Common use of DATA PROTECTION Clause in Contracts

DATA PROTECTION. All the PARTIES, in as far as they process the personal data of the CLINICAL TRIAL’S subjects, must take the necessary measures to protect them and prevent access to them by unauthorised third parties. The PARTIES are under the obligation to rigorously observe the provisions of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016, and Organic Law 3/2018, of 5 December, on Personal Data Protection and the guarantee of digital rights. Furthermore, the aforementioned legislation will be applicable to the personal data contained in this contract. If required, the PARTIES will enter into such agreements as are necessary to ensure compliance with the aforementioned legal obligations. The HOSPITAL, the PRINCIPAL INVESTIGATOR and the FOUNDATION will suitably process the personal data of the subjects taking part in the CLINICAL TRIAL in such a way that they cannot be identified by the SPONSOR and CRO (if appropriate). They will only access the personal data of the CLINICAL TRIAL’S subjects, where they are identified, in as far as permitted by the informed consent, and in the exercise of their professional duties, of the monitors and/or representatives appointed by the SPONSOR and CRO (if appropriate), the auditors and competent authorities. The PARTIES signing this contract mutually undertake to:

• Solely access the personal data when this is essential for proper performance of the project.
• Process the data for the sole purpose of performing the purpose of the contract.
• If any of the parties considers that another breaches the GDPR, the LOPDGDD, or any other provision relating to data protection in the European Union or the member states, it will immediately notify the others, for the purpose of prompt rectification.
• Assume the relevant liability in the event that the data are used for a purpose other than the performance of the purpose of this contract, they are communicated or they are used in breach of the stipulations in the current regulations, responding for the breaches they may have incurred personally.
• Not to allow access to personal data by any employee it is responsible for who does not need to know them to provide the services.
• Not to disclose, transfer, assign, or in any other way communicate the personal data, whether verbally or in writing, by electronic means, on paper or by computer access, not even for their storage, to any third party, unless there is prior authorisation or instruction to do so.
• Keep a register of all the categories of treatments carried out in performing this contract, containing the information required by article 30.2 of the GDPR and 31 of the LOPDGDD.
• Ensure the necessary training in relation to personal data protection for the persons authorised to process personal data.
• Give mutual support in carrying out impact assessments relating to data protection, when appropriate.
• Give mutual support in carrying out prior consultations with the Supervisory Authority, when appropriate.
• Make all the information needed available to the other party to demonstrate compliance with its obligations, and to carry out the audits and inspections carried out by the other party for the purpose of verifying the proper performance of this contract.
• Take and apply the security measures stipulated in this contract, in accordance with the provisions of article 32 of the GDPR, to ensure the security of the personal data and prevent their unauthorised alteration, loss, processing or access, taking into account the level of technology, the nature of the data stored and the risks they are exposed to, whether from human actions or the physical or natural environment.
• Designate a data protection officer and notify their identity and contact details to the other party, and comply with all of the provisions of articles 37, 38 and 39 of the GDPR and 35 to 37 of the LOPDGDD.
• In the event that either of the parties must transfer or allow access to personal data which are the responsibility of the other to a third party under European Union Law, or of the Member states, which is applicable, it will notify the other of this legal requirement beforehand, unless this is prohibited on grounds of public interest.
• In the event that the processing includes personal data gathering, the relevant procedures for data gathering will be set up, particularly in relation to proven identification of the users, the duty to report and, as appropriate, obtaining consent from the affected parties, ensuring that these instructions comply with all the legal and regulatory provisions required by current regulations on data protection.
• Supervise processing and compliance with data protection regulations by the other party.

7.3 SECURITY MEASURES AND SECURITY BREACHES. Taking into account the level of technology, the application costs, and the nature, scope, context and purposes of the processing, along with the variable risks of probability and severity for the rights and freedoms of natural persons, the parties will take such technical and organisational measures as are appropriate to ensure a security level which is in line with the risk, which, as appropriate, includes, amongst others, the following:
a) personal data pseudonymisation and encoding;
b) the capacity to ensure permanent confidentiality, integrity, availability and resilience in the processing systems and services, along with rapid availability and access to the personal data in the event of a physical or technical incident;
c) a conventional verification, evaluation and assessment process of the effectiveness of the technical and organisational measures to ensure secure processing;
d) a catalogue of security measures recognised by information security regulations or standards.

When assessing the suitability of the security level, the parties will take into account the risks involved in data processing, particularly as a result of the accidental or unlawful destruction, loss or alteration to the personal data sent, stored or processed in another way, or the unauthorised communication of, or access to, such data. The parties will allow audits and inspections by the other party and contribute to them. Furthermore, in the event that the current regulations on data protection, or other related regulations which are applicable to the processing which is the purpose of this contract, are amended, the parties guarantee to implement and maintain any other security measures which may be required of them, without this involving any amendment to the terms of this contract. In the event of a breach of the security of the personal data on the computer systems used by the parties to provide the Services, they should notify each other, without undue delay, and, at any event, within a maximum of 24 working hours, of the breaches of the security of the personal data held by them that they are aware of, together with all the relevant information to document and notify the incident in accordance with the provisions of article 33.3 of the GDPR. In this case, each party, to the extent that it concerns them, must notify data security breaches to the Data Protection Authority and/or the parties concerned in accordance with the provisions of the current regulations.

Appears in 8 contracts

Samples: Contrato Para La Realización De Ensayos Clínicos Con Producto Sanitario/ Contract for Performance of Clinical Trials With Medical Device, Contrato Para La Realización De Ensayos Clínicos Con Medicamento/ Contract for Performance of Clinical Trials, Contrato Para La Realización De Investigaciones Clínicas Con Producto Sanitario Sin Marcado Ce O Fuera De Indicación / Contract for Performance of Clinical Investigations With Medical Devices Without Ce Marking or Out of Indication

DATA PROTECTION. All the PARTIES, in as far as they process the personal data of the CLINICAL TRIAL STUDY’S subjects, must take the necessary measures to protect them and prevent access to them by unauthorised third parties. The PARTIES are under the obligation to rigorously observe the provisions of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016, and Organic Law 3/2018, of 5 December, on Personal Data Protection and the guarantee of digital rights. Furthermore, the aforementioned legislation will be applicable to the personal data contained in this contract. If required, the PARTIES will enter into such agreements as are necessary to ensure compliance with the aforementioned legal obligations. The HOSPITAL, the PRINCIPAL INVESTIGATOR and the FOUNDATION will suitably process the personal data of the subjects taking part in the CLINICAL TRIAL STUDY in such a way that they cannot be identified by the SPONSOR and CRO (if appropriate). They will only access the personal data of the CLINICAL TRIAL STUDY’S subjects, where they are identified, in as far as permitted by the informed consent, and in the exercise of their professional duties, of the monitors and/or representatives appointed by the SPONSOR and CRO (if appropriate), the auditors and competent authorities. The PARTIES signing this contract mutually undertake to:

• Solely access the personal data when this is essential for proper performance of the project.
• Process the data for the sole purpose of performing the purpose of the contract.
• If any of the parties considers that another breaches the GDPR, the LOPDGDD, or any other provision relating to data protection in the European Union or the member states, it will immediately notify the others, for the purpose of prompt rectification.
• Assume the relevant liability in the event that the data are used for a purpose other than the performance of the purpose of this contract, they are communicated or they are used in breach of the stipulations in the current regulations, responding for the breaches they may have incurred personally.
• Not to allow access to personal data by any employee it is responsible for who does not need to know them to provide the services.
• Not to disclose, transfer, assign, or in any other way communicate the personal data, whether verbally or in writing, by electronic means, on paper or by computer access, not even for their storage, to any third party, unless there is prior authorisation or instruction to do so.
• Keep a register of all the categories of treatments carried out in performing this contract, containing the information required by article 30.2 of the GDPR and 31 of the LOPDGDD.
• Ensure the necessary training in relation to personal data protection for the persons authorised to process personal data.
• Give mutual support in carrying out impact assessments relating to data protection, when appropriate.
• Give mutual support in carrying out prior consultations with the Supervisory Authority, when appropriate.
• Make all the information needed available to the other party to demonstrate compliance with its obligations, and to carry out the audits and inspections carried out by the other party for the purpose of verifying the proper performance of this contract.
• Take and apply the security measures stipulated in this contract, in accordance with the provisions of article 32 of the GDPR, to ensure the security of the personal data and prevent their unauthorised alteration, loss, processing or access, taking into account the level of technology, the nature of the data stored and the risks they are exposed to, whether from human actions or the physical or natural environment.
• Designate a data protection officer and notify their identity and contact details to the other party, and comply with all of the provisions of articles 37, 38 and 39 of the GDPR and 35 to 37 of the LOPDGDD.
• In the event that either of the parties must transfer or allow access to personal data which are the responsibility of the other to a third party under European Union Law, or of the Member states, which is applicable, it will notify the other of this legal requirement beforehand, unless this is prohibited on grounds of public interest.
• In the event that the processing includes personal data gathering, the relevant procedures for data gathering will be set up, particularly in relation to proven identification of the users, the duty to report and, as appropriate, obtaining consent from the affected parties, ensuring that these instructions comply with all the legal and regulatory provisions required by current regulations on data protection.
• Supervise processing and compliance with data protection regulations by the other party.

7.3 13.3 SECURITY MEASURES AND SECURITY BREACHES. Taking into account the level of technology, the application costs, and the nature, scope, context and purposes of the processing, along with the variable risks of probability and severity for the rights and freedoms of natural persons, the parties will take such technical and organisational measures as are appropriate to ensure a security level which is in line with the risk, which, as appropriate, includes, amongst others, the following:
a) personal data pseudonymisation and encoding;
b) the capacity to ensure permanent confidentiality, integrity, availability and resilience in the processing systems and services, along with rapid availability and access to the personal data in the event of a physical or technical incident;
c) a conventional verification, evaluation and assessment process of the effectiveness of the technical and organisational measures to ensure secure processing;
d) a catalogue of security measures recognised by information security regulations or standards.

When assessing the suitability of the security level, the parties will take into account the risks involved in data processing, particularly as a result of the accidental or unlawful destruction, loss or alteration to the personal data sent, stored or processed in another way, or the unauthorised communication of, or access to, such data. The parties will allow audits and inspections by the other party and contribute to them. Furthermore, in the event that the current regulations on data protection, or other related regulations which are applicable to the processing which is the purpose of this contract, are amended, the parties guarantee to implement and maintain any other security measures which may be required of them, without this involving any amendment to the terms of this contract. In the event of a breach of the security of the personal data on the computer systems used by the parties to provide the Services, they should notify each other, without undue delay, and, at any event, within a maximum of 24 working hours, of the breaches of the security of the personal data held by them that they are aware of, together with all the relevant information to document and notify the incident in accordance with the provisions of article 33.3 of the GDPR. In this case, each party, to the extent that it concerns them, must notify data security breaches to the Data Protection Authority and/or the parties concerned in accordance with the provisions of the current regulations.

Appears in 2 contracts

Samples: Contrato De Investigación/ Clinical Research Study Contract, Contrato De Investigación/ Clinical Research Study Contract