CERTAIN IDENTIFIED INFORMATION HAS BEEN EXCLUDED FROM THE EXHIBIT BECAUSE IT IS BOTH (i) NOT MATERIAL AND (ii) WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED. [*****] indicates the redacted confidential portions of this...
Exhibit 4.31
CONFIDENTIAL
CERTAIN IDENTIFIED INFORMATION HAS BEEN EXCLUDED FROM THE EXHIBIT BECAUSE IT IS BOTH (i) NOT MATERIAL AND (ii) WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY DISCLOSED.
[*****] indicates the redacted confidential portions of this exhibit.
clinical study supply agreement
between
and
pari pharma GMBH
Clinical Study Supply Agreement Kamada-PARI | 1/35 |
Clinical Study supply agreement
This Clinical Study Supply Agreement (the “CSSA”) is made effective as of May 8th, 2019 (the “CSSA Effective Date”) by and between KAMADA Ltd., an Israeli company, with a principal place of business at 0 Xxxxxxx Xx., Xxxxxxx Xxxx, X.X. Xxx 0000, Xxxxxxx, 7670402, Israel (“KAMADA”) and PARI Pharma GmbH, with its registered office at Xxxxxxxxxxx 0, 00000 Xxxxxxxxx, Xxxxxxx (“PARI”). In this CSSA, either PARI or KAMADA is referred to as a “Party,” and collectively as the “Parties.”
Recitals
WHEREAS, PARI and KAMADA are parties to a certain License Agreement dated November 16, 2006 (the “License Agreement”).
WHEREAS, PARI has developed and produced an eFlow Technology controller incorporating certain technologies to track, transfer, display and store information about patients adherence to inhaled medication by using data from their eFlow Technology Nebulizer Systems made available to the patients and the clinical development team for storing and transmitting nebulizer adherence data (the “eTrack Controller Kit” as defined in more detail in Schedule 1, Position No. 1) and the PARItrack Web Portal (as further described in Section 2.5 below) to track, display, store and report patients’ adherence to inhaled medication by using the transferred nebulization data from the eTrack Controller, which together allow access to and evaluation of the nebulization data (which is available only to KAMADA and the clinical research and development team, but not provided to the patient, subject to personal data protection law as described in more detail in Schedule 2) (the eTrack Controller Kits and the PARItrack Web Portal are collectively referred to as “eTrack”); and
WHEREAS, KAMADA desires to use the eTrack under the License Agreement for the purpose of conducting its human factor studies and Phase III clinical trial relating to its Drug Product, in accordance with the License Agreement (the “Evaluation Studies”), as set forth under Article 6 “The Device and its Supply” thereof; and
WHERAS, PARI, being the owner of the entire right (including intellectual property rights), title and interest in eTrack, is willing to provide KAMADA with the eTrack Controller Kits (comprising certain accessories as described in Schedule 1 hereto) and Nebulizer Handsets and to provide access to the PARItrack Web Portal for the sole purpose of conducting the clinical Evaluation Studies in accordance with the provisions of the License Agreement; and
Clinical Study Supply Agreement Kamada-PARI | 2/35 |
WHEREAS, the Parties wish to incorporate and supplement the supply and use of the eTrack and Nebulizer Handsets thereunder into the License Agreement for the purpose of the performance of the Evaluation Studies; and
WHEREAS, terms not defined in this CSSA shall have the meaning as set forth in the License Agreement.
NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions hereinafter set forth, and intending to be legally bound hereby, the Parties agree as follows:
1. | Supply and use of material |
1.1 | Provision of Material |
PARI will provide eTrack Controller Kits with monitoring and data transmission functionality used to operate and control Nebulizer Handsets as part of the Device and as specified in Schedule 1 of this CSSA to KAMADA to conduct the clinical Evaluation Studies under Section 6 of the License Agreement. Prices and service fees of eTrack are set forth in Schedule 1 of this CSSA. Following completion of the clinical Evaluation Studies, KAMADA shall ensure that the eTrack Controller Kits are fully returned to PARI and shall retrieve the eTrack Controller Kits at KAMADA’s expense and the eTrack Controller Kits will be stored by KAMADA or a third party on behalf of KAMADA until fully returned to PARI.
1.2 | Restriction of Use |
The Parties agree for the purpose of this CSSA that the term “Device” as used in Section 1.8 of the License Agreement shall include the eTrack Controller Kit and to the extent applicable the PARItrack Web Portal. In addition to the provisions set forth in the License Agreement, KAMADA agrees to be bound by the following restrictions of use.
Use of eTrack Controller Kits. KAMADA agrees to comply with all Applicable Laws and Standards applicable to the clinical Evaluation Studies and eTrack. As used herein, “Applicable Laws and Standards” means (a) all laws, ordinances, rules, directives and regulations applicable to eTrack, the clinical Evaluation Studies or this CSSA, including without limitation applicable local laws and regulations in each relevant country in which the clinical trials are conducted or personal data of study participants is processed, (b) applicable regulations and guidelines of the U.S. Food and Drug Administration (“FDA”) and other regulatory authorities and applicable guidelines of the International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use (“ICH”); (c) as applicable to the particular activities performed under this CSSA, Good Manufacturing Practices, Good Laboratory Practices and Good Clinical Practices promulgated by the FDA and other regulatory authorities or the ICH; (d) any applicable data protection laws and regulations applicable to the clinical Evaluation Studies and the processing of personal data, including without limitation HIPAA; and (e) all applicable industry and trade standards.
Clinical Study Supply Agreement Kamada-PARI | 3/35 |
Use of the Documentation: Subject to the terms under the Applicable Laws and Standards, PARI shall provide KAMADA with an appropriate description of eTrack for use in specific regulatory filings or other documentation (e.g. Patient Information and Consent Form (as defined below), etc.) required by regulatory authorities for clinical trial applications related to the clinical Evaluation Studies. KAMADA shall not use any description of eTrack or language on eTrack (e.g., the labelling, including the name) other than that provided by PARI in any such regulatory documentation without first obtaining PARI’s written approval of the changes to that description. Any section in a regulatory filing mentioning eTrack must be approved by PARI in writing prior to any submission to such regulatory authority.
Restricted Access to the eTrack Controller Kits. KAMADA shall only distribute or release the eTrack Controller Kits to any patients taking part in the clinical Evaluation Studies who have signed the Patient Information and Consent Form (as defined below) (the “Probands”).
KAMADA, its Affiliates and Permitted Sublicensees shall retain control of the Device and shall not distribute or release the Device to any person or entity other than KAMADA’s, its Affiliates’ and Permitted Sublicensees’ or the clinical trial site’s employees, consultants or contractors (“KAMADA Representatives”) and individuals who will be participating in the clinical trials who have a need to access the Device in connection with use of the Device for the clinical trials and who have been advised of KAMADA’s obligations with respect to such Device. KAMADA shall not allow its Affiliates, its Sublicensees or KAMADA Representatives to keep or disburse the Device to any other person or other location, unless KAMADA first obtains PARI’s written permission, such permission shall not unreasonably withheld or delayed. KAMADA shall be liable for the use of the Device by its Affiliates, its Permitted Sublicensees or KAMADA Representatives in violation of this Section 1.2(d).
Clinical Study Supply Agreement Kamada-PARI | 4/35 |
The Device is to be used in accordance with the terms and conditions of this Agreement only by KAMADA, its Affiliates, its Permitted Sublicensees or KAMADA Representatives or patients participating in the clinical trials under KAMADA’s control, at the clinical trial sites listed in the applicable purchase order for such Devices accepted by PARI.
KAMADA, its Affiliates and Sublicensees shall conduct the clinical trials pursuant to a written protocol (the “Study Protocol”). KAMADA shall provide a synopsis of the Study Protocol to PARI prior to the commencement of the applicable clinical trials. Following the completion of the clinical Evaluation Studies, KAMADA shall use commercially reasonable efforts to ensure that the Material (as described in Schedule 1, but excluding Pos. 2 of Schedule 1) is fully returned to PARI and shall retrieve the Material at KAMADA’s expense and the Material shall be stored by KAMADA or a third party on behalf of KAMADA until fully returned to PARI.
KAMADA shall not, and shall cause its Affiliates and Sublicensees not to, subject to analysis or have subjected to analysis the Devices or components constituting Devices received from PARI for the purpose of reverse engineering or in a manner that would reveal material composition or internal design or operation of such sample or component or its method of manufacture. KAMADA shall be responsible for any breaches of this Section 1.2 by any of its Affiliates or Sublicensees.
1.3 | Patient Information and consent Form |
In addition to any other information material or declarations of consent that may be required to conduct the clinical Evaluation Studies, KAMADA shall not include any patients into the clinical Evaluation Studies who will use eTrack who did not validly and unequivocally sign a Patient Information and Consent Form approved by the applicable Ethics Committees (the “Patient Information and Consent Form”) containing substantially all of the content of Schedule 2 of this CSSA. The content of Schedule 2 may be modified if required by the regulatory authority of the country in which the clinical Evaluation Studies will be conducted and KAMADA shall be entitled to add provisions and third party entities as processors to Schedule 2, provided that any change in Section 1 of Schedule 2 requires PARI’s prior written approval before implementation.
Clinical Study Supply Agreement Kamada-PARI | 5/35 |
2. | Data collection and transmission |
2.1 | Any data captured by the investigational eTrack Controller Kit is transmitted encrypted (in a format determined by PARI but at all times in compliance with Applicable Laws and Standards) via telecommunication services to be provided by a third party (the “Telecommunication Services”) to a computer server hosted by or on behalf of PARI (the “PARI Server”). The Parties agree that, except as provided otherwise under Schedule 3 to this CSSA, as between the Parties, KAMADA shall act as the data controller and therefore is responsible for compliance with all data controller’s obligations under the Applicable Laws and Standards. PARI operates the PARItrack Web Portal on the PARI Server, shall use commercially reasonable efforts to ensure the correctness of the data displayed in the PARItrack Web Portal and shall act as KAMADA’s contract data processor (and therefore, if applicable, as a business associate under HIPAA) and, subject to any applicable law, shall have no responsibility towards Probands or other third parties other than KAMADA. KAMADA confirms to PARI that, as between the Parties, only KAMADA and no third party will have ownership of the Probands’ personal data collected during the clinical Evaluation Studies. In case of access to such personal data by third parties, KAMADA will implement the legally required contractual provisions with such third parties and, if necessary, with the Probands, and PARI shall implement the legally required contractual provisions with any third party acting as PARI’s data processor, including a data processing agreement as required in Schedule 3. To comply with applicable data protection laws, if applicable, the Parties will enter into the data processing agreement attached to this CSSA as Schedule 3 or any other written instrument containing all of the content of Schedule 3 (the “Data Processing Agreement”). In the event that applicable data protection laws require a change to the data protection provisions of this CSSA (including Schedule 3), the Parties shall amend the Data Processing Agreement accordingly. |
2.2 | PARI makes no representation regarding availability, timeline or functionality of the Telecommunication Services, but shall be responsible for the collection of the data by the eTrack Controller Kits and its processing on the PARI Central Servers in accordance with all Applicable Laws, Standards and the Data Processing Agreement. The Parties acknowledge that a delay or cancelation of the third party Telecommunication Services or their implementation with eTrack may lead to potentially severe restriction of the functionalities of eTrack. |
Clinical Study Supply Agreement Kamada-PARI | 6/35 |
2.3 | KAMADA ACKNOWLEDGES THAT THE TELECOMMUNICATION SERVICES ARE MADE AVAILABLE ONLY WITHIN THE OPERATING RANGE OF THE NETWORK. SERVICE MAY BE TEMPORARILY REFUSED, INTERRUPTED, OR LIMITED BECAUSE OF AMONG OTHER THINGS: (i) FACILITIES LIMITATIONS; (ii) TRANSMISSION LIMITATIONS CAUSED BY ATMOSPHERIC, TERRAIN, OTHER NATURAL OR ARTIFICIAL CONDITIONS ADVERSELY AFFECTING TRANSMISSION, AND OTHER CAUSES REASONABLY OUTSIDE OF PARI’S OR ITS SUBCONTRACTORS’ CONTROL; OR (iii) EQUIPMENT MODIFICATIONS, UPGRADES, RELOCATIONS, REPAIRS, AND OTHER SIMILAR ACTIVITIES NECESSARY FOR THE PROPER OR IMPROVED OPERATION OF THE TELECOMMUNICATION SERVICES. CONNECTIONS MAY BE “DROPPED” (I.E., INVOLUNTARILY DISCONNECTED) FOR A VARIETY OF REASONS, INCLUDING, WITHOUT LIMITATION, ATMOSPHERIC CONDITIONS, TOPOGRAPHY, WEAK BATTERIES, SYSTEM OVERCAPACITY, MOVEMENT OUTSIDE A SERVICE AREA OR GAPS IN COVERAGE WITHIN A SERVICE AREA. |
2.4 | Without derogating from the foregoing, PARI undertakes, for no consideration, to make commercially reasonable efforts to fix, within reasonable time and in compliance with the Data Processing Agreement, any defect or bug discovered in the data transmission, or its implementation with eTrack which is reported by KAMADA to PARI, as follows: PARI will (i) identify the source of the bug or defects as stated above, (ii) determine appropriate Solutions to repair such bug or defects, and (iii) initiate without undue delay repairs, including, if commercially reasonable, by giving patches or other temporary repairs of the services to allow for continuous use thereof. |
2.5 | EXCLUDING CASES OF PARI’S GROSS NEGLIGENCE, WILFUL MISCONDUCT, NEITHER PARI NOR PARI’S SUBCONTRACTORS NOR THE UNDERLYING CARRIER SHALL INCUR ANY LIABILITY FOR ITS INABILITY TO PROVIDE ADEQUATE SERVICES HEREUNDER IF SUCH INABILITY IS DUE TO THE LIMITATIONS SET FORTH IN SECTION 2.3 ABOVE OR TO CAUSES BEYOND THE REASONABLE CONTROL OF PARI, ITS SUBCONTRACTORS OR THE UNDERLYING CARRIER. EXCLUDING CASES OF BREACH OF THE DATA PROCESSING AGREEMENT, PARI SHALL NOT BE RESPONSIBLE FOR ANY ACT OR OMISSION RELATED TO EQUIPMENT OR SYSTEMS USED IN CONNECTION WITH THE TELECOMMUNICATION SERVICES OR OTHER DATA PROCESSING ACTIVITIES OTHER THAN eTrack. |
Clinical Study Supply Agreement Kamada-PARI | 7/35 |
2.6 | Privacy: THE NETWORK USED TO PROVIDE THE TELE-COMMUNICATION SERVICES HAS MANY COMPLEX ELEMENTS AND IS NOT GUARANTEED AGAINST EAVESDROPPERS OR INTERCEPTORS. EXCLUDING CASES OF PARI’S GROSS NEGLIGENCE, WILFUL MISCONDUCT OR BREACH OF THE DATA PROCESSING AGREEMENT, AND EXCEPT AS OTHERWISE PROVIDED BY THE DATA PROCESSING AGREEMENT, KAMADA AGREES THAT NEITHER PARI NOR ITS SUBCONTRACTORS NOR AN UNDERLYING CARRIER SHALL BE LIABLE TO KAMADA FOR ANY LACK OF PRIVACY OR SECURITY. |
2.7 | The Parties agree that any rights in and to the software backend solution for managing the functionality of data transfer from eTrack, processing and accessing the collected data and any related features (collectively the “PARItrack Web Portal”) and eTrack Controller Kit, including without limitation copyrights, know-how and other intellectual property rights, shall at all times remain the sole and exclusive property of PARI. Any inventions, improvements or discoveries that are based upon, or derived from the eTrack, but not from any data collected using the Probands, shall be promptly disclosed to and are and shall be the sole and absolute property of PARI. PARI declares and covenants that it retains all right, title to and interest to the PARItrack Web Portal and eTrack Controller Kit, including all intellectual property ownership rights related thereto, or that it is an authorized licensee of the PARItrack Web Portal and eTrack Controller Kit for the duration of this CSSA. KAMADA shall be granted a license to use PARI’s eTrack Controller Kit for the sole purpose of conducting the clinical Evaluation Studies in accordance with the provisions of the License Agreement. The eTrack Controller Kit shall be considered part of the Device as defined in Section 1.8 of the License Agreement. |
2.8 | In accordance with Section 15.3 of the License Agreement, Kamada shall solely own the data collected and captured by PARI’s eTrack during the Evaluation Studies, including without limitation any know-how and intellectual property rights conceived in the course of such Evaluation Studies relating to the Drug Product, and shall be exclusively entitled to incorporate such data and results in its drug master file and to disclose them to any regulatory authority, worldwide, without paying any additional consideration to PARI. In addition, Kamada shall be solely entitled to make any commercial use in such data, subject to the terms under the Applicable Laws and the Data Processing Agreement. |
Clinical Study Supply Agreement Kamada-PARI | 8/35 |
2.9 | Subject to the terms under the Applicable Laws and the Data Processing Agreement, PARI may use the data captured by the investigational eTrack Controller Kit together with other technical data (including the serial numbers of the aerosol heads used with such investigational eTrack Controller Kit) solely for PARI’s internal business purposes to monitor and analyze the Device performance. |
3. | miscellaneous |
3.1 | Term and Termination |
This CSSA shall commence as of the CSSA Effective Date and expire concurrently with the expiration or termination of the License Agreement unless otherwise agreed to in writing by the Parties. Either Party may terminate this CSSA (i) upon ninety (90) days’ written notice, or (ii) upon written notice to the other Party in the event a material breach of this CSSA by such other Party (including an infringement of third party’s IP rights by PARI’s PARItrack Web Portal or eTrack Controller Kit) is incurable or remains uncured sixty (60) days after notice of such breach was received by such other Party. Notwithstanding the termination of this CSSA, the provisions of Sections 2.3, 2.4, 2.8, 2.9, 3.1, and 3.2 shall survive the termination of this CSSA.
3.2 | Disclaimer of Warranties and Limitation of Liability; Indemnification |
EXCLUDING CASES OF FRAUD AND INTENTIONAL MISLEADING, eTrack AND CONFIDENTIAL INFORMATION IS PROVIDED “AS IS” AND PARI MAKES NO REPRESENTATION OR WARRANTY, EITHER EXPRESSED OR IMPLIED, CONCERNING eTrack OR THE CONFIDENTIAL INFORMATION CONTAINED THEREIN OR ANY TELECOMMUNICATION SERVICES. PARI DISCLAIMS ALL EXPRESS AND IMPLIED WARRANTIES RELATED TO eTrack INCLUDING WITHOUT LIMITATION FOR MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE; CONFIDENTIAL INFORMATION AND THE TELECOMMUNICATION SERVICES, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTY OF MERCHANTABILITY AND THE IMPLIED WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE.
Clinical Study Supply Agreement Kamada-PARI | 9/35 |
Notwithstanding the generality of the foregoing paragraph, if eTrack Controller Kits or Nebulizer Handsets or Hubs supplied by PARI to KAMADA hereunder should not correspond with the Device Specifications (as defined in the License Agreement or amended in accordance with Appendix D of the License Agreement) or KAMADA becomes aware of defective Devices at the time of delivery, PARI shall at its own discretion rectify that defect, provide a replacement product, or provide a credit note to offset any future payment or, in case no later payment is due, repay the purchase price for the affected product. KAMADA’s claims for defects of the Device are subject to notification of PARI of any visibly detectable defects and quantity variances within sixty (60) days after receipt of the relevant delivery. In case of defects of the Device, which were not visibly detectable at receipt by customary inspection of such Device made in due care by a suitable qualified person, PARI shall be notified by KAMADA immediately, but not later than ten (10) Business Days from such recognition of the defect. KAMADA’s claims for defects shall expire in any case eighteen (18) months after delivery of an eTrack Controller Kit to KAMADA. KAMADA shall provide defect Devices to PARI for PARI’s inspection and evaluation of the claimed defect. In the event eTrack data collection, transmission and processing services described or amended in the License Agreement do not comply with this CSSA or the Applicable Laws and Standards, PARI shall use commercially reasonable efforts to amend its services and to repeat such services in compliance with this CSSA.
IN NO EVENT SHALL PARI BE LIABLE TO KAMADA FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL DAMAGES OR DAMAGES FOR LOST PROFITS ARISING FROM THE USE OF eTrack OR CONFIDENTIAL INFORMATION, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. This shall not apply either insofar as liability is mandatory, e.g. under the German Product Liability Act, in cases of intent or gross negligence or of injury of life, limb or health, as well as of breach of essential contractual obligations. However, claims for damages in case of breach of essential contractual obligations shall be limited to foreseeable damage typical for the contract insofar as there is no gross negligence and no liability for injury of life, limb or health.
Section 18 (Indemnification) of the License Agreement shall apply to this CSSA mutatis mutandis.
3.3 | Counterparts |
This CSSA may be executed in two or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
Clinical Study Supply Agreement Kamada-PARI | 10/35 |
3.4 | Severability |
If any portion of this CSSA is determined invalid by any court, the rest shall remain in force and shall be construed as if not containing the invalid provision. The Parties undertake to replace the invalid provision or parts thereof by a new provision which will approximate as closely as possible the economic result intended by the Parties.
3.5 | Applicable Provisions |
This CSSA shall supplement the License Agreement. The Parties agree that the applicable provisions of the License Agreement shall apply to this CSSA mutatis mutandis, including without limitation Article 25. “Governing Law; Arbitration”, Article 20. “Relationship between the Parties”, Article 22. “Force Majeure”, Article 23. “Confidentiality” and Article 26. “Notices”.
[Signature Page follows]
Clinical Study Supply Agreement Kamada-PARI | 11/35 |
IN WITNESS WHEREOF, the Parties have entered into the CSSA Agreement as of the CSSA Effective Date:
SIGNATURES
SIGNED for and on behalf of | SIGNED for and on behalf of | |||||||||
KAMADA Ltd. | PARI Pharma GmbH | |||||||||
/s/ Xxxx Xxxxxx | ||||||||||
Xxxx Xxxxxx | Date | ***** | Date | |||||||
CEO | ||||||||||
/s/ Chaime Orlev | ||||||||||
Chaime Orlev | Date | |||||||||
CFO | ||||||||||
Clinical Study Supply Agreement Kamada-PARI | 12/35 |
Schedule 1
Prices and Service Fees
Following table contains prices and service fees for eTrack.
Pos | Description | Price |
1 | eTrack Controller Kit · One (1) eTrack Controller · One (1) carrying bag · One (1) Nebulizer Handset connection cord · One (1) AC power supply · All outer packaging · Instructions for Use · Batteries · One (1) easycare cleaning aid (the “Easycare”), if required |
[*****] |
2 | One (1) hub for access to Telecommunication Services (the “Hub”) | [*****] |
3 | Nebulizer Handset (including required aerosol heads) | To be determined |
[Table continues on following page]
Clinical Study Supply Agreement Kamada-PARI | 13/35 |
[Continuing table from preceding page - Schedule 1]
Pos | Description | Price | |
4 | One time set-up fee per trial (including the first training of study personnel) | [*****] | |
5 | Monthly fee for the PARItrack Web Portal | Up to [*****] patients per trial | [*****] |
Between [*****] and [*****] patients per trial | [*****] | ||
[*****] patients and more per trial | [*****] | ||
6 | Data transmission fee per month and active Hub | [*****] | |
7 | 1st level support / training (excluding the first training of study personnel) | [*****] | |
8 | Travel expenses | [*****] |
Clinical Study Supply Agreement Kamada-PARI | 14/35 |
Schedule 2
PATIENT INFORMATION AND CONSENT FORM
We hereby inform you as follows:
1. | INVESTIGATIONAL EFLOW Technology NEBULIZER SYSTEM WITH ETRACK CONTROLLER |
(a) | Ownership |
The investigational eFlow Technology nebulizer system handed out to you is provided only for the purpose to conduct the [Partner_Study_Title_No] and as long such Study is conducted. Ownership to such nebulizer system will not be transferred to you and you are obligated to return the nebulizer system after the conclusion of the Study or anytime upon request.
(b) | Use of the investigational eFlow Technology nebulizer system |
The nebulizer system is intended to be used by you exclusively for the purpose to conduct the Study.
You are not allowed to:
· | use the nebulizer system or any component thereof (including the hub) for any purpose other than the inhalation therapy within the Study as advised by the investigator; |
· | give the nebulizer system to any other person or entity (other than persons helping you with your inhalation therapy); |
· | destroy, modify, analyze, reverse engineer, the nebulizer system or any components thereof, including any accessories and the hub, or modify, analyze, reverse compile or translate any software contained therein; |
2. | INFORMATION AND CONSENT TO THE PROCESSING OF PERSONAL DATA WITH ETRACK |
You are thinking of taking part in the clinical study [Partner_Study_Title_No]. This study will be conducted by using an eTrack Controller which will collect and transfer certain data about your use of the device. We hereby inform you as follows with respect to the processing of your personal data:
(a) | What data will be processed and what is the purpose of the processing? |
The eTrack Controller, once connected to the internet via the wireless hub, will collect and transfer the serial number of the inhalation device and certain data about the use of the device such as the time of starting the nebulization and the time nebulization ends. Additional technical data of your inhalation device may be processed as well. Other data like your name, address, birthdate, etc. will not be transmitted but an allocation of the processed data to your person will take place at the receiving study centers via the serial number of your eTrack Controller. This is why we consider the pseudonymized data processed as your personal data.
Clinical Study Supply Agreement Kamada-PARI | 15/35 |
Your personal and sensitive data will be collected and processed for the following purposes:
Provision of telemedicine services, in particular delivery of data showing the adherence to inhaled medication in the course of the clinical study [Partner_Study_Title_No].
(b) | Modalities of processing |
Your data will be processed by means of electronic devices and will be transmitted through IT networks with a high level of security. In particular, all preventative measures set forth in data protection legislation, including measures for segregation and encryption of data, will be adopted. Your data will be encrypted directly after creation within the eTrack Controller and transmitted only in encrypted form and without connection to your name (i.e. pseudonymous). Third parties involved in data transmission, other than the receiving healthcare professionals at the study centers as well as the principal investigator of the study, will not have the means to de-pseudonym your data.
(c) | Scope of communication of data |
Your data will be processed through IT instruments that will allow health operators to access patients’ information and monitor their treatment. Access to your health data may only occur through the points of access authorized to access such data by authorized health operators.
Your data will be transmitted, by means of an IT network, to a central collection system. In order to make your data accessible to authorized health operators, your data may be processed by third parties entrusted with technical, logistic, IT, storage and transmission services. If collected within the European Union, your data will not be transferred outside the European Union. However, your data may be accessible in pseudonymized and encrypted form only for purposes of 24/7 technical support provided by service personnel in other territories by contractors of the data processor who are bound by confidentiality obligations and EU Commission standard contractual clauses outside of the European Union, including but not limited to the United States of America, whose legislation may not ensure the same level of protection of personal data as the one ensured in the European Union.
Clinical Study Supply Agreement Kamada-PARI | 16/35 |
(d) | Data controller and data processor |
For the purposes of the provision of telemedicine services, KAMADA Ltd., the sponsor of the [Partner_Study_Title_No] study, shall act as data controller and PARI Pharma XxxX, Xxxxxxxxxxx 0, 00000 Xxxxxxxxx, Xxxxxxx, shall act as data processor. PARI may internally use pseudonymized data for the sole purpose of monitoring and analyzing the technical performance of your nebulizer system.
(e) | Categories of persons in charge of the processing |
Healthcare operators and administrative personnel subject to professional secrecy obligations may process the data, each within their respective competences. The data controller and the data processor indicated in this information document may also entrust their respective personnel, collaborators, contractors and other third parties that may perform on their behalf and under their supervision supporting services for the processing of the data. Recipient of your personal data are the healthcare professionals conducting the [Partner_Study_Title_No] study at the [Partner_Study_Center].
(f) | Sub-processor |
Your data will be also processed by sub-processors engaged by PARI. KAMADA and PARI ensure that any processing of your data by such sub-processors will be subject to data processing agreements ensuring your rights under applicable data protection laws. Should you wish to obtain more information on such sub-processors, please contact KAMADA using the contact details below.
(g) | Duration of processing |
Your data will be processed for as long as your handheld nebulizer device is connected to the internet via the 2net Hub.
(h) | Exercise of rights |
You are entitled, inter alia, to the following rights:
Request the following information: origin of the data; purposes and modalities of processing; logic applied to the processing; identifying information of the data controller and data processors; persons or categories of persons to whom the data may be communicated or that may access the data as data processors or persons in charge of the processing;
Request the update, correction or integration of your data;
Request the cancellation, anonymization or block of your data without prejudice to the obligations to keep the data provided by law.
Clinical Study Supply Agreement Kamada-PARI | 17/35 |
You may exercise the above mentioned rights by submitting a request to:
[Partner_Address]
[Partner_Phone]
[Partner_Email]
(i) | Optional/mandatory nature of the consent and consequences of denial |
Your consent is optional. You are free to refuse your consent or revoke your consent at any time without stating any reason. However, failure to provide your consent for the purposes of the provision of telemedicine services will prevent the processing of your data for the purposes of providing such services to you. In this case, your participation in the [Partner_Study_Title_No] study will not be possible.
By signing this document you consent to the processing of your personal data for the purposes and in the way as described above.
I hereby confirm that I understand and agree to the information contained herein above.
Place and Date: |
Full Name (block letters) | Signature |
Clinical Study Supply Agreement Kamada-PARI | 18/35 |
Schedule 3
DATA PROCESSING AGREEMENT
The Data Processing Agreement set forth in this Schedule 3 hereby is incorporated into and made part of the CSSA. This Schedule 3 shall apply when KAMADA is acting as a data controller (particularly in the meaning of Article 4 No.7 of EU Regulation 2016/679) (“Controller”), and PARI is acting as a data processor for KAMADA (particularly in the meaning of Article 4 No.8 of EU Regulation 2016/679) (“Processor”).
1. | DEFINITIONS |
1.1 | Unless otherwise specified in this Schedule 3, all capitalized terms used in this Schedule 3 not otherwise defined in this Schedule 3 or otherwise in the CSSA have the meanings established for purposes of EU Regulation 2016/679. Capitalized terms used in this Schedule 3 that are not otherwise defined in this Schedule 3 and that are defined in the CSSA shall have the respective meanings assigned to them in the CSSA. |
1.2 | “GDPR” shall mean EU Regulation 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation”), as well as any EU or national statute implementing or replacing it. |
1.3 | “Applicable Laws” shall mean (a) European Union or Member State laws with respect to any Controller Personal Data in respect of which the Controller is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Controller Personal Data in respect of which the Controller is subject to any other Data Protection Laws |
1.4 | “Data Protection Laws” shall mean EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country; |
1.5 | “EU Data Protection Laws” shall mean EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; |
1.6 | “Breach” shall mean the acquisition, access, use or disclosure of PD in a manner not permitted by the GDPR or national data protection laws or this Schedule 3, as well as a ‘personal data breach’ in the meaning of EU Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). |
Clinical Study Supply Agreement Kamada-PARI | 19/35 |
1.7 | “Compliance Date” shall mean, in each case, the date by which compliance is required under the referenced provision of GDPR or its implementing regulations, as applicable; provided that, in any case for which that date occurs prior to the CSSA Effective Date, the Compliance Date shall mean that CSSA Effective Date. |
1.8 | “Data Subject” shall mean a data subject as defined in Article 4 No.1 of the GDPR. |
1.9 | “Personal Data” or “PD” shall have the meaning as provided for in Article 4 No.1 of the GDPR. |
1.10 | “Electronic Protected Health Information” (“ePHI”) shall mean PHI as defined in Section 1.11 that is transmitted or maintained in electronic media. |
1.11 | “PHI” shall mean Personal Data concerning health, as defined in Article 4 No.15 of the GDPR, and is limited to the data concerning health received from, or received or created on behalf of, KAMADA by PARI pursuant to performance of the Services. |
1.12 | “Security Rules” shall mean the EU or national security regulations, whether or not included in the GDPR, with respect PHI. |
1.13 | “Services” shall mean, to the extent and only to the extent they involve the processing of PD, the services provided by PARI to or on behalf of KAMADA under the CSSA. |
Clinical Study Supply Agreement Kamada-PARI | 20/35 |
2. | SCOPE, ROLES OF THE PARTIES, OWNERSHIP OF PD |
2.1 | This Schedule 3 applies to all PD that PARI collects, processes and uses in the course of providing the Services under the CSSA and in accordance with KAMADA’s instructions. |
Kind of PD concerned: | Serial number of the device; Serial number of aerosol heads used in the device; |
Date, time and duration of nebulization and easycare backwash with such device; patient ID that is collected under the PARItrack portal; patient’s study start/end; and therapy monitoring start/end. | |
Data Subjects concerned: | Probands participating in KAMADA’s clinical studies which comply with the Development Agreement. |
Purpose of collection, processing and use of PD: | Provision of telemedicine services, in particular delivery of data showing probands’ adherence to inhaled medication. |
2.2 | Without prejudice to processing of PD that is carried out in accordance with this Data Processing Agreement, in the event that PARI infringes the Applicable Laws and this Data Processing Agreement by processing the PD for another reason than to provide the Service, the Processor will be regarded as the controller in respect of that processing. It should be noted that PARI, under the aforementioned circumstances, will be fully liable as the controller for such processing under the Applicable Laws including in relation to any sanctions under the said provisions. |
3. | RESPONSIBILITIES OF PARI |
With regard to its collection, processing and use of data that is PD, PARI agrees to:
3.1 | collect, process and use PD only as necessary to provide the Services, including monitoring and analysing the performance of the nebulizer systems, and in accordance with the instructions given by KAMADA in text format or oral instructions that are then confirmed in text format from time to time, and in compliance with each applicable requirement of the GDPR or as otherwise required by Applicable Law. PARI shall immediately inform KAMADA in writing if, in PARI’s opinion, an instruction infringes Data Protection Laws, and provide an explanation of the reasons for this opinion in writing. PARI shall pursue appropriate investigations, if PARI doubts the lawfulness of an instruction. |
3.2 | inform KAMADA in writing, in case PARI is required to process PD under mandatory laws, before processing unless that law prohibits such information on important grounds of public interests, in which case PARI shall immediately inform KAMADA without undue delay once PARI is permitted to inform KAMADA. |
Clinical Study Supply Agreement Kamada-PARI | 21/35 |
3.3 | taking into account the nature of the processing, implement and use appropriate administrative, organizational, physical and technical safeguards, and at all times as may be required by Applicable Laws, to (i) prevent use or disclosure of PD other than as permitted or required by this Schedule 3; (ii) appropriately protect the confidentiality, integrity, and availability of the PD that PARI creates, receives, maintains, or transmits on behalf of KAMADA; (iii) assist KAMADA when data subjects make use of their rights under Chapter III of the GDPR and (iv) as of the Compliance Date, comply with the Security Rules which shall ensure a level of security appropriate to the risk in accordance with GDPR Art. 32. Exhibit 1 to this Schedule 3 contains a description of safeguards implemented by PARI. |
3.4 | without unreasonable delay, report to KAMADA (i) any use or disclosure of PD not provided for by this Schedule 3 of which it becomes aware; or (ii) any accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. |
3.5 | in the event of a Breach or in the event PARI has a reason to believe that a Breach occurred , without any delay, and in any event no later than two (2) working days after discovery, PARI shall provide KAMADA with written notification that includes a description of the Breach, the relevant data accessed, disclosed or used pursuant to such Breach, a list of Data Subjects and other information as required by, and in accordance with, the data breach notification requirements set forth in the GDPR and EU Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). In case not all information is already available after two (2) working days, PARI shall inform KAMADA of data breach and provide further information without undue delay once it is reasonably available in order to enable KAMADA to comply with applicable breach notification requirements under Applicable Laws. |
3.6 | use its best efforts to immediately remedy any security incident and Breach that occurred on PARI information systems and prevent any further consequences at its own expense in accordance with Applicable Laws, regulations and standards. |
Clinical Study Supply Agreement Kamada-PARI | 22/35 |
3.7 | assist KAMADA by providing necessary information, insofar as this is possible, for the fulfilment of KAMADA’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws. PARI shall promptly notify KAMADA if it receives a request from a Data Subject under any data protection law in respect of Controller Personal Data, and shall document, and within five (5) working days after receiving a written request from KAMADA, make available to KAMADA, information necessary for KAMADA to comply with an information request of Data Subject and upon written notice of KAMADA implement any Data Subject’s request concerning the correction, deletion or blocking of data, in accordance with GDPR. |
3.8 | ensure that it does not respond to any Data Subject’s request, except on the documented instructions of KAMADA or as required by Applicable Laws to which PARI is subject, in which case PARI shall to the extent permitted by Applicable Laws inform KAMADA of that legal requirement before PARI responds to the request. |
3.9 | notwithstanding Section 3.7, in the event that PARI in connection with the Services uses or maintains an electronic health record of PHI of or about a Data Subject, then PARI shall only if and as directed by KAMADA, make an accounting of disclosures of PHI directly to such Data Subject within five (5) working days, in accordance with the requirements for accounting for disclosures made through an electronic health record, as of its Compliance Date. |
3.10 | provide access, within five (5) working days after receiving a written request from KAMADA, to PHI in a set of data concerning health relating to a Data Subject, to KAMADA, sufficient to allow KAMADA to comply with the requirements of the GDPR. |
3.11 | notwithstanding Section 3.7, in the event that PARI in connection with the Services uses or maintains an electronic health record of PHI of or about a Data Subject, then PARI shall provide an electronic copy of the PHI within two (2) working days, to KAMADA, sufficient to allow KAMADA to comply with GDPR requirements as of its Compliance Date, all in accordance with the GDPR as of its Compliance Date. |
3.12 | to the extent that the PHI in PARI’s possession constitutes data concerning health relating to a Data Subject, PARI shall make available, within five (5) working days after a written request by KAMADA, PHI for amendment and incorporate any amendments to the PHI as directed by KAMADA, all in accordance with the GDPR. |
3.13 | assist KAMADA with respect to, where applicable, data protection impact assessment in the meaning of Art. 35 and 36 of the GDPR, by providing such information and cooperation as KAMADA may require, for the purpose of assisting it in carrying out a data protection impact assessment and periodic reviews to assess if the processing of PD is performed in compliance with the data protection impact assessment and by assisting KAMADA with prior consultations with any competent data privacy authorities, and in case of a Breach. |
Clinical Study Supply Agreement Kamada-PARI | 23/35 |
3.14 | not make or cause to be made any communication about a product or service that is prohibited by the GDPR or applicable law as of its Compliance Date. |
3.15 | not make or cause to be made any written fundraising communication that is prohibited by applicable law as of its Compliance Date. |
3.16 | shall appoint a data protection officer that has sufficient mandate and responsibilities to fulfil his or her tasks set forth in Art. 38 and 39 GDPR and that monitors compliance of the data processing for the purpose of this Data Processing Agreement and the GDPR on a permanent and continuous basis. |
4. | RESPONSIBILITIES OF KAMADA |
In addition to any other obligations set forth in the CSSA, including in this Schedule 3, KAMADA:
4.1 | shall be responsible for using administrative, physical and technical safeguards at all times to maintain and ensure the confidentiality, privacy and security of PHI transmitted by KAMADA to PARI pursuant to the CSSA, including this Schedule 3, in accordance with the standards and requirements of HIPAA (if applicable) and the GDPR, until such PHI is received by PARI. |
4.2 | shall ensure that there is a legal ground for processing the PD covered by this Data Processing Agreement. |
4.3 | shall be responsible for implementation of procedures for Data Subjects’ rights to access to personal data concerning health as required under Article 15 GDPR and shall function as point of contact for Data Subjects seeking to exercise these rights. |
4.4 | shall appoint a data protection officer that has sufficient mandate and responsibilities to fulfil his or her tasks set forth in Art. 38 and 39 GDPR, to function as single point of contact with regard to the processing of Personal Data contemplated under this Data Processing Agreement and that monitors compliance of Processor and Controller for the purpose of this Data Processing Agreement and the GDPR on a permanent and continuous basis. |
Clinical Study Supply Agreement Kamada-PARI | 24/35 |
5. | SUB PROCESSING |
5.1 | PARI shall provide KAMADA with a full list of sub-processors, including the name and jurisdiction of each sub-processor and the type of the processing to be undertaken by such sub-processors, before starting any processing operations concerning PD under the Agreement. PARI shall inform KAMADA of any intended changes concerning the addition or replacement of any sub-processors with KAMADA being permitted to object to such a change upon reasonable grounds only, by sending a notice to PARI, before the PD is made accessible to the sub-processor. If KAMADA notifies PARI in writing of any objections (on reasonable grounds) to the proposed appointment: |
5.1.1 | PARI shall work with KAMADA in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed sub-processor; and |
5.1.2 | where such a change cannot be made within 30 days from PARI’s receipt of KAMADA’s notice, notwithstanding anything in the CSSA, KAMADA may by written notice to PARI with immediate effect terminate the CSSA to the extent that it relates to the Services which require the use of the proposed sub-processors. |
5.2 | Before any new sub-processor first processes Controller Personal Data, PARI shall ensure that such sub-processor is capable of providing the level of protection for Controller Personal Data required by the CSSA and this Data Processing Agreement; PARI shall ensure that each sub-processor enters into a data processing agreement as required under Applicable Law. |
5.3 | PARI shall remain responsible for all obligations performed and any omission to perform or comply with the provisions under this Data Processing Agreement by subcontractors to the same extent as if such obligations were performed or omitted by PARI. PARI shall also remain the KAMADA’s sole point of contact. |
5.4 | PARI shall ensure that only such employees which must have access to the PD in order to meet PARI’s obligations under this Data Processing Agreement, shall have access to the PD processed on behalf of KAMADA, and that such employees have received appropriate training and instructions regarding processing of PD and are subject to a confidentiality undertaking that provides that he/she must keep all PD secret and may not use it for other purposes not required for the performance of the tasks he/she may be assigned to in performing the Services. |
Clinical Study Supply Agreement Kamada-PARI | 25/35 |
6. | AUDIT RIGHTS |
6.1 | PARI shall regularly monitor and control compliance of the collection, processing and use of PD with the CSSA and KAMADA’s instructions. Prior to beginning of the data processing under this Data Processing Agreement it shall confirm in writing that it has implemented the technical and organizational measures as set forth in Section 3.3 above. PARI then shall perform a yearly audit of such technical and organizational measures and make available to KAMADA a copy of the audit report in order to enable KAMADA to monitor compliance with agreed terms upon KAMADA’s written request. In addition, once a year PARI shall make available to KAMADA on request all other information necessary to demonstrate compliance with this Data Processing Agreement. |
6.2 | If KAMADA reasonably determines that the yearly audit report is not sufficient to comply with its duty, as a Controller, to monitor its Processor (e.g. because there was a data breach or because a competent data protection authority requests it) KAMADA may instruct an auditing company to perform an external audit of PARI at its own cost, except where the audit reveals non-negligible non-compliance with this Data Processing Agreement or the Applicable Laws, in which case PARI shall bear all costs of such audit. Within such audit PARI shall make available to KAMADA on request all information necessary to demonstrate compliance with this Data Processing Agreement. It is being understood, that the audit report may contain parts which have to be kept confidential in which case it shall suffice that auditors declare that this issue was complied with, unless a competent data protection authority requests more detailed information. PARI shall also allow audits from data protection authorities competent for KAMADA. |
7. | PERMITTED USES AND DISCLOSURES OF PHI |
Unless otherwise limited in this Schedule 3, in addition to any other uses or disclosures permitted or required by this Schedule 3, PARI may:
7.1 | make any and all uses and disclosures of PHI, solely when necessary to provide the Services to KAMADA in accordance with the CSSA. |
Clinical Study Supply Agreement Kamada-PARI | 26/35 |
7.2 | subject to the terms of Section 5 above, use and disclose to subcontractors and agents the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of PARI under the CSSA, provided that any third party to which PARI discloses PHI for those purposes provides written assurances in advance that: (i) the information will be held confidentially and used or further disclosed only as required for performance of the Services; (ii) the information will be used only for the purpose for which it was disclosed to the third party; and (iii) the third party promptly will notify PARI of any instances of which it becomes aware in which the confidentiality of the information has been breached; (iv) subcontractor or agent is subject to audit obligations to ensure that full audit according to Section 6 can be performed; |
7.3 | use the PHI and other data for the sole purpose of monitoring and analyzing the technical performance of the nebulizer system, but in no event for any other business activity or purpose of PARI. |
8. | TERMINATION AND COOPERATION |
8.1 | Termination. This Schedule 3 terminates automatically, if the CSSA terminates. In addition, if either party knows of a pattern of activity or practice of the other party that constitutes a material breach or violation of this Schedule 3 then the non-breaching party shall provide written notice of the breach or violation to the other party that specifies the nature of the breach or violation. The breaching party shall cure the breach or end the violation on or before thirty (30) days after receipt of the written notice. In the absence of a cure reasonably satisfactory to the non-breaching party within the specified timeframe, or in the event the breach is reasonably incapable of cure, then the non-breaching party may, if feasible, terminate the CSSA, including this Schedule 3. |
8.2 | Effect of Termination or Expiration. Within sixty (60) days after the expiration or termination for any reason of the CSSA or this Schedule 3, PARI shall upon KAMADA’s choice return or destroy all PHI, if feasible to do so, including all PHI in possession of PARI’s agents or subcontractors. In the event that PARI determines that return or destruction of the PHI is not feasible, PARI shall notify KAMADA in writing and may retain the PHI subject to this Section 8.2 if permitted by GDPR. Under any circumstances, PARI shall extend any and all protections, limitations and restrictions contained in this Schedule 3 to PARI’s use or disclosure of any PHI retained after the expiration or termination of the CSSA or this Schedule 3, and shall limit any further uses or disclosures solely to the purposes that make return or destruction of the PHI infeasible. |
Clinical Study Supply Agreement Kamada-PARI | 27/35 |
9. | INDEMNIFICATION |
9.1 | PARI will indemnify, hold harmless and defend KAMADA and its Affiliates and their respective officers, employees and agents from and against any and all third party, claims and related expenses (including reasonable attorney fees) resulting from, or arising out of any negligent non-compliance of the responsibilities of PARI as described in this Data Processing Agreement. |
9.2 | PARI acknowledges and agrees that any unauthorized access to, use or disclosure of PD would cause immediate and irreparable harm for which money damages would not constitute an adequate remedy and that in the event of any unauthorized use or disclosure of PD, KAMADA shall be entitled to immediate injunctive relief. |
10. | MISCELLANEOUS |
10.1 | Contradictory Terms; Construction of Terms. Any other provision of the CSSA that is directly contradictory to one or more terms of this Schedule 3 (“Contradictory Term”) shall be superseded by the terms of this Schedule 3 to the extent and only to the extent of the contradiction, only for the purpose of KAMADA’s and PARI’s compliance with the GDPR, and only to the extent reasonably impossible to comply with both the Contradictory Term and the terms of this Schedule 3. The terms of this Schedule 3 to the extent they are unclear shall be construed to allow for compliance by KAMADA and PARI with the GDPR. |
10.2 | Survival. Sections 8.2, 10.1, and this 10.2 shall survive the expiration or termination for any reason of the CSSA or of this Schedule 3. |
10.3 | Assignation of rights or obligations. PARI shall not assign its rights or obligations under this Data Processing Agreement without the prior written consent of KAMADA. KAMADA shall be entitled to assign its rights and obligations under this Data Processing Agreement, specifically for the purpose of conducting clinical studies using third party contractors and processors, other than PARI. |
10.4 | Notices. All notices to a party under this Data Processing Agreement shall be in writing and sent to its address as set forth at the beginning of this CSSA, or to such other address as such party has provided the other in writing for such purpose. Notices may be sent by post, courier, fax or email. Notices shall be deemed to have been duly given (i) on the day of delivery when delivered in person or by courier, (ii) three (3) business days after the day when the notice was sent when sent by post, and (iii) on the day when the receiver has manually confirmed that it is received when sent per fax or email. |
Clinical Study Supply Agreement Kamada-PARI | 28/35 |
IN WITNESS WHEREOF, the Parties have entered into the CSSA as of the CSSA Effective Date; Schedule 3 will be made an integral part of it:
SIGNED for and on behalf of | SIGNED for and on behalf of | |||||
KAMADA Ltd. | PARI Pharma GmbH | |||||
/s/ Xxxx Xxxxxx | ||||||
Xxxx Xxxxxx | Date | ***** | Date | |||
CEO | ||||||
/s/ Chaime Orlev | ||||||
Chaime Orlev | Date | |||||
CFO |
Clinical Study Supply Agreement Kamada-PARI | 29/35 |
Exhibit 1 to Schedule 3
Description of Technical and Organizational Safeguards
This Exhibit 1 forms an integral part of Schedule 3 (Data Processing Agreement)
1. | Physical access control |
Are there any regulations governing access to the building, to the computer centre and to the premises comprising the IT infrastructure?
Explanations / comments:
The physical approach to a data processing system (“DPS”) must be controlled. Unauthorised persons must be prevented from gaining access to and operating the DPS in any way.
Examples: - access control system, badge reader
- magnetic card, chip card
- keys, key allocation
- door lock mechanism (electrical door opener, etc.)
- company security, gatekeeper
- monitoring facility, alarm system, video/closed-circuit TV
Measures implemented on Data Processor’s premises:
PARI IT infrastructure components are located in two separated data centres at Xxxxxxxxxx 0, 00000 Xxxxxxxxx. Access to these data centres is controlled by E-Token/smartcard and allowed only to defined persons.
SAP infrastructure as well as digital infrastructure are hosted by QSC AG in Hamburg (contract information available if requested). QSC is audited by PARI QM department.
Clinical Study Supply Agreement Kamada-PARI | 30/35 |
2. | Computer access control |
Are there any regulations governing the use of DP systems?
Explanations / comments:
Any unauthorised use of DPS must be prevented, no matter whether or not such use is effected by means of data transmission equipment (e.g. via the internet).
Examples: | - password procedures (including special characters, minimum length, regular change of password) |
- automatic blocking (e.g. password or pausing)
- setting up one user master record per user
- encryption of data volumes
Measures implemented on Data Processor’s premises:
Use of Laptops/desktops is secured by E-Token/smartcard and Password; every application needs user and Password authentication.
3. | Data access control |
Are there any regulations governing the allocation of user rights, their modification and withdrawal?
Explanations / comments:
It must be ensured that the authorised persons have access only to those data they are authorised to access. A set of rules for the allocation and withdrawal of authorisations must be organised and implemented to protect personal data, at all stages of their collection, processing and use and after their storage, in such a way that they cannot be read, copied, altered or removed by unauthorised persons.
Clinical Study Supply Agreement Kamada-PARI | 31/35 |
Examples: | - differentiated authorisations (profiles, roles, transactions, objects), data encryption |
Measures implemented on Data Processor’s premises:
There must be a written request for system access and authorisation (documented by Sharepoint workflow) made by GPO’s (Global process owner) or line manager; they define which role IT adds to a specific person.
All Laptop Harddrives are encrypted by Bitlocker.
The eFlow data are encrypted (transformation: Rijndael/ECB/NoPadding; Algorithm: AES).
4. | Disclosure control |
Is the transfer or transmission of data controlled? Is the dispatch of data volumes (including paper) controlled? Are there any regulations governing the transmission of sensitive or personal data (passwords, encryption, etc.)? Are there any process-independent plausibility and security checks in place upon data input by the Data Processor? Are the results checked for correctness by the Controller?
Explanations / comments:
During transport or electronic transmission, personal data must be protected in such a way that they cannot be read, copied, altered or removed by unauthorised persons (encryption may be an option). Besides the verifiability and traceability of data transmission it must be ensured that unauthorised persons are prevented from accessing the data during their transmission. Since this cannot be guaranteed by technical means at this point, it must be ensured that any modification or deletion of data can be recognised.
Clinical Study Supply Agreement Kamada-PARI | 32/35 |
Examples: | - encryption / tunnelling connection (VPN = Virtual Private Network) |
- electronic signature
- logging
- transport protection
Measures implemented on Data Processor’s premises:
If somebody wants to have access to our infrastructure from outside our network, again a specific written request is needed (documented by Sharepoint workflow) and if allowed implemented by VPN tunnel.
In SAP we have implemented the Standard SAP Audit Trail as well as an extended Audit Trail.
5. | Input control |
Are the collection, modification and deletion of personal data logged?
Explanations / comments:
It must be ensured (by logging) that it is possible after the fact to check and ascertain whether personal data have been entered, altered or removed, and if so, when and by whom.
Examples: | - logging systems and report evaluation systems |
Measures implemented on Data Processor’s premises:
See point 4 Audit Trail and extended Audit Trail
6. | Job control |
Is it ensured that the data to be processed by the Data Processor are processed exclusively according to the Controller’s instructions? Are these instructions implemented by the Data Processor without delay? Are there any checks in place to prevent the data from being copied, altered or transmitted to unauthorised third parties?
Clinical Study Supply Agreement Kamada-PARI | 33/35 |
Explanations / comments:
It must be verified and ensured that personal data processed on behalf of others are processed strictly in compliance with the Controller’s instructions.
Examples: | - obligation of staff involved in data processing to maintain data secrecy |
- code of conduct for data processing by the Data Processor
- procedures for revealing any error instructions
- checking compliance with instructions
- granting the Controller monitoring rights as per data privacy agreement
Measures implemented on Data Processor’s premises:
The use of IT Systems is described in a standard operating procedure of PARI.
PARI IT is audited by internal QM department as well as external audits by cancom/acentrix (detailed audit documentation available if requested).
7. | Availability control |
Does the Data Processor has a backup scheme in place and is it checked at regular intervals? Are there any disaster response exercises in place? Is the place of storage and processing clearly identified? Has the storage period for the data sets and possibly for the software been defined?
Explanations / comments:
The availability of personal data must be ensured. Appropriate measures are to be taken to protect DPS (hardware and software) against accidental destruction (disaster case).
Clinical Study Supply Agreement Kamada-PARI | 34/35 |
Examples: | - backup procedures |
- mirror disks, e.g. RAID procedure
- uninterruptible power supply (UPS)
- separate storage
- antivirus protection, firewall
- contingency plan
Measures implemented on Data Processor’s premises and are described in several standard operation procedures at PARI.
Data are hosted by QSC AG; Information regarding backup procedure etc are available if requested.
8. | Separation control |
Has the separation control requirement been fulfilled to ensure the separate processing of data collected for different purposes (separation rule)? Are the systems multi-client capable?
Explanations / comments:
It must be ensured that personal data collected for different purposes can be processed separately. Logical rather than physical separation is required.
Examples: | - “internal client capability” / earmarking |
- functional separation (production, testing)
Measures implemented on Data Processor’s premises:
Data access is based on different roles so that the users only see the data they need for work.
Relevant system landscape is separated into Development system, Quality system and Production system.
Clinical
Study Supply Agreement Kamada-PARI Effective Date: May 8th, 2019, Version: 1.0 |
35/35 |