Obligations of Data Processors. The Data Processors and all their staff are obligated to:
a. Use the Personal Data only for the completion of the Trial proposed by the Data Controller. In no case may the Data Processors use the Personal Data for their own purposes without the prior written consent of the affected parties. The Data Processors will follow the indications and templates provided by the Data Controller, committing to use the information clauses, to follow the mechanisms for obtaining consent and to comply with any other instructions indicated by the Data Controller.
b. Process the Personal Data in accordance with the documented instructions of the Data Controller. If the Data Processors consider that any instruction given by the Data Controller infringes the GDPR or any other data protection provision, they shall inform the Data Controller within the legally established period.
c. Maintain a written record of all categories of processing activities carried out on behalf of the Data Controller. The record must include:
1. The name and contact details of the Data Processors and of the Data Controller on behalf of which the Data Processors are acting, as well as, where applicable, their representatives and the Data Protection Officer.
2. The categories of processing carried out on behalf of the Data Controller.
3. When applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the Regulation, the documentation of suitable safeguards.
4. A general description of the technical and organizational security measures relating to: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
d. Not to communicate the Personal Data to third parties, unless express authorization has been granted by the Data Controller or the communication is required under applicable regulations. The Data Processors may communicate the Personal Data to other Data Processors of the same Data Controller, in accordance with the instructions given by the Data Controller. In that case, the Data Controller will identify, in advance and in writing, the entity to which the data must be communicated, which data will be communicated and the security measures to be put in place for the communication. If the Data Processors are required to transfer the Personal Data to a third country or to an international organization by European Community or national law to which the Data Processors are subject, they shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on grounds of public interest.
e. The Data Processors are authorized to subcontract to other companies the services they consider necessary. In order to subcontract, the Data Processors must notify the Data Controller in writing, clearly and unequivocally identifying the company to be subcontracted, its contact details and the services it will provide. The subcontracting may proceed if the Data Controller does not object within one month. The subcontractors will likewise be bound by the obligations established in this Contract for the Data Processors and by the instructions given by the Data Controller. The Data Processor is responsible for managing this new relationship, ensuring that the Data Subprocessor is subject to the same conditions (instructions, obligations, security measures, etc.) and complies with the same formal requirements regarding the processing of Personal Data and the guarantee of the rights of the affected parties. In case of non-compliance by the Data Subprocessor, the Data Processor will remain fully liable to the Data Controller for the fulfilment of those obligations.
f. Maintain the duty of secrecy regarding the Personal Data that has been processed, even after the end of the contract.
g. Guarantee that the people authorized to handle Personal Data expressly and in writing commit themselves to respect confidentiality and to comply with the corresponding security measures, of which they will be informed accordingly.
h. Assist the Data Controller diligently in the response to the exercise of the rights of:
1. Access, rectification, erasure and objection
2. Restriction of processing
3. Data portability
4. Not to be subject to automated individualized decisions (including profiling).
When the affected parties exercise the rights of access, rectification, erasure and objection, restriction of processing, data portability or not being subject to automated individualized decisions directly with the Data Processors, the Data Processors must communicate this without undue delay to the Data Controller, by the means indicated by the Data Controller and following its instructions.
i. Notify the Data Controller, without undue delay and in any case within a maximum of 72 hours, of any personal data breaches of which they become aware, together with all information relevant to documenting and communicating the incident. The notification shall at least: describe the nature of the data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the data breach; and describe the measures taken or proposed to be taken by the Controller to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. It is the Data Controller who shall communicate the data breach, as soon as possible, to the Data Protection Authority and, when applicable, to the affected parties.
j. Assist the Data Controller in carrying out data protection impact assessments, when applicable.
k. Assist the Data Controller in carrying out prior consultations with the supervisory authority, when applicable.
l. Provide the Data Controller with all the information necessary to demonstrate compliance with the obligations set forth in this clause, as well as for the performance of audits or inspections carried out by the Data Controller or by another auditor authorized by the Data Controller. The Parties agree that, in order not to hinder the daily operations of the Data Processors, audits must be conducted during office hours and with the notice indicated in section e) of Clause 5 below. The costs of the audit will be borne by the Data Controller.
m. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and in particular the measures set out at the end of this Contract, in order to prevent the destruction, alteration, loss or theft of, and the unauthorized processing of or unauthorized access to, personal data.
n. Appoint a Data Protection Officer, if necessary, and inform the Data Controller of the identity and contact details of the person appointed.
Appears in 4 contracts
Samples: Clinical Trial Contract, Clinical Trial Contract, Clinical Trial Contract
Obligations of Data Processors. The Data Processors and all their staff are obligated to:
a. Use the Personal Data only for the completion of the Trial Study proposed by the Data Controller. In no case may the Data Processors use the Personal Data for their own purposes without the prior written consent of the affected parties. The Data Processors will follow the indications and templates provided by the Data Controller, committing to use the information clauses, to follow the mechanisms for obtaining consent and to comply with any other instructions indicated by the Data Controller.
b. Process the Personal Data in accordance with the documented instructions of the Data Controller. If the Data Processors consider that any instruction given by the Data Controller infringes the GDPR or any other data protection provision, they shall inform the Data Controller within the legally established period.
c. Maintain a written record of all categories of processing activities carried out on behalf of the Data Controller. The record must include:
1. The name and contact details of the Data Processors and of the Data Controller on behalf of which the Data Processors are acting, as well as, where applicable, their representatives and the Data Protection Officer.
2. The categories of processing carried out on behalf of the Data Controller.
3. When applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the Regulation, the documentation of suitable safeguards.
4. A general description of the technical and organizational security measures relating to: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
d. Not to communicate the Personal Data to third parties, unless express authorization has been granted by the Data Controller or the communication is required under applicable regulations. The Data Processors may communicate the Personal Data to other Data Processors of the same Data Controller, in accordance with the instructions given by the Data Controller. In that case, the Data Controller will identify, in advance and in writing, the entity to which the data must be communicated, which data will be communicated and the security measures to be put in place for the communication. If the Data Processors are required to transfer the Personal Data to a third country or to an international organization by European Community or national law to which the Data Processors are subject, they shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on grounds of public interest.
e. The Data Processors are authorized to subcontract to other companies the services they consider necessary. In order to subcontract, the Data Processors must notify the Data Controller in writing, clearly and unequivocally identifying the company to be subcontracted, its contact details and the services it will provide. The subcontracting may proceed if the Data Controller does not object within one month. The subcontractors will likewise be bound by the obligations established in this Contract for the Data Processors and by the instructions given by the Data Controller. The Data Processor is responsible for managing this new relationship, ensuring that the Data Subprocessor is subject to the same conditions (instructions, obligations, security measures, etc.) and complies with the same formal requirements regarding the processing of Personal Data and the guarantee of the rights of the affected parties. In case of non-compliance by the Data Subprocessor, the Data Processor will remain fully liable to the Data Controller for the fulfilment of those obligations.
f. Maintain the duty of secrecy regarding the Personal Data that has been processed, even after the end of the contract.
g. Guarantee that the people authorized to handle Personal Data expressly and in writing commit themselves to respect confidentiality and to comply with the corresponding security measures, of which they will be informed accordingly.
h. Assist the Data Controller diligently in the response to the exercise of the rights of:
1. Access, rectification, erasure and objection
2. Restriction of processing
3. Data portability
4. Not to be subject to automated individualized decisions (including profiling).
When the affected parties exercise the rights of access, rectification, erasure and objection, restriction of processing, data portability or not being subject to automated individualized decisions directly with the Data Processors, the Data Processors must communicate this without undue delay to the Data Controller, by the means indicated by the Data Controller and following its instructions.
i. Notify the Data Controller, without undue delay and in any case within a maximum of 72 hours, of any personal data breaches of which they become aware, together with all information relevant to documenting and communicating the incident. The notification shall at least: describe the nature of the data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the data breach; and describe the measures taken or proposed to be taken by the Controller to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. It is the Data Controller who shall communicate the data breach, as soon as possible, to the Data Protection Authority and, when applicable, to the affected parties.
j. Assist the Data Controller in carrying out data protection impact assessments, when applicable.
k. Assist the Data Controller in carrying out prior consultations with the supervisory authority, when applicable.
l. Provide the Data Controller with all the information necessary to demonstrate compliance with the obligations set forth in this clause, as well as for the performance of audits or inspections carried out by the Data Controller or by another auditor authorized by the Data Controller. The Parties agree that, in order not to hinder the daily operations of the Data Processors, audits must be conducted during office hours and with the notice indicated in section e) of Clause 5 below. The costs of the audit will be borne by the Data Controller.
m. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and in particular the measures set out at the end of this Contract, in order to prevent the destruction, alteration, loss or theft of, and the unauthorized processing of or unauthorized access to, personal data.
n. Appoint a Data Protection Officer, if necessary, and inform the Data Controller of the identity and contact details of the person appointed.
Appears in 2 contracts
Samples: Contract for the Performance of Observational Studies With Medicinal Products for Human Use, Contract for the Performance of Observational Studies With Medicinal Products for Human Use