Data Processing Addendum
Physicians as Controller, MedaSystems as Processor
1. Definitions
In this “Addendum”, the following words and expressions have the following meanings:
“Company” means MedaSystems, Inc.;
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Supervisory Authority” all have the meanings given to those terms in Data Protection Laws (and related terms such as “Process”, “Processes” and “Processed” shall have corresponding meanings). “Controller” includes a “Business” and “Processor” includes a service provider or contractor, each as defined under the CCPA;
“Data Protection Laws” means all applicable laws and regulations relating to data protection and privacy as applicable to the parties and/or to the Processing of Personal Data under the Agreement, including without limitation, the CCPA, the EU General Data Protection Regulation 2016/679 (“EU GDPR”), the EU GDPR in such form as incorporated into the laws of the United Kingdom (“UK GDPR”), the UK Data Protection Act 2018, the Swiss New Federal Act on Data Protection 2023 (“FADP”), and all applicable U.S. federal and state privacy laws, including without limitation the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”), Virginia Consumer Data Protection Act, Colorado Privacy Act, Utah Consumer Privacy Act, in each case including any associated implementing legislation and regulations, as in force, and as amended, supplemented or replaced from time to time;
“EU Controller to Processor Standard Contractual Clauses” means the Annex to the European Commission’s decision of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to third countries which do not ensure an adequate level of data protection pursuant to the EU GDPR, with “Module 2” selected (which covers transfers of Personal Data from a Controller to Processor);
“Physician Personal Data” means Personal Data Processed by Company as Processor on behalf of a physician (as Controller) who uses the Services (each, a “Physician”) pursuant to the Expanded Access Case Management Platform Terms of Service (as amended from time to time) (the “Terms of Service”).
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Physician Personal Data. A Personal Data Breach will not include unsuccessful attempts or activities that do not compromise the security of Physician Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems;
“Sell” or “Share” have the meaning given to them under Data Protection Laws;
“Services” means MedaSystems’ secure cloud-based communication and content management platform enabling the management and processing of requests for access to investigational drugs;
“Sub-Processor” means any vendor, supplier or subcontractor of Company authorized to Process Physician Personal Data on behalf of Company; and
“UK International Data Transfer Addendum” means the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (as it is revised under its Section 18) to facilitate the international transfer of Personal Data in compliance with the UK GDPR.
2. Data Processing Details and Compliance
2.1 Company shall be an independent Controller with respect to its Processing of Personal Data in connection with the execution and administration of the Services (including contact details of its customer’s personnel/representatives); processing of initial requests submitted on the Services by patients and caregivers; creation and maintenance of user accounts on the Services; and the anonymization of Personal Data to perform analysis for the purposes of improving the Services. The parties agree that the Personal Data described under this Section 2.1 does not form part of Physician Personal Data and Company shall comply with its obligations as a Controller with respect to such Personal Data.
2.2 Subject to Section 2.1 of this Addendum, the parties acknowledge that in respect of Physician Personal Data, Company is a Processor Processing Personal Data on behalf of the Physician as Controller. Each party shall comply with its obligations under Data Protection Laws as relates to Physician Personal Data.
2.3 Details of Physician Personal Data Processed by Company as a Processor for Physician under the Agreement are as follows:
(a) Subject Matter, Nature and Purpose of Processing. Company’s provision of the Services pursuant to the Terms of Service. The frequency of transfers of Physician Personal Data from the Physician to Company will be continuous and any transfers of Physician Personal Data to Sub-Processors shall be in line with the subject matter, nature and duration of the Processing identified above.
(b) Duration of Processing. Processing of Physician Personal Data by Company shall be for the period during which the Physician has access to the Services pursuant to the Terms of Service, and in accordance with Company’s applicable retention obligations.
(c) Personal Data in Scope. Personal Data of Data Subjects processed for the purposes of the Services: (i) Information provided by Physicians in connection with submitting an initial request to a customer of MedaSystems (including name and medical specialty) and subsequent interactions between physician and the customer via the Services (including name, contact details, employer/company name, medical specialty, professional licensure, and professional affiliations); (ii) de-identified medical information provided by Physicians in connection with submitting an initial request and through subsequent interactions between Physicians and MedaSystems’ customers (including medical history, diagnosis, copies of medical imaging tests, lab test results, results of other medical tests).
(d) Category of Data Subjects. Users of the Services, including physicians, patients, and caregivers who submit requests through the Services for access to investigational products of MedaSystems’ customers, and MedaSystems’ customer personnel.
3. Processing of Physician Personal Data
3.1 Physician’s instructions for the Processing of Physician Personal Data shall comply with Data Protection Laws. Physician represents and warrants that (a) it has provided or will provide any necessary notices to Data Subjects of Physician Personal Data; (b) it has obtained any necessary approvals and rights necessary for Company to Process Physician Personal Data in accordance with the Terms of Service, this Addendum, and Data Protection Laws; and (c) Company’s processing of Personal Data in line with the Physician’s instructions will not cause Company to violate any applicable law. Where Company provides transparency information to Data Subjects on behalf of the Physician as part of the Services (including with respect to the provision of the website), the parties agree that Physician is responsible for providing transparency information to Data Subjects as Controller and will supply Company with the required transparency information in the form of a privacy notice. This privacy notice will (a) contain all required transparency information under Data Protection Laws; (b) govern the Physician’s use of any Personal Data provided by Data Subjects in relation to the Services; and (c) permit Company’s Processing of Personal Data as contemplated by this Addendum.
3.2 Company shall Process Physician Personal Data only for the purposes of providing the Services and on the written instructions of the Physician (as agreed between the parties), unless Company is required to otherwise Process Physician Personal Data by applicable laws. Where Company is required by applicable laws to Process Physician Personal Data other than for the purposes of providing the Services and in accordance with Physician’s instructions, prior to any such Processing and to the extent permitted by applicable laws, Company shall notify the Physician in writing of that legal requirement prior to Processing Physician Personal Data.
3.3 Company shall not (a) retain, use, or disclose Physician Personal Data other than as needed to provide the Services or comply with legal obligations applicable to Company; (b) retain, use, or disclose Physician Personal Data outside of the direct business relationship between Physician and Company, including by combining Physician Personal Data with Personal Data Company receives from third parties, other than Physician; or (c) Sell or Share Physician Personal Data. Physician’s provision of access to Physician Personal Data for Processing is not part of and explicitly excluded from the exchange of consideration, or any other thing of value, between the parties. Physician has the right to take reasonable and appropriate steps to help ensure that Company uses Physician Personal Data in a manner consistent with Physician’s obligations under the Data Protection Laws. Company shall notify Physician if it makes a determination that it can no longer meet its obligations under the Data Protection Laws and Physician has the right, upon reasonable notice to Company, to take reasonable and appropriate steps to stop and remediate any unauthorised use of Physician Personal Data.
3.4 Company shall promptly inform the Physician if Company becomes aware of a written instruction given by the Physician under this Section 3 that, in Company’s reasonable opinion, infringes Data Protection Laws.
4. Company Personnel and Sub-Processors
4.1 Company shall ensure that all Company personnel authorised to Process Physician Personal Data are either subject to binding written contractual obligations or statutory obligations to keep Physician Personal Data confidential.
4.2 The Physician authorises Company to engage the Sub-Processors included in the Sub-Processor list maintained at the web page: https://medasystems.com/subprocessors (“Sub-Processor List”). Where Company intends to engage any additional Sub-Processor not already approved on the Sub-Processor List, prior to engaging the Sub-Processor, Company shall notify the Physician of the proposed engagement of the Sub-Processor giving the Physician the opportunity to object. The Physician shall be entitled to make a written objection to the proposed engagement (with respect to confidentiality and data protection compliance concerns) within 21 days of Company providing notice to the Physician under this Section. If no objection is received within the timeframe under this Section, the Physician is deemed to have authorised the engagement of such Sub-Processor.
4.3 Where the Physician raises a reasonable objection to the proposed engagement of a Sub-Processor in accordance with this Section, Company may, at its option: (a) use its reasonable endeavours to remedy the situation giving rise to the reasonable objection; or (b) propose an alternative Sub-Processor to conduct the relevant Processing in accordance with Section 4.2 of this Addendum, provided that, in the event that Company is unable to remedy the situation or propose an alternative Sub-Processor, Company shall be entitled to terminate the Addendum without penalty or liability effective immediately on written notice to the Physician.
4.4 Company shall ensure that prior to permitting any Sub-Processor to Process Physician Personal Data, the Sub-Processor has entered into a binding written agreement with Company that imposes obligations substantially equivalent to the obligations imposed on Company as a Processor under this Addendum. Company shall remain fully liable to the Physician for the performance of the Sub-Processor’s data protection obligations concerning Physician Personal Data in the event the Sub-Processor fails to fulfil those obligations.
5. Transfers
5.1 Where Company is certified to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, the “DPF”), such certification permits the international transfer of Physician Personal Data from Physician to Company in the U.S. in compliance with Data Protection Laws. Where the Company is not certified to the DPF or Company’s certification to the DPF ceases to permit such international transfers of Physician Personal Data to Company in the U.S., Section 5.2 of this Addendum shall apply where permitted under Data Protection Laws.
5.2 Subject to Section 5.1 of this Addendum, where Company Processes Physician Personal Data subject to the EU GDPR, FADP or UK GDPR, the following international transfer provisions shall apply:
(a) For Physician Personal Data subject to the EU GDPR, the parties agree to comply with the provisions of the EU Controller to Processor Standard Contractual Clauses (“EU SCCs”), which are incorporated into this Agreement by reference and are varied as follows for this purpose: (i) For Annex I of the EU SCCs, the list of parties section shall be deemed completed with the details of Physician (as data exporter) and Company (as data importer) provided in this Addendum and contact information provided by the parties from time to time; the “description of transfers” section shall be deemed completed with the corresponding information in Section 2.3 of this Addendum; transfers are “continuous” and the competent supervisory authority is determined in accordance with Clause 13 of the EU SCCs; (ii) For Annex II of the EU SCCs, the technical and organizational measures are completed with the corresponding information set out in Section 6.1 of this Addendum; (iii) the optional Clause 7 (Docking Clause) is included; (iv) Clause 9 (Sub-processors) Option 2 shall apply and the time period for notification of a proposed Sub-Processor will be twenty-one (21) days; (v) the optional Clause 11 (Redress) is excluded; (vi) Clause 13 (Supervision) provides for three alternative options and the most appropriate option will apply, as communicated by the Physician to Company; (vii) Clause 17 (Governing law) will be the laws of Ireland; and (viii) Clause 18 (Choice of forum and jurisdiction) is amended so that the courts which have jurisdiction are the courts of the EU Member State referenced by Clause 17 (Governing law) as amended above.
(b) For Physician Personal Data subject to the Swiss FADP, the parties agree to comply with the provisions of the EU SCCs as set out and varied by Section 5.2(a) of this Addendum and as further amended as follows: (i) The term “Member State” according to Clause 18 (c) of the EU SCCs shall not be interpreted in such a way that data subjects in Switzerland are excluded from exercising their rights, if any, at their place of habitual residence; (ii) Any references to EU legislation, EU authorities and the EU Member States in the EU SCCs are amended to reflect corresponding Switzerland legislation, Switzerland authorities and Switzerland as appropriate; (iii) The Supervisory Authority selected for the purposes of Clause 13 (Supervision) of the EU SCCs is the Swiss Federal Data Protection and Information Commissioner (FDPIC); and (iv) Clause 17 (Governing law) of the EU SCCs shall refer to the law of Switzerland as the governing law and Clause 18 (Choice of forum and jurisdiction) shall refer to the Swiss courts as the proper forum and jurisdiction for disputes and legal proceedings arising.
(c) For Physician Personal Data subject to the UK GDPR, the parties agree to comply with the provisions of the UK International Data Transfer Addendum (“UK IDTA”) which is incorporated into this Agreement by reference and varied as follows for this purpose: (i) the date to be included in Table 1 of the UK IDTA is the date of this Agreement; (ii) for Table 1 and Table 3 of the UK IDTA, the parties’ details, description of the transfer and technical and organizational measures shall be deemed completed with the relevant information as referenced in Section 5.2(a) of this Addendum; (iii) for Table 2 of the UK IDTA, information about the version of the EU Standard Contractual Clauses, modules and selected clauses which the UK IDTA is appended to shall reference the EU Standard Contractual Clauses as amended by Section 5.2(a) of this Addendum; (iv) for Table 4 of the UK IDTA, both the Importer and the Exporter may end the UK IDTA in accordance with its terms; and (v) Part 2 Mandatory Clauses of the UK IDTA shall be deemed completed with the following provision: “Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of those Mandatory Clauses”.
5.3 Company shall not transfer Physician Personal Data to any party in a country not deemed adequate for the transfer of Personal Data under Data Protection Laws, including permitting access to Physician Personal Data from any party in such countries, without the prior written consent of the Physician, unless:
(a) the transfer/access is to a Sub-Processor included in the Sub-Processor List or appointed in accordance with Section 4 of this Addendum; and
(b) the transfer/access is in compliance with Data Protection Laws (including having in place appropriate transfer safeguards as applicable).
6. Security and Personal Data Breach Notification
6.1 Company shall implement and maintain appropriate technical and organisational measures in relation to the Processing of Physician Personal Data to ensure a level of security appropriate to the risks which may occur as a result of Processing Physician Personal Data, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Physician Personal Data, including as set out in Annex 1. Company may update or modify the security measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.
6.2 Company shall notify the Physician without undue delay on becoming aware of a Personal Data Breach, provide the Physician with details of the Personal Data Breach as required under Data Protection Laws and take reasonable steps to identify the cause of, minimize harm and prevent a recurrence of such Personal Data Breach. To the extent available, the details of the Personal Data Breach provided shall include:
(a) the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Physician Personal Data records concerned;
(b) the name and contact details of the data protection officer or other contact point of Company, where more information can be obtained;
(c) description of the likely consequences of the Personal Data Breach; and
(d) description of the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach.
7. Assistance
7.1 To the extent related to its Processing of Physician Personal Data (taking into account the nature of Processing and the information available to Company), Company shall, on request from the Physician, promptly provide the Physician with reasonable assistance:
(a) using appropriate technical and organisational measures, in complying with any requests received from Data Subjects of Physician Personal Data exercising Data Subject rights under Data Protection Laws;
(b) to enable the Physician to conduct data protection impact assessments and consultations with (or notifications to) a relevant Supervisory Authority where the Physician is required to do so under Data Protection Laws, in connection with data protection impact assessments;
(c) in complying with its obligation to implement and maintain appropriate technical and organisational security measures to protect Physician Personal Data; and
(d) in complying with its obligation to notify a Personal Data Breach to a Supervisory Authority or to a Data Subject as applicable.
8. Deletion or Return of Data
8.1 Company shall delete (or, at the election of the Physician, return) all Physician Personal Data in the possession or control of Company after Company ceases to provide the Services, in accordance with the Terms of Service, unless otherwise required to further store Physician Personal Data by applicable laws or agreement with the Physician.
8.2 Upon expiration or termination of Physician’s access to the Services, Company will make all Physician Data available to Physician for electronic retrieval in a mutually agreed format for a period of sixty (60) days, but thereafter, unless required by law, Company may, but is not obligated to, in its sole discretion and without delivery of any notice to Physician, delete stored Physician Data. Upon any expiration or termination of Physician’s access to the Services, all rights granted hereunder and all obligations of Company to provide the Services will immediately terminate and (a) Physician will cease use of the Services; and (b) each party will return or destroy all copies or other embodiments of the other party’s Confidential Information (subject to Company’s rights under Section 3.3).
9. Information Requests and Audits
9.1 Company shall, on request from the Physician, make available to the Physician all information necessary to demonstrate Company’s compliance with its obligations under this Addendum. Company shall allow for audits (including inspections), at Physician’s cost, conducted by the Physician or the Physician’s designated auditor, for the purpose of demonstrating Company’s compliance with its obligations under this Addendum. For the avoidance of doubt such audits shall be limited to once per calendar year except as required by a Supervisory Authority and the scope of any audit will be limited to Company’s policies, procedures, systems and controls relevant to the Processing of Physician Personal Data.
9.2 Company’s obligations under Section 9.1 of this Addendum are subject to the Physician:
(a) giving Company reasonable prior notice of such information requests, audits and/or inspections being required by the Physician;
(b) ensuring that all information obtained or generated by the Physician or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by applicable laws); and
(c) ensuring that such audit or inspection is undertaken during normal business hours, with, so far as reasonably practicable, minimal disruption to Company’s business and the business of other customers of Company.
10. Liability
10.1 The Physician acknowledges that Company is reliant on the Physician for direction as to the extent to which Company is entitled to Process Physician Personal Data on behalf of the Physician in the provision of the Services. Consequently, Company will not be liable for any claim arising from any action or omission, to the extent that such action or omission resulted directly from the Physician’s instructions or from the Physician’s failure to comply with its obligations under the applicable Data Protection Laws.
10.2 Notwithstanding any provisions to the contrary included in this Addendum, each party’s liability towards the other party under or in connection with this Addendum will be limited in accordance with the Terms of Service.