Common use of Processing of Clinical Trial Subject Personal Data Clause in Contracts

Processing of Clinical Trial Subject Personal Data. For the purpose of the Data Protection Laws and Guidance, the Sponsor is the Controller and the Participating Organisation is the Processor of Personal Data Processed for the purpose of the Clinical Trial. The Participating Organisation’s Processing of Personal Data, as a Processor of the Sponsor, shall be governed by this Agreement, including the Protocol, which sets out the subject matter, duration, nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects, and obligations and rights of the Sponsor as Controller. The Participating Organisation is the Controller of Personal Data Processed for purposes other than the Clinical Trial, e.g. the provision of medical care. The Participating Organisation, in its role as Processor of the Personal Data under Clause 6.2.1, agrees to only Process Personal Data for and on behalf of the Sponsor in accordance with the documented instructions of the Sponsor, including with regard to transfers of personal data to a third country or an international organisation. If the Participating Organisation is required by law to otherwise Process the Personal Data, the Participating Organisation shall notify the Sponsor before undertaking the Processing, unless such notification is prohibited on important grounds of public interest in accordance with GDPR Article 28(3)(a). In the case of such prohibition, the Participating Organisation shall notify the Sponsor as soon as possible once the prohibition is lifted, if it is lifted. 
The Participating Organisation agrees to comply with the obligations applicable to Processors described by Article 28 of the GDPR, as well as those additional obligations required by the Sponsor pursuant to this Agreement, including but not limited to the following: implementing and maintaining appropriate technical and organisational security measures for Personal Data Processed in its systems, in keeping with its obligations as an NHS organisation, thereby providing guarantee to the Sponsor pursuant to GDPR Article 28(1); ensuring that Personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)); taking all measures required by GDPR Article 32 in relation to the security of Processing (GDPR Article 28(3)(c)); subject to Clause 6.2.6 complying with the conditions described in GDPR Article 28(2) and (4) for engaging another Processor (GDPR Article 28(3)(d)); taking into account the nature of the Processing, assist the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (GDPR Article 28(3)(e)); assisting the Controller, to ensure compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of the Processing and the information available to the Participating Organisation (GDPR Article 28(3)(f)); maintaining a record to demonstrate compliance with this Clause and Data Protection Laws and Guidance, including the records required pursuant to GDPR Article 30(2); in the event of any Personal Data Breach by the Participating Organisation as a Processor of the Sponsor, the Participating Organisation shall: (i) promptly and without undue delay following discovery of such Personal Data Breach, send written notice of the incident via e-mail to [insert]; (ii) not make any statements or notifications about the Personal Data 
Breach, as it relates to the Processing for the purpose of the Clinical Trial, to any individual affected by the incident, the public or any third party without Sponsor’s prior written approval; and (iii) immediately take steps to investigate and mitigate the Personal Data Breach and reasonably cooperate with the Sponsor. In furtherance of its obligations under Article 28 GDPR, the Participating Organisation agrees that it will not engage another Processor for the purpose of the Clinical Trial without the prior written authorisation of the Sponsor (GDPR Article 28(2)), excepting where that other Processor is a Participant Identification Centre (PIC), in which case Clause 6.2.6 (a) shall apply; In accordance with GDPR Article 28(2), the Participating Organisation may appoint PICs, on the basis of an unmodified template data processing agreement agreed in advance with the Sponsor, by notifying the Sponsor that they intend to contract the PIC. The Sponsor will be considered to have authorised this sub-processing if it does not notify the Participating Organisation to the contrary within [INSERT NUMBER, FOR EXAMPLE, FIVE (5)] business days. At the expiry or lapse of this Agreement, the Participating Organisation shall, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor unless there is a legal requirement for retention and storage (GDPR Article 28(3)(g)), and/or where that Personal Data is held by the Participating Organisation as Controller for its own purpose(s). 
The Participating Organisation will: ensure that its Personnel and the Principal Investigator, do not Process Personal Data except in accordance with the Protocol and this Agreement; take all reasonable steps to ensure the reliability and integrity of the Principal Investigator and any of its Personnel who have access to the Personal Data and will ensure that the Principal Investigator and the Personnel: are aware and comply with the Participating Organisation’s duties under this Clause 6 (Data Protection); are subject to mandatory training in their information governance responsibilities and have appropriate contracts, including sanctions, including for breach of confidence or misuse of Personal Data; and are informed of the confidential nature of the Personal Data and understand their responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose it for lawful and appropriate purposes. The Participating Organisation agrees to: Provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement, and/or, at the Sponsor’s discretion and on reasonable notice, to allow the Sponsor, or a third party appointed by the Sponsor, to audit the Participating Organisation’s compliance with the obligations described in this Agreement, Data Protection Laws and Guidance (including but not limited to Article 28 GDPR), subject to the Sponsor, or its appointed third party, complying with all relevant health and safety and security policies of the Participating Organisation. Obtain prior written agreement of the Sponsor to Process Personal Data outside of the UK and the EEA. 
In addition to the Participating Organisation’s obligations under Clause 6.2.9(b), where the Participating Organisation, acting as the Sponsor’s Processor, Processes Personal Data outside of the UK and the EEA, the Participating Organisation warrants that it does so in compliance with the Data Protection Laws and Guidance. Sharing of Personal Data and/or Clinical Trial Subject Pseudonymised Data. Neither Personal Data nor Pseudonymised Data of Clinical Trial Subjects shall be transferred by the Participating Organisation to the Sponsor unless this is required directly or indirectly to satisfy the purposes of this Agreement, or for the purposes of monitoring and reporting of adverse events or in relation to a claim or proceeding brought by a Clinical Trial Subject in connection with the Clinical Trial or is otherwise required by applicable law. The Sponsor agrees not to pass Personal Data or Pseudonymised Data of Clinical Trial Subjects provided under this Agreement to a third party, unless that third party is bound by contractual obligations at least as stringent as in this Clause 6. The Sponsor agrees to use Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purpose of the Clinical Trial and in all circumstances for no purpose which is incompatible with the Clinical Trial purpose. The Sponsor further agrees not to disclose the Personal Data or Pseudonymised Data of Clinical Trial Subjects to any person except as required or permitted by law or applicable guidance. The Sponsor agrees to comply with the obligations placed on it as a Controller pursuant to Data Protection Laws and Guidance, including but not limited to demonstrating compliance with the principles relating to Processing of Personal Data (Article 5 GDPR). The Sponsor agrees to ensure persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects under this Agreement are equipped to do so respectfully and safely. 
In particular: to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) understand the responsibilities for information governance, including their obligation to Process Personal Data and/or Pseudonymised Data of Clinical Trial Subjects securely and to only disseminate or disclose for lawful and appropriate purposes; to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable Personal Data Breaches. The Sponsor agrees to take reasonable steps to proactively prevent Personal Data Breaches, and/or equivalent breaches relating to Pseudonymised Data of Clinical Trial Subjects, and to respond appropriately to incidents or near misses. In particular: to ensure that Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are only accessible to persons who need it for the purposes of the Clinical Trial and to remove access as soon as reasonably possible once it is no longer needed; to ensure all access to Personal Data and/or Pseudonymised Data of Clinical Trial Subjects on IT systems Processed for Clinical Trial purposes can be attributed to individuals; to review processes to identify and improve processes which have caused Personal Data Breaches or near misses, or which force persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects to use workarounds which compromise data security; to adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice; to take action immediately following a Personal Data Breach or near miss. 
The Sponsor agrees to ensure Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are Processed using secure and up-to-date technology. In particular: to ensure no unsupported operating systems, software or internet browsers are used to support the Processing of Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purposes of the Clinical Trial; to put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework; to ensure IT suppliers are held accountable via contracts for protecting Personal Data and/or Pseudonymised Data of Clinical Trial Subjects that they Process and for meeting all relevant information governance requirements. Freedom of Information. The Sponsor acknowledges that the Participating Organisation is subject to the FOIA and associated guidance and codes of practice. If the Participating Organisation or its Agent(s) receive a request under the FOIA to disclose information relating to this Agreement (including but not limited to the Sponsor, Investigational Drugs (or their manufacturers), or the Clinical Trial), it will notify the Sponsor as soon as is reasonably practicable, and in any event, no later than five (5) working days after receiving the request. The Participating Organisation will consult with the Sponsor in accordance with all applicable guidance. The Sponsor acknowledges that subject to Clause 7.3.1, the decision on whether any exemption applies to a request for disclosure of recorded information under the FOIA is a decision solely for the Participating Organisation. The Sponsor shall cooperate with the Participating Organisation and shall use its reasonable endeavours to respond within ten (10) working days of the Participating Organisation’s reasonable request for assistance. 
Where the Participating Organisation determines that it will disclose information, notwithstanding any objections from the Sponsor, it will notify the Sponsor in writing, giving at least two (2) working days’ notice of its intended disclosure.

Appears in 2 contracts

Samples: www.myresearchproject.org.uk, www.myresearchproject.org.uk

Processing of Clinical Trial Subject Personal Data. For the purpose of the Data Protection Laws and Guidance, the Sponsor is the Controller and the Participating Organisation and CRO are Processors of Personal Data Processed for the purpose of the Clinical Trial. The Participating Organisation’s Processing of Personal Data, as a Processor of the Sponsor, shall be governed by this Agreement, including the Protocol, which sets out the subject matter, duration, nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects, and obligations and rights of the Sponsor as Controller. The Participating Organisation is the Controller of Personal Data Processed for purposes other than the Clinical Trial, e.g. the provision of medical care. The Participating Organisation, in its role as Processor of the Personal Data under Clause 6.2.1, agrees to only Process Personal Data for and on behalf of the Sponsor in accordance with the documented instructions of the Sponsor, including with regard to transfers of personal data to a third country or an international organisation. If the Participating Organisation is required by law to otherwise Process the Personal Data, the Participating Organisation shall notify the [Sponsor] [and the] [or the] [CRO] (delete as appropriate) before undertaking the Processing, unless such notification is prohibited on important grounds of public interest in accordance with GDPR Article 28(3)(a). In the case of such prohibition, the Participating Organisation shall notify the [Sponsor] [and the] [or the] [CRO] (delete as appropriate) as soon as possible once the prohibition is lifted, if it is lifted. 
The Participating Organisation agrees to comply with the obligations applicable to Processors described by Article 28 of the GDPR, as well as those additional obligations required by the Sponsor pursuant to this Agreement, including but not limited to the following: implementing and maintaining appropriate technical and organisational security measures for Personal Data Processed in its systems, in keeping with its obligations as an NHS organisation, thereby providing guarantee to the Sponsor pursuant to GDPR Article 28(1); ensuring that Personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)); taking all measures required by GDPR Article 32 in relation to the security of Processing (GDPR Article 28(3)(c)); subject to Clause 6.2.6 complying with the conditions described in GDPR Article 28(2) and (4) for engaging another Processor (GDPR Article 28(3)(d)); taking into account the nature of the Processing, assist the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (GDPR Article 28(3)(e)); assisting the Controller, to ensure compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of the Processing and the information available to the Participating Organisation (GDPR Article 28(3)(f)); maintaining a record to demonstrate compliance with this Clause and Data Protection Laws and Guidance, including the records required pursuant to GDPR Article 30(2); in the event of any Personal Data Breach by the Participating Organisation as a Processor of the Sponsor, the Participating Organisation shall: (i) promptly and without undue delay following discovery of such Personal Data Breach, send written notice of the incident via e-mail to [insert]; (ii) not make any statements or notifications about the Personal Data 
Breach, as it relates to the Processing for the purpose of the Clinical Trial, to any individual affected by the incident, the public or any third party without [Sponsor’s] [CRO’s] (delete as appropriate) prior written approval; and (iii) immediately take steps to investigate and mitigate the Personal Data Breach and reasonably cooperate with the Sponsor and/or CRO. In furtherance of its obligations under Article 28 GDPR, the Participating Organisation agrees that it will not engage another Processor for the purpose of the Clinical Trial without the prior written authorisation from or on behalf of the Sponsor (GDPR Article 28(2)), excepting where that other Processor is a Participant Identification Centre (PIC), in which case Clause 6.2.6 (a) shall apply; In accordance with GDPR Article 28(2), the Participating Organisation may appoint PICs, on the basis of an unmodified template data processing agreement agreed in advance with the Sponsor, by notifying the Sponsor that they intend to contract the PIC. The Sponsor will be considered to have authorised this sub-processing if it does not notify the Participating Organisation to the contrary within [INSERT NUMBER, FOR EXAMPLE, FIVE (5)] business days. At the expiry or lapse of this Agreement, the Participating Organisation shall, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor unless there is a legal requirement for retention and storage (GDPR Article 28(3)(g)), and/or where that Personal Data is held by the Participating Organisation as Controller for its own purpose(s). 
The Participating Organisation will: ensure that its Personnel and the Principal Investigator, do not Process Personal Data except in accordance with the Protocol and this Agreement; take all reasonable steps to ensure the reliability and integrity of the Principal Investigator and any of its Personnel who have access to the Personal Data and will ensure that the Principal Investigator and the Personnel: are aware and comply with the Participating Organisation’s duties under this Clause 6 (Data Protection); are subject to mandatory training in their information governance responsibilities and have appropriate contracts, including sanctions, including for breach of confidence or misuse of Personal Data; and are informed of the confidential nature of the Personal Data and understand their responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose it for lawful and appropriate purposes. The Participating Organisation agrees to: Provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement, and/or, at the Sponsor’s discretion and on reasonable notice, to allow the Sponsor, or a third party appointed by the Sponsor, to audit the Participating Organisation’s compliance with the obligations described in this Agreement, Data Protection Laws and Guidance (including but not limited to Article 28 GDPR), subject to the Sponsor, or its appointed third party, complying with all relevant health and safety and security policies of the Participating Organisation. Obtain prior written agreement of the Sponsor to Process Personal Data outside of the UK and the EEA. 
In addition to the Participating Organisation’s obligations under Clause 6.2.9(b), where the Participating Organisation, acting as the Sponsor’s Processor, Processes Personal Data outside of the UK and the EEA, the Participating Organisation warrants that it does so in compliance with the Data Protection Laws and Guidance. Sharing of Personal Data and/or Clinical Trial Subject Pseudonymised Data. Neither Personal Data nor Pseudonymised Data of Clinical Trial Subjects shall be transferred by the Participating Organisation to the Sponsor unless this is required directly or indirectly to satisfy the purposes of this Agreement, or for the purposes of monitoring and reporting of adverse events or in relation to a claim or proceeding brought by a Clinical Trial Subject in connection with the Clinical Trial or is otherwise required by applicable law. The Sponsor agrees not to pass Personal Data or Pseudonymised Data of Clinical Trial Subjects provided under this Agreement to a third party, unless that third party is bound by contractual obligations at least as stringent as in this Clause 6. The Sponsor agrees to use Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purpose of the Clinical Trial and in all circumstances for no purpose which is incompatible with the Clinical Trial purpose. The Sponsor further agrees not to disclose the Personal Data or Pseudonymised Data of Clinical Trial Subjects to any person except as required or permitted by law or applicable guidance. The Sponsor agrees to comply with the obligations placed on it as a Controller pursuant to Data Protection Laws and Guidance, including but not limited to demonstrating compliance with the principles relating to Processing of Personal Data (Article 5 GDPR). The Sponsor agrees to ensure persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects under this Agreement are equipped to do so respectfully and safely. 
In particular: to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) understand the responsibilities for information governance, including their obligation to Process Personal Data and/or Pseudonymised Data of Clinical Trial Subjects securely and to only disseminate or disclose for lawful and appropriate purposes; to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable Personal Data Breaches. The Sponsor agrees to take reasonable steps to proactively prevent Personal Data Breaches, and/or equivalent breaches relating to Pseudonymised Data of Clinical Trial Subjects, and to respond appropriately to incidents or near misses. In particular: to ensure that Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are only accessible to persons who need it for the purposes of the Clinical Trial and to remove access as soon as reasonably possible once it is no longer needed; to ensure all access to Personal Data and/or Pseudonymised Data of Clinical Trial Subjects on IT systems Processed for Clinical Trial purposes can be attributed to individuals; to review processes to identify and improve processes which have caused Personal Data Breaches or near misses, or which force persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects to use workarounds which compromise data security; to adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice; to take action immediately following a Personal Data Breach or near miss. 
The Sponsor agrees to ensure Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are Processed using secure and up-to-date technology. In particular: to ensure no unsupported operating systems, software or internet browsers are used to support the Processing of Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purposes of the Clinical Trial; to put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework; to ensure IT suppliers are held accountable via contracts for protecting Personal Data and/or Pseudonymised Data of Clinical Trial Subjects that they Process and for meeting all relevant information governance requirements. Freedom of Information. The Sponsor acknowledges that the Participating Organisation is subject to the FOIA and associated guidance and codes of practice. If the Participating Organisation or its Agent(s) receive a request under the FOIA to disclose information relating to this Agreement (including but not limited to the Sponsor, Investigational Drugs (or their manufacturers), or the Clinical Trial), it will notify the Sponsor as soon as is reasonably practicable, and in any event, no later than five (5) working days after receiving the request. The Participating Organisation will consult with the Sponsor in accordance with all applicable guidance. The Sponsor acknowledges that subject to Clause 7.3.1, the decision on whether any exemption applies to a request for disclosure of recorded information under the FOIA is a decision solely for the Participating Organisation. The Sponsor shall cooperate with the Participating Organisation and shall use its reasonable endeavours to respond within ten (10) working days of the Participating Organisation’s reasonable request for assistance. 
Where the Participating Organisation determines that it will disclose information, notwithstanding any objections from the Sponsor, it will notify the Sponsor in writing, giving at least two (2) working days’ notice of its intended disclosure.

Appears in 2 contracts

Samples: www.theattcnetwork.co.uk, www.myresearchproject.org.uk

Processing of Clinical Trial Subject Personal Data. For the purpose of the Data Protection Laws and Guidance, the Sponsor is the Controller and the Participating Organisation and CRO are Processors of Personal Data Processed for the purpose of the Clinical Trial. The Participating Organisation’s Processing of Personal Data, as a Processor of the Sponsor, shall be governed by this Agreement, including the Protocol, which sets out the subject matter, duration, nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects, and obligations and rights of the Sponsor as Controller. The Participating Organisation is the Controller of Personal Data Processed for purposes other than the Clinical Trial, e.g. the provision of medical care. The Participating Organisation, in its role as Processor of the Personal Data under Clause 6.2.1, agrees to only Process Personal Data for and on behalf of the Sponsor in accordance with the documented instructions of the Sponsor, including with regard to transfers of personal data to a third country or an international organisation. If the Participating Organisation is required by law to otherwise Process the Personal Data, the Participating Organisation shall notify the [Sponsor] [and the] [or the] [CRO] (delete as appropriate) before undertaking the Processing, or as soon as possible thereafter, unless such notification is prohibited on important grounds of public interest in accordance with GDPR Article 28(3)(a). In the case of such prohibition, the Participating Organisation shall notify the Sponsor as soon as possible once the prohibition is lifted, if it is lifted. 
The Participating Organisation agrees to comply with the obligations applicable to Processors described by Article 28 of the GDPR, as well as those additional obligations required by the Sponsor pursuant to this Agreement, including but not limited to the following: implementing and maintaining appropriate technical and organisational security measures for Personal Data Processed in its systems, in keeping with its obligations as an NHS organisation, thereby providing guarantee to the Sponsor pursuant to GDPR Article 28(1); ensuring that Personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)); taking all measures required by GDPR Article 32 in relation to the security of Processing (GDPR Article 28(3)(c)); subject to Clause 6.2.6 complying with the conditions described in GDPR Article 28(2) and (4) for engaging another Processor (GDPR Article 28(3)(d)); taking into account the nature of the Processing, assist the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (GDPR Article 28(3)(e)); assisting the Controller, to ensure compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of the Processing and the information available to the Participating Organisation (GDPR Article 28(3)(f)); maintaining a record to demonstrate compliance with this Clause and Data Protection Laws and Guidance, including the records required pursuant to GDPR Article 30(2); in the event of any Personal Data Breach by the Participating Organisation as a Processor of the Sponsor, the Participating Organisation shall: (i) promptly and without undue delay following discovery of such Personal Data Breach, send written notice of the incident via e-mail to [insert]; (ii) not make any statements or notifications about the Personal Data 
Breach, as it relates to the Processing for the purpose of the Clinical Trial, to any individual affected by the incident, the public or any third party without [Sponsor’s] [CRO’s] (delete as appropriate) prior written approval; and (iii) immediately take steps to investigate and mitigate the Personal Data Breach and reasonably cooperate with the Sponsor and/or CRO. In furtherance of its obligations under Article 28 GDPR, the Participating Organisation agrees that it will not engage another Processor for the purpose of the Clinical Trial without the prior written authorisation from or on behalf of the Sponsor (GDPR Article 28(2)), excepting where that other Processor is a Participant Identification Centre (PIC), in which case Clause 6.2.6 (a) shall apply; In accordance with GDPR Article 28(2), the Participating Organisation may appoint PICs, on the basis of an unmodified template data processing agreement agreed in advance with the Sponsor, by notifying the Sponsor that they intend to contract the PIC. The Sponsor will be considered to have authorised this sub-processing if it does not notify the Participating Organisation to the contrary within [INSERT NUMBER, FOR EXAMPLE, FIVE (5)] business days. At the expiry or lapse of this Agreement, the Participating Organisation shall, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor unless there is a legal requirement for retention and storage (GDPR Article 28(3)(g)), and/or where that Personal Data is held by the Participating Organisation as Controller for its own purpose(s). 
The Participating Organisation will: ensure that its Personnel and the Principal Investigator, do not Process Personal Data except in accordance with the Protocol and this Agreement; take all reasonable steps to ensure the reliability and integrity of the Principal Investigator and any of its Personnel who have access to the Personal Data and will ensure that the Principal Investigator and the Personnel: are aware and comply with the Participating Organisation’s duties under this Clause 6 (Data Protection); are subject to mandatory training in their information governance responsibilities and have appropriate contracts, including sanctions, including for breach of confidence or misuse of Personal Data; and are informed of the confidential nature of the Personal Data and understand their responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose it for lawful and appropriate purposes. The Participating Organisation agrees to: Provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement, and/or, at the Sponsor’s discretion and on reasonable notice, to allow the Sponsor, or a third party appointed by the Sponsor, to audit the Participating Organisation’s compliance with the obligations described in this Agreement, Data Protection Laws and Guidance (including but not limited to Article 28 GDPR), subject to the Sponsor, or its appointed third party, complying with all relevant health and safety and security policies of the Participating Organisation. Obtain prior written agreement of the Sponsor to Process Personal Data outside of the UK and the EEA. 
In addition to the Participating Organisation’s obligations under Clause 6.2.9(b), where the Participating Organisation, acting as the Sponsor’s Processor, Processes Personal Data outside of the UK and the EEA, the Participating Organisation warrants that it does so in compliance with the Data Protection Laws and Guidance. Sharing of Personal Data and/or Clinical Trial Subject Pseudonymised Data Neither Personal Data nor Pseudonymised Data of Clinical Trial Subjects shall be transferred by the Participating Organisation to the Sponsor unless this is required directly or indirectly to satisfy the purposes of this Agreement, or for the purposes of monitoring and reporting of adverse events or in relation to a claim or proceeding brought by a Clinical Trial Subject in connection with the Clinical Trial or is otherwise required by applicable law. The Sponsor agrees not to pass Personal Data or Pseudonymised Data of Clinical Trial Subjects provided under this Agreement to a third party, unless that third party is bound by contractual obligations at least as stringent as in this Clause 6. The Sponsor agrees to use Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purpose of the Clinical Trial and in all circumstances for no purpose which is incompatible with the Clinical Trial purpose. The Sponsor further agrees not to disclose the Personal Data or Pseudonymised Data of Clinical Trial Subjects to any person except as required or permitted by law or applicable guidance. The Sponsor agrees to comply with the obligations placed on it as a Controller pursuant to Data Protection Laws and Guidance, including but not limited to demonstrating compliance with the principles relating to Processing of Personal Data (Article 5 GDPR). The Sponsor agrees to ensure persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects under this Agreement are equipped to do so respectfully and safely. 
In particular: to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) understand the responsibilities for information governance, including their obligation to Process Personal Data and/or Pseudonymised Data of Clinical Trial Subjects securely and to only disseminate or disclose for lawful and appropriate purposes; to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable Personal Data Breaches. The Sponsor agrees to take reasonable steps to proactively prevent Personal Data Breaches, and/or equivalent breaches relating to Pseudonymised Data of Clinical Trial Subjects, and to respond appropriately to incidents or near misses. In particular: to ensure that Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are only accessible to persons who need it for the purposes of the Clinical Trial and to remove access as soon as reasonably possible once it is no longer needed; to ensure all access to Personal Data and/or Pseudonymised Data of Clinical Trial Subjects on IT systems Processed for Clinical Trial purposes can be attributed to individuals; to review processes to identify and improve processes which have caused Personal Data Breaches or near misses, or which force persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects to use workarounds which compromise data security; to adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice; to take action immediately following a Personal Data Breach or near miss. 
The Sponsor agrees to ensure Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are Processed using secure and up-to-date technology. In particular: to ensure no unsupported operating systems, software or internet browsers are used to support the Processing of Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purposes of the Clinical Trial; to put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework; to ensure IT suppliers are held accountable via contracts for protecting Personal Data and/or Pseudonymised Data of Clinical Trial Subjects that they Process and for meeting all relevant information governance requirements. Freedom of Information The Sponsor acknowledges that the Participating Organisation is subject to the FOIA and associated guidance and codes of practice. If the Participating Organisation or its Agent(s) receive a request under the FOIA to disclose information relating to this Agreement (including but not limited to the Sponsor, Investigational Drugs (or their manufacturers), or the Clinical Trial), it will notify the Sponsor as soon as is reasonably practicable, and in any event, no later than five (5) working days after receiving the request. The Participating Organisation will consult with the Sponsor in accordance with all applicable guidance. The Sponsor acknowledges that subject to Clause 7.3.1, the decision on whether any exemption applies to a request for disclosure of recorded information under the FOIA is a decision solely for the Participating Organisation. The Sponsor shall cooperate with the Participating Organisation and shall use its reasonable endeavours to respond within ten (10) working days of the Participating Organisation’s reasonable request for assistance. 
Where the Participating Organisation determines that it will disclose information, notwithstanding any objections from the Sponsor, it will notify the Sponsor in writing, giving at least two (2) working days’ notice of its intended disclosure.

Appears in 2 contracts

Samples: pink.pharmaintelligence.informa.com, www.myresearchproject.org.uk

Processing of Clinical Trial Subject Personal Data. For the purpose of the Data Protection Laws and Guidance, the Sponsor is the Controller and the Participating Organisation is the Processor of Personal Data Processed for the purpose of the Clinical Trial. The Participating Organisation’s Processing of Personal Data, as a Processor of the Sponsor, shall be governed by this Agreement, including the Protocol, which sets out the subject matter, duration, nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects, and obligations and rights of the Sponsor as Controller. The Participating Organisation is the Controller of Personal Data Processed for purposes other than the Clinical Trial, e.g. the provision of medical care. The Participating Organisation, in its role as Processor of the Personal Data under Clause 6.2.1, agrees to only Process Personal Data for and on behalf of the Sponsor in accordance with the documented instructions of the Sponsor, including with regard to transfers of personal data to a third country or an international organisation. If the Participating Organisation is required by law to otherwise Process the Personal Data, the Participating Organisation shall notify the Sponsor before undertaking the Processing, or as soon as possible thereafter, unless such notification is prohibited on important grounds of public interest in accordance with GDPR Article 28(3)(a). In the case of such prohibition, the Participating Organisation shall notify the Sponsor as soon as possible once the prohibition is lifted, if it is lifted.
The Participating Organisation agrees to comply with the obligations applicable to Processors described by Article 28 of the GDPR, as well as those additional obligations required by the Sponsor pursuant to this Agreement, including but not limited to the following: implementing and maintaining appropriate technical and organisational security measures for Personal Data Processed in its systems, in keeping with its obligations as an HSE organisation, thereby providing guarantee to the Sponsor pursuant to GDPR Article 28(1); ensuring that Personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)); taking all measures required by GDPR Article 32 in relation to the security of Processing (GDPR Article 28(3)(c)); subject to Clause 6.2.6 complying with the conditions described in GDPR Article 28(2) and (4) for engaging another Processor (GDPR Article 28(3)(d)); taking into account the nature of the Processing, assist the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (GDPR Article 28(3)(e)); assisting the Controller, to ensure compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of the Processing and the information available to the Participating Organisation (GDPR Article 28(3)(f)); maintaining a record to demonstrate compliance with this Clause and Data Protection Laws and Guidance, including the records required pursuant to GDPR Article 30(2); in the event of any Personal Data Breach by the Participating Organisation as a Processor of the Sponsor, the Participating Organisation shall: (i) promptly and without undue delay following discovery of such Personal Data Breach, send written notice of the incident via e-mail to [INSERT EMAIL ADDRESS OF SPONSOR’S DATA PROTECTION OFFICER]; (ii) not
make any statements or notifications about the Personal Data Breach, as it relates to the Processing for the purpose of the Clinical Trial, to any individual affected by the incident, the public or any third party without Sponsor’s prior written approval; and (iii) immediately take steps to investigate and mitigate the Personal Data Breach and reasonably cooperate with the Sponsor. In furtherance of its obligations under Article 28 GDPR, the Participating Organisation agrees that it will not engage another Processor for the purpose of the Clinical Trial without the prior written authorisation of the Sponsor (GDPR Article 28(2)), excepting where that other Processor is a Participant Identification Centre (PIC), in which case Clause 6.2.6 (a) shall apply; In accordance with GDPR Article 28(2), the Participating Organisation may appoint PICs, on the basis of an unmodified template data processing agreement agreed in advance with the Sponsor, by notifying the Sponsor that they intend to contract the PIC. The Sponsor will be considered to have authorised this sub-processing if it does not notify the Participating Organisation to the contrary within five (5) business days. At the expiry or lapse of this Agreement, the Participating Organisation shall, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor unless there is a legal requirement for retention and storage (GDPR Article 28(3)(g)), and/or where that Personal Data is held by the Participating Organisation as Controller for its own purpose(s).
The Participating Organisation will: ensure that its Personnel and the Principal Investigator, do not Process Personal Data except in accordance with the Protocol and this Agreement; take all reasonable steps to ensure the reliability and integrity of the Principal Investigator and any of its Personnel who have access to the Personal Data and will ensure that the Principal Investigator and the Personnel: are aware and comply with the Participating Organisation’s duties under this Clause 6 (Data Protection); are subject to mandatory training in their information governance responsibilities and have appropriate contracts, including sanctions, including for breach of confidence or misuse of Personal Data; and are informed of the confidential nature of the Personal Data and understand their responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose it for lawful and appropriate purposes. The Participating Organisation agrees to: Provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement, and/or, at the Sponsor’s discretion and on reasonable notice, to allow the Sponsor, or a third party appointed by the Sponsor, to audit the Participating Organisation’s compliance with the obligations described in this Agreement, Data Protection Laws and Guidance (including but not limited to Article 28 GDPR), subject to the Sponsor, or its appointed third party, complying with all relevant health and safety and security policies of the Participating Organisation. Obtain prior written agreement of the Sponsor to Process Personal Data outside of the UK and the EEA. 
In addition to the Participating Organisation’s obligations under Clause 6.2.9(b), where the Participating Organisation, acting as the Sponsor’s Processor, Processes Personal Data outside of the UK and the EEA, the Participating Organisation warrants that it does so in compliance with the Data Protection Legislation and Guidance. Sharing of Personal Data and/or Clinical Trial Subject Pseudonymised Data Neither Personal Data nor Pseudonymised Data of Clinical Trial Subjects shall be transferred by the Participating Organisation to the Sponsor unless this is required directly or indirectly to satisfy the requirements of this Agreement, or for the purposes of monitoring and reporting of adverse events or in relation to a claim or proceeding brought by a Clinical Trial Subject in connection with the Clinical Trial or is otherwise required by applicable law. The Sponsor agrees not to pass Personal Data or Pseudonymised Data of Clinical Trial Subjects provided under this Agreement to a third party, unless that third party is bound by contractual obligations at least as stringent as in this Clause 6. The Sponsor agrees to use Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purpose of the Clinical Trial and in all circumstances for no purpose which is incompatible with the Clinical Trial purpose. The Sponsor further agrees not to disclose the Personal Data or Pseudonymised Data of Clinical Trial Subjects to any person except as required or permitted by law or applicable guidance. The Sponsor agrees to comply with the obligations placed on it as a Controller pursuant to Data Protection Laws and Guidance, including but not limited to demonstrating compliance with the principles relating to Processing of Personal Data (Article 5 GDPR). The Sponsor agrees to ensure persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects under this Agreement are equipped to do so respectfully and safely.
In particular: to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) understand the responsibilities for information governance, including their obligation to Process Personal Data and/or Pseudonymised Data of Clinical Trial Subjects securely and to only disseminate or disclose for lawful and appropriate purposes; to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable Personal Data Breaches. The Sponsor agrees to take reasonable steps to proactively prevent Personal Data Breaches, and/or equivalent breaches relating to Pseudonymised Data of Clinical Trial Subjects, and to respond appropriately to incidents or near misses. In particular: to ensure that Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are only accessible to persons who need it for the purposes of the Clinical Trial and to remove access as soon as reasonably possible once it is no longer needed; to ensure all access to Personal Data and/or Pseudonymised Data of Clinical Trial Subjects on IT systems Processed for Clinical Trial purposes can be attributed to individuals; to review processes to identify and improve processes which have caused Personal Data Breaches or near misses, or which force persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects to use workarounds which compromise data security; to adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice; to take action immediately following a Personal Data Breach or near miss. 
The Sponsor agrees to ensure Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are Processed using secure and up-to-date technology. In particular: to ensure no unsupported operating systems, software or internet browsers are used to support the Processing of Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purposes of the Clinical Trial; to put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework; to ensure IT suppliers are held accountable via contracts for protecting Personal Data and/or Pseudonymised Data of Clinical Trial Subjects that they Process and for meeting all relevant information governance requirements. Freedom of Information The Sponsor acknowledges that the Participating Organisation is subject to the FOIA and associated guidance and codes of practice. If the Participating Organisation or its Agent(s) receive a request under the FOIA to disclose information relating to this Agreement (including but not limited to the Sponsor, Investigational Drugs (or their manufacturers), or the Clinical Trial), it will notify the Sponsor as soon as is reasonably practicable, and in any event, no later than five (5) working days after receiving the request. The Participating Organisation will consult with the Sponsor in accordance with all applicable guidance. The Sponsor acknowledges that subject to Clause 7.3.1, the decision on whether any exemption applies to a request for disclosure of recorded information under the FOIA is a decision solely for the Participating Organisation. The Sponsor shall cooperate with the Participating Organisation and shall use its reasonable endeavours to respond within ten (10) working days of the Participating Organisation’s reasonable request for assistance. 
Where the Participating Organisation determines that it will disclose information, notwithstanding any objections from the Sponsor, it will notify the Sponsor in writing, giving at least two (2) working days’ notice of its intended disclosure.

Appears in 1 contract

Samples: www.beaumontethics.ie

Processing of Clinical Trial Subject Personal Data. For the purpose of the Data Protection Laws and Guidance, the Sponsor is the Controller and the Participating Organisation is the Processor of Personal Data Processed for the purpose of the Clinical Trial. The Participating Organisation’s Processing of Personal Data, as a Processor of the Sponsor, shall be governed by this Agreement, including the Protocol, which sets out the subject matter, duration, nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects, and obligations and rights of the Sponsor as Controller. The Participating Organisation is the Controller of Personal Data Processed for purposes other than the Clinical Trial, e.g. the provision of medical care. The Participating Organisation, in its role as Processor of the Personal Data under Clause 6.2.1, agrees to only Process Personal Data for and on behalf of the Sponsor in accordance with the documented instructions of the Sponsor, including with regard to transfers of personal data to a third country or an international organisation. If the Participating Organisation is required by law to otherwise Process the Personal Data, the Participating Organisation shall notify the Sponsor before undertaking the Processing, unless such notification is prohibited on important grounds of public interest in accordance with GDPR Article 28(3)(a). In the case of such prohibition, the Participating Organisation shall notify the Sponsor as soon as possible once the prohibition is lifted, if it is lifted. 
The Participating Organisation agrees to comply with the obligations applicable to Processors described by Article 28 of the GDPR, as well as those additional obligations required by the Sponsor pursuant to this Agreement, including but not limited to the following: implementing and maintaining appropriate technical and organisational security measures for Personal Data Processed in its systems, in keeping with its obligations as an NHS organisation, thereby providing guarantee to the Sponsor pursuant to GDPR Article 28(1); ensuring that Personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)); taking all measures required by GDPR Article 32 in relation to the security of Processing (GDPR Article 28(3)(c)); subject to Clause 6.2.6 complying with the conditions described in GDPR Article 28(2) and (4) for engaging another Processor (GDPR Article 28(3)(d)); taking into account the nature of the Processing, assist the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (GDPR Article 28(3)(e)); assisting the Controller, to ensure compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of the Processing and the information available to the Participating Organisation (GDPR Article 28(3)(f)); maintaining a record to demonstrate compliance with this Clause and Data Protection Laws and Guidance, including the records required pursuant to GDPR Article 30(2); in the event of any Personal Data Breach by the Participating Organisation as a Processor of the Sponsor, the Participating Organisation shall: (i) promptly and without undue delay following discovery of such Personal Data Breach, send written notice of the incident via e-mail to [insert]; (ii) not make any statements or notifications about the Personal Data 
Breach, as it relates to the Processing for the purpose of the Clinical Trial, to any individual affected by the incident, the public or any third party without Sponsor’s prior written approval; and (iii) immediately take steps to investigate and mitigate the Personal Data Breach and reasonably cooperate with the Sponsor. In furtherance of its obligations under Article 28 GDPR, the Participating Organisation agrees that it will not engage another Processor for the purpose of the Clinical Trial without the prior written authorisation of the Sponsor (GDPR Article 28(2)), excepting where that other Processor is a Participant Identification Centre (PIC), in which case Clause 6.2.6 (a) shall apply; In accordance with GDPR Article 28(2), the Participating Organisation may appoint PICs, on the basis of an unmodified template data processing agreement agreed in advance with the Sponsor, by notifying the Sponsor that they intend to contract the PIC. The Sponsor will be considered to have authorised this sub-processing if it does not notify the Participating Organisation to the contrary within [INSERT NUMBER, FOR EXAMPLE, FIVE (5)] business days. At the expiry or lapse of this Agreement, the Participating Organisation shall, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor unless there is a legal requirement for retention and storage (GDPR Article 28(3)(g)), and/or where that Personal Data is held by the Participating Organisation as Controller for its own purpose(s). 
The Participating Organisation will: ensure that its Personnel and the Principal Investigator, do not Process Personal Data except in accordance with the Protocol and this Agreement; take all reasonable steps to ensure the reliability and integrity of the Principal Investigator and any of its Personnel who have access to the Personal Data and will ensure that the Principal Investigator and the Personnel: are aware and comply with the Participating Organisation’s duties under this Clause 6 (Data Protection); are subject to mandatory training in their information governance responsibilities and have appropriate contracts, including sanctions, including for breach of confidence or misuse of Personal Data; and are informed of the confidential nature of the Personal Data and understand their responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose it for lawful and appropriate purposes. The Participating Organisation agrees to: Provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement, and/or, at the Sponsor’s discretion and on reasonable notice, to allow the Sponsor, or a third party appointed by the Sponsor, to audit the Participating Organisation’s compliance with the obligations described in this Agreement, Data Protection Laws and Guidance (including but not limited to Article 28 GDPR), subject to the Sponsor, or its appointed third party, complying with all relevant health and safety and security policies of the Participating Organisation. Obtain prior written agreement of the Sponsor to Process Personal Data outside of the UK and the EEA. 
In addition to the Participating Organisation’s obligations under Clause 6.2.9(b), where the Participating Organisation, acting as the Sponsor’s Processor, Processes Personal Data outside of the UK and the EEA, the Participating Organisation warrants that it does so in compliance with the Data Protection Laws and Guidance. Sharing of Personal Data and/or Clinical Trial Subject Pseudonymised Data Neither Personal Data nor Pseudonymised Data of Clinical Trial Subjects shall be transferred by the Participating Organisation to the Sponsor unless this is required directly or indirectly to satisfy the purposes of this Agreement, or for the purposes of monitoring and reporting of adverse events or in relation to a claim or proceeding brought by a Clinical Trial Subject in connection with the Clinical Trial or is otherwise required by applicable law. The Sponsor agrees not to pass Personal Data or Pseudonymised Data of Clinical Trial Subjects provided under this Agreement to a third party, unless that third party is bound by contractual obligations at least as stringent as in this Clause 6. The Sponsor agrees to use Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purpose of the Clinical Trial and in all circumstances for no purpose which is incompatible with the Clinical Trial purpose. The Sponsor further agrees not to disclose the Personal Data or Pseudonymised Data of Clinical Trial Subjects to any person except as required or permitted by law or applicable guidance. The Sponsor agrees to comply with the obligations placed on it as a Controller pursuant to Data Protection Laws and Guidance, including but not limited to demonstrating compliance with the principles relating to Processing of Personal Data (Article 5 GDPR). The Sponsor agrees to ensure persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects under this Agreement are equipped to do so respectfully and safely. 
In particular: to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) understand the responsibilities for information governance, including their obligation to Process Personal Data and/or Pseudonymised Data of Clinical Trial Subjects securely and to only disseminate or disclose for lawful and appropriate purposes; to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable Personal Data Breaches. The Sponsor agrees to take reasonable steps to proactively prevent Personal Data Breaches, and/or equivalent breaches relating to Pseudonymised Data of Clinical Trial Subjects, and to respond appropriately to incidents or near misses. In particular: to ensure that Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are only accessible to persons who need it for the purposes of the Clinical Trial and to remove access as soon as reasonably possible once it is no longer needed; to ensure all access to Personal Data and/or Pseudonymised Data of Clinical Trial Subjects on IT systems Processed for Clinical Trial purposes can be attributed to individuals; to review processes to identify and improve processes which have caused Personal Data Breaches or near misses, or which force persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects to use workarounds which compromise data security; to adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice; to take action immediately following a Personal Data Breach or near miss. 
The Sponsor agrees to ensure Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are Processed using secure and up-to-date technology. In particular: to ensure no unsupported operating systems, software or internet browsers are used to support the Processing of Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purposes of the Clinical Trial; to put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework; to ensure IT suppliers are held accountable via contracts for protecting Personal Data and/or Pseudonymised Data of Clinical Trial Subjects that they Process and for meeting all relevant information governance requirements. Freedom of Information The Sponsor acknowledges that the Participating Organisation is subject to the FOIA and associated guidance and codes of practice. If the Participating Organisation or its Agent(s) receive a request under the FOIA to disclose information relating to this Agreement (including but not limited to the Sponsor, Investigational Drugs (or their manufacturers), or the Clinical Trial), it will notify the Sponsor as soon as is reasonably practicable, and in any event, no later than five (5) working days after receiving the request. The Participating Organisation will consult with the Sponsor in accordance with all applicable guidance. The Sponsor acknowledges that subject to Clause 7.3.1, the decision on whether any exemption applies to a request for disclosure of recorded information under the FOIA is a decision solely for the Participating Organisation. The Sponsor shall cooperate with the Participating Organisation and shall use its reasonable endeavours to respond within ten (10) working days of the Participating Organisation’s reasonable request for assistance. 
Where the Participating Organisation determines that it will disclose information, notwithstanding any objections from the Sponsor, it will notify the Sponsor in writing, giving at least two (2) working days’ notice of its intended disclosure.

Appears in 1 contract

Samples: research.hscni.net

Processing of Clinical Trial Subject Personal Data. For the purpose of the Data Protection Laws and Guidance, the Sponsor is the Controller and the Trial Site is the Processor of Personal Data Processed for the purpose of the Clinical Trial. The Trial Site’s Processing of Personal Data, as a Processor of the Sponsor, shall be governed by this Agreement, including the Protocol, which sets out the subject matter, duration, nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects, and obligations and rights of the Sponsor as Controller. The Trial Site is the Controller of Personal Data Processed for purposes other than the Clinical Trial, e.g. the provision of medical care. The Trial Site, in its role as Processor of the Personal Data under Clause 6.2.1, agrees to only Process Personal Data for and on behalf of the Sponsor in accordance with the documented instructions of the Sponsor, including with regard to transfers of personal data to a third country or an international organisation. If the Trial Site is required by law to otherwise Process the Personal Data, the Trial Site shall notify the [Sponsor] [and the] [or the] [CRO] (delete as appropriate) before undertaking the Processing, unless such notification is prohibited on important grounds of public interest in accordance with GDPR Article 28(3)(a). In the case of such prohibition, the Trial Site shall notify the [Sponsor] [and the] [or the] [CRO] (delete as appropriate) as soon as possible once the prohibition is lifted, if it is lifted.
The Trial Site agrees to comply with the obligations applicable to Processors described by Article 28 of the GDPR, as well as those additional obligations required by the Sponsor pursuant to this Agreement, including but not limited to the following: implementing and maintaining appropriate technical and organisational security measures for Personal Data Processed in its systems, in keeping with its obligations as an NHS organisation, thereby providing guarantee to the Sponsor pursuant to GDPR Article 28(1); ensuring that Personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)); taking all measures required by GDPR Article 32 in relation to the security of Processing (GDPR Article 28(3)(c)); subject to Clause 6.2.6 complying with the conditions described in GDPR Article 28(2) and (4) for engaging another Processor (GDPR Article 28(3)(d)); taking into account the nature of the Processing, assist the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (GDPR Article 28(3)(e)); assisting the Controller, to ensure compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of the Processing and the information available to the Trial Site (GDPR Article 28(3)(f)); maintaining a record to demonstrate compliance with this Clause and Data Protection Laws and Guidance, including the records required pursuant to GDPR Article 30(2); in the event of any Personal Data Breach by the Trial Site as a Processor of the Sponsor, the Trial Site shall: (i) promptly and without undue delay following discovery of such Personal Data Breach, send written notice of the incident via e-mail to [insert]; (ii) not make any statements 
or notifications about the Personal Data Breach, as it relates to the Processing for the purpose of the Clinical Trial, to any individual affected by the incident, the public or any third party without [Sponsor’s] [CRO’s] (delete as appropriate) prior written approval; and (iii) immediately take steps to investigate and mitigate the Personal Data Breach and reasonably cooperate with the Sponsor and/or CRO. In furtherance of its obligations under Article 28 GDPR, the Trial Site agrees that it will not engage another Processor for the purpose of the Clinical Trial without the prior written authorisation from or on behalf of the Sponsor (GDPR Article 28(2)), excepting where that other Processor is a Participant Identification Centre (PIC), in which case Clause 6.2.6 (a) shall apply; In accordance with GDPR Article 28(2), the Trial Site may appoint PICs, on the basis of an unmodified template data processing agreement agreed in advance with or on behalf of the Sponsor, by notifying the [Sponsor] [CRO] (delete as appropriate) that they intend to contract the PIC. The Sponsor will be considered to have authorised this sub-processing if [Sponsor] [CRO] (delete as appropriate) does not notify the Trial Site to the contrary within [INSERT NUMBER, FOR EXAMPLE, FIVE (5)] business days. At the expiry or lapse of this Agreement, the Trial Site shall, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor unless there is a legal requirement for retention and storage (GDPR Article 28(3)(g)), and/or where that Personal Data is held by the Trial Site as Controller for its own purpose(s). 
The Trial Site will: ensure that its Personnel and the Principal Investigator, do not Process Personal Data except in accordance with the Protocol and this Agreement; take all reasonable steps to ensure the reliability and integrity of the Principal Investigator and any of its Personnel who have access to the Personal Data and will ensure that the Principal Investigator and the Personnel: are aware and comply with the Trial Site’s duties under this Clause 6 (Data Protection); are subject to mandatory training in their information governance responsibilities and have appropriate contracts, including sanctions, including for breach of confidence or misuse of Personal Data; and are informed of the confidential nature of the Personal Data and understand their responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose it for lawful and appropriate purposes. The Trial Site agrees to: Provide the Sponsor and/or CRO with evidence of its compliance with the obligations set out in this Agreement, and/or, at the Sponsor and/or CROs discretion and on reasonable notice, to allow the Sponsor and/or CRO, or a third party appointed by the Sponsor and/or CRO, to audit the Trial Site’s compliance with the obligations described in this Agreement, Data Protection Laws and Guidance (including but not limited to Article 28 GDPR), subject to the Sponsor and/or CRO, or the appointed third party, complying with all relevant health and safety and security policies of the Trial Site. Obtain prior written agreement of the [Sponsor] [CRO] [delete as appropriate] to Process Personal Data outside of the UK and the EEA. 
In addition to the Trial Site’s obligations under Clause 6.2.9(b), where the Trial Site, acting as the Sponsor’s Processor, Processes Personal Data outside of the UK and the EEA, the Trial Site warrants that it does so in compliance with the Data Protection Laws and Guidance. Sharing of Personal Data and/or Clinical Trial Subject Pseudonymised Data Neither Personal Data nor Pseudonymised Data of Clinical Trial Subjects shall be transferred by the Trial Site to the Sponsor and/or CRO unless this is required directly or indirectly to satisfy the purposes of this Agreement, or for the purposes of monitoring and reporting of adverse events or in relation to a claim or proceeding brought by a Clinical Trial Subject in connection with the Clinical Trial or is otherwise required by applicable law. The Sponsor and CRO agree not to pass Personal Data or Pseudonymised Data of Clinical Trial Subjects provided under this Agreement to a third party, unless that third party is bound by contractual obligations at least as stringent as in this Clause 6. The Sponsor and CRO agree to use Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purpose of the Clinical Trial and in all circumstances for no purpose which is incompatible with the Clinical Trial purpose. The Sponsor and CRO further agree not to disclose the Personal Data or Pseudonymised Data of Clinical Trial Subjects to any person except as required or permitted by law or applicable guidance. The Sponsor agrees to comply with the obligations placed on it as a Controller pursuant to Data Protection Laws and Guidance, including but not limited to demonstrating compliance with the principles relating to Processing of Personal Data (Article 5 GDPR). 
The Sponsor and CRO agree to ensure persons Processing Personal Data and/or processing Pseudonymised Data of actual or potential Clinical Trial Subjects under this Agreement are equipped to do so respectfully and safely. In particular: to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Trial Site or any Other Trial Site(s)) understand the responsibilities for information governance, including their obligation to Process Personal Data and/or process Pseudonymised Data of Clinical Trial Subjects securely and to only disseminate or disclose for lawful and appropriate purposes; to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Trial Site or any Other Trial Site(s)) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable Personal Data Breaches. The Sponsor and CRO agree to take reasonable steps to proactively prevent Personal Data Breaches, and/or equivalent breaches relating to Pseudonymised Data of Clinical Trial Subjects, and to respond appropriately to incidents or near misses. 
In particular: to ensure that Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are only accessible to persons who need it for the purposes of the Clinical Trial and to remove access as soon as reasonably possible once it is no longer needed; to ensure all access to Personal Data and/or Pseudonymised Data of Clinical Trial Subjects on IT systems Processed for Clinical Trial purposes can be attributed to individuals; to review processes to identify and improve processes which have caused Personal Data Breaches or near misses, or which force persons Processing Personal Data and/or processing Pseudonymised Data of Clinical Trial Subjects to use workarounds which compromise data security; to adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice; to take action immediately following a Personal Data Breach or near miss. The Sponsor and CRO agree to ensure Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are Processed/processed using secure and up-to-date technology. In particular: to ensure no unsupported operating systems, software or internet browsers are used to support the Processing of Personal Data and/or processing of Pseudonymised Data of Clinical Trial Subjects for the purposes of the Clinical Trial; to put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework; to ensure IT suppliers are held accountable via contracts for protecting Personal Data and/or Pseudonymised Data of Clinical Trial Subjects that they Process/process and for meeting all relevant information governance requirements. Freedom of Information The Sponsor acknowledges that the Participating Organisation is subject to the FOIA and associated guidance and codes of practice. 
If the Participating Organisation or its Agent(s) receive a request under the FOIA to disclose information relating to this Agreement (including but not limited to the Sponsor, Investigational Drugs (or their manufacturers), or the Clinical Trial), it will notify the Sponsor as soon as is reasonably practicable, and in any event, no later than five (5) working days after receiving the request. The Participating Organisation will consult with the Sponsor in accordance with all applicable guidance. The Sponsor acknowledges that subject to Clause 7.3.1, the decision on whether any exemption applies to a request for disclosure of recorded information under the FOIA is a decision solely for the Participating Organisation. The Sponsor shall cooperate with the Participating Organisation and shall use its reasonable endeavours to respond within ten (10) working days of the Participating Organisation’s reasonable request for assistance. Where the Participating Organisation determines that it will disclose information, notwithstanding any objections from the Sponsor, it will notify the Sponsor in writing, giving at least two (2) working days’ notice of its intended disclosure.

Appears in 1 contract

Samples: www.myresearchproject.org.uk

Processing of Clinical Trial Subject Personal Data. For the purpose of the Data Protection Laws and Guidance, the Sponsor is the Controller and the Participating Organisation is the Processor of Personal Data Processed for the purpose of the Clinical Trial. The Participating Organisation’s Processing of Personal Data, as a Processor of the Sponsor, shall be governed by this Agreement, including the Protocol, which sets out the subject matter, duration, nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects, and obligations and rights of the Sponsor as Controller. The Participating Organisation is the Controller of Personal Data Processed for purposes other than the Clinical Trial, e.g. the provision of medical care. The Participating Organisation, in its role as Processor of the Personal Data under clause 6.2.1, agrees to only Process Personal Data for and on behalf of the Sponsor in accordance with the documented instructions of the Sponsor, including with regard to transfers of personal data to a third country or an international organisation. If the Participating Organisation is required by law to otherwise Process the Personal Data, the Participating Organisation shall notify the Sponsor before undertaking the Processing, or as soon as possible thereafter, unless such notification is prohibited on important grounds of public interest in accordance with GDPR Article 28(3)(a). In the case of such prohibition, the Participating Organisation shall notify the Sponsor as soon as possible once the prohibition is lifted, if it is lifted. 
The Participating Organisation agrees to comply with the obligations applicable to Processors described by Article 28 of the GDPR, as well as those additional obligations required by the Sponsor pursuant to this Agreement, including but not limited to the following: implementing and maintaining appropriate technical and organisational security measures for Personal Data Processed in its systems, in keeping with its obligations as an NHS organisation, thereby providing guarantee to the Sponsor pursuant to GDPR Article 28(1); ensuring that Personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)); taking all measures required by GDPR Article 32 in relation to the security of Processing (GDPR Article 28(3)(c)); subject to Clause 6.2.6 complying with the conditions described in GDPR Article 28(2) and (4) for engaging another Processor (GDPR Article 28(3)(d)); taking into account the nature of the Processing, assist the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (GDPR Article 28(3)(e)); assisting the Controller, to ensure compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of the Processing and the information available to the Participating Organisation (GDPR Article 28(3)(f)); maintaining a record to demonstrate compliance with this Clause and Data Protection Laws and Guidance, including the records required pursuant to GDPR Article 30(2); in the event of any Personal Data Breach by the Participating Organisation as a Processor of the Sponsor, the Participating Organisation shall: (i) promptly and without undue delay following discovery of such Personal Data Breach, send written notice of the incident via e-mail to [insert]; (ii) not make any statements or notifications about the Personal Data 
Breach, as it relates to the Processing for the purpose of the Clinical Trial, to any individual affected by the incident, the public or any third party without Sponsor’s prior written approval; and (iii) immediately take steps to investigate and mitigate the Personal Data Breach and reasonably cooperate with the Sponsor. In furtherance of its obligations under Article 28 GDPR, the Participating Organisation agrees that it will not engage another Processor for the purpose of the Clinical Trial without the prior written authorisation of the Sponsor (GDPR Article 28(2)), excepting where that other Processor is a Participant Identification Centre (PIC), in which case Clause 6.2.6 (a) shall apply; In accordance with GDPR Article 28(2), the Participating Organisation may appoint PICs, on the basis of an unmodified template data processing agreement agreed in advance with the Sponsor, by notifying the Sponsor that they intend to contract the PIC. The Sponsor will be considered to have authorised this sub-processing if it does not notify the Participating Organisation to the contrary within [INSERT NUMBER, FOR EXAMPLE, FIVE five (5)] ) business days. At the expiry or lapse of this Agreement, the Participating Organisation shall, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor unless there is a legal requirement for retention and storage (GDPR Article 28(3)(g)), and/or where that Personal Data is held by the Participating Organisation as Controller for its own purpose(s). 
The Participating Organisation will: ensure that its Personnel and the Principal Investigator, do not Process Personal Data except in accordance with the Protocol and this Agreement; take all reasonable steps to ensure the reliability and integrity of the Principal Investigator and any of its Personnel who have access to the Personal Data and will ensure that the Principal Investigator and the Personnel: are aware and comply with the Participating Organisation’s duties under this Clause 6 (Data Protection); are subject to mandatory training in their information governance responsibilities and have appropriate contracts, including sanctions, including for breach of confidence or misuse of Personal Data; and are informed of the confidential nature of the Personal Data and understand their responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose it for lawful and appropriate purposes. The Participating Organisation agrees to: Provide the Sponsor with evidence of its compliance with the obligations set out in this Agreement, and/or, at the Sponsor’s discretion and on reasonable notice, to allow the Sponsor, or a third party appointed by the Sponsor, to audit the Participating Organisation’s compliance with the obligations described in this Agreement, Data Protection Laws and Guidance (including but not limited to Article 28 GDPR), subject to the Sponsor, or its appointed third party, complying with all relevant health and safety and security policies of the Participating Organisation. Obtain prior written agreement of the Sponsor to Process Personal Data outside of the UK and the EEA. 
In addition to the Participating Organisation’s obligations under Clause 6.2.9(b), where the Participating Organisation, acting as the Sponsor’s Processor, Processes Personal Data outside of the UK and the EEA, the Participating Organisation warrants that it does so in compliance with the Data Protection Legislation and Guidance. Sharing of Personal Data and/or Clinical Trial Subject Pseudonymised Data Neither Personal Data nor Pseudonymised Data of Clinical Trial Subjects shall be transferred by the Participating Organisation to the Sponsor unless this is required directly or indirectly to satisfy the requirements of this Agreement, or for the purposes of monitoring and reporting of adverse events or in relation to a claim or proceeding brought by a Clinical Trial Subject in connection with the Clinical Trial or is otherwise required by applicable law. The Sponsor agrees not to pass Personal Data or Pseudonymised Data of Clinical Trial Subjects provided under this Agreement to a third party, unless that third party is bound by contractual obligations at least as stringent as in this clause 6. The Sponsor agrees to use Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purpose of the Clinical Trial and in all circumstances for no purpose which is incompatible with the Clinical Trial purpose. The Sponsor further agrees not to disclose the Personal Data or Pseudonymised Data of Clinical Trial Subjects to any person except as required or permitted by law or applicable guidance. The Sponsor agrees to comply with the obligations placed on it as a Controller pursuant to Data Protection Laws and Guidance, including but not limited to demonstrating compliance with the principles relating to Processing of Personal Data (Article 5 GDPR). The Sponsor agrees to ensure persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects under this Agreement are equipped to do so respectfully and safely. 
In particular: to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) understand the responsibilities for information governance, including their obligation to Process Personal Data and/or Pseudonymised Data of Clinical Trial Subjects securely and to only disseminate or disclose for lawful and appropriate purposes; to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable Personal Data Breaches. The Sponsor agrees to take reasonable steps to proactively prevent Personal Data Breaches, and/or equivalent breaches relating to Pseudonymised Data of Clinical Trial Subjects, and to respond appropriately to incidents or near misses. In particular: to ensure that Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are only accessible to persons who need it for the purposes of the Clinical Trial and to remove access as soon as reasonably possible once it is no longer needed; to ensure all access to Personal Data and/or Pseudonymised Data of Clinical Trial Subjects on IT systems Processed for Clinical Trial purposes can be attributed to individuals; to review processes to identify and improve processes which have caused Personal Data Breaches or near misses, or which force persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects to use workarounds which compromise data security; to adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice; to take action immediately following a Personal Data Breach or near miss. 
The Sponsor agrees to ensure Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are Processed using secure and up-to-date technology. In particular: to ensure no unsupported operating systems, software or internet browsers are used to support the Processing of Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purposes of the Clinical Trial; to put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework; to ensure IT suppliers are held accountable via contracts for protecting Personal Data and/or Pseudonymised Data of Clinical Trial Subjects that they Process and for meeting all relevant information governance requirements. Freedom of Information The Sponsor acknowledges that the Participating Organisation is subject to the FOIA and associated guidance and codes of practice. If the Participating Organisation or its Agent(s) receive a request under the FOIA to disclose information relating to this Agreement (including but not limited to the Sponsor, Investigational Drugs (or their manufacturers), or the Clinical Trial), it will notify the Sponsor as soon as is reasonably practicable, and in any event, no later than five (5) working days after receiving the request. The Participating Organisation will consult with the Sponsor in accordance with all applicable guidance. The Sponsor acknowledges that subject to Clause 7.3.1, the decision on whether any exemption applies to a request for disclosure of recorded information under the FOIA is a decision solely for the Participating Organisation. The Sponsor shall cooperate with the Participating Organisation and shall use its reasonable endeavours to respond within ten (10) working days of the Participating Organisation’s reasonable request for assistance. 
Where the Participating Organisation determines that it will disclose information, notwithstanding any objections from the Sponsor, it will notify the Sponsor in writing, giving at least two (2) working days’ notice of its intended disclosure.

Appears in 1 contract

Samples: scrip.pharmaintelligence.informa.com

Processing of Clinical Trial Subject Personal Data. For the purpose of the Data Protection Laws and GuidanceLaws, the Sponsor is the Controller and Controller, the Participating Organisation is the Processor and the PIC is the Sub-Processor of the Participating Organisation in relation to the Processing of Personal Data Processed for the purpose of the Clinical Trial. The Participating OrganisationPIC’s Processing of Personal Data, Data as a Sub-Processor of the Sponsor, Participating Organisation shall be governed by this Agreement, including the Protocol, which sets out the subject matter, duration, nature nature, and purpose of the Processing, the type of Personal Data and the categories of Data Subjectsdata subjects, and obligations and rights of the Sponsor as Controller. The Participating Organisation PIC is the Controller of Personal Data Processed that it processes for purposes other than the Clinical Trial, e.g. the provision of medical care. The Participating OrganisationPIC, in its role as Processor of the Personal Data under Clause 6.2.1clause 3.2.1, agrees to only Process Personal Data for and on behalf of the Sponsor Participating Organisation in accordance with the documented instructions of the Sponsor, including with regard to transfers of personal data to a third country or an international organisationSponsor and/or Participating Organisation. If the Participating Organisation PIC is required by law to otherwise Process process the Personal Data, Data the PIC shall notify the Participating Organisation shall notify the Sponsor before undertaking the Processing, Processing or as soon as possible thereafter unless such notification is prohibited on important grounds of public interest in accordance with GDPR Article 28(3)(a). In the case of such prohibition, the Participating Organisation shall notify the Sponsor as soon as possible once the prohibition is lifted, if it is lifted. 
The Participating Organisation PIC agrees to comply with the obligations applicable to Processors described by Article 28 of the GDPR, as well as those additional obligations required by the Sponsor Participating Organisation pursuant to this Agreement, including but not limited to the following: implementing and maintaining appropriate technical and organisational security measures for Personal Data Processed processed in its own systems, in keeping with its obligations as an NHS organisation, thereby providing guarantee to the Sponsor pursuant to GDPR Article 28(1); ensuring that Personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality obligations (Article 28(3)(b28(3b)); taking all measures required by GDPR Article 32 in relation to the security of Processing processing (GDPR Article 28(3)(c28(3c)); subject to Clause 6.2.6 complying with the conditions described in GDPR Article 28(2) and (4) for engaging another Processor (GDPR Article 28(3)(d28(3d)); taking into account the nature of the Processing, assist the SponsorSponsor and/or the Participating Organisation, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (GDPR Article 28(3)(e28(3e)); assisting the Controller, to ensure compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of the Processing and the information available to the Participating Organisation PIC (GDPR Article 28(3)(f28(3f)); maintaining a record to demonstrate compliance with this Clause and Data Protection Laws and GuidanceLaws, including the records required pursuant to GDPR Article 30(2); . 
in the event of any Personal Data Breach by the Participating Organisation PIC as a Sub-Processor of the SponsorParticipating Organisation, the Participating Organisation PIC shall: (i) promptly and without undue delay following discovery of such Personal Data Breach, send written notice of the incident via e-mail to [insert]; ] (ii) not make any statements or notifications about the Personal Data Breach, as it relates to the Processing for the purpose of the Clinical Trial, Breach to any individual affected by the incident, the public or any third party without SponsorSponsor or Participating Organisation’s prior written approval; and (iii) immediately take steps to investigate and mitigate the Personal Data Breach and reasonably cooperate with Sponsor and the SponsorParticipating Organisation. In furtherance of its obligations under Article 28 GDPR, the Participating Organisation PIC agrees that it will not engage another Processor for the purpose of the Clinical Trial without the prior written authorisation of the Sponsor or Participating Organisation (GDPR Article 28(2)), excepting where that other Processor is a Participant Identification Centre (PIC), in which case Clause 6.2.6 (a) shall apply; In accordance with GDPR Article 28(2), the Participating Organisation may appoint PICs, on the basis of an unmodified template data processing agreement agreed in advance with the Sponsor, by notifying the Sponsor that they intend to contract the PIC. The Sponsor will be considered to have authorised this sub-processing if it does not notify the Participating Organisation to the contrary within [INSERT NUMBER, FOR EXAMPLE, FIVE (5)] business days. 
At the expiry or lapse of this Agreement, the Participating Organisation PIC shall, at the choice of the SponsorParticipating Organisation, destroy or return all Personal Data to the Sponsor or Participating Organisation unless there is a legal requirement for retention and storage (GDPR Article 28(3)(g28(3g)), and/or ) or where that Personal Data is held by the Participating Organisation PIC as Controller for its own purpose(s)purpose/s, outside of the Clinical Trial. The Participating Organisation willPIC agrees that it shall ensure that: ensure that its Its Personnel and the Principal Investigator, do not Process Personal Data except in accordance with the Protocol and this Agreement; take It takes all reasonable steps to ensure the reliability and integrity of the Principal Investigator and any of its Personnel who have access to the Personal Data and will ensure that the Principal Investigator and the Personnel: are aware and comply with the Participating OrganisationPIC’s duties under this Clause 6 3 (Confidentiality and Data Protection); are subject to mandatory training in their information governance responsibilities and have appropriate contracts, including sanctions, including for breach of confidence or misuse of Personal Data; and are informed of the confidential nature of the Personal Data and understand their the responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose it for lawful and appropriate purposes. 
The PIC agrees to: Provide the Sponsor and/or the Participating Organisation with evidence of its compliance with the obligations set out in this Agreement, or, at the Sponsor and/or Participating Organisation’s discretion and on reasonable notice, to allow the Sponsor, Participating Organisation or a third party appointed by the Sponsor or Participating Organisation, to audit the PIC’s compliance with the obligations described in this Agreement, Data Protection Legislation and Guidance (and Article 28 GDPR), subject to the Sponsor, Participating Organisation or its appointed third party, complying with all relevant health and safety and security policies of the PIC. Obtain prior written agreement of the Sponsor or Participating Organisation to Process Personal Data outside of the UK and the EEA. Where the PIC, acting as the Sponsor’s Processor, Processes Personal Data outside of the UK and the EEA, the PIC warrants that it does so in compliance with the Data Protection Legislation and Guidance.

SIGN OFF* Each Party represents that it has ‘redlined’ or otherwise called attention to all changes that it made and sent to the other Party in previously-sent drafts of this Agreement. Signed by the duly authorised representatives of the Parties.

SIGNED ON BEHALF OF THE PARTICIPATING ORGANISATION
Name: ………… Position: ………… Signature: ………… Date: …………

SIGNED ON BEHALF OF THE PIC
Name: ………… Position: ………… Signature: ………… Date: …………

* Duly authorised scanned signatures shall be mutually acceptable and email deemed a valid medium for exchanging signed copies of this Agreement, which may be executed in counterpart.

Sharing of Personal Data and/or Clinical Trial Subject Pseudonymised Data Neither Personal Data nor Pseudonymised Data of Clinical Trial Subjects shall be transferred by the Participating Organisation to the Sponsor unless this is required directly or indirectly to satisfy the purposes of this Agreement, or for the purposes of monitoring and reporting of adverse events or in relation to a claim or proceeding brought by a Clinical Trial Subject in connection with the Clinical Trial or is otherwise required by applicable law. The Sponsor agrees not to pass Personal Data or Pseudonymised Data of Clinical Trial Subjects provided under this Agreement to a third party, unless that third party is bound by contractual obligations at least as stringent as in this Clause 6. The Sponsor agrees to use Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purpose of the Clinical Trial and in all circumstances for no purpose which is incompatible with the Clinical Trial purpose. The Sponsor further agrees not to disclose the Personal Data or Pseudonymised Data of Clinical Trial Subjects to any person except as required or permitted by law or applicable guidance. The Sponsor agrees to comply with the obligations placed on it as a Controller pursuant to Data Protection Laws and Guidance, including but not limited to demonstrating compliance with the principles relating to Processing of Personal Data (Article 5 GDPR). The Sponsor agrees to ensure persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects under this Agreement are equipped to do so respectfully and safely.
In particular: to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) understand the responsibilities for information governance, including their obligation to Process Personal Data and/or Pseudonymised Data of Clinical Trial Subjects securely and to only disseminate or disclose for lawful and appropriate purposes; to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable Personal Data Breaches. The Sponsor agrees to take reasonable steps to proactively prevent Personal Data Breaches, and/or equivalent breaches relating to Pseudonymised Data of Clinical Trial Subjects, and to respond appropriately to incidents or near misses. In particular: to ensure that Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are only accessible to persons who need it for the purposes of the Clinical Trial and to remove access as soon as reasonably possible once it is no longer needed; to ensure all access to Personal Data and/or Pseudonymised Data of Clinical Trial Subjects on IT systems Processed for Clinical Trial purposes can be attributed to individuals; to review processes to identify and improve processes which have caused Personal Data Breaches or near misses, or which force persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects to use workarounds which compromise data security; to adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice; to take action immediately following a Personal Data Breach or near miss. 
The Sponsor agrees to ensure Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are Processed using secure and up-to-date technology. In particular: to ensure no unsupported operating systems, software or internet browsers are used to support the Processing of Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purposes of the Clinical Trial; to put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework; to ensure IT suppliers are held accountable via contracts for protecting Personal Data and/or Pseudonymised Data of Clinical Trial Subjects that they Process and for meeting all relevant information governance requirements. Freedom of Information The Sponsor acknowledges that the Participating Organisation is subject to the FOIA and associated guidance and codes of practice. If the Participating Organisation or its Agent(s) receive a request under the FOIA to disclose information relating to this Agreement (including but not limited to the Sponsor, Investigational Drugs (or their manufacturers), or the Clinical Trial), it will notify the Sponsor as soon as is reasonably practicable, and in any event, no later than five (5) working days after receiving the request. The Participating Organisation will consult with the Sponsor in accordance with all applicable guidance. The Sponsor acknowledges that subject to Clause 7.3.1, the decision on whether any exemption applies to a request for disclosure of recorded information under the FOIA is a decision solely for the Participating Organisation. The Sponsor shall cooperate with the Participating Organisation and shall use its reasonable endeavours to respond within ten (10) working days of the Participating Organisation’s reasonable request for assistance. 
Where the Participating Organisation determines that it will disclose information, notwithstanding any objections from the Sponsor, it will notify the Sponsor in writing, giving at least two (2) working days’ notice of its intended disclosure.

Appears in 1 contract

Samples: www.myresearchproject.org.uk

Processing of Clinical Trial Subject Personal Data. For the purpose of the Data Protection Laws and Guidance, the Sponsor is the Controller, the Participating Organisation is the Processor and the PIC is the Sub-Processor of the Participating Organisation in relation to the Processing of Personal Data Processed for the purpose of the Clinical Trial. The PIC’s Processing of Personal Data, as a Sub-Processor of the Participating Organisation, shall be governed by this Agreement, including the Protocol, which sets out the subject matter, duration, nature, and purpose of the Processing, the type of Personal Data and the categories of data subjects, and obligations and rights of the Sponsor as Controller and Participating Organisation as Sub-Processor. The PIC is the Controller of Personal Data that it processes for purposes other than the Clinical Trial, e.g. the provision of medical care. The PIC, in its role as Processor of the Personal Data under Clause 3.2.1, agrees to only Process Personal Data for and on behalf of the Sponsor in accordance with the documented instructions of the Sponsor and/or Participating Organisation, including with regard to transfers of personal data to a third country or an international organisation. If the PIC is required by law to otherwise Process the Personal Data, the PIC shall notify the Participating Organisation before undertaking the Processing, unless such notification is prohibited on important grounds of public interest in accordance with GDPR Article 28(3)(a). In the case of such prohibition, the PIC shall notify the Participating Organisation as soon as possible once the prohibition is lifted, if it is lifted.
The PIC agrees to comply with the obligations applicable to Processors described by Article 28 of the GDPR, as well as those additional obligations required by the Participating Organisation pursuant to this Agreement, including but not limited to the following: implementing and maintaining appropriate technical and organisational security measures for Personal Data Processed in its systems, in keeping with its obligations as an NHS organisation, thereby providing guarantee to the Sponsor pursuant to GDPR Article 28(1); ensuring that Personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)); taking all measures required by GDPR Article 32 in relation to the security of processing (GDPR Article 28(3)(c)); subject to Clause 6.2.6 complying with the conditions described in GDPR Article 28(2) and (4) for engaging another Processor (GDPR Article 28(3)(d)); taking into account the nature of the Processing, assist the Sponsor and/or the Participating Organisation, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (GDPR Article 28(3)(e)); assisting the Controller, to ensure compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of the Processing and the information available to the PIC (GDPR Article 28(3)(f)); maintaining a record to demonstrate compliance with this Clause and Data Protection Laws and Guidance, including the records required pursuant to GDPR Article 30(2); in the event of any Personal Data Breach by the PIC as a Sub-Processor of the Participating Organisation, the PIC shall: (i) promptly and without undue delay following discovery of such
Personal Data Breach, send written notice of the incident via e-mail to [insert]; (ii) not make any statements or notifications about the Personal Data Breach, as it relates to the Processing for the purpose of the Clinical Trial, to any individual affected by the incident, the public or any third party without Sponsor or Participating Organisation’s prior written approval; and (iii) immediately take steps to investigate and mitigate the Personal Data Breach and reasonably cooperate with Sponsor and the Participating Organisation. In furtherance of its obligations under Article 28 GDPR, the PIC agrees that it will not engage another Processor for the purpose of the Clinical Trial without the prior written authorisation of the Sponsor or Participating Organisation (GDPR Article 28(2)), excepting where that other Processor is a Participant Identification Centre (PIC), in which case Clause 6.2.6 (a) shall apply; In accordance with GDPR Article 28(2), the Participating Organisation may appoint PICs, on the basis of an unmodified template data processing agreement agreed in advance with the Sponsor, by notifying the Sponsor that they intend to contract the PIC. The Sponsor will be considered to have authorised this sub-processing if it does not notify the Participating Organisation to the contrary within [INSERT NUMBER, FOR EXAMPLE, FIVE (5)] business days. At the expiry or lapse of this Agreement, the PIC shall, at the choice of the Participating Organisation, destroy or return all Personal Data to the Sponsor or Participating Organisation unless there is a legal requirement for retention and storage (GDPR Article 28(3)(g)) and/or where that Personal Data is held by the PIC as Controller for its own purpose(s).
The PIC will: ensure that its Personnel and the Principal Investigator, do not Process Personal Data except in accordance with the Protocol and this Agreement; take all reasonable steps to ensure the reliability and integrity of the Principal Investigator and any of its Personnel who have access to the Personal Data and will ensure that the Principal Investigator and the Personnel: are aware and comply with the PIC’s duties under this Clause 3 (Confidentiality and Data Protection); are subject to mandatory training in their information governance responsibilities and have appropriate contracts, including sanctions, including for breach of confidence or misuse of Personal Data; and are informed of the confidential nature of the Personal Data and understand their responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose it for lawful and appropriate purposes. The PIC agrees to: provide the Sponsor and/or the Participating Organisation with evidence of its compliance with the obligations set out in this Agreement, or, at the Sponsor and/or Participating Organisation’s discretion and on reasonable notice, to allow the Sponsor, Participating Organisation or a third party appointed by the Sponsor or Participating Organisation, to audit the PIC’s compliance with the obligations described in this Agreement, Data Protection Legislation and Guidance (including but not limited to Article 28 GDPR), subject to the Sponsor, Participating Organisation or its appointed third party, complying with all relevant health and safety and security policies of the PIC; obtain prior written agreement of the Sponsor or Participating Organisation to Process Personal Data outside of the UK and the EEA.
In addition to the PIC’s obligations under Clause 3.2.9.b, where the PIC, acting as the Participating Organisation’s Sub-Processor, Processes Personal Data outside of the UK and the EEA, the PIC warrants that it does so in compliance with the Data Protection Laws and Guidance.

Intellectual Property All Intellectual Property Rights and Know-How owned by or licensed to the Sponsor, Participating Organisation or Affiliate(s) prior to and after the date of this Agreement, other than any Intellectual Property Rights and Know-How arising from the Clinical Trial, are and shall remain the property of the Sponsor, Participating Organisation or its Affiliate(s), as the case may be. All Intellectual Property Rights and Know-How owned by or licensed to the PIC prior to and after the date of this Agreement, other than any Intellectual Property Rights and Know-How arising from the Clinical Trial, are and shall remain the property of the PIC. All Intellectual Property Rights and Know-How arising from and relating to the Clinical Trial, the IMP (including its formulation and use alone or in combination with other drugs), and/or the Protocol, but excluding any clinical procedure and improvements thereto that are clinical procedures of the PIC, shall vest in the Sponsor in accordance with Clauses 4.4 and 4.5 of this Agreement. In accordance with Clause 4.3, the PIC hereby assigns, and shall procure that its Agents assign, its rights in relation to all Intellectual Property Rights and Know-How, falling within Clause 4.3, to the Sponsor or its nominee. At the request and expense of the Sponsor, the PIC shall execute, and shall procure that its Agents shall execute, all such documents and do all such other acts as the Sponsor may reasonably require in order to vest fully and effectively all such Intellectual Property Rights and Know-How in the Sponsor or its nominee. PIC shall and will ensure that the Personnel promptly disclose to the Participating Organisation any Know-How generated pursuant to this Agreement and falling within Clause 4.3 and undertakes not to use or disclose such Know-How other than for the purposes of this Agreement. Nothing in this Clause 4 shall be construed so as to prevent or hinder the PIC from using its Know-How generated during the performance of the Clinical Trial in the furtherance of its normal activities, to the extent that such use does not result in the disclosure or misuse of Confidential Information or the infringement of any Intellectual Property Right or Know-How of the Sponsor or Participating Organisation.

Sign Off* Each Party represents that it has ‘redlined’ or otherwise called attention to all changes that it made and sent to the other Party in previously sent drafts of this Agreement. Signed by the duly authorised representatives of the Parties.

SIGNED ON BEHALF OF THE PARTICIPATING ORGANISATION
Name: ………… Position: ………… Signature: ………… Date: …………

SIGNED ON BEHALF OF THE PIC
Name: ………… Position: ………… Signature: ………… Date: …………

* Duly authorised scanned signatures shall be mutually acceptable and email deemed a valid medium for exchanging signed copies of this Agreement, which may be executed in counterpart.

Appendix 1 – Financial Arrangements The interactive Costings Tool (iCT) should be used by the Sponsor to formulate the budget with respect to the Clinical Trial. The agreed financial arrangements relevant to the activities to be performed by the PIC should form this Appendix, including the arrangements for invoicing. Note: This Appendix should only be used to specify financial matters and should not be used to include additional or different terms to those set out in the Agreement. Please remove this text once the document has been agreed for the Clinical Trial.
Study Title: [Insert SHORT TITLE OF STUDY]
Reference: [Insert REFERENCE NUMBER e.g. IRAS, EUDRACT NUMBER OR SIMILAR REFERENCE]

Appears in 1 contract

Samples: www.myresearchproject.org.uk

Processing of Clinical Trial Subject Personal Data. For the purpose of the Data Protection Laws and Guidance, the Sponsor is the Controller and the Participating Organisation and CRO are Processors of Personal Data Processed for the purpose of the Clinical Trial. The Participating Organisation’s Processing of Personal Data, as a Processor of the Sponsor, shall be governed by this Agreement, including the Protocol, which sets out the subject matter, duration, nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects, and obligations and rights of the Sponsor as Controller. The Participating Organisation is the Controller of Personal Data Processed for purposes other than the Clinical Trial, e.g. the provision of medical care. The Participating Organisation, in its role as Processor of the Personal Data under Clause 6.2.1, agrees to only Process Personal Data for and on behalf of the Sponsor in accordance with the documented instructions of the Sponsor, including with regard to transfers of personal data to a third country or an international organisation. If the Participating Organisation is required by law to otherwise Process the Personal Data, the Participating Organisation shall notify the [Sponsor] [and the] [or the] [CRO] (delete as appropriate) before undertaking the Processing, or as soon as possible thereafter, unless such notification is prohibited on important grounds of public interest in accordance with GDPR Article 28(3)(a). In the case of such prohibition, the Participating Organisation shall notify the [Sponsor] [and the] [or the] [CRO] (delete as appropriate) as soon as possible once the prohibition is lifted, if it is lifted.
The Participating Organisation agrees to comply with the obligations applicable to Processors described by Article 28 of the GDPR, as well as those additional obligations required by the Sponsor pursuant to this Agreement, including but not limited to the following: implementing and maintaining appropriate technical and organisational security measures for Personal Data Processed in its systems, in keeping with its obligations as an NHS HSE organisation, thereby providing guarantee to the Sponsor pursuant to GDPR Article 28(1); ensuring that Personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)); taking all measures required by GDPR Article 32 in relation to the security of Processing (GDPR Article 28(3)(c)); subject to Clause 6.2.6 complying with the conditions described in GDPR Article 28(2) and (4) for engaging another Processor (GDPR Article 28(3)(d)); taking into account the nature of the Processing, assist the Sponsor, by appropriate technical and organisational measures, insofar as this is possible, to respond to requests for exercising Data Subjects’ rights (GDPR Article 28(3)(e)); assisting the Controller, to ensure compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of the Processing and the information available to the Participating Organisation (GDPR Article 28(3)(f)); maintaining a record to demonstrate compliance with this Clause and Data Protection Laws and Guidance, including the records required pursuant to GDPR Article 30(2); in the event of any Personal Data Breach by the Participating Organisation as a Processor of the Sponsor, the Participating Organisation shall: (i) promptly and without undue delay following discovery of such Personal Data Breach, send written notice of the incident via e-mail to [insert EMAIL ADDRESS OF SPONSOR’s DATA PROTECTION OFFICER]; (ii) not
make any statements or notifications about the Personal Data Breach, as it relates to the Processing for the purpose of the Clinical Trial, to any individual affected by the incident, the public or any third party without [Sponsor’s] [CRO’s] (delete as appropriate) prior written approval; and (iii) immediately take steps to investigate and mitigate the Personal Data Breach and reasonably cooperate with the Sponsor and/or CRO. In furtherance of its obligations under Article 28 GDPR, the Participating Organisation agrees that it will not engage another Processor for the purpose of the Clinical Trial without the prior written authorisation from or on behalf of the Sponsor (GDPR Article 28(2)), excepting where that other Processor is a Participant Identification Centre (PIC), in which case Clause 6.2.6 (a) shall apply; In accordance with GDPR Article 28(2), the Participating Organisation may appoint PICs, on the basis of an unmodified template data processing agreement agreed in advance with or on behalf of the Sponsor, by notifying the [Sponsor] [CRO] (delete as appropriate) that they intend to contract the PIC. The Sponsor will be considered to have authorised this sub-processing if [Sponsor] [CRO] (delete as appropriate) does not notify the Participating Organisation to the contrary within [INSERT NUMBER, FOR EXAMPLE, FIVE (5)] business days. At the expiry or lapse of this Agreement, the Participating Organisation shall, at the choice of the Sponsor, destroy or return all Personal Data to the Sponsor unless there is a legal requirement for retention and storage (GDPR Article 28(3)(g)), and/or where that Personal Data is held by the Participating Organisation as Controller for its own purpose(s).
The Participating Organisation will: ensure that its Personnel and the Principal Investigator, do not Process Personal Data except in accordance with the Protocol and this Agreement; take all reasonable steps to ensure the reliability and integrity of the Principal Investigator and any of its Personnel who have access to the Personal Data and will ensure that the Principal Investigator and the Personnel: are aware and comply with the Participating Organisation’s duties under this Clause 6 (Data Protection); are subject to mandatory training in their information governance responsibilities and have appropriate contracts, including sanctions, including for breach of confidence or misuse of Personal Data; and are informed of the confidential nature of the Personal Data and understand their responsibilities for information governance, including their obligation to Process Personal Data securely and to only disseminate or disclose it for lawful and appropriate purposes. The Participating Organisation agrees to: Provide the Sponsor and/or CRO with evidence of its compliance with the obligations set out in this Agreement, and/or, at the Sponsor and/or CRO’s discretion and on reasonable notice, to allow the Sponsor and/or CRO, or a third party appointed by the Sponsor and/or CRO, to audit the Participating Organisation’s compliance with the obligations described in this Agreement, Data Protection Laws and Guidance (including but not limited to Article 28 GDPR), subject to the Sponsor and/or CRO, or the appointed third party, complying with all relevant health and safety and security policies of the Participating Organisation. Obtain prior written agreement of the [Sponsor] [CRO] [delete as appropriate] to Process Personal Data outside of the UK and the EEA.
In addition to the Participating Organisation’s obligations under Clause 6.2.9(b), where the Participating Organisation, acting as the Sponsor’s Processor, Processes Personal Data outside of the UK and the EEA, the Participating Organisation warrants that it does so in compliance with the Data Protection Legislation and Guidance. Sharing of Personal Data and/or Clinical Trial Subject Pseudonymised Data Neither Personal Data nor Pseudonymised Data of Clinical Trial Subjects shall be transferred by the Participating Organisation to the Sponsor and/or CRO unless this is required directly or indirectly to satisfy the requirements of this Agreement, or for the purposes of monitoring and reporting of adverse events or in relation to a claim or proceeding brought by a Clinical Trial Subject in connection with the Clinical Trial or is otherwise required by applicable law. The Sponsor and CRO agree not to pass Personal Data or Pseudonymised Data of Clinical Trial Subjects provided under this Agreement to a third party, unless that third party is bound by contractual obligations at least as stringent as in this Clause 6. The Sponsor and CRO agree to use Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purpose of the Clinical Trial and in all circumstances for no purpose which is incompatible with the Clinical Trial purpose. The Sponsor and CRO further agree not to disclose the Personal Data or Pseudonymised Data of Clinical Trial Subjects to any person except as required or permitted by law or applicable guidance. The Sponsor agrees to comply with the obligations placed on it as a Controller pursuant to Data Protection Laws and Guidance, including but not limited to demonstrating compliance with the principles relating to Processing of Personal Data (Article 5 GDPR).
The Sponsor and CRO agree to ensure persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects under this Agreement are equipped to do so respectfully and safely. In particular: to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) understand the responsibilities for information governance, including their obligation to Process Personal Data and/or Pseudonymised Data of Clinical Trial Subjects securely and to only disseminate or disclose for lawful and appropriate purposes; to ensure any such persons (excluding employees, honorary employees, students, researchers, consultants and sub-contractors of the Participating Organisation) have appropriate contracts providing for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable Personal Data Breaches. The Sponsor and CRO agree to take reasonable steps to proactively prevent Personal Data Breaches, and/or equivalent breaches relating to Pseudonymised Data of Clinical Trial Subjects, and to respond appropriately to incidents or near misses.
In particular: to ensure that Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are only accessible to persons who need it for the purposes of the Clinical Trial and to remove access as soon as reasonably possible once it is no longer needed; to ensure all access to Personal Data and/or Pseudonymised Data of Clinical Trial Subjects on IT systems Processed for Clinical Trial purposes can be attributed to individuals; to review processes to identify and improve processes which have caused Personal Data Breaches or near misses, or which force persons Processing Personal Data and/or Pseudonymised Data of Clinical Trial Subjects to use workarounds which compromise data security; to adopt measures to identify and resist cyber-attacks against services and to respond to relevant external security advice; to take action immediately following a Personal Data Breach or near miss. The Sponsor and CRO agree to ensure Personal Data and/or Pseudonymised Data of Clinical Trial Subjects are Processed using secure and up-to-date technology. In particular: to ensure no unsupported operating systems, software or internet browsers are used to support the Processing of Personal Data and/or Pseudonymised Data of Clinical Trial Subjects for the purposes of the Clinical Trial; to put in place a strategy for protecting relevant IT systems from cyber threats which is based on a proven cyber security framework; to ensure IT suppliers are held accountable via contracts for protecting Personal Data and/or Pseudonymised Data of Clinical Trial Subjects that they Process and for meeting all relevant information governance requirements. Freedom of Information. The Sponsor acknowledges that the Participating Organisation is subject to the FOIA and associated guidance and codes of practice.
If the Participating Organisation or its Agent(s) receive a request under the FOIA to disclose information relating to this Agreement (including but not limited to the Sponsor, Investigational Drugs (or their manufacturers), or the Clinical Trial), it will notify the Sponsor as soon as is reasonably practicable, and in any event, no later than five (5) working days after receiving the request. The Participating Organisation will consult with the Sponsor in accordance with all applicable guidance. The Sponsor acknowledges that subject to Clause 7.3.1, the decision on whether any exemption applies to a request for disclosure of recorded information under the FOIA is a decision solely for the Participating Organisation. The Sponsor shall cooperate with the Participating Organisation and shall use its reasonable endeavours to respond within ten (10) working days of the Participating Organisation’s reasonable request for assistance. Where the Participating Organisation determines that it will disclose information, notwithstanding any objections from the Sponsor, it will notify the Sponsor in writing, giving at least two (2) working days’ notice of its intended disclosure.


Samples: www.beaumontethics.ie
