Data Processing Agreement
1. Purpose of the DPA
This Data Processing Agreement (DPA) applies solely to the processing of personal data carried out by SAFETY OBSERVER on behalf of the Client as part of the provision of the Platform.
As indicated in the Contract:
– the Client is responsible for the processing carried out on its behalf by SAFETY OBSERVER within the framework of the provision of the Platform;
– and SAFETY OBSERVER is its subcontractor within the meaning of the GDPR.
In accordance with Article 28 of the GDPR, a data processing agreement (DPA) must be agreed between the data controller, i.e. the Client, and the subcontractor, i.e. SAFETY OBSERVER.
2. Description of outsourced processing
SAFETY OBSERVER is authorised to process, on behalf of the Client, the personal data that the Client needs to process as part of its regulatory monitoring activities using the Platform.
Service provided by SAFETY OBSERVER: Platform for reading regulatory monitoring reports for pharmacovigilance and drug safety professionals
Category of data subjects: Users of the Platform (hereinafter the “data subjects”)
Identity: first name, last name, email address
User account: email address and password
Purpose of processing: The purposes of the processing include:
Only the purposes indicated above may be processed as part of the provision of the Platform. Any other purpose implemented via the Platform by the Client will be determined by the Client at its sole discretion, and will be expressly excluded from the scope of this agreement.
Nature of operations carried out on personal data: Any operation made necessary for the provision of the Platform, and in particular:
– the consultation, collection, recording and storage of the data required to provide the Platform;
Duration of data retention: SAFETY OBSERVER will keep the data for the duration of the contractual relationship with the Client.
3. Duration of the DPA
This agreement shall come into force at the same time as the Contract to which it is attached and for the same duration.
It may be amended under the same conditions as the Contract.
4. General obligations of SAFETY OBSERVER as a subcontractor
SAFETY OBSERVER undertakes to:
– process the data solely for the purpose(s) for which it is subcontracted, as described in this appendix;
– process the data in accordance with any documented instructions that may subsequently be provided by the Client.
If SAFETY OBSERVER considers that an instruction constitutes a breach of the GDPR or of any other provision of Union law or of the law of the Member States relating to data protection, it shall immediately inform the Client.
In addition, if SAFETY OBSERVER is required to transfer data to a third country or to an international organisation under Union law or the law of the Member State to which it is subject, it must inform the Client of this legal obligation prior to processing, unless the law concerned prohibits such information on important grounds of public interest.
– guarantee the confidentiality of personal data processed under this agreement;
– ensure that persons authorised to process personal data under this agreement:
  – undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
  – receive the necessary training in the protection of personal data;
– take into account, with regard to its tools, products, applications or services, the principles of data protection by design and data protection by default.
5. General authorisation to use subcontractors
SAFETY OBSERVER may call upon another subcontractor (hereinafter the “subsequent subcontractor”) to carry out specific processing. In this case, SAFETY OBSERVER shall inform the Client in advance and in writing.
This information must clearly indicate the subcontracted processing activities, the identity and contact details of the subsequent subcontractor and the dates of the subcontracting contract.
The Client has a period of fifteen (15) days from the date of receipt of this information to submit any objections. This subcontracting may only be carried out if the Client has not raised any objections within the agreed period.
The current subsequent subcontractors used by SAFETY OBSERVER are as follows:
– Hosting of the Platform
– Maintenance of the Platform
For each of these, the existence of data transfers outside the EU/EEA is indicated.
If SAFETY OBSERVER wishes to transfer data to a third country or to an international organisation, pursuant to the aforementioned regulation, it must first ensure that the subsequent subcontractor provides adequate guarantees governing the data transfer in accordance with the requirements of the GDPR, such as:
(i) the existence of an adequacy decision from the European Commission,
(ii) standard data protection clauses adopted by the European Commission,
(iii) codes of conduct approved in accordance with the GDPR,
(iv) certification mechanisms approved in accordance with the GDPR,
(v) contractual clauses validated by the CNIL.
The subsequent subcontractor is required to comply with the obligations of this contract on behalf of and in accordance with the instructions of SAFETY OBSERVER. It is the responsibility of SAFETY OBSERVER to ensure that the subsequent subcontractor presents the same sufficient guarantees regarding the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the GDPR. If the subsequent subcontractor does not fulfil its data protection obligations, SAFETY OBSERVER remains fully responsible to the Client for the subsequent subcontractor’s performance of its obligations.
6. Obligation to inform Data Subjects of the processing
It is the Client’s responsibility to inform Data Subjects of the existence of its processing of personal data concerning them by any appropriate means depending on the methods of collection of the personal data, the nature of the processing and the category of Data Subjects.
This information must be concise, transparent, complete and comprehensible in accordance with the requirements of the GDPR.
In particular, it must contain the following information:
– Identity and contact details of the organisation (data controller);
– Purposes (what the data collected will be used for);
– Legal basis for the data processing (i.e. what gives an organisation the right to process the data: this may be the consent of data subjects, compliance with an obligation laid down by law, performance of a contract, etc.);
– Whether data collection is mandatory or optional (which implies that consideration must be given upstream to the usefulness of collecting this data in view of the objective pursued – the principle of data “minimisation”) and the consequences for the individual in the event of failure to provide the data;
– Recipients or categories of recipients of the data (who needs to access or receive it in view of the purposes defined, including sub-contractors);
– Data retention period (or criteria for determining it);
– Rights of data subjects (the rights of access, rectification, erasure and restriction apply to all processing operations);
– Details of the organisation’s data protection officer, if appointed, or of a contact point for personal data protection issues;
– The right to lodge a complaint with the CNIL.
To find out more, the Client is invited to consult the CNIL website: https://www.cnil.fr/fr/conformite-GDPR-information-des-personnes-et-transparence
7. Exercise of their GDPR rights by Data Subjects
As far as possible, SAFETY OBSERVER shall assist the Client in fulfilling its obligation to comply with the Data Subjects’ requests to exercise their rights: right of access, rectification, erasure and objection, right to restrict processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
When Data Subjects make requests to SAFETY OBSERVER to exercise their rights, SAFETY OBSERVER must send these requests to the Client as soon as they are received by e-mail.
8. Notification in case of data breach
SAFETY OBSERVER shall notify the Client of any personal data breach within a maximum period of 48 hours after becoming aware of it, by sending an e-mail to the Client at the email address provided by the Client. This notification shall be accompanied by any useful documentation to enable the Client, if necessary, to notify the breach to the competent supervisory authority.
SAFETY OBSERVER shall assist the Client in carrying out data protection impact assessments. This assistance will be limited to providing technical information on the security measures implemented and does not release the Client from carrying out the impact analysis which is its responsibility.
SAFETY OBSERVER shall also assist the Client in carrying out the prior consultation with the supervisory authority.
These assistance services may be subject to reasonable additional invoicing, taking into account the need to mobilise technical and human resources to carry out these services:
10. Security measures
SAFETY OBSERVER undertakes to implement appropriate physical, logical and organisational security measures, including the following:
– limiting access to any tool, software, application or other means used for processing to authorised persons only (in particular by setting up appropriate authentication and password systems);
– making frequent back-ups of data;
– tracing access to the SAFETY OBSERVER information system.
The Client acknowledges that the technical and organisational measures listed above meet its expectations in order to adequately guarantee the security and confidentiality of the processing it wishes to implement.
The Client nevertheless remains responsible for implementing its own security policy within its organisation, in particular in order to:
– make its teams aware of the confidentiality and protection of personal data;
– inform its teams of the personal data that they may process and the data that they must not process, with regard to the processing of personal data that the Client will carry out via SAFETY OBSERVER;
– manage the teams authorised to access the Data Subjects’ data (in particular by setting up appropriate authentication and password systems);
– secure workstations and IT systems (networks, terminals, etc.);
– regularly back up its data locally.
11. Return and deletion of data
At the end of the provision of services relating to the processing of this data, SAFETY OBSERVER undertakes to return or delete the data at the express request of the Client.
In the absence of an express request to this effect made within 30 days of the end of the service, SAFETY OBSERVER may, without fault, delete the Client’s data in its possession.
12. Data Protection Officer (DPO)
Each Party shall communicate to the other the identity and contact details of its Data Protection Officer if it appoints one, in accordance with Article 37 of the GDPR.
13. Register of categories of processing activities
SAFETY OBSERVER declares that it keeps a written record of all categories of processing activities carried out on behalf of the Client, including:
– the name and contact details of the Client, those of any sub-contractors and, where applicable, the data protection officer;
– the categories of processing carried out on behalf of the Client;
– where applicable, transfers of personal data to a third country or to an international organisation, including the identification of this third country or this international organisation and the documents attesting to the existence of appropriate guarantees;
– as far as possible, a general description of the technical and organisational security measures implemented.
SAFETY OBSERVER shall make available to the Client the documentation necessary to demonstrate compliance with all its obligations and to allow audits, including inspections, to be carried out by the data controller or another auditor appointed by it, and to contribute to such audits.
Any request for an audit and/or inspection must be made by the Client by registered letter with acknowledgement of receipt at least 15 days before the date envisaged for its performance, and must state the identity of the auditors envisaged.
SAFETY OBSERVER will have 7 days to confirm to the Client whether this date is possible and to raise any objective reservations (in particular on competition grounds) about the auditors envisaged.
Any audit and/or inspection can only be carried out after a confidentiality agreement has been signed between SAFETY OBSERVER and all the auditors.