Common use of DATA PROTECTION Clause in Contracts

DATA PROTECTION. All the PARTIES, in as far as they process the personal data of the CLINICAL TRIAL’S subjects, must take the necessary measures to protect them and prevent access to them by unauthorised third parties. The PARTIES are under the obligation to rigorously observe the provisions of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016, and Organic Law 3/2018, of 5 December, on Personal Data Protection and the guarantee of digital rights. Furthermore, the aforementioned legislation will be applicable to the personal data contained in this contract. If required, the PARTIES will enter into such agreements as are necessary to ensure compliance with the aforementioned legal obligations. The HOSPITAL, the PRINCIPAL INVESTIGATOR and the FOUNDATION will suitably process the personal data of the subjects taking part in the CLINICAL TRIAL in such a way that they cannot be identified by the SPONSOR and CRO (if appropriate). They will only access the personal data of the CLINICAL TRIAL’S subjects, where they are identified, in as far as permitted by the informed consent, and in the exercise of their professional duties, of the monitors and/or representatives appointed by the SPONSOR and CRO (if appropriate), the auditors and competent authorities. The PARTIES signing this contract mutually undertake to: • Solely access the personal data when this is essential for proper performance of the project • Process the data for the sole purpose of performing the purpose of the contract • If any of the parties considers that another breaches the GDPR, the LOPDGDD, or any other provision relating to data protection in the European Union or the member states, it will immediately notify the others, for the purpose of prompt rectification. • Assume the relevant liability in the event that the data are used for a purpose other than the performance of the purpose of this contract, they are communicated or they are used in breach of the stipulations in the current regulations, responding for the breaches they may have incurred personally. • Not to allow access to personal data by any employee it is responsible for who does not need to know them to provide the services. • Not to disclose, transfer, assign, or in any other way communicate the personal data, whether verbally or in writing, by electronic means, on paper or by computer access, not even for their storage, to any third party, unless there is prior authorisation or instruction to do so. • Keep a register of all the categories of treatments carried out in performing this contract, containing the information required by article 30.2 of the GDPR and 31 of the LOPDGDD. • Ensure the necessary training in relation to personal data protection for the persons authorised to process personal data. • Give mutual support in carrying out impact assessments relating to data protection, when appropriate • Give mutual support in carrying out prior consultations with the Supervisory Authority, when appropriate Make all the information needed available to the other party to demonstrate compliance with its obligations, and to carry out the audits and inspections carried out by the other party for the purpose of verifying the proper performance of this contract. • Take and apply the security measures stipulated in this contract, in accordance with the provisions of article 32 of the GDPR, to ensure the security of the personal data and prevent their unauthorised alteration, loss, processing or access, taking into account the level of technology, the nature of the data stored and the risks they are exposed to, whether from human actions or the physical or natural environment. • Designate a data protection officer and notify their identity and contact details to the other party, and comply with all of the provisions of articles 37, 38 and 39 of the GDPR and 35 to 37 of the LOPDGDD. • In the event that either of the parties must transfer or allow access to personal data which are the responsibility of the other to a third party under European Union Law, or of the Member states, which is applicable, it will notify the other of this legal requirement beforehand, unless this is prohibited on grounds of public interest. • In the event that the processing includes personal data gathering, the relevant procedures for data gathering will be set up, particularly in relation to proven identification of the users, the duty to report and, as appropriate, obtaining consent from the affected parties, ensuring that these instructions comply with all the legal and regulatory provisions required by current regulations on data protection. • Supervise processing and compliance with data protection regulations by the other party.

DATA PROTECTION. All the PARTIES, in as far as they process the personal data of the CLINICAL TRIALSTUDY’S subjects, must take the necessary measures to protect them and prevent access to them by unauthorised third parties. The PARTIES are under the obligation to rigorously observe the provisions of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016, and Organic Law 3/2018, of 5 December, on Personal Data Protection and the guarantee of digital rights. Furthermore, the aforementioned legislation will be applicable to the personal data contained in this contract. If required, the PARTIES will enter into such agreements as are necessary to ensure compliance with the aforementioned legal obligations. The HOSPITAL, the PRINCIPAL INVESTIGATOR and the FOUNDATION will suitably process the personal data of the subjects taking part in the CLINICAL TRIAL STUDY in such a way that they cannot be identified by the SPONSOR and CRO (if appropriate). They will only access the personal data of the CLINICAL TRIALSTUDY’S subjects, where they are identified, in as far as permitted by the informed consent, and in the exercise of their professional duties, of the monitors and/or representatives appointed by the SPONSOR and CRO (if appropriate), the auditors and competent authorities. The PARTIES signing this contract mutually undertake to: • Solely access the personal data when this is essential for proper performance of the project • Process the data for the sole purpose of performing the purpose of the contract • If any of the parties considers that another breaches the GDPR, the LOPDGDD, or any other provision relating to data protection in the European Union or the member states, it will immediately notify the others, for the purpose of prompt rectification. • Assume the relevant liability in the event that the data are used for a purpose other than the performance of the purpose of this contract, they are communicated or they are used in breach of the stipulations in the current regulations, responding for the breaches they may have incurred personally. • Not to allow access to personal data by any employee it is responsible for who does not need to know them to provide the services. • Not to disclose, transfer, assign, or in any other way communicate the personal data, whether verbally or in writing, by electronic means, on paper or by computer access, not even for their storage, to any third party, unless there is prior authorisation or instruction to do so. • Keep a register of all the categories of treatments carried out in performing this contract, containing the information required by article 30.2 of the GDPR and 31 of the LOPDGDD. • Ensure the necessary training in relation to personal data protection for the persons authorised to process personal data. • Give mutual support in carrying out impact assessments relating to data protection, when appropriate • Give mutual support in carrying out prior consultations with the Supervisory Authority, when appropriate Make all the information needed available to the other party to demonstrate compliance with its obligations, and to carry out the audits and inspections carried out by the other party for the purpose of verifying the proper performance of this contract. • Take and apply the security measures stipulated in this contract, in accordance with the provisions of article 32 of the GDPR, to ensure the security of the personal data and prevent their unauthorised alteration, loss, processing or access, taking into account the level of technology, the nature of the data stored and the risks they are exposed to, whether from human actions or the physical or natural environment. • Designate a data protection officer and notify their identity and contact details to the other party, and comply with all of the provisions of articles 37, 38 and 39 of the GDPR and 35 to 37 of the LOPDGDD. • In the event that either of the parties must transfer or allow access to personal data which are the responsibility of the other to a third party under European Union Law, or of the Member states, which is applicable, it will notify the other of this legal requirement beforehand, unless this is prohibited on grounds of public interest. • In the event that the processing includes personal data gathering, the relevant procedures for data gathering will be set up, particularly in relation to proven identification of the users, the duty to report and, as appropriate, obtaining consent from the affected parties, ensuring that these instructions comply with all the legal and regulatory provisions required by current regulations on data protection. • Supervise processing and compliance with data protection regulations by the other party.