a) the Processors will not use the Sub-Processor for the Processing of the Controllers' Personal Data; or (b) the Processors will take the corrective steps requested by the Controllers to remove the Controllers' objection before using the Sub-Processor.
4.3. Obligations of Sub-Processors. The Sub-Processors shall be contractually bound to the Processors by substantially equivalent obligations as those set forth by this DPA. The Processors shall ensure that the Sub-Processors implement appropriate technical and organizational measures to meet the requirements of applicable Data Protection Laws and this DPA, including by way of regular audits. At the Controllers' written request, the Processor shall provide, in a redacted form if necessary, copies of sub-processing agreements and audit reports.
4.4. Liability of Sub-Processor. The Processors shall remain fully liable towards the Controllers for the performance of the Sub-Processors' obligations, as well as their actions and/or omissions. The Processors shall (i) promptly notify the Controllers in writing should a Sub-Processor fail to comply with this DPA and/or applicable Data Protection Laws and (ii) decommission the Sub-Processor from Processing the Controllers' Personal Data.
5. PERSONAL DATA TRANSFERS.
5.1. Transfers to Non-Adequate Countries. Transfers of Personal Data to Non-Adequate Countries are only permitted in the presence of a valid International Data Transfer Mechanism as required by applicable Data Protection Laws and as documented in section 7 of the DPA Details. Where, according to applicable Data Protection Law, Data Subject consent is required for the Transfer of Personal Data, the Parties commit not to conduct the Transfer unless the appropriate consent has been obtained. The Parties must evaluate on a case-by-case basis, prior to the Transfer, the necessity of additional security and/or contractual measures.
5.2. Transfer outside the EU/EEA. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the GDPR, the EU SCC apply. The EU SCC, including Module 2 Controller-to-Processor ("Module 2") and Module 3 Processor-to-Processor ("Module 3") are incorporated by reference and are entered into by entering into this DPA. The Parties agree to amend the EU SCC as follows:
a. In the body of the EU SCC: (i) withdraw Clause 7 (Docking), (ii) withdraw Clause 11 (Redress), (iii) in clause 13.a (Supervision) and Appendix I.C, the Supervisory Authority where the data exporter is located, as per Section 7 of the DPA Details, is selected, (iv) in Clause 17 (Governing law), the law of the country where the data exporter is located, as per Section 7 of the DPA Details, is selected, and (v) in Clause 18 (Choice of forum and jurisdiction), the courts where the data exporter is located, according to Section 7 of the DPA Details, are selected.
b. In Annex I.A.:
i. the data exporter's name, roles, address, country and activity relevant to the Personal Data transferred under the EU SCC are all listed in Section 7 of the DPA Details;
ii. the data exporter's contact person's name, position and contact details are indicated in Section 1 of the DPA Details;
iii. the data importer's name, roles, address, country and activity relevant to the Personal Data transferred under the EU SCC are all listed in Section 7 of the DPA Details;
iv. the data importer's contact person's name, position and contact details are indicated in Section 1 of the DPA Details;
c. The information required to complete the Annex I.B and Annex II can be found in Sections 1, 7 and 10.1 of the DPA Details.
d. With regards to any Transfer listed in Section 7 of the DPA Details, the Personal Data is transferred on a continuous basis.
If the EU SCC were updated, and to the extent of the new EU SCC remaining consistent with the DPA, the new EU SCC shall replace the former version of the EU SCC in this DPA on the day their use becomes mandatory.
5.3. Transfer outside the UK. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the United Kingdom ("UK") Data Protection Act 2018 ("UK GDPR"), the EU SCC, as well as Section 5.2 above apply and the UK International Data Transfer Addendum to the EU SCC, entered into force on 21 March 2022 (as amended or supplemented from time to time) ("UK Addendum"), is incorporated by reference and is entered into by entering into this DPA. The Parties agree to amend the UK Addendum as follows:
a. In the body of the approved EU SCC referenced in Section 5.2 above, to which the UK Addendum is appended: (i) the Information Commissioner's Office is the competent Supervisory Authority as per Clause 13.a (Supervision) and Appendix I.C, (ii) the laws of the UK as per Clause 17 (Governing law) apply, (iii) the courts of the UK as per Clause 18 (Choice of forum and jurisdiction) are selected, (iv) references to the GDPR shall be replaced by the UK GDPR and references to specific Section(s) of the GDPR are replaced with the equivalent section(s) of the UK GDPR (if any), and (v) references to the Union, EU and EU Member State are all replaced with the UK.
b. The EU SCC's Annexes are completed as per Section 5.2 (b) to (d).
c. In Table 4 of the UK Addendum, "Both Parties may end the UK Addendum as set out in Section 19 of the UK Addendum" is added in the section "Ending this Addendum when the Approved Addendum changes".
d. The Alternative Part 2 Mandatory Clauses of the UK Addendum is selected.
5.4. Transfer outside Switzerland. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the Swiss Federal Act on Data Protection from September 1st, 2023 ("FADP"), Section 5.2 above and the EU SCC apply, with the following amendments: (i) the Swiss Federal Data Protection and Information Commissioner is the competent Supervisory Authority as per Clause 13.a (Supervision) and Appendix I.C, (ii) the governing law shall be the Swiss law in case the Transfer is exclusively subject to the FADP, as per Clause 17 (Governing law), (iii) the term EU Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland), and (iv) references to the GDPR shall also include the reference to the equivalent provisions of the FADP (as amended or replaced). The EU SCC's Annexes are completed as per Section 5.2 (b) to (d).
5.5. Alternative International Data Transfer Mechanisms for Transfers from the EU/EEA and/or the UK and/or Switzerland to the U.S. Where the Processors are located in the United States ("U.S.") and Personal Data subject to the GDPR and/or UK GDPR and/or FADP are transferred to the U.S., the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (together "DPFs") apply, where relevant, when (i) the Processors have valid and current DPFs self-certifications and (ii) the DPFs are in force. In such case, the Processors warrant that they comply with the requirements of the applicable DPF. Should conditions (i) or (ii) no longer be met, the Processors shall promptly notify the Controllers and the EU SCC shall immediately and automatically govern such transfers in the place of the applicable DPF.
5.6. Transfer outside Turkey. When Personal Data is Transferred from Turkey, the exporter undertakes that, with regard to such specific Transfer, it has obtained either (i) appropriate consent from relevant Data Subjects, according to applicable Data Protection Laws, or (ii) a permission from the competent Supervisory Authority based on an additional agreement with the importer(s).
5.7. Transfer outside South Korea. When Personal Data is Transferred from South Korea, the exporter undertakes that, with regard to such specific Transfer, it has informed the Data Subjects and obtained appropriate consent from them unless otherwise allowed by the law, according to Personal Information Protection Act 2011 (PIPA).
5.8. Transfer outside India. Transfer of Personal Data subject to the Indian Digital Personal Data Protection Act is not permitted to countries specifically blacklisted by the Government of India.
5.9. Transfer outside the People's Republic of China. The Processors shall not Transfer any Personal Data outside the People's Republic of China ("PRC") nor allow any third parties outside PRC to access Controllers' Personal Data without the written consent of the Controllers. Where the Controllers consent to the Transfer of Personal Data to and/or by the Processors, the latter shall collaborate and assist the Controllers, in accordance with the applicable PRC's laws and regulations, by (i) providing the required documentation to obtain the Transfer(s) approvals from the appropriate regulatory authorities and/or (ii) conducting security assessments and/or (iii) filing the applicable standard contractual clauses.
5.10. Transfer outside Brazil. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the Data Protection Law applicable in Brazil, the Brazil SCC apply. The Brazil SCC are incorporated by reference and are entered into by entering into this DPA. The Parties agree to amend the Brazil SCC as follows:
a. in Clause 2 (Object),
i. the description of the international data transfer, the categories of personal data transferred and other information are those in Section 7 of the DPA Details,
ii. the Main purposes of the international data transfer is the provision of the service described in Section 1 of the DPA Details,
iii. the Data retention period is the duration of the Service as described in the Agreement.
b. under Clause 3.1, Option B is selected to allow for subsequent transfer, and the details concerning the transfer are the same included in Clause 2,
c. in Section III, the applicable security measures are those adopted by the importer pursuant to Section 3 of the DPA,
d. the exporters indicated in Section 1 of the DPA Details are responsible for the activities indicated at Clause 4.
If the Brazil SCC were updated, and to the extent of the new Brazil SCC remaining consistent with the DPA, the new Brazil SCC shall replace the former version of the Brazil SCC in this DPA on the day their use becomes mandatory.
5.11. Transfer outside ASEAN Member States (Singapore, Malaysia, Indonesia, Philippines, Thailand, Vietnam). Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the laws applicable to one or more ASEAN Member States, Module 1 of the ASEAN SCC applies. Module 1 of the ASEAN SCC is incorporated by reference and is entered into by entering into this DPA. The Parties agree to amend Module 1 of the ASEAN SCC as follows:
a. all the optional language does not apply,
b. Clause 3.10 is completed to indicate that the data exporter shall be notified without undue delay,
c. The descriptions required under Appendix A are those in Section 7 of the DPA Details.
If the ASEAN SCC were updated, and to the extent of the new ASEAN SCC remaining consistent with the DPA, the new ASEAN SCC shall replace the former version of the ASEAN SCC in this DPA on the day their use becomes mandatory.
5.12. Transfer outside Argentina, Colombia, Ecuador, Mexico, Panama and Peru. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the laws applicable to Argentina, Colombia, Ecuador, Mexico, Panama or Peru, Module 2 of the IADPN SCC applies. Module 2 of the IADPN SCC is incorporated by reference and is entered into by entering into this DPA. The Parties agree to amend Module 2 of the IADPN SCC as follows:
a. The information identifying the parties are those in Section 1 and Section 7 of the DPA Details,
b. The information required under Annex B are those in Section 7 of the DPA, except for the Frequency of transfer which is agreed to be continuous, and the Term which is agreed to be the same as that of the Agreement,
c. Annex C references Section 3 of the DPA.
If the IADPN SCC were updated, and to the extent of the new IADPN SCC remaining consistent with the DPA, the new IADPN SCC shall replace the former version of the IADPN SCC in this DPA on the day their use becomes mandatory.
5.13. Transfer outside Saudi Arabia. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the laws applicable to Saudi Arabia, the Controller to Processor template (Second template) of the SDAIA SCC applies. The Controller to Processor template (Second template) of the SDAIA SCC is incorporated by reference and is entered into by entering into this DPA. The Parties agree to amend the Controller to Processor template (Second template) of the SDAIA SCC as follows:
a. The information required in Appendix 1 and Appendix 2 of the SDAIA SCC are those in Section 1 and Section 7 of the DPA Details.
b. The information required in Appendix 3 of the SDAIA SCC are those in Section 3 of the DPA.
If the SDAIA SCC were updated, and to the extent of the new SDAIA SCC remaining consistent with the DPA, the new SDAIA SCC shall replace the former version of the SDAIA SCC in this DPA on the day their use becomes mandatory.
5.14. Transfer outside the United States of America (U.S.). The Processors shall not Transfer any Bulk Sensitive Personal Data outside the U.S. to any entity or individual located in, or subject to the jurisdiction of, a Country of Concern, nor shall they permit any such entity or individual to access the Controllers' Bulk Sensitive Personal Data, without the prior written authorization of the Controllers. Where the Controllers provide such authorization, the Processors shall cooperate with and support the Controllers in accordance with applicable U.S. laws and regulations, including Executive Order 14117 and 28 C.F.R. Part 202, by (i) conducting and documenting appropriate due diligence and risk assessments, (ii) implementing technical and organizational safeguards to mitigate the risk of unauthorized access, and/or (iii) ensuring that any onward transfers are subject to contractual terms that reflect equivalent restrictions and obligations. For the purposes of this clause:
a. "Bulk Sensitive Personal Data" refers to large-scale datasets containing information on U.S. persons that includes, but is not limited to, biometric identifiers, genetic data, health records, financial information, precise geolocation data, and personal identifiers that could be used to infer sensitive attributes or behaviors. The term also encompasses U.S. government-related data as defined by the U.S. Department of Justice.
b. "Countries of Concern" means any foreign nation designated by the U.S. Department of Justice as posing a national security risk under Executive Order 14117. As of the effective date of this Agreement, these include the People's Republic of China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
5.15. Applicability of the EU SCC for other Data Protection Laws. The Parties undertake to adopt the EU SCC as an International Data Transfer Mechanism where the applicable Data Protection Law: (i) expressly deems the EU SCC as a valid International Data Transfer Mechanism, or (ii) requires the Parties to enter into a specific agreement to regulate the Transfer of Personal Data, where no dedicated template is available, and the EU SCC provide substantially similar but no less protective safeguards. In these cases, Section 5.2 above applies, with the following amendments: (i) the Supervisory Authority in accordance with Clause 13 (Supervision) and Appendix I.C shall be the competent Supervisory Authority stated in the applicable Data Protection Laws, (ii) the governing law in accordance with Clause 17 (Governing law) shall be the law of the applicable country, (iii) the choice of forum and jurisdiction in accordance with Clause 18 (Choice of forum and jurisdiction) shall be the one applicable under the applicable country, (iv) references to the Union, EU and EU member state are all replaced with the reference to the applicable country, and (v) any references to the GDPR shall include the reference to the equivalent provisions of the applicable Data Protection Laws. The EU SCC Annexes are completed as per Section 5.2 (b) to (d).
5.16. Transfers to Sub-Processors. In case of Transfer of Personal Data from Processor to a Sub-Processor located in a Non-Adequate Country, the Processors warrant that, where and to the extent required by the applicable Data Protection Laws, valid International Data Transfer Mechanisms are implemented.
6. DATA SUBJECT RIGHTS.
6.1. Data Subject Requests. The Controllers shall be exclusively in charge of responding to Data Subject Requests, unless the Processors are formally instructed to do so by the Controllers in section 5 of the DPA Details. The Processors shall promptly and without undue delay, notify the Controllers in writing, using the address specified in this DPA, of any Data Subject Request they may receive in relation to the Processing of the Controllers' Personal Data under the Agreement. The Processors shall cooperate proactively with the Controllers and provide all relevant information to allow the Controllers to prepare and send a response to the Data Subject within the timeframe set forth by the applicable Data Protection Laws.
6.2. Management by Processors. If the Processors are instructed by the Controllers to respond directly to Data Subject Requests, as set forth in section 5 of the DPA Details, the Processors shall in any case: (i) communicate the request to the Controllers, (ii) acknowledge receipt to the Data Subject, (iii) cooperate with the Controllers to respond to the Data Subject, and (iv) after providing the response within the timeframe required by applicable Data Protection Laws, promptly provide a copy of the response to the Controllers and retain a copy of the response.
6.3. Information of Data Subjects. If the Controllers instruct the Processors to provide privacy notices to Data Subjects, as set forth in section 5 of the DPA Details, and where applicable, to obtain their consent for the respective Processing activities, the Processors shall: (i) prior to collecting the Personal Data, use the privacy notice(s) or consent form provided by the Controllers, (ii) cooperate with the Controllers to provide such privacy notice, and as applicable, obtain the consent from Data Subjects, and (iii) retain evidence of the communication of the privacy notice and the collection of the Data Subject's consent.
7. ASSISTANCE AND COOPERATION.
7.1. Assistance. The Processors shall provide reasonable assistance with the Controllers' obligations to, where applicable, (i) carry out a privacy impact assessment, (ii) consult the competent Supervisory Authority, (iii) complete a transfer impact assessment, and (iv) ensure that Personal Data is accurate and up-to-date.
7.2. Supervisory Authority inspections. In case of inquiries or inspections by a Supervisory Authority against the Processors regarding the Processing of the Controllers' Personal Data, and to the extent authorized under the applicable law, the Processors shall promptly and without undue delay, inform the Controllers in writing and duly cooperate with such inquiries and inspections. In case of inquiries or inspections by any Supervisory Authority against the Controllers within the scope of the Agreement, the Processors shall provide diligent assistance to the Controllers, in particular by providing answers without undue delay. Upon request, the Processors shall provide all information pertaining to the Processing activities available to the competent Supervisory Authority, including information regarding compliance with applicable Data Protection Laws and the results of any audits.
7.3. Access to Personal Data by a government authority or others. Should a government authority, law enforcement or other public body demand access to the Controllers' Personal Data, the Processors shall: (i) notify the Controllers of such request to enable them to take all necessary actions to communicate directly with the relevant authority and respond to such request, (ii) if the Processors are prohibited by law from notifying the Controllers of such request, they shall make the best reasonable efforts to challenge such prohibition and commit to providing the minimum amount of information permissible when responding, based on a reasonable interpretation of the order, and (iii) provide the Controllers with general information regarding any such requests received from a government or regulatory authority during the preceding 12-month period.
8. DATA BREACH.
8.1. Notification. The Processors shall promptly notify the Controllers, without undue delay and in any case within 24 hours after becoming aware of a Data Breach. The notification shall include all relevant information related to the Data Breach, as required under the applicable Data Protection Laws, including at least: (i) a description of the incident, (ii) the nature of the impacted Personal Data and the categories/volume of impacted Data Subjects, (iii) the name and contact details of the Processors' data protection officer or any other relevant privacy point of contact, (iv) a description of the likely consequences of the Data Breach, and (v) the measures taken or proposed to be taken to mitigate its adverse effect. Depending on the circumstances, information may be provided in phases without further undue delay.
8.2. Cooperation. In the event of a Data Breach affecting the Services, the Processors shall provide diligent assistance to the Controllers to comply with their obligations under applicable Data Protection Laws, in particular regarding the Controllers' obligation to: (i) where applicable, notify the competent Supervisory Authority and Data Subjects, (ii) provide the information referred to in Section 8.1 above, and (iii) determine and implement the relevant remediation or minimization measures.
9. SUSPENSION/TERMINATION.
9.1. Suspension right. In case of non-compliance by the Processors with their obligations under this DPA or applicable Data Protection Laws, the Controllers may require the suspension of the Processing activities by the Processors until they comply with applicable Data Protection Laws or this DPA and remediate the breach without (i) undue delay, and (ii) prejudice to Controllers' termination rights set forth in the Agreement.
9.2. Deletion and restitution. Following the termination of the Agreement, the Processors shall: (i) cease the Processing activities, (ii) at the choice of the Controllers, delete all Personal Data Processed on behalf of the Controllers or return all Controllers' Personal Data to the Controllers, (iii) certify such operations, and/or (iv) delete existing copies unless required by the applicable laws. Until the Personal Data is deleted or returned, the Processors shall continue to ensure compliance with this DPA and applicable Data Protection Laws.
10. FINAL PROVISIONS.
10.1. Point of contact. For any communications and official notifications under the DPA, as well as for any other inquiries regarding Personal Data matters, the Parties have appointed the points of contact as specified in section 1 above.
10.2. Contractual Personal Data. The Parties acknowledge that, for the exclusive purposes of managing the contractual relationship and complying with applicable regulatory requirements, they may communicate Personal Data concerning their Personnel (such as names, professional contact details, etc.) to each other. For this purpose, each Party shall be considered an independent Controller and shall conduct its own Processing activities in accordance with its obligations under applicable Data Protection Laws.
10.3. Liability. Unless the Agreement provides a specific liability mechanism regarding data protection obligations, the Processors shall be fully accountable and liable in the event of any breach under this DPA and/or applicable Data Protection Laws without being subject to any limitation or exclusions of liability.
10.4. Waiver. No waiver by either Party of a breach of any term of this DPA by the Processors shall constitute a waiver of any other breach of this DPA.
10.5. Severability. Should any provisions of this DPA be held to be void, invalid, illegal or unenforceable in any respect, no other provision of this DPA shall be affected thereby. In such case however, the Parties shall promptly negotiate in good faith to adjust such provisions of this DPA as necessary to comply with applicable Data Protection Laws and the governing law stated in the section below.
10.6. Governing Law. The validity, performance, construction and termination of this DPA shall be governed by the laws governing the Agreement.