Common use of Roles and responsibilities of the Parties Clause in Contracts

Roles and responsibilities of the Parties. The Site and/or Principal Investigator is Data Controller for the personal data contained in the Clinical History of each project Participant. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(h) of the GDPR. The Sponsor is Data Controller for the pseudonymised (“codified”) data in the project, which is collected via DCLs (data collection logbooks), in accordance with the project Protocol. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(i) of the GDPR. The Sponsor may not participate in the process of collecting data from the project Participants. Therefore: The Site and/or Principal Investigator will be the parties responsible for informing the project Participants clearly, accurately and unequivocally of the processing of their personal data with relation to the Protocol, providing them, at the time when they are given the informed consent (IC), with all the information pertaining to the processing of their personal data within the framework of the research. The Site and/or Principal Investigator will be responsible for conducting the process of coding the personal data of the Participants in the clinical research, in a manner that guarantees that the information received by the Sponsor and, particularly, the content in the DCLs, may not be directly attributed to a project Participant, without access to additional information. Said additional information must be safeguarded by the Site and/or Principal Investigator. 
The Site and/or Principal Investigator undertake to refrain from providing information to the Sponsor and the Sponsor undertakes to refrain from receiving information that would enable them to directly or indirectly access and learn the identifying data of the Participants in the clinical research, even including the coding process used, unless this were strictly necessary in order (i) to comply with their legal obligations or those derived from the good clinical practice guidelines (e.g. auditing and/or monitoring tasks); (ii) to document, investigate or respond to adverse effect reports; and (iii) to respond to legal claims or proceedings initiated by Participants in the clinical research.
Confidentiality
The Parties shall ensure that all staff, including the staff of the Site and/or the Principal Investigator, as well as all members of the Research Team who are authorised to process Personal Data have committed to fulfilling their duties of confidentiality and professional secrecy. The Parties shall ensure that staff with access to Personal Data are duly informed of the confidential nature thereof, have received satisfactory training on their obligations and responsibilities with regards to Personal Data processing and have expressly signed the appropriate confidentiality and/or Data Processing agreements. The Site and/or Principal Investigator shall ensure that these confidentiality obligations remain, even after termination of staff contracts. The Parties also guarantee that access to Personal Data will be limited to that which is strictly necessary in order for staff to provide their services in accordance with the Agreement.
Rights of the Data Subjects
The Site and/or the Principal Investigator shall act as the sole point of contact for the Participants in the project or their legal representatives, and shall respond to as many enquiries and/or exercises of rights made by these parties in relation to the processing of their Personal Data within the scope of the project (rights to access, rectification, cancellation, restriction, data portability and to object), within the legally established time period for so doing. Likewise, in the event that a Participant exercises any of the aforementioned rights before the project Sponsor, the latter shall immediately communicate this to the Site and/or Principal Investigator, so that they can take the appropriate legal action, and it shall erase from its systems any Personal Data received.
Security
Each Data Controller shall apply to the Personal Data processing for which they are responsible appropriate technical and organisational measures that guarantee a satisfactory level of protection, as well as the permanent confidentiality, integrity, availability and resilience of the systems and services used for the Personal Data processing, based on the existing risks. Such measures must prevent unlawful processing of the Personal Data that are accessed, as well as their loss, manipulation, disclosure, destruction or unauthorised access. For this purpose, the Parties must take into account the state of the art, the costs of implementation, as well as the nature, the scope and the likely, severe risks to the rights and freedoms of the project Participants.
Such technical and organisational measures must be implemented, maintained and reviewed during the period for which the data processing lasts, and must include (i) pseudonymisation and encryption of the Personal Data; (ii) the ability to restore availability and access to the Personal Data on an ad-hoc basis in the event of a physical or technical incident; (iii) definition of a procedure to periodically verify, assess and evaluate, in a routine manner, the efficacy of the technical and organisational measures implemented to guarantee the security of data processing; (iv) any other national or international security standard required by virtue of this Agreement or, where appropriate, the applicable regulations (e.g. the National Security Framework, Spain).
Subcontracting
Both parties guarantee that they will only collaborate with Data Processors: (i) who have sufficient accredited experience and knowledge of the field to perform the specific Processing activities set out in the Agreement; (ii) who have implemented the appropriate technical and organisational measures to perform the Processing activities in accordance with the project Protocol and the applicable Data Protection regulations; (iii) who have signed the appropriate Data Processing agreements, in compliance with the provisions of article 28 of the GDPR and Additional Provision 17 of the LOPDGDD.
Documentation
Each Party shall conduct a Data Processing Impact Assessment (DPIA) on the Personal Data Processing that they are performing, and shall collaborate with and assist each other regarding any doubts that are raised about this and/or any advance query that needs to be made to the Supervisory Authorities about the Processing.
Both Parties undertake to collaborate with and make available to the other Party, as well as to the Government and/or Data Protection Authorities if so requested for this purpose, as much information and documentation as may be reasonably considered necessary to accredit effective compliance with the obligations undertaken by virtue of this Appendix I and the applicable Data Protection regulations. In the event of receiving an information request, demand, ruling or order from a court or from any Administrative or governmental authority, the Recipient Party shall notify the other Party thereof immediately (and under no circumstances more than 24 hours after receiving said court summons or order) via its Data Protection Officer and by e-mail to [INCLUDE SPONSOR E-MAIL ADDRESS] and to xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx. Said notification must include a copy of the information request, demand, court ruling or order, court summons or order, and all the information that the notified Party has available on this matter.
Security Breaches
If there is (i) a loss or misuse of the Personal Data, (ii) involuntary, unauthorised or illegal processing, disclosure, access, alteration, corruption, transfer, destruction or use of the Personal Data from the project, or (iii) any other circumstance that actually compromises or may compromise the security, confidentiality or integrity of the Personal Data and information from the project (hereinafter “Security Incident”), whether by the Sponsor, the Site and/or the Principal Investigator or any of its Subcontractors, the Party that has suffered said Incident must notify the other Party of this circumstance, without undue delay and, in all events, within twenty-four (24) hours of having been made aware thereof.
The Data Controller that has suffered said Security Incident must complete any required notification of the Data Protection Supervisory Authority and, where applicable, of the project Participants, in accordance with the provisions of the Data Protection regulations and the Guidelines published by the Supervisory Authority.
Data Protection Officers
Both parties have designated a Data Protection Officer whose contact details are provided below in order to ensure compliance with the regulations and as a point of contact for issues concerning this agreement:
Sponsor: [INCLUDE SPONSOR E-MAIL ADDRESS]
Site: xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx
Information for the Parties on Data Protection
The administration and management of this Agreement may involve processing by the Parties of the contact details of the Parties’ representatives. The Site and/or Principal Investigator, as well as the signatory Parties, understand and accept that their Personal Data, including the name, contact details, curriculum vitae, areas of specialisation of the Principal Investigator and, when required, the necessary financial information, will be processed by the Sponsor, its subsidiaries and/or contractual partners for the purpose of fulfilling the Agreement, the legal obligations of the Sponsor and the good clinical practice guidelines. Said information may be used by the Sponsor for other purposes, such as contacting the Principal Investigator to request his/her participation in future research. The legal bases for the processing thereof are the execution of the agreement, as well as the legitimate interest of the Sponsor. The personal information may, if necessary, be made available to the regulatory authorities and Ethics Committees. The Sponsor may process the Personal Data in other countries than that in which they were collected.
The Sponsor is a multinational company that has data centres across the world, including Europe and the United States (headquarters at INCLUDE SPONSOR DETAILS). The Parties understand that their Personal Information may be transferred to other entities in the Sponsor’s group or to contractual partners that provide services for it from third countries which may not provide the same level of data protection as the country in which the Parties are located. Nevertheless, the Personal Information will only be transferred after ensuring that satisfactory mechanisms and guarantees exist to protect said information. Transfers of data between the Sponsor and its suppliers are performed by means of Standard Contractual Clauses approved by the European Commission. For more information on these clauses, please contact the Sponsor’s Data Protection Officer at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. The Personal Information transfers between the Sponsor and the entities in its group comply with current legislation and the binding corporate rules (BCR). For more information about the BCR, including the option of filing a claim regarding the processing of your Personal information, please visit [SPONSOR’S WEBSITE]. If you have any requests or questions about exercising your rights to access, rectification, erasure, to object, restriction of processing or data portability, please contact the Data Protection officer of [INCLUDE SPONSOR’S DETAILS] at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. You may also file a claim regarding the processing of your data with our DPO at [INCLUDE SPONSOR’S E-MAIL ADDRESS] or with the Agencia Española de Protección de Datos (Spanish Data Protection Agency) at xxxx://xxx.xxxx.xx
The Project sponsor and principal investigator are responsible for archiving the Project documentation, in accordance with the provisions of the applicable legislation in force.

Appears in 1 contract

Samples: Contrato Para La Realización De Un Proyecto De Investigacion en El Servicio De Salud Del Principado De Asturias (Sespa)

Roles and responsibilities of the Parties. The Site and/or Principal Investigator is Data Controller for the personal data contained in the Clinical History of each Trial Participant. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(h) of the GDPR. The Sponsor is Data Controller for the pseudonymised (“codified”) data in the Trial, which is collected via DCLs (data collection logbooks), in accordance with the Trial Protocol. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(i) of the GDPR. The Sponsor may not participate in the process of collecting data from the Trial Participants. Therefore: The Site and/or Principal Investigator will be the parties responsible for informing the Trial Participants clearly, accurately and unequivocally of the processing of their personal data with relation to the Protocol, providing them, at the time when they are given the informed consent (IC), with all the information pertaining to the processing of their personal data within the framework of the research. The Site and/or Principal Investigator will be responsible for conducting the process of coding the personal data of the Participants in the clinical research, in a manner that guarantees that the information received by the Sponsor and, particularly, the content in the DCLs, may not be directly attributed to a Trial Participant, without access to additional information. Said additional information must be safeguarded by the Site and/or Principal Investigator.
The Site and/or Principal Investigator undertake to refrain from providing information to the Sponsor and the Sponsor undertakes to refrain from receiving information that would enable them to directly or indirectly access and learn the identifying data of the Participants in the clinical research, even including the coding process used, unless this were strictly necessary in order (i) to comply with their legal obligations or those derived from the good clinical practice guidelines (e.g. auditing and/or monitoring tasks); (ii) to document, investigate or respond to adverse effect reports; and (iii) to respond to legal claims or proceedings initiated by Participants in the clinical research.
Confidentiality
The Parties shall ensure that all staff, including the staff of the Site and/or the Principal Investigator, as well as all members of the Research Team who are authorised to process Personal Data have committed to fulfilling their duties of confidentiality and professional secrecy. The Parties shall ensure that Staff with access to Personal Data are duly informed of the confidential nature thereof, have received satisfactory training on their obligations and responsibilities with regards to Personal Data processing and have expressly signed the appropriate confidentiality and/or Data Processing agreements. The Site and/or Principal Investigator shall ensure that these confidentiality obligations remain, even after termination of staff xxxxx contracts. The Parties also guarantee that access to Personal Data will be limited to that which is strictly necessary in order for staff xxxxx to provide their services in accordance with the Agreement.
Rights of the Data Subjects
The Site and/or the Principal Investigator shall act as the sole point of contact for the Participants in the Trial or their legal representatives, and shall respond to as many enquiries and/or exercises of rights made by these parties in relation to the processing of their Personal Data within the scope of the Trial (rights to access, rectification, cancellation, restriction, data portability and to object), within the legally established time period for so doing. Likewise, in the event that a Participant exercises any of the aforementioned rights before the Trial Sponsor, the latter shall immediately communicate this to the Site and/or Principal Investigator, so that they can take the appropriate legal action, and it shall erase from its systems any Personal Data received.
Security
Each Data Controller shall apply to the Personal Data processing for which they are responsible appropriate technical and organisational measures that guarantee a satisfactory level of protection, as well as the permanent confidentiality, integrity, availability and resilience of the systems and services used for the Personal Data processing, based on the existing risks. Such measures must prevent unlawful processing of the Personal Data that are accessed, as well as their loss, manipulation, disclosure, destruction or unauthorised access. For this purpose, the Parties must take into account the state of the art, the costs of implementation, as well as the nature, the scope and the likely, severe risks to the rights and freedoms of the Trial Participants.
Such technical and organisational measures must be implemented, maintained and reviewed during the period for which the data processing lasts, and must include (i) pseudonymisation and encryption of the Personal Data; (ii) the ability to restore availability and access to the Personal Data on an ad-hoc basis in the event of a physical or technical incident; (iii) definition of a procedure to periodically verify, assess and evaluate, in a routine manner, the efficacy of the technical and organisational measures implemented to guarantee the security of data processing; (iv) any other national or international security standard required by virtue of this Agreement or, where appropriate, the applicable regulations (e.g. the National Security Framework, Spain).
Subcontracting
Both parties guarantee that they will only collaborate with Data Processors: (i) who have sufficient accredited experience and knowledge of the field to perform the specific Processing activities set out in the Agreement; (ii) who have implemented the appropriate technical and organisational measures to perform the Processing activities in accordance with the Trial Protocol and the applicable Data Protection regulations; (iii) who have signed the appropriate Data Processing agreements, in compliance with the provisions of article 28 of the GDPR and Additional Provision 17 of the LOPDGDD.
Documentation
Each Party shall conduct a Data Processing Impact Assessment (DPIA) on the Personal Data Processing that they are performing, and shall collaborate with and assist each other regarding any doubts that are raised about this and/or any advance query that needs to be made to the Supervisory Authorities about the Processing.
Both Parties undertake to collaborate with and make available to the other Party, as well as to the Government and/or Data Protection Authorities if so requested for this purpose, as much information and documentation as may be reasonably considered necessary to accredit effective compliance with the obligations undertaken by virtue of this Appendix I and the applicable Data Protection regulations. In the event of receiving an information request, demand, ruling or order from a court or from any Administrative or governmental authority, the Recipient Party shall notify the other Party thereof immediately (and under no circumstances more than 24 hours after receiving said court summons or order) via its Data Protection Officer and by e-mail to [INCLUDE SPONSOR E-MAIL ADDRESS] and to xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx. Said notification must include a copy of the information request, demand, court ruling or order, court summons or order, and all the information that the notified Party has available on this matter.
Security Breaches
If there is (i) a loss or misuse of the Personal Data, (ii) involuntary, unauthorised or illegal processing, disclosure, access, alteration, corruption, transfer, destruction or use of the Personal Data from the Trial, or (iii) any other circumstance that actually compromises or may compromise the security, confidentiality or integrity of the Personal Data and information from the Trial (hereinafter “Security Incident”), whether by the Sponsor, the Site and/or the Principal Investigator or any of its Subcontractors, the Party that has suffered said Incident must notify the other Party of this circumstance, without undue delay and, in all events, within twenty-four (24) hours of having been made aware thereof.
The Data Controller that has suffered said Security Incident must complete any required notification of the Data Protection Supervisory Authority and, where applicable, of the Trial Participants, in accordance with the provisions of the Data Protection regulations and the Guidelines published by the Supervisory Authority.
Data Protection Officers
Both parties have designated a Data Protection Officer whose contact details are provided below in order to ensure compliance with the regulations and as a point of contact for issues concerning this agreement:
Sponsor: [INCLUDE SPONSOR E-MAIL ADDRESS]
Site: xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx
Information for the Parties on Data Protection
The administration and management of this Agreement may involve processing by the Parties of the contact details of the Parties’ representatives. The Site and/or Principal Investigator, as well as the signatory Parties, understand and accept that their Personal Data, including the name, contact details, curriculum vitae, areas of specialisation of the Principal Investigator and, when required, the necessary financial information, will be processed by the Sponsor, its subsidiaries and/or contractual partners for the purpose of fulfilling the Agreement, the legal obligations of the Sponsor and the good clinical practice guidelines. Said information may be used by the Sponsor for other purposes, such as contacting the Principal Investigator to request his/her participation in future research. The legal bases for the processing thereof are the execution of the agreement, as well as the legitimate interest of the Sponsor. The personal information may, if necessary, be made available to the regulatory authorities and Ethics Committees. The Sponsor may process the Personal Data in other countries than that in which they were collected.
The Sponsor is a multinational company that has data centres across the world, including Europe and the United States (headquarters at INCLUDE SPONSOR DETAILS). The Parties understand that their Personal Information may be transferred to other entities in the Sponsor’s group or to contractual partners that provide services for it from third countries which may not provide the same level of data protection as the country in which the Parties are located. Nevertheless, the Personal Information will only be transferred after ensuring that satisfactory mechanisms and guarantees exist to protect said information. Transfers of data between the Sponsor and its suppliers are performed by means of Standard Contractual Clauses approved by the European Commission. For more information on these clauses, please contact the Sponsor’s Data Protection Officer at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. The Personal Information transfers between the Sponsor and the entities in its group comply with current legislation and the binding corporate rules (BCR). For more information about the BCR, including the option of filing a claim regarding the processing of your Personal information, please visit [SPONSOR’S WEBSITE]. If you have any requests or questions about exercising your rights to access, rectification, erasure, to object, restriction of processing or data portability, please contact the Data Protection officer of [INCLUDE SPONSOR’S DETAILS] at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. You may also file a claim regarding the processing of your data with our DPO at [INCLUDE SPONSOR’S E-MAIL ADDRESS] or with the Agencia Española de Protección de Datos (Spanish Data Protection Agency) at xxxx://xxx.xxxx.xx.
The trial sponsor and principal investigator are responsible for archiving the trial documentation which shall be kept at the disposal of the competent authorities for a period of at least ten years after the last unit of the device has been placed on the market or put into service. In the case of implantable devices, the period shall be at least fifteen years, in accordance with the provisions of the applicable legislation in force, for at least 25 years from the trial’s completion or discontinuation.

Appears in 1 contract

Samples: Contrato Para La Realización De Un Ensayo Clínico Con Producto Sanitario

Roles and responsibilities of the Parties. The Site and/or Principal Investigator is Data Controller for the personal data contained in the Clinical History of each study Participant. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(h) of the GDPR. The Sponsor is Data Controller for the pseudonymised (“codified”) data in the study, which is collected via DCLs (data collection logbooks), in accordance with the study Protocol. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(i) of the GDPR. The Sponsor may not participate in the process of collecting data from the study Participants. Therefore: The Site and/or Principal Investigator will be the parties responsible for informing the study Participants clearly, accurately and unequivocally of the processing of their personal data with relation to the Protocol, providing them, at the time when they are given the informed consent (IC), with all the information pertaining to the processing of their personal data within the framework of the research. The Site and/or Principal Investigator will be responsible for conducting the process of coding the personal data of the Participants in the clinical research, in a manner that guarantees that the information received by the Sponsor and, particularly, the content in the DCLs, may not be directly attributed to a study Participant, without access to additional information. Said additional information must be safeguarded by the Site and/or Principal Investigator.
The Site and/or Principal Investigator undertake to refrain from providing information to the Sponsor and the Sponsor undertakes to refrain from receiving information that would enable them to directly or indirectly access and learn the identifying data of the Participants in the clinical research, even including the coding process used, unless this were strictly necessary in order (i) to comply with their legal obligations or those derived from the good clinical practice guidelines (e.g. auditing and/or monitoring tasks); (ii) to document, investigate or respond to adverse effect reports; and (iii) to respond to legal claims or proceedings initiated by Participants in the clinical research.
Confidentiality
The Parties shall ensure that all staff, including the staff of the Site and/or the Principal Investigator, as well as all members of the Research Team who are authorised to process Personal Data have committed to fulfilling their duties of confidentiality and professional secrecy. The Parties shall ensure that staff with access to Personal Data are duly informed of the confidential nature thereof, have received satisfactory training on their obligations and responsibilities with regards to Personal Data processing and have expressly signed the appropriate confidentiality and/or Data Processing agreements. The Site and/or Principal Investigator shall ensure that these confidentiality obligations remain, even after termination of staff contracts. The Parties also guarantee that access to Personal Data will be limited to that which is strictly necessary in order for staff to provide their services in accordance with the Agreement.
Rights of the Data Subjects
The Site and/or the Principal Investigator shall act as the sole point of contact for the Participants in the study or their legal representatives, and shall respond to as many enquiries and/or exercises of rights made by these parties in relation to the processing of their Personal Data within the scope of the study (rights to access, rectification, cancellation, restriction, data portability and to object), within the legally established time period for so doing. Likewise, in the event that a Participant exercises any of the aforementioned rights before the study Sponsor, the latter shall immediately communicate this to the Site and/or Principal Investigator, so that they can take the appropriate legal action, and it shall erase from its systems any Personal Data received.
Security
Each Data Controller shall apply to the Personal Data processing for which they are responsible appropriate technical and organisational measures that guarantee a satisfactory level of protection, as well as the permanent confidentiality, integrity, availability and resilience of the systems and services used for the Personal Data processing, based on the existing risks. Such measures must prevent unlawful processing of the Personal Data that are accessed, as well as their loss, manipulation, disclosure, destruction or unauthorised access. For this purpose, the Parties must take into account the state of the art, the costs of implementation, as well as the nature, the scope and the likely, severe risks to the rights and freedoms of the study Participants.
Such technical and organisational measures must be implemented, maintained and reviewed during the period for which the data processing lasts, and must include (i) pseudonymisation and encryption of the Personal Data; (ii) the ability to restore availability and access to the Personal Data on an ad-hoc basis in the event of a physical or technical incident; (iii) definition of a procedure to periodically verify, assess and evaluate, in a routine manner, the efficacy of the technical and organisational measures implemented to guarantee the security of data processing; (iv) any other national or international security standard required by virtue of this Agreement or, where appropriate, the applicable regulations (e.g. the National Security Framework, Spain).
Subcontracting
Both parties guarantee that they will only collaborate with Data Processors: (i) who have sufficient accredited experience and knowledge of the field to perform the specific Processing activities set out in the Agreement; (ii) who have implemented the appropriate technical and organisational measures to perform the Processing activities in accordance with the study Protocol and the applicable Data Protection regulations; (iii) who have signed the appropriate Data Processing agreements, in compliance with the provisions of article 28 of the GDPR and Additional Provision 17 of the LOPDGDD.
Documentation
Each Party shall conduct a Data Processing Impact Assessment (DPIA) on the Personal Data Processing that they are performing, and shall collaborate with and assist each other regarding any doubts that are raised about this and/or any advance query that needs to be made to the Supervisory Authorities about the Processing.
Both Parties undertake to collaborate with and make available to the other Party, as well as to the Government and/or Data Protection Authorities if so requested for this purpose, as much information and documentation as may be reasonably considered necessary to accredit effective compliance with the obligations undertaken by virtue of this Appendix I and the applicable Data Protection regulations. In the event of receiving an information request, demand, ruling or order from a court or from any Administrative or governmental authority, the Recipient Party shall notify the other Party thereof immediately (and under no circumstances more than 24 hours after receiving said court summons or order) via its Data Protection Officer and by e-mail to [INCLUDE SPONSOR E-MAIL ADDRESS] and to xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx. Said notification must include a copy of the information request, demand, court ruling or order, court summons or order, and all the information that the notified Party has available on this matter. Security Breaches If there is (i) a loss or misuse of the Personal Data, (ii) involuntary, unauthorised or illegal processing, disclosure, access, alteration, corruption, transfer, destruction or use of the Personal Data from the project study, or (iii) any other circumstance that actually compromises or may compromise the security, confidentiality or integrity of the Personal Data and information from the project study (hereinafter “Security Incident”), whether by the Sponsor, the Site and/or the Principal Investigator or any of its Subcontractors, the Party that has suffered said Incident must notify the other Party of this circumstance, without undue delay and, in all events, within twenty-four (24) hours of having been made aware thereof. 
The Data Controller that has suffered said Security Incident must complete any required notification of the Data Protection Supervisory Authority and, where applicable, of the project study Participants, in accordance with the provisions of the Data Protection regulations and the Guidelines published by the Supervisory Authority. Data Protection Officers Both parties have designated a Data Protection Officer whose contact details are provided below in order to ensure compliance with the regulations and as a point of contact for issues concerning this agreement: Sponsor: [INCLUDE SPONSOR E-MAIL ADDRESS] Site: xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx Information for the Parties on Data Protection The administration and management of this Agreement may involve processing by the Parties of the contact details of the Parties’ representatives. The Site and/or Principal Investigator, as well as the signatory Parties, understand and accept that their Personal Data, including the name, contact details, curriculum vitae, areas of specialisation of the Principal Investigator and, when required, the necessary financial information, will be processed by the Sponsor, its subsidiaries and/or contractual partners for the purpose of fulfilling the Agreement, the legal obligations of the Sponsor and the good clinical practice guidelines. Said information may be used by the Sponsor for other purposes, such as contacting the Principal Investigator to request his/her participation in future research. The legal bases for the processing thereof are the execution of the agreement, as well as the legitimate interest of the Sponsor. The personal information may, if necessary, be made available to the regulatory authorities and Ethics Committees. The Sponsor may process the Personal Data in other countries than that in which they were collected. 
The Sponsor is a multinational company that has data centres across the world, including Europe and the United States (headquarters at INCLUDE SPONSOR DETAILS). The Parties understand that their Personal Information may be transferred to other entities in the Sponsor’s group or to contractual partners that provide services for it from third countries which may not provide the same level of data protection as the country in which the Parties are located. Nevertheless, the Personal Information will only be transferred after ensuring that satisfactory mechanisms and guarantees exist to protect said information. Transfers of data between the Sponsor and its suppliers are performed by means of Standard Contractual Clauses approved by the European Commission. For more information on these clauses, please contact the Sponsor’s Data Protection Officer at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. The Personal Information transfers between the Sponsor and the entities in its group comply with current legislation and the binding corporate rules (BCR). For more information about the BCR, including the option of filing a claim regarding the processing of your Personal information, please visit [SPONSOR’S WEBSITE]. If you have any requests or questions about exercising your rights to access, rectification, erasure, to object, restriction of processing or data portability, please contact the Data Protection officer of [INCLUDE SPONSOR’S DETAILS] at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. You may also file a claim regarding the processing of your data with our DPO at [INCLUDE SPONSOR’S E-MAIL ADDRESS] or with the Agencia Española de Protección de Datos (Spanish Data Protection Agency) at xxxx://xxx.xxxx.xx.
The Project study sponsor and principal investigator are responsible for archiving the Project study documentation, in accordance with the provisions of the applicable legislation in force.

Appears in 1 contract

Samples: Contrato Para La Realización De Un Estudio Observacional

Roles and responsibilities of the Parties. The Site and/or Principal Investigator is Data Controller for the personal data contained in the Clinical History of each project Trial Participant. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(h) of the GDPR. The Sponsor is Data Controller for the pseudonymised (“codified”) data in the projectTrial, which is collected via DCLs (data collection logbooks), in accordance with the project Trial Protocol. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(i) of the GDPR. The Sponsor may not participate in the process of collecting data from the project Trial Participants. Therefore: , The Site and/or Principal Investigator will be the parties responsible for informing the project Trial Participants clearly, accurately and unequivocally of the processing of their personal data with relation to the Protocol, providing them, at the time when they are given the informed consent (IC), with all the information pertaining to the processing of their personal data within the framework of the research. The Site and/or Principal Investigator will be responsible for conducting the process of coding the personal data of the Participants in the clinical research, in a manner that guarantees that the information received by the Sponsor and, particularly, the content in the DCLs, may not be directly attributed to a project Trial Participant, without access to additional information. Said additional information must be safeguarded by the Site and/or Principal Investigator. 
The Site and/or Principal Investigator undertake to refrain from providing information to the Sponsor and the Sponsor undertakes to refrain from receiving information that would enable them to directly or indirectly access and learn the identifying data of the Participants in the clinical research, even including the coding process used, unless this were strictly necessary in order (i) to comply with their legal obligations or those derived from the good clinical practice guidelines (e.g. auditing and/or monitoring tasks); (ii) to document, investigate or respond to adverse effect reports; and (iii) to respond to legal claims or proceedings initiated by Participants in the clinical research. Confidentiality The Parties shall ensure that all staff, Staff - including the staff of the Site and/or the Principal Investigator, as well as all members of the Research Team - who are authorised to process Personal Data have committed to fulfilling their duties of confidentiality and professional secrecy. The Parties shall ensure that staff Staff with access to Personal Data are duly informed of the confidential nature thereof, have received satisfactory training on their obligations and responsibilities with regards to Personal Data processing and have expressly signed the appropriate confidentiality and/or Data Processing agreements. The Site and/or Principal Investigator shall ensure that these confidentiality obligations remain, even after termination of staff Staff contracts. The Parties also guarantee that access to Personal Data will be limited to that which is strictly necessary in order for staff Staff to provide their services in accordance with the Agreement. 
Rights of the Data Subjects The Site and/or the Principal Investigator shall act as the sole point of contact for the Participants in the project Trial or their legal representatives, and shall respond to as many enquiries and/or exercises of rights made by these parties in relation to the processing of their Personal Data within the scope of the project Trial (rights to access, rectification, cancellation, restriction, data portability and to object), within the legally established time period for so doing. Likewise, in the event that a Participant exercises any of the aforementioned rights before the project Trial Sponsor, the latter shall immediately communicate this to the Site and/or Principal Investigator, so that they can take the appropriate legal action, and it shall erase from its systems any Personal Data received. Security Each Data Controller shall apply to the Personal Data processing for which they are responsible appropriate technical and organisational measures that guarantee a satisfactory level of protection, as well as the permanent confidentiality, integrity, availability and resilience of the systems and services used for the Personal Data processing, based on the existing risks. Such measures must prevent unlawful processing of the Personal Data that are accessed, as well as their loss, manipulation, disclosure, destruction or unauthorised access. For this purpose, the Parties must take into account the state of the art, the costs of implementation, as well as the nature, the scope and the likely, severe risks to the rights and freedoms of the project Trial Participants. 
Such technical and organisational measures must be implemented, maintained and reviewed during the period for which the data processing lasts, and must include (i) pseudonymisation and encryption of the Personal Data; (ii) the ability to restore availability and access to the Personal Data on an ad-hoc basis in the event of a physical or technical incident; (iii) definition of a procedure to periodically verify, assess and evaluate, in a routine manner, the efficacy of the technical and organisational measures implemented to guarantee the security of data processing; (iv) any other national or international security standard required by virtue of this Agreement or, where appropriate, the applicable regulations (e.g. the National Security Framework, Spain) Subcontracting Both parties guarantee that they will only collaborate with Data Processors: (i) who have sufficient accredited experience and knowledge of the field to perform the specific Processing activities set out in the Agreement; (ii) who have implemented the appropriate technical and organisational measures to perform the Processing activities in accordance with the project Trial Protocol and the applicable Data Protection regulations; (iii) who have signed the appropriate Data Processing agreements, in compliance with the provisions of article 28 of the GDPR and Additional Provision 17 of the LOPDGDD. Documentation Each Party shall conduct a Data Processing Impact Assessment (DPIA) on the Personal Data Processing that they are performing, and shall collaborate with and assist each other regarding any doubts that are raised about this and/or any advance query that needs to be made to the Supervisory Authorities about the Processing. 
Both Parties undertake to collaborate with and make available to the other Party, as well as to the Government and/or Data Protection Authorities if so requested for this purpose, as much information and documentation as may be reasonably considered necessary to accredit effective compliance with the obligations undertaken by virtue of this Appendix I and the applicable Data Protection regulations. In the event of receiving an information request, demand, ruling or order from a court or from any Administrative or governmental authority, the Recipient Party shall notify the other Party thereof immediately (and under no circumstances more than 24 hours after receiving said court summons or order) via its Data Protection Officer and by e-mail to [INCLUDE SPONSOR E-MAIL ADDRESS] and to xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx Said notification must include a copy of the information request, demand, court ruling or order, court summons or order, and all the information that the notified Party has available on this matter. Security Breaches If there is (i) a loss or misuse of the Personal Data, (ii) involuntary, unauthorised or illegal processing, disclosure, access, alteration, corruption, transfer, destruction or use of the Personal Data from the projectTrial, or (iii) any other circumstance that actually compromises or may compromise the security, confidentiality or integrity of the Personal Data and information from the project Trial (hereinafter “Security Incident”), whether by the Sponsor, the Site and/or the Principal Investigator or any of its Subcontractors, the Party that has suffered said Incident must notify the other Party of this circumstance, without undue delay and, in all events, within twenty-four (24) hours of having been made aware thereof. 
The Data Controller that has suffered said Security Incident must complete any required notification of the Data Protection Supervisory Authority and, where applicable, of the project Trial Participants, in accordance with the provisions of the Data Protection regulations and the Guidelines published by the Supervisory Authority. Data Protection Officers Both parties have designated a Data Protection Officer whose contact details are provided below in order to ensure compliance with the regulations and as a point of contact for issues concerning this agreement: Sponsor: [INCLUDE SPONSOR E-MAIL ADDRESS] Site: xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx Information for the Parties on Data Protection The administration and management of this Agreement may involve processing by the Parties of the contact details of the Parties’ representatives. The Site and/or Principal Investigator, as well as the signatory Parties, understand and accept that their Personal Data, including the name, contact details, curriculum vitae, areas of specialisation of the Principal Investigator and, when required, the necessary financial information, will be processed by the Sponsor, its subsidiaries and/or contractual partners for the purpose of fulfilling the Agreement, the legal obligations of the Sponsor and the good clinical practice guidelines. Said information may be used by the Sponsor for other purposes, such as contacting the Principal Investigator to request his/her participation in future research. The legal bases for the processing thereof are the execution of the agreement, as well as the legitimate interest of the Sponsor. The personal information may, if necessary, be made available to the regulatory authorities and Ethics Committees. The Sponsor may process the Personal Data in other countries than that in which they were collected. 
The Sponsor is a multinational company that has data centres across the world, including Europe and the United States (headquarters at INCLUDE SPONSOR DETAILS). The Parties understand that their Personal Information may be transferred to other entities in the Sponsor’s group or to contractual partners that provide services for it from third countries which may not provide the same level of data protection as the country in which the Parties are located. Nevertheless, the Personal Information will only be transferred after ensuring that satisfactory mechanisms and guarantees exist to protect said information. Transfers of data between the Sponsor and its suppliers are performed by means of Standard Contractual Clauses approved by the European Commission. For more information on these clauses, please contact the Sponsor’s Data Protection Officer at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. The Personal Information transfers between the Sponsor and the entities in its group comply with current legislation and our binding corporate rules (BCR). For more information about the BCR, including the option of filing a claim regarding the processing of your Personal information, please visit [SPONSOR’S WEBSITE]. If you have any requests or questions about exercising your rights to access, rectification, erasure, to object, restriction of processing or data portability, please contact the Data Protection officer of [INCLUDE SPONSOR’S DETAILS] at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. You may also file a claim regarding the processing of your data with our DPO at [INCLUDE SPONSOR’S E-MAIL ADDRESS] or with the Agencia Española de Protección de Datos (Spanish Data Protection Agency) at xxxx://xxx.xxxx.xx.
The Project study sponsor and principal investigator are responsible for archiving the Project study documentation, in accordance with the provisions of the applicable legislation in force, for at least 5 years from the study’s completion or discontinuation.

Appears in 1 contract

Samples: Contrato Para La Realización De Un Estudio De Registros

Roles and responsibilities of the Parties. The Site and/or Principal Investigator is Data Controller for the personal data contained in the Clinical History of each project Trial Participant. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(h) of the GDPR. The Sponsor is Data Controller for the pseudonymised (“codified”) data in the projectTrial, which is collected via DCLs (data collection logbooks), in accordance with the project Trial Protocol. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(i) of the GDPR. The Sponsor may not participate in the process of collecting data from the project Trial Participants. Therefore: , The Site and/or Principal Investigator will be the parties responsible for informing the project Trial Participants clearly, accurately and unequivocally of the processing of their personal data with relation to the Protocol, providing them, at the time when they are given the informed consent (IC), with all the information pertaining to the processing of their personal data within the framework of the research. The Site and/or Principal Investigator will be responsible for conducting the process of coding the personal data of the Participants in the clinical research, in a manner that guarantees that the information received by the Sponsor and, particularly, the content in the DCLs, may not be directly attributed to a project Trial Participant, without access to additional information. Said additional information must be safeguarded by the Site and/or Principal Investigator. 
The Site and/or Principal Investigator undertake to refrain from providing information to the Sponsor and the Sponsor undertakes to refrain from receiving information that would enable them to directly or indirectly access and learn the identifying data of the Participants in the clinical research, even including the coding process used, unless this were strictly necessary in order (i) to comply with their legal obligations or those derived from the good clinical practice guidelines (e.g. auditing and/or monitoring tasks); (ii) to document, investigate or respond to adverse effect reports; and (iii) to respond to legal claims or proceedings initiated by Participants in the clinical research. Confidentiality The Parties shall ensure that all staff, Staff - including the staff of the Site and/or the Principal Investigator, as well as all members of the Research Team - who are authorised to process Personal Data have committed to fulfilling their duties of confidentiality and professional secrecy. The Parties shall ensure that staff Staff with access to Personal Data are duly informed of the confidential nature thereof, have received satisfactory training on their obligations and responsibilities with regards to Personal Data processing and have expressly signed the appropriate confidentiality and/or Data Processing agreements. The Site and/or Principal Investigator shall ensure that these confidentiality obligations remain, even after termination of staff Staff contracts. The Parties also guarantee that access to Personal Data will be limited to that which is strictly necessary in order for staff Staff to provide their services in accordance with the Agreement. 
Rights of the Data Subjects The Site and/or the Principal Investigator shall act as the sole point of contact for the Participants in the project Trial or their legal representatives, and shall respond to as many enquiries and/or exercises of rights made by these parties in relation to the processing of their Personal Data within the scope of the project Trial (rights to access, rectification, cancellation, restriction, data portability and to object), within the legally established time period for so doing. Likewise, in the event that a Participant exercises any of the aforementioned rights before the project Trial Sponsor, the latter shall immediately communicate this to the Site and/or Principal Investigator, so that they can take the appropriate legal action, and it shall erase from its systems any Personal Data received. Security Each Data Controller shall apply to the Personal Data processing for which they are responsible appropriate technical and organisational measures that guarantee a satisfactory level of protection, as well as the permanent confidentiality, integrity, availability and resilience of the systems and services used for the Personal Data processing, based on the existing risks. Such measures must prevent unlawful processing of the Personal Data that are accessed, as well as their loss, manipulation, disclosure, destruction or unauthorised access. For this purpose, the Parties must take into account the state of the art, the costs of implementation, as well as the nature, the scope and the likely, severe risks to the rights and freedoms of the project Trial Participants. 
Such technical and organisational measures must be implemented, maintained and reviewed during the period for which the data processing lasts, and must include (i) pseudonymisation and encryption of the Personal Data; (ii) the ability to restore availability and access to the Personal Data on an ad-hoc basis in the event of a physical or technical incident; (iii) definition of a procedure to periodically verify, assess and evaluate, in a routine manner, the efficacy of the technical and organisational measures implemented to guarantee the security of data processing; (iv) any other national or international security standard required by virtue of this Agreement or, where appropriate, the applicable regulations (e.g. the National Security Framework, Spain) Subcontracting Both parties guarantee that they will only collaborate with Data Processors: (i) who have sufficient accredited experience and knowledge of the field to perform the specific Processing activities set out in the Agreement; (ii) who have implemented the appropriate technical and organisational measures to perform the Processing activities in accordance with the project Trial Protocol and the applicable Data Protection regulations; (iii) who have signed the appropriate Data Processing agreements, in compliance with the provisions of article 28 of the GDPR and Additional Provision 17 of the LOPDGDD. Documentation Each Party shall conduct a Data Processing Impact Assessment (DPIA) on the Personal Data Processing that they are performing, and shall collaborate with and assist each other regarding any doubts that are raised about this and/or any advance query that needs to be made to the Supervisory Authorities about the Processing. 
Both Parties undertake to collaborate with and make available to the other Party, as well as to the Government and/or Data Protection Authorities if so requested for this purpose, as much information and documentation as may be reasonably considered necessary to accredit effective compliance with the obligations undertaken by virtue of this Appendix I and the applicable Data Protection regulations. In the event of receiving an information request, demand, ruling or order from a court or from any Administrative or governmental authority, the Recipient Party shall notify the other Party thereof immediately (and under no circumstances more than 24 hours after receiving said court summons or order) via its Data Protection Officer and by e-mail to [INCLUDE SPONSOR E-MAIL ADDRESS] and to xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx Said notification must include a copy of the information request, demand, court ruling or order, court summons or order, and all the information that the notified Party has available on this matter. Security Breaches If there is (i) a loss or misuse of the Personal Data, (ii) involuntary, unauthorised or illegal processing, disclosure, access, alteration, corruption, transfer, destruction or use of the Personal Data from the projectTrial, or (iii) any other circumstance that actually compromises or may compromise the security, confidentiality or integrity of the Personal Data and information from the project Trial (hereinafter “Security Incident”), whether by the Sponsor, the Site and/or the Principal Investigator or any of its Subcontractors, the Party that has suffered said Incident must notify the other Party of this circumstance, without undue delay and, in all events, within twenty-four (24) hours of having been made aware thereof. 
The Data Controller that has suffered said Security Incident must complete any required notification of the Data Protection Supervisory Authority and, where applicable, of the project Trial Participants, in accordance with the provisions of the Data Protection regulations and the Guidelines published by the Supervisory Authority. Data Protection Officers Both parties have designated a Data Protection Officer whose contact details are provided below in order to ensure compliance with the regulations and as a point of contact for issues concerning this agreement: Sponsor: [INCLUDE SPONSOR E-MAIL ADDRESS] Site: xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx Information for the Parties on Data Protection The administration and management of this Agreement may involve processing by the Parties of the contact details of the Parties’ representatives. The Site and/or Principal Investigator, as well as the signatory Parties, understand and accept that their Personal Data, including the name, contact details, curriculum vitae, areas of specialisation of the Principal Investigator and, when required, the necessary financial information, will be processed by the Sponsor, its subsidiaries and/or contractual partners for the purpose of fulfilling the Agreement, the legal obligations of the Sponsor and the good clinical practice guidelines. Said information may be used by the Sponsor for other purposes, such as contacting the Principal Investigator to request his/her participation in future research. The legal bases for the processing thereof are the execution of the agreement, as well as the legitimate interest of the Sponsor. The personal information may, if necessary, be made available to the regulatory authorities and Ethics Committees. The Sponsor may process the Personal Data in other countries than that in which they were collected. 
The Sponsor is a multinational company that has data centres across the world, including Europe and the United States (headquarters at INCLUDE SPONSOR DETAILS). The Parties understand that their Personal Information may be transferred to other entities in the Sponsor’s group or to contractual partners that provide services for it from third countries which may not provide the same level of data protection as the country in which the Parties are located. Nevertheless, the Personal Information will only be transferred after ensuring that satisfactory mechanisms and guarantees exist to protect said information. Transfers of data between the Sponsor and its suppliers are performed by means of Standard Contractual Clauses approved by the European Commission. For more information on these clauses, please contact the Sponsor’s Data Protection Officer at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. The Personal Information transfers between the Sponsor and the entities in its group comply with current legislation and our binding corporate rules (BCR). For more information about the BCR, including the option of filing a claim regarding the processing of your Personal information, please visit [SPONSOR’S WEBSITE]. If you have any requests or questions about exercising your rights to access, rectification, erasure, to object, restriction of processing or data portability, please contact the Data Protection officer of [INCLUDE SPONSOR’S DETAILS] at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. You may also file a claim regarding the processing of your data with our DPO at [INCLUDE SPONSOR’S E-MAIL ADDRESS] or with the Agencia Española de Protección de Datos (Spanish Data Protection Agency) at xxxx://xxx.xxxx.xx.
The Project sponsor and principal investigator are responsible for archiving the Project documentation, in accordance with the provisions of the applicable legislation in force, for at least 5 years from the Project’s completion or discontinuation.

Appears in 1 contract

Samples: Contrato Para La Realización De Un Proyecto De Investigacion

Roles and responsibilities of the Parties. The Site and/or Principal Investigator is Data Controller for the personal data contained in the Clinical History of each project Trial Participant. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(h) of the GDPR. The Sponsor is Data Controller for the pseudonymised (“codified”) data in the projectTrial, which is collected via DCLs (data collection logbooks), in accordance with the project Trial Protocol. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(i) of the GDPR. The Sponsor may not participate in the process of collecting data from the project Trial Participants. Therefore: , The Site and/or Principal Investigator will be the parties responsible for informing the project Trial Participants clearly, accurately and unequivocally of the processing of their personal data with relation to the Protocol, providing them, at the time when they are given the informed consent (IC), with all the information pertaining to the processing of their personal data within the framework of the research. The Site and/or Principal Investigator will be responsible for conducting the process of coding the personal data of the Participants in the clinical research, in a manner that guarantees that the information received by the Sponsor and, particularly, the content in the DCLs, may not be directly attributed to a project Trial Participant, without access to additional information. Said additional information must be safeguarded by the Site and/or Principal Investigator. 
The Site and/or Principal Investigator undertake to refrain from providing information to the Sponsor and the Sponsor undertakes to refrain from receiving information that would enable them to directly or indirectly access and learn the identifying data of the Participants in the clinical research, even including the coding process used, unless this were strictly necessary in order (i) to comply with their legal obligations or those derived from the good clinical practice guidelines (e.g. auditing and/or monitoring tasks); (ii) to document, investigate or respond to adverse effect reports; and (iii) to respond to legal claims or proceedings initiated by Participants in the clinical research. Confidentiality. The Parties shall ensure that all Staff - including the staff of the Site and/or the Principal Investigator, as well as all members of the Research Team - who are authorised to process Personal Data have committed to fulfilling their duties of confidentiality and professional secrecy. The Parties shall ensure that Staff with access to Personal Data are duly informed of the confidential nature thereof, have received satisfactory training on their obligations and responsibilities with regards to Personal Data processing and have expressly signed the appropriate confidentiality and/or Data Processing agreements. The Site and/or Principal Investigator shall ensure that these confidentiality obligations remain, even after termination of Staff contracts. The Parties also guarantee that access to Personal Data will be limited to that which is strictly necessary in order for Staff to provide their services in accordance with the Agreement.
Rights of the Data Subjects. The Site and/or the Principal Investigator shall act as the sole point of contact for the Participants in the Trial or their legal representatives, and shall respond to as many enquiries and/or exercises of rights made by these parties in relation to the processing of their Personal Data within the scope of the Trial (rights to access, rectification, cancellation, restriction, data portability and to object), within the legally established time period for so doing. Likewise, in the event that a Participant exercises any of the aforementioned rights before the Trial Sponsor, the latter shall immediately communicate this to the Site and/or Principal Investigator, so that they can take the appropriate legal action, and it shall erase from its systems any Personal Data received. Security. Each Data Controller shall apply to the Personal Data processing for which they are responsible appropriate technical and organisational measures that guarantee a satisfactory level of protection, as well as the permanent confidentiality, integrity, availability and resilience of the systems and services used for the Personal Data processing, based on the existing risks. Such measures must prevent unlawful processing of the Personal Data that are accessed, as well as their loss, manipulation, disclosure, destruction or unauthorised access. For this purpose, the Parties must take into account the state of the art, the costs of implementation, as well as the nature, the scope and the likely, severe risks to the rights and freedoms of the Trial Participants.
Such technical and organisational measures must be implemented, maintained and reviewed during the period for which the data processing lasts, and must include (i) pseudonymisation and encryption of the Personal Data; (ii) the ability to restore availability and access to the Personal Data on an ad-hoc basis in the event of a physical or technical incident; (iii) definition of a procedure to periodically verify, assess and evaluate, in a routine manner, the efficacy of the technical and organisational measures implemented to guarantee the security of data processing; (iv) any other national or international security standard required by virtue of this Agreement or, where appropriate, the applicable regulations (e.g. the National Security Framework, Spain). Subcontracting. Both parties guarantee that they will only collaborate with Data Processors: (i) who have sufficient accredited experience and knowledge of the field to perform the specific Processing activities set out in the Agreement; (ii) who have implemented the appropriate technical and organisational measures to perform the Processing activities in accordance with the Trial Protocol and the applicable Data Protection regulations; (iii) who have signed the appropriate Data Processing agreements, in compliance with the provisions of article 28 of the GDPR and Additional Provision 17 of the LOPDGDD. Documentation. Each Party shall conduct a Data Processing Impact Assessment (DPIA) on the Personal Data Processing that they are performing, and shall collaborate with and assist each other regarding any doubts that are raised about this and/or any advance query that needs to be made to the Supervisory Authorities about the Processing.
Both Parties undertake to collaborate with and make available to the other Party, as well as to the Government and/or Data Protection Authorities if so requested for this purpose, as much information and documentation as may be reasonably considered necessary to accredit effective compliance with the obligations undertaken by virtue of this Appendix I and the applicable Data Protection regulations. In the event of receiving an information request, demand, ruling or order from a court or from any Administrative or governmental authority, the Recipient Party shall notify the other Party thereof immediately (and under no circumstances more than 24 hours after receiving said court summons or order) via its Data Protection Officer and by e-mail to [INCLUDE SPONSOR E-MAIL ADDRESS] and to xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx. Said notification must include a copy of the information request, demand, court ruling or order, court summons or order, and all the information that the notified Party has available on this matter. Security Breaches. If there is (i) a loss or misuse of the Personal Data, (ii) involuntary, unauthorised or illegal processing, disclosure, access, alteration, corruption, transfer, destruction or use of the Personal Data from the Trial, or (iii) any other circumstance that actually compromises or may compromise the security, confidentiality or integrity of the Personal Data and information from the Trial (hereinafter “Security Incident”), whether by the Sponsor, the Site and/or the Principal Investigator or any of its Subcontractors, the Party that has suffered said Incident must notify the other Party of this circumstance, without undue delay and, in all events, within twenty-four (24) hours of having been made aware thereof.
The Data Controller that has suffered said Security Incident must complete any required notification of the Data Protection Supervisory Authority and, where applicable, of the Trial Participants, in accordance with the provisions of the Data Protection regulations and the Guidelines published by the Supervisory Authority. Data Protection Officers. Both parties have designated a Data Protection Officer whose contact details are provided below in order to ensure compliance with the regulations and as a point of contact for issues concerning this agreement: Sponsor: [INCLUDE SPONSOR E-MAIL ADDRESS] Site: xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx Information for the Parties on Data Protection. The administration and management of this Agreement may involve processing by the Parties of the contact details of the Parties’ representatives. The Site and/or Principal Investigator, as well as the signatory Parties, understand and accept that their Personal Data, including the name, contact details, curriculum vitae, areas of specialisation of the Principal Investigator and, when required, the necessary financial information, will be processed by the Sponsor, its subsidiaries and/or contractual partners for the purpose of fulfilling the Agreement, the legal obligations of the Sponsor and the good clinical practice guidelines. Said information may be used by the Sponsor for other purposes, such as contacting the Principal Investigator to request his/her participation in future research. The legal bases for the processing thereof are the execution of the agreement, as well as the legitimate interest of the Sponsor. The personal information may, if necessary, be made available to the regulatory authorities and Ethics Committees. The Sponsor may process the Personal Data in other countries than that in which they were collected.
The Sponsor is a multinational company that has data centres across the world, including Europe and the United States (headquarters at INCLUDE SPONSOR DETAILS). The Parties understand that their Personal Information may be transferred to other entities in the Sponsor’s group or to contractual partners that provide services for it from third countries which may not provide the same level of data protection as the country in which the Parties are located. Nevertheless, the Personal Information will only be transferred after ensuring that satisfactory mechanisms and guarantees exist to protect said information. Transfers of data between the Sponsor and its suppliers are performed by means of Standard Contractual Clauses approved by the European Commission. For more information on these clauses, please contact the Sponsor’s Data Protection Officer at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. The Personal Information transfers between the Sponsor and the entities in its group comply with current legislation and our binding corporate rules (BCR). For more information about the BCR, including the option of filing a claim regarding the processing of your Personal information, please visit [SPONSOR’S WEBSITE]. If you have any requests or questions about exercising your rights to access, rectification, erasure, to object, restriction of processing or data portability, please contact the Data Protection officer of [INCLUDE SPONSOR’S DETAILS] at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. You may also file a claim regarding the processing of your data with our DPO at [INCLUDE SPONSOR’S E-MAIL ADDRESS] or with the Agencia Española de Protección de Datos (Spanish Data Protection Agency) at xxxx://xxx.xxxx.xx
The Project sponsor and principal investigator are responsible for archiving the Project documentation, in accordance with the provisions of the applicable legislation in force.

Appears in 1 contract

Samples: Contrato Para La Realización De Un Estudio Observacional Con Medicamento De Uso Humano Eom

Roles and responsibilities of the Parties. The Site and/or Principal Investigator is Data Controller for the personal data contained in the Clinical History of each Trial Participant. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(h) of the GDPR. The Sponsor is Data Controller for the pseudonymised (“codified”) data in the Trial, which is collected via DCLs (data collection logbooks), in accordance with the Trial Protocol. The legal basis for the processing thereof is derived from articles 6.1(c) and 9.2(i) of the GDPR. The Sponsor may not participate in the process of collecting data from the Trial Participants. Therefore: The Site and/or Principal Investigator will be the parties responsible for informing the Trial Participants clearly, accurately and unequivocally of the processing of their personal data with relation to the Protocol, providing them, at the time when they are given the informed consent (IC), with all the information pertaining to the processing of their personal data within the framework of the research. The Site and/or Principal Investigator will be responsible for conducting the process of coding the personal data of the Participants in the clinical research, in a manner that guarantees that the information received by the Sponsor and, particularly, the content in the DCLs, may not be directly attributed to a Trial Participant, without access to additional information. Said additional information must be safeguarded by the Site and/or Principal Investigator.
The Site and/or Principal Investigator undertake to refrain from providing information to the Sponsor and the Sponsor undertakes to refrain from receiving information that would enable them to directly or indirectly access and learn the identifying data of the Participants in the clinical research, even including the coding process used, unless this were strictly necessary in order (i) to comply with their legal obligations or those derived from the good clinical practice guidelines (e.g. auditing and/or monitoring tasks); (ii) to document, investigate or respond to adverse effect reports; and (iii) to respond to legal claims or proceedings initiated by Participants in the clinical research. Confidentiality. The Parties shall ensure that all staff, including the staff of the Site and/or the Principal Investigator, as well as all members of the Research Team - who are authorised to process Personal Data have committed to fulfilling their duties of confidentiality and professional secrecy. The Parties shall ensure that Staff with access to Personal Data are duly informed of the confidential nature thereof, have received satisfactory training on their obligations and responsibilities with regards to Personal Data processing and have expressly signed the appropriate confidentiality and/or Data Processing agreements. The Site and/or Principal Investigator shall ensure that these confidentiality obligations remain, even after termination of staff contracts. The Parties also guarantee that access to Personal Data will be limited to that which is strictly necessary in order for staff to provide their services in accordance with the Agreement.
Rights of the Data Subjects. The Site and/or the Principal Investigator shall act as the sole point of contact for the Participants in the Trial or their legal representatives, and shall respond to as many enquiries and/or exercises of rights made by these parties in relation to the processing of their Personal Data within the scope of the Trial (rights to access, rectification, cancellation, restriction, data portability and to object), within the legally established time period for so doing. Likewise, in the event that a Participant exercises any of the aforementioned rights before the Trial Sponsor, the latter shall immediately communicate this to the Site and/or Principal Investigator, so that they can take the appropriate legal action, and it shall erase from its systems any Personal Data received. Security. Each Data Controller shall apply to the Personal Data processing for which they are responsible appropriate technical and organisational measures that guarantee a satisfactory level of protection, as well as the permanent confidentiality, integrity, availability and resilience of the systems and services used for the Personal Data processing, based on the existing risks. Such measures must prevent unlawful processing of the Personal Data that are accessed, as well as their loss, manipulation, disclosure, destruction or unauthorised access. For this purpose, the Parties must take into account the state of the art, the costs of implementation, as well as the nature, the scope and the likely, severe risks to the rights and freedoms of the Trial Participants.
Such technical and organisational measures must be implemented, maintained and reviewed during the period for which the data processing lasts, and must include (i) pseudonymisation and encryption of the Personal Data; (ii) the ability to restore availability and access to the Personal Data on an ad-hoc basis in the event of a physical or technical incident; (iii) definition of a procedure to periodically verify, assess and evaluate, in a routine manner, the efficacy of the technical and organisational measures implemented to guarantee the security of data processing; (iv) any other national or international security standard required by virtue of this Agreement or, where appropriate, the applicable regulations (e.g. the National Security Framework, Spain). Subcontracting. Both parties guarantee that they will only collaborate with Data Processors: (i) who have sufficient accredited experience and knowledge of the field to perform the specific Processing activities set out in the Agreement; (ii) who have implemented the appropriate technical and organisational measures to perform the Processing activities in accordance with the Trial Protocol and the applicable Data Protection regulations; (iii) who have signed the appropriate Data Processing agreements, in compliance with the provisions of article 28 of the GDPR and Additional Provision 17 of the LOPDGDD. Documentation. Each Party shall conduct a Data Processing Impact Assessment (DPIA) on the Personal Data Processing that they are performing, and shall collaborate with and assist each other regarding any doubts that are raised about this and/or any advance query that needs to be made to the Supervisory Authorities about the Processing.
Both Parties undertake to collaborate with and make available to the other Party, as well as to the Government and/or Data Protection Authorities if so requested for this purpose, as much information and documentation as may be reasonably considered necessary to accredit effective compliance with the obligations undertaken by virtue of this Appendix I and the applicable Data Protection regulations. In the event of receiving an information request, demand, ruling or order from a court or from any Administrative or governmental authority, the Recipient Party shall notify the other Party thereof immediately (and under no circumstances more than 24 hours after receiving said court summons or order) via its Data Protection Officer and by e-mail to [INCLUDE SPONSOR E-MAIL ADDRESS] and to xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx. Said notification must include a copy of the information request, demand, court ruling or order, court summons or order, and all the information that the notified Party has available on this matter. Security Breaches. If there is (i) a loss or misuse of the Personal Data, (ii) involuntary, unauthorised or illegal processing, disclosure, access, alteration, corruption, transfer, destruction or use of the Personal Data from the Trial, or (iii) any other circumstance that actually compromises or may compromise the security, confidentiality or integrity of the Personal Data and information from the Trial (hereinafter “Security Incident”), whether by the Sponsor, the Site and/or the Principal Investigator or any of its Subcontractors, the Party that has suffered said Incident must notify the other Party of this circumstance, without undue delay and, in all events, within twenty-four (24) hours of having been made aware thereof.
The Data Controller that has suffered said Security Incident must complete any required notification of the Data Protection Supervisory Authority and, where applicable, of the Trial Participants, in accordance with the provisions of the Data Protection regulations and the Guidelines published by the Supervisory Authority. Data Protection Officers. Both parties have designated a Data Protection Officer whose contact details are provided below in order to ensure compliance with the regulations and as a point of contact for issues concerning this agreement: Sponsor: [INCLUDE SPONSOR E-MAIL ADDRESS] Site: xxxxxxxxxxxxxxxxxxxxxxx.xxxxx@xxxxx.xx Information for the Parties on Data Protection. The administration and management of this Agreement may involve processing by the Parties of the contact details of the Parties’ representatives. The Site and/or Principal Investigator, as well as the signatory Parties, understand and accept that their Personal Data, including the name, contact details, curriculum vitae, areas of specialisation of the Principal Investigator and, when required, the necessary financial information, will be processed by the Sponsor, its subsidiaries and/or contractual partners for the purpose of fulfilling the Agreement, the legal obligations of the Sponsor and the good clinical practice guidelines. Said information may be used by the Sponsor for other purposes, such as contacting the Principal Investigator to request his/her participation in future research. The legal bases for the processing thereof are the execution of the agreement, as well as the legitimate interest of the Sponsor. The personal information may, if necessary, be made available to the regulatory authorities and Ethics Committees. The Sponsor may process the Personal Data in other countries than that in which they were collected.
The Sponsor is a multinational company that has data centres across the world, including Europe and the United States (headquarters at INCLUDE SPONSOR DETAILS). The Parties understand that their Personal Information may be transferred to other entities in the Sponsor’s group or to contractual partners that provide services for it from third countries which may not provide the same level of data protection as the country in which the Parties are located. Nevertheless, the Personal Information will only be transferred after ensuring that satisfactory mechanisms and guarantees exist to protect said information. Transfers of data between the Sponsor and its suppliers are performed by means of Standard Contractual Clauses approved by the European Commission. For more information on these clauses, please contact the Sponsor’s Data Protection Officer at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. The Personal Information transfers between the Sponsor and the entities in its group comply with current legislation and the binding corporate rules (BCR). For more information about the BCR, including the option of filing a claim regarding the processing of your Personal information, please visit [SPONSOR’S WEBSITE]. If you have any requests or questions about exercising your rights to access, rectification, erasure, to object, restriction of processing or data portability, please contact the Data Protection officer of [INCLUDE SPONSOR’S DETAILS] at [INCLUDE SPONSOR’S E-MAIL ADDRESS]. You may also file a claim regarding the processing of your data with our DPO at [INCLUDE SPONSOR’S E-MAIL ADDRESS] or with the Agencia Española de Protección de Datos (Spanish Data Protection Agency) at xxxx://xxx.xxxx.xx.
The trial sponsor and principal investigator are responsible for archiving the trial documentation, in accordance with the provisions of the applicable legislation in force, for at least 25 years from the trial’s completion or discontinuation.

Appears in 1 contract

Samples: Contrato Para La Realización De Un Ensayo Clínico Con Medicamentos en El Servicio De Salud Del Principado De Asturias (Sespa)