AZIENDA OSPEDALIERO UNIVERSITARIA MEYER
Resolution of the Director General no. 324 of 23-06-2022
Proposal no. 610 of 2022
Subject: PROJECT ENTITLED “FAIRVASC - BUILDING REGISTRY INTEROPERABILITY TO INFORM CLINICAL CARE” – APPROVAL OF DRAFT DATA SHARING AGREEMENT
Manager: XXXX XXXXX
Manager's Unit: HEAD OF GENERAL AFFAIRS AND DEVELOPMENT
Resolution of the Director General no. 324, digitally signed on 23-06-2022
AZIENDA OSPEDALIERO UNIVERSITARIA XXXXX
(Art. 33 of Tuscany Regional Law (L.R.T.) no. 40 of 24 February 2005)
Xxxxx Xxxxxxxxxx, 00 - 00000 XXXXXXX
Tax code / VAT no. 02175680483
RESOLUTION OF THE DIRECTOR GENERAL
Subject | Project |
Content | PROJECT ENTITLED “FAIRVASC - BUILDING REGISTRY INTEROPERABILITY TO INFORM CLINICAL CARE” – APPROVAL OF DRAFT DATA SHARING AGREEMENT |
Technical Xxx.xx Area | TECHNICAL-ADMINISTRATIVE AREA |
Technical Xxx.xx Area Coordinator | XXXX XXXXX |
Unit | GENERAL AFFAIRS AND DEVELOPMENT |
Director of the Unit | XXXX XXXXX |
Officer responsible for the procedure | XXXXXXX XXXXXXXX |
Immediately enforceable | YES |
Income statement accounts | |||
Planned expenditure | Income statement account | Account code | Budget year |
Details of the main documents contained in the file | ||
Annex | No. of pages | Subject |
1 | 28 |
“digitally signed document”
THE DIRECTOR GENERAL
Dr. Xxxxxxx Xxxxxxxx (D.P.G.R.T. no. 99 of 30 July 2020)
Having regard to Legislative Decree no. 502 of 30/12/1992, as subsequently amended and supplemented, and Tuscany Regional Law no. 40 of 24/02/2005, as subsequently amended and supplemented, governing the Regional Health Service;
Noting:
- that by resolution of the Director General no. 54 of 01.02.2021 the new Corporate Charter (Atto Aziendale) of A.O.U. Xxxxx was approved, pursuant to Art. 6 of the Memorandum of Understanding of 22.04.2002 between the Region of Tuscany and the Universities of Florence, Siena and Pisa, with effect from 1.2.2021;
- that by resolution of the Director General no. 55 of 1.02.2021 the first implementing measures were adopted concerning the confirmation/reorganisation of the complex and simple structures with autonomy and the assignment of the related management positions;
- that by resolution of the Director General no. 56 of 1.02.2021 implementing determinations of the new Atto Aziendale were adopted concerning the confirmation/reorganisation of the Departmental structures and/or structures of departmental standing, the Homogeneous Functional Areas, the Hospital Services Area, the Children's Rights Area and the Technical-Administrative Area, and the assignment of the related management positions;
- that by subsequent resolution of the Director General no. 92 of 15.02.2021 further implementing provisions were adopted concerning the organisation of AOU Xxxxx with regard to the Intrasoc simple structures, Professional Units, Offices and Professional Appointments;
On the proposal of the interim Head of the S.O.C. General Affairs and Xxxxxxxx, Dr. Xxxxx Xxxx, as per the Director General's note ref. 10531 of 31/12/2021, who certifies the administrative regularity and legitimacy of the act;
Whereas:
- AOU Meyer is the Coordinator, under the responsibility of Xxxx. Xxxxxxx Xxxxxx, of the project entitled “FAIRVASC - building registry interoperability to inform clinical care”, funded under the European Joint Programme on Rare Diseases (EJP RD), section “Transnational research projects to accelerate diagnosis and/or explore disease progression and mechanisms of rare diseases”, and the project is supported by the European Vasculitis Society and by the European Reference Network “Rare Primary Immunodeficiency, Autoinflammatory and Autoimmune Diseases” (ERN-XXXX);
- by Resolution of the Director General no. 316 of 17.07.2020 the FAIRVASC project was authorised following the favourable opinion of the Paediatric Ethics Committee of the Region of Tuscany at its meeting of 07.04.2020, and the fundamental documents for carrying out the project were approved: the Consortium Agreement and the common work programme (Description of Action);
Specifying that the Consortium Agreement was signed by all project partners, with a start date of 01.06.2020;
Noting that the FAIRVASC project aims to combine the regional and national databases of several partner institutions from different European countries so that a significant and adequate volume of data, collected in a single dataset, allows a more solid understanding of vasculitis and encourages more targeted research towards a possible treatment and appropriate care for this rare disease;
Noting that the Description of Action, within Work Package 5 (WP5), for which LUND University, based in Sweden, is responsible for data collection, provides for a clinical study on vasculitis that uses the data made available by the partner institutions' databases within the FAIRVASC project;
Whereas, in order to conduct the WP5 study, it is necessary to sign a Data Sharing Agreement with the FAIRVASC project partners in order to govern the transfer of project partners' data to LUND University and thereby enable the aims of the WP 5 clinical study (phenotypic clustering for stratification and evidence-based risk scoring);
Having regard to the draft Data Sharing Agreement attached as Annex No. 1 to this measure, of which it forms an integral and substantive part;
Having verified that the above Agreement entails no financial burden for AOU Xxxxx;
Having obtained the favourable opinion of this institution's DPO on the terms and conditions of the Data Sharing Agreement;
Deeming it therefore appropriate to enter into the Data Sharing Agreement with the FAIRVASC project partners, attached as Annex No. 1 to this act as an integral and substantive part of it, to govern the regulatory and operational conditions of data sharing within WP 5 of the FAIRVASC project;
Noting the advisability of declaring this act immediately enforceable given the need to activate WP5 promptly, in line with project deadlines;
Considering that the Officer responsible for the procedure, identified pursuant to Law no. 241/1990 as Dr. Xxxxxxx Xxxxxxxx, by signing the act certifies that, following the preliminary investigation carried out, it is legitimate in form and substance;
Having obtained the opinion of the Coordinator of the Technical-Administrative Area, Dr. Xxxxx Xxxx, expressed by signing this act;
Having regard to the signatures of the Health Director and the Administrative Director, each within their remit, pursuant to Art. 3 of Legislative Decree no. 229/99;
RESOLVES
For the reasons set out in the recitals, which are expressly referred to,
1. To approve the draft Data Sharing Agreement to be entered into with the FAIRVASC project partners which, attached as Annex No. 1 to this act, forms an integral and substantive part of it.
2. To specify that this act entails no financial burden for AOU Xxxxx.
3. To declare this measure immediately enforceable pursuant to Art. 42, paragraph 4, of L.R.T. no. 40/2005 given the need to activate WP5 promptly, in line with project deadlines.
4. To transmit this act to the Board of Statutory Auditors pursuant to Art. 42, paragraph 2, of L.R.T. no. 40/2005 at the same time as it is forwarded to the public notice board for the acts of this A.O.U. Xxxxx.
THE DIRECTOR GENERAL | |
(Dr. Xxxxxxx Xxxxxxxx) | |
THE HEALTH DIRECTOR | THE ADMINISTRATIVE DIRECTOR |
(Dr. Xxxxxxxxx Xxxxxxx) | (Dr. Xxxx Xxxxx) |
between
XXXX University
AND
General University Hospital in Prague
AND
Xxxxxxxxxxxx University
AND
Xxxxx Children's University Hospital
AND
Universitaet zu Luebeck and University Hospital of Schleswig-Holstein
AND
The Provost, Fellows, Foundation Scholars, and the other members of Board of The College of the Holy and Undivided Trinity of Queen Xxxxxxxxx, near Dublin
AND
The University Court of the University of Glasgow
This Data Sharing Agreement shall be effective as of the date of the last-executed signature below (“Effective Date”) and is made by and between:
(i) General University Hospital in Prague, Prague, Czech Republic (hereinafter referred to as ‘GUH’); and
(ii) Xxxxxxxxxxxx University, Krakow, Poland (hereinafter referred to as ‘JUK’); and
(iii) Meyer Children's University Hospital, Italy (hereinafter referred to as ‘Meyer’); and
(iv) Universitaet zu Luebeck and University Hospital of Schleswig-Holstein, Germany (hereinafter referred to as ‘UKSH’); and
(v) The Provost, Fellows, Foundation Scholars, and the other members of Board of The College of the Holy and Undivided Trinity of Queen Xxxxxxxxx, near Dublin (hereinafter referred to as ‘TCD’), Ireland; and
(vi) The University Court of the University of Glasgow (hereafter referred to as ‘Glasgow’);
AND
(vii) LUND University, Sweden (hereinafter referred to as ‘LUND’ and/or Data Importer);
individually the Data Exporters and Data Importer are referred to as a “Party” and collectively referred to as the “Parties”.
BACKGROUND
(A) The Parties (and some others not party to this Agreement) have entered into the FAIRVASC Consortium Agreement (CA) with an effective date of 1 June 2020.
(B) FAIRVASC is a consortium with the aim of using semantic-web technologies to link vasculitis registries across Europe into a ‘single European dataset’, facilitating new research into these challenging diseases.
(C) The Parties are each collaborating on Work packages 3, 4 and 5 of FAIRVASC as described in Schedules 1 and 4 and are entering into this Agreement to confirm the framework and the terms and conditions upon which the Parties agree to share and process the Shared Data for FAIRVASC (“Purpose”).
(D) The Parties acknowledge and agree that they are Joint Controllers for the Purpose.
(E) The Parties listed above in (i) to (vi) are each a Data Exporter for the Purpose.
(F) The Parties acknowledge and agree that LUND (vii) is the sole Data Importer for the Purpose.
(G) The Parties acknowledge that Glasgow will only receive anonymous aggregated data as part of Work packages 3 and 4 of the Purpose.
(H) The Parties wish to share Shared Data in order to fulfil the Purpose.
(I) The Parties wish to enter into this Agreement to reflect the responsibilities allocated to them and to set out the principles and procedures that the Parties shall adhere to in relation to use of the Shared Data for the Purpose.
(J) This Agreement sets out the principles and procedures which the Parties will adhere to and the responsibilities the Parties owe to each other in respect of the Shared Data Processed for the Purpose. At all times the Parties will comply with the Code of Practice and Standard Operating Procedures attached as Schedule 7.
(K) This Agreement does not address other commercial or operational matters or any other matters as between the Parties.
Therefore, the Parties agree as follows:
Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Shared Data transmitted, stored or otherwise processed.
Data Controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data Processor means any person (other than an employee of the data controller) who processes the data on behalf of and under the instruction of the Data Controller.
Data Protection Laws means any and all legislation and regulations relating to the protection of personal data in force during the Term of this Agreement, including (without limitation), the General Data Protection Regulation (EU) 2016/679, and all other national implementing law, statutory instruments, industry guidelines (whether statutory or non-statutory) or codes of practice or guidance issued by the European Data Protection Board relating to the processing of personal data or privacy or any amendments and re-enactments thereof.
Data Exporter means the Party transferring the Personal Data to the Data Importer.
Data Importer means the Party receiving the Personal Data from the Data Exporter.
Data Subject means an individual, whether a patient or not, whose data (including personal data) is being shared by the Parties for the Purpose.
Delete means removing all Personal Data which is electronically held in such a way that it can never be retrieved from the device on which it is held.
GDPR means the General Data Protection Regulation (Regulation (EU) 2016/679).
Joint Controllers shall mean two or more Data Controllers jointly determining the purposes and means of processing as defined in Article 26 of GDPR.
Personal Data shall mean any personal data (as defined in the Data Protection Laws) Processed by a Party in connection with this Agreement, and for the purposes of this Agreement includes the special categories of sensitive personal data as listed in Article 9(1) of GDPR.
Processing shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (and Process and Processed should be construed accordingly).
Pseudonymised shall mean Personal Data which has been processed in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures within each university to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
Shared Data means the Data to be shared and processed between each Data Exporter(s) and the Data Importer. Shared Data shall be confined to that listed in Schedules 1 and 6.
1. JOINT CONTROLLER OBLIGATIONS
1.1. The Parties acknowledge that each Data Exporter will, as necessary, disclose to the Data Importer Shared Data collected by the Data Exporter for the Purpose.
1.2. Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in the performance of its obligations under this Agreement and any other agreement between the Parties which pertains to Shared Data (“Relevant Agreements”), and any material breach of the Data Protection Laws in respect of a Relevant Agreement by one Party shall, if not remedied within 30 days of written notice from the other Party, give grounds to the other Party to terminate this Agreement with immediate effect.
1.3. The Parties have allocated their responsibilities in the Joint Controller Matrix in Schedule 3 to this Agreement.
1.4. The Parties have included a record of processing activities in Schedule 4 to this Agreement. Schedule 4 may be modified to add, delete or otherwise change the terms of this Agreement from time to time. Such modified schedule shall become a part of this Agreement from the date of modification (as agreed between the Parties in writing). The Parties agree to keep all information necessary to evidence compliance with Article 30 GDPR.
1.5. Data Importer will Process the Shared Data only for the Purpose.
1.6. Data Importer will take such technical and organisational measures as may be appropriate to ensure the security of the Shared Data (including, by way of example, those listed in Schedule 2 and, without limitation, the Pseudonymisation and encryption of Shared Data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services and the ability to restore the availability and access to Shared Data in a timely manner in the event of a physical or technical incident). Without prejudice to the generality of the foregoing, Data Importer will keep the Shared Data secure from any unauthorised or accidental use, access, disclosure, damage, loss or destruction.
1.7. Data Importer will ensure that access to that Shared Data is limited to those of its employees, staff, officers and agents who need access to the Shared Data for the Purpose and will take reasonable steps to ensure the reliability of such persons which shall include ensuring that such persons understand the confidential nature of the Shared Data, have received appropriate training in data protection prior to their use of the Shared Data and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
1.8. Data Importer will not authorise any third party or sub-contractor to Process any Shared Data without (1) the prior written consent of the relevant Disclosing Party and (2) such third party or sub-contractor entering into a contract with it on terms which are substantially the same as the terms set out in this Agreement and, on condition that the Processing of that Shared Data pursuant to such contract shall terminate on the earlier of termination or expiry of this Agreement, the end of the Purpose or the sharing of Shared Data between the Parties no longer being required for the Purpose.
1.9. Data Importer will give each Data Exporter such information and assistance as it reasonably requires in order to enable the Data Exporter to meet their obligations to Data Subjects, in particular, but without limitation, complying with Data Subjects’ requests for access to, information about, and the rectification of, their Personal Data.
1.10. Unless agreed otherwise between the Parties, each Disclosing Party which is responsible for obtaining the participant consent for the research in their respective site, shall be appointed as single point of contact (SPoC) for their respective Data Subjects. The SPoC shall be detailed within Clause 6.4 of this Agreement.
1.11. The SPoC is responsible for maintaining a record of individual requests for information, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.
1.12. Data Exporter will notify the Data Importer immediately should it receive any request or enquiry from any Data Subject in relation to the Shared Data being Processed for the Purpose. Data Importer shall give the Data Exporter such assistance in dealing with that request or enquiry as it may reasonably request, and shall not disclose or release Shared Data without first consulting with the Data Exporter wherever possible.
1.13. Data Importer will notify the relevant Data Exporter without delay but no later than 24 hours after becoming aware of any actual or suspected breach of security which involves Shared Data or breach of this Clause 1.
1.14. In respect of any Shared Data breach, Data Importer will notify the Data Exporter of the Data Breach without undue delay (in accordance with applicable law) and provide the other Party without undue delay with such details as the Data Exporter reasonably requires regarding the nature of the Data Breach (including the categories and approximate numbers of Data Subjects and protected data records concerned or likely to be concerned), any investigations into such Data Breach, the likely consequences of the Data Breach and any measures taken, or recommended, to address the Data Breach, including to mitigate its possible adverse effects.
1.15. At the Data Exporter’s written request without delay (in accordance with the applicable law), Data Importer will either securely Delete or securely return to the Data Exporter all the Shared Data that the Data Exporter has shared with it in such form as it requests after the earlier of:
1.15.1. the expiry or termination of this Agreement;
1.15.2. the end of FAIRVASC; or
1.15.3. the sharing of the Shared Data in question no longer being required for the Purpose; and
securely Delete existing copies (unless storage of any data is required by applicable law and, if so, it will inform the Data Exporter of any such requirement).
1.16. Data Exporter will promptly (and in any event within two Business Days) inform the Data Importer if it receives a complaint or request relating to either Party’s obligations under the Data Protection Laws relevant to this Agreement, including any compensation claim from a Data Subject or any notice, investigation or other action from any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering any Data Protection Laws and provide the Data Importer with full details of such complaint or request; and
1.17. Data Importer will not transfer that Personal Data outside the European Economic Area without first obtaining the Data Exporter’s written consent.
1.18. All Parties will ensure that the sharing of responsibilities between the Parties reflects the Joint Controller Matrix in Schedule 3 of this Agreement.
2. AUDIT
Data Importer will allow each Data Exporter at all reasonable times to inspect and review the steps being taken by it to comply with Clause 1 above and will give each Data Exporter any assistance which it reasonably requires with that inspection and review.
3. TERMINATION
3.1 Subject to clause 3.2 any Party may terminate this Agreement upon giving one month's prior written notice to the other, providing the reasons for such termination. For the avoidance of doubt, this Agreement shall continue to bind the other Parties notwithstanding the termination of the Agreement vis-à-vis the terminating Party.
3.2 The provisions in this Agreement will continue in full force and effect for so long as a Party is a Data Controller or shares any Shared Data with the Data Importer, notwithstanding the expiry or termination of this Agreement or the completion of FAIRVASC.
3.3 Without prejudice to any termination rights in this Agreement, if any Party is in breach of its obligations under Clause 1, the Disclosing Party may suspend any sharing of Shared Data for the Purpose until the breach is remedied.
4. DATA RETENTION
4.1 The Data Importer shall not retain or process Shared Personal Data for longer than is necessary to carry out the Purpose.
4.2 The Shared Data shall be held by the Data Importer for 5 years after the completion of FAIRVASC.
5. ASSIGNMENT
5.1 No Party shall assign, sub-licence, delegate or otherwise transfer all or any of its rights or obligations under this Agreement, without the prior written consent of the other Parties.
6. GENERAL
6.1 Each of the provisions of this Agreement is separate and severable and enforceable accordingly. If at any time any of the provisions is held to be void or unenforceable, the validity or enforceability of the remaining provisions shall not be affected. If any provision is held to be void or unenforceable, the Parties agree to substitute any such provision with a valid enforceable provision which achieves to the greatest extent possible the economic, legal and commercial objectives of the invalid or unenforceable provision.
6.2 This Agreement represents the entire agreement between the Parties with respect to compliance with Data Protection Laws and supersedes all prior representations, agreements, arrangements and undertakings with respect thereto whether written or oral. This Agreement may only be amended in writing signed by duly authorised representatives of the Parties.
6.3 Neither this Agreement nor any subsequent discussions between the Parties shall create any obligations other than those expressly stated herein. Nothing in this Agreement shall oblige either Party to enter into any further agreement with the other in relation to the subject matter of this Agreement.
6.4 All notices given by a Party to the other pursuant to this Agreement shall be in writing and may be delivered by email, including request of read receipt, or pre-paid post, registered courier, by hand to the address at the beginning of this Agreement. The current points of contact for each of the Parties are:
(a) LUND: Xxxxxxx.xxxxxxxx@xxx.xx.xx
(b) GUH: Xxxxxxx.xxxxxxxxx@xxx.xx
(d) Meyer: xxxxxxx.xxx@xxxxx.xx
(e) UKSH: xxx.xxxxxxxx@xxxx.xxxxxxxxx-xxxxxxxx.xx
(g) Glasgow: Xxxxxxx.Xxxxxxxxxx@xxxxxxx.xx.xx
Any such notice, if so given, shall be deemed to have been served:
(a) if sent by hand, when delivered;
(b) if sent by post or courier, five business days after posting;
(c) if sent by email, upon read receipt notification.
6.5 This Agreement may be executed in any number of counterparts all of which taken together shall constitute one single agreement between the Parties. Transmission of an executed counterpart of this Agreement by e-mail (in PDF or other agreed format) shall take effect as delivery of an executed counterpart of this Agreement. The Parties acknowledge and agree that this Agreement may be executed by electronic signature, which shall be considered as an original signature for all purposes and shall have the same force and effect as an original signature. Without limitation, “electronic signature” shall include emailed versions of an original signature or electronically scanned and transmitted versions (e.g., via pdf) of an original signature.
6.6 This Agreement shall be construed in accordance with and governed by the laws of Belgium excluding its conflict of law provisions, as specified in Clause 11.7 of the CA.
6.7 The Parties shall endeavour to settle their disputes amicably according to Xxxxxx 11.8 of the CA.
6.8 A Data Subject may also bring legal proceedings against the Data Exporter and/or Data Importer before the courts of the Member State in which he/she has his/her habitual residence.
6.9 Parties agree to submit themselves to the jurisdiction of such courts.
6.10 External Parties may accede to this Agreement by signing the Accession document under Schedule 9 which shall be countersigned by the FAIRVASC Coordinator.
The Parties hereto have caused this Agreement to be executed the day and year herein as of the last date of signature between the parties.
7. LIABILITY
7.1 Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of Data Protection Laws.
7.2 Each Party’s aggregate liability towards the other Party under this Agreement shall not exceed each Party’s share of budget in the collaborative research project FAIRVASC.
7.3 Each Party is liable for damage or loss resulting from that Party not complying with or actively violating the Data Protection Laws. Furthermore, each Party is liable hereunder for damage or loss caused by it through material breach of any provision of this Agreement and/or through gross negligence or a willful act or omission. The liability does not comprise compensation for any indirect or consequential loss or damages, including, but not limited to, loss as result of punitive or liquidated damages or loss of profit. For the avoidance of doubt, such damage as is stated in the first paragraph of this section is considered to constitute direct damage.
7.4 The Data Importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
SIGNATURES OF PARTIES
SIGNED for and on behalf of XXXX University Sweden.
Signature:
Date:
Name:
Title:
Signature:
Date:
Name:
Title:
SIGNED for and on behalf of General University Hospital in Prague, Prague, Czech Republic
Signature:
Date:
Name:
Title:
SIGNED for and on behalf of Xxxxxxxxxxxx University, Krakow, Poland
Signature:
Date:
Name:
Title:
SIGNED for and on behalf of Meyer Children's University Hospital, Italy
Signature:
Date:
Name:
Title:
SIGNED for and on behalf of Universitaet zu Luebeck and University Hospital of Schleswig-Holstein, Germany
Signature:
Date:
Name:
Title:
SIGNED for and on behalf of The Provost, Fellows, Foundation Scholars, and the other members of Board of The College of the Holy and Undivided Trinity of Queen Xxxxxxxxx, near Dublin, Ireland
Signature:
Date:
Name: Dr Xxxxxx Xxxxxx
Title: Senior Patents and Licencing Manager
SIGNED for and on behalf of The University Court of the University of Glasgow
Signature:
Date:
Name:
Title:
Schedule 1
TABLE – SHARED PERSONAL DATA | |
The subject matter of the Processing | FAIRVASC will use semantic-web technologies to link vasculitis (AAV) registries across Europe into a ‘single European dataset’, and thus open the door to new research into these challenging diseases. In FAIRVASC, this large new European resource will be analysed to identify features (clinical and physical characteristics, etc.) that predict how a patient’s illness will develop, and what their major health risks are. These markers can, in the future, be developed into new predictive tools that help doctors to choose the best treatment options for the individual patient. The Work packages and project goals are described under Schedule 5. Work packages 3 and 4 will develop specifications for the data required from each of the registries. Each registry site will process and share data into a database called a TripleStore that they will hold locally. These TripleStores will be queried by a central federated querying engine deployed by Trinity College Dublin according to a predefined set of queries that have been pre-defined by WP4 in line with clinical research questions. The results of the queries will only return aggregated results and will blur any results that are fewer than 10. Work Package 5 (WP5, Risk Stratification), led by LUND, will leverage the linked registries by carrying out important new research in AAV: phenotypic clustering for stratification, and evidence-based risk scoring. The WP5 research is not possible without data transfer of specific data items to LUND. All WP details are provided under Schedule 5 and the DPIA under Schedule 8. |
The nature and purpose of the Processing | Work packages 3 and 4 will develop specifications for the data required from each of the registries. Each registry site will process and share data into a database called a TripleStore that they will hold locally. These TripleStores will be queried by a central federated querying engine deployed by Trinity College Dublin according to a predefined set of queries that have been pre-defined by WP4 in line with clinical research questions. In order to enable the central querying engine to query local TripleStores, the local registry sites must provide Trinity College Dublin with the required credentials (username/password). The Parties agree that such credentials will be integrated in the querying algorithm only so as to facilitate the federated querying process, but will not be used by human users to manually query patient-level data within the local TripleStores. The results of the queries will only return aggregated results and will blur any results that are fewer than 10. Note that no data will be shared from the TripleStores, only the aggregated results of the predefined queries. Work Package 5 (WP5, Risk Stratification), led by LUND, will leverage the linked registries by carrying out important new research in AAV: phenotypic clustering for stratification, and evidence-based risk scoring. The WP5 research is not possible without data transfer of specific data items to LUND. All WP details are provided under Schedule 5 and the DPIA under Schedule 8. |
The type of Personal Data being Processed | De-identified clinical and registry data as defined in the data dictionary specified in Schedule 6; aggregated data as results from clinical queries (where results fewer than 10 will be blurred). Shared Data will be anonymised at each Data Exporter site or, where appropriate and in line with existing approvals or consents, Shared Data may be Pseudonymised and will only be linked back to source data at the local registry sites. No site will be obliged to keep a link between Shared Data and their source data. Each Registry will issue a specific FAIRVASC ID and, where permissible, retain the key link back to the Source Data. The LUND Repository will receive the FAIRVASC ID only. Data from patients / participants therefore includes: • FAIRVASC ID • Year of Birth (YoB) • Genetic • Racial or Ethnic • Health |
The categories of Data Subjects | • Research subject • Patients / Participants Additionally, usernames and email addresses of FAIRVASC researchers will be stored within the Clinical Dashboard hosted at Trinity College Dublin for WP3 and 4. |
Party responsible for providing information under art 13 and 14 i.e. data protection notice | Each Site through the contact point listed in the Agreement at Clause 6.4 |
Schedule 2 – MINIMUM DATA PROTECTION AND INFORMATION SECURITY REQUIREMENTS
Personnel
The Parties shall:
• limit data access and processing of the Shared Data to the necessary and directly involved personnel, using appropriate and governed access control measures;
• ensure the directly involved personnel are adequately trained in data protection and information security requirements and safeguards;
• ensure directly involved personnel are aware of the sensitivity of the Shared Data, their obligations to protect the data and the potential for disciplinary actions for deliberate misconduct.
ICT infrastructure
The Parties shall:
• use hardware, software and networks that are of a suitable specification and currency to process the Shared Data;
• adopt appropriate information, physical and organisational security measures to safeguard the Shared Data, that meet currently accepted standards, including
o the appropriate uses of access controls,
o the governance of data transmission and remote access,
o the use of firewalls, encryption and, on the client side, an anti-virus solution,
o the safeguarding of backup copies of the Shared Data;
• have a proportionate business continuity strategy relating to the Shared Data, the data processing capabilities and data access services;
• have a process for regularly reviewing the adequacy of these provisions, including testing the adequacy of the information security safeguards.
Destruction of data
The Parties shall:
• implement measures to securely and permanently delete (destroy) databases, files, media and documents containing the Shared Data when required to under the terms of this Agreement.
SCHEDULE 3
Joint Controllers Matrix
Data protection obligation | Responsible party |
Provide information on the processing of shared data to Data Subjects in accordance with articles 13 and 14 GDPR. | Each Data Exporter |
Obtaining informed consent for the processing of shared data or establish another legal basis for the processing of personal data. | Each Data Exporter |
Safeguarding that the Data Subjects can exercise their rights under the GDPR. | All Parties. |
Safeguarding the security of shared data in accordance with article 32 GDPR and in accordance with other arrangements in this Agreement. | All Parties |
Comply with data breach obligations (articles 33 and 34 GDPR). | If Data Importer becomes aware of a personal data breach in connection with this Agreement, that party shall promptly notify the Disclosing Party. Parties will fully cooperate with each other in order to fulfil the (statutory) notification obligations in a timely manner. Should a data breach occur in connection with shared data, the organisation causing the breach undertakes to inform the Data Exporter(s) and Supervisory Authority, as appropriate. |
Safeguarding that employees who have access to personal data are instructed by a binding agreement or binding instruction(s) to process the personal data in conformity with the instructions of the controllers, including the duty of confidentiality. | Data Importer |
Safeguarding that engaged (sub) processors who have access to personal data are instructed by a binding agreement (data processor agreement) to process the personal data in accordance with the requirements stated in article 28 of the GDPR. | Data Importer |
Safeguarding that the transfer of shared data takes place in accordance with the GDPR. | All Parties |
Safeguarding the compliance with the requirements regarding retention periods, destruction, return and/or migration of shared data. | All Parties provided that these requirements are made known to each other. |
Safeguarding that a data protection impact assessment is conducted prior to the collection, including obtaining and further processing of shared data (Article 35 GDPR). | Each Data Exporter |
Cooperation with and audits by the supervisory authorities. | All Parties |
SCHEDULE 4
Record of Transfer (ROPA)
Lead agency for XXXXXXXX | Xxxxx Children’s University Hospital (Coordinator in the FAIRVASC Consortium) |
Full name of study and context of transfer (Brief description – no more than 150 words) | FAIRVASC will use semantic-web technologies to link vasculitis (AAV) registries across Europe into a ‘single European dataset’, and thus open the door to new research into these challenging diseases. In FAIRVASC, this large new European resource will be analysed to identify features (clinical and physical characteristics, etc.) that predict how a patient’s illness will develop, and what their major health risks are. These markers can, in the future, be developed into new predictive tools that help doctors to choose the best treatment options for the individual patient. The Work packages and project goals are described under Schedule 5. Work packages 3 and 4 will develop specifications for the data required from each of the registries. Each registry site will process and share data into a database called a TripleStore that they will hold locally. These TripleStores will be queried by a central federated querying engine deployed by Trinity College Dublin according to a predefined set of queries that have been pre-defined by WP4 in line with clinical research questions. The results of the queries will only return aggregated results and will blur any results that are fewer than 10. Work Package 5 (WP5, Risk Stratification), led by LUND, will leverage the linked registries by carrying out important new research in AAV: phenotypic clustering for stratification, and evidence-based risk scoring. The WP5 research is not possible without data transfer of specific data items to LUND. All WP details are provided under Schedule 5 and the DPIA under Schedule 8 to the data sharing agreement. |
Date of DPIA submission and review by DPO. If no DPIA submitted please submit for review and advice, prior to any transfer | General DPIA has been run as part of WP2 for FAIRVASC and is available under Schedule 8. Each registry is to review this DPIA and perform a local DPIA for themselves as they deem appropriate. |
Ethical approval date and committee name: | As per local Independent Review Board approvals at each registry site |
Duration of processing | Up to 5 Years after the end of the FAIRVASC Project. |
Legal basis for processing under Article 6 and Article 9 (if applicable) | Informed consent or Public Task (dependent on Member State or Third Country Jurisdiction) |
Identify how explicit consent was obtained | Handled by each Registry site where their consents and approvals were reviewed by Independent Review Boards |
Will the dataset be combined with any other data set? If yes, please detail | The Shared Data will be collected centrally at LUND and combined there. |
List of recipients within organization who will access the data; | As per the Parties specified within this Data Sharing Agreement, including the LUND department LUSEC for providing the ICT infrastructure to hold the data. FAIRVASC is exploring the possibility of eventual access to the anonymous dataset by external parties by the end of the FAIRVASC project and thereafter depending on the sustainability of FAIRVASC after the project completes. |
Any envisaged onward transfer of the data? Any transfer outside of EEA? What safeguards will be put in place? | Data might be accessed from Australia, New Zealand, Japan, USA and potentially others assuming continuity after the end of the project. Any such data will be anonymous for this kind of access. Extra- EEA transfers will be, should they occur, for the purposes of scientific research in the public interest. |
How will withdrawal by Data Subject be managed? | Registry Sites will maintain their own datasets and inform the project of any withdrawals. In the event of participant withdrawal locally the Registries may elect to cease sending data and require that the LUND Central Repository archive the associated record (that can be identified by the FAIRVASC ID) where their local jurisdiction requires this. |
SCHEDULE 5
Schedule of Work packages in FAIRVASC
Work package 3: Development of a local RDF Triplestore at each registry site and local SPARQL Endpoints.
This Work package develops a local RDF Triplestore that contains a pseudonymised or anonymised copy of quality-assured registry data, with local terms and descriptions replaced by standardised ontologies and vocabularies. The local SPARQL endpoints interface with the local RDF Triplestore and provide a secure link to allow remote access. This Work package will also ensure that local access control policies are enforced by the SPARQL endpoint. No data will be shared by one Party to another, with the exception of aggregated data that will be the sole results of the queries defined in WP4. Blurring of aggregated results fewer than 10 will be applied at source.
Work package 4: Creation of a clinical user interface (dashboard) to the federated registries.
This Work package will create a clinical user interface (dashboard) to the federated registries, that meets the needs of the AAV clinicians. While the dashboard will initially be used for the demonstration study, it should be suitable for other AAV research questions, and will be readily modifiable for re-use in other domains. No data will be shared by one Party to another, with the exception of aggregated data that will be the sole results of the queries defined in WP4. Blurring of aggregated results fewer than 10 will be applied at source.
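The following is an added illustration, not part of this Agreement or of FAIRVASC's own code: a minimal gate in front of a local store that runs only predefined queries, returns only aggregated counts, and blurs counts fewer than 10 before anything leaves the site, as WP3 and WP4 describe. The query names, the row fields other than the FAIRVASC ID and year of birth, the sample rows and the "<10" marker are assumptions, since the Agreement does not define the blurred form.

```python
from collections import Counter

BLUR_THRESHOLD = 10   # from the Agreement: results fewer than 10 are blurred
BLUR_MARKER = "<10"   # assumption: the Agreement does not specify the blurred form

# Hypothetical allow-list standing in for the WP4 predefined queries.
# Each entry maps a query id to the grouping it is allowed to aggregate on.
PREDEFINED_QUERIES = {
    "count_by_diagnosis": lambda row: row["diagnosis"],
    "count_by_birth_decade": lambda row: f"{row['year_of_birth'] // 10 * 10}s",
}


def constructed_rows():
    """Constructed patient-level rows, as a local store might hold them."""
    rows = []
    for diagnosis, n, first_yob in (("GPA", 12, 1950), ("MPA", 10, 1961), ("EGPA", 3, 1975)):
        for i in range(n):
            rows.append({
                "fairvasc_id": f"FV-{diagnosis}-{i:03d}",   # constructed identifier
                "year_of_birth": first_yob + i % 5,
                "diagnosis": diagnosis,
            })
    return rows


def blur(count):
    """Return the exact count only when it reaches the threshold."""
    return count if count >= BLUR_THRESHOLD else BLUR_MARKER


def run_predefined(query_id, rows):
    """Run one allow-listed aggregate locally; blur small cells at source."""
    if query_id not in PREDEFINED_QUERIES:
        # Ad-hoc queries could return patient-level rows, so they are refused.
        raise PermissionError(f"query {query_id!r} is not predefined")
    group_of = PREDEFINED_QUERIES[query_id]
    counts = Counter(group_of(row) for row in rows)
    # Only group labels and (possibly blurred) counts leave the site;
    # no row and no FAIRVASC ID is part of the response.
    return {group: blur(n) for group, n in sorted(counts.items())}


if __name__ == "__main__":
    local = constructed_rows()
    for query_id in PREDEFINED_QUERIES:
        print(query_id, run_predefined(query_id, local))
```
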
Work package 5: carry out an AAV research study.
This Work package will carry out an AAV research study that takes advantage of the availability of unprecedented numbers of comparable AAV patient records. The research aims of the FAIRVASC study will be:
1. To discover clinically-relevant phenotypic clusters of AAV patients, thus enabling more relevant stratification; and
2. To create new risk scores of AAV progression and treatment response, based on registry data.
The co-location of registry data and of statistical processing codes is required, where complex statistics or machine learning (across data from multiple registries) is envisaged - as is the case in WP5. To enable this, a copy of some or all of the RDF triple store needs to be located at the location where the research is carried out (in the case of WP5, this is on a secure server at LUND). While the RDF data is anonymised and not sensitive, it does contain patient-level information and so is carefully protected.
SCHEDULE 6
Categories of Data – FAIRVASC Data Dictionary
The Data Dictionary for FAIRVASC can be found at the following link, which may from time to time be updated on agreement with the FAIRVASC Consortium:
xxxxx://xxxx.xxxxxx.xxx/xxxxxxxxxxxx/x/0x- sAVbmPtDw2PS8CQIfQj1IC5hDVNHo4qFhlWbA8sbU/edit#gid=0
This represents the data collected within each TripleStore and subsequently shared with the Data Importer. Note that the data is anonymous and includes the FAIRVASC ID that each Data Exporter will assign; only the Data Exporter is able to link it back to personal data.
SCHEDULE 7
FAIRVASC Code of Practice
The FAIRVASC Code of Practice can be found at the following link, and may from time to time be updated as agreed by FAIRVASC Consortium:
xxxxx://0.xxxxxxxx.xxx/0000000/xxxxxxx/00000000/xxxxxxx/0000000000
SCHEDULE 8
FAIRVASC General Data Protection Impact Assessment
The FAIRVASC Data Protection Impact Assessment can be found at the following link, and may from time to time be updated as agreed by FAIRVASC Consortium:
xxxxx://0.xxxxxxxx.xxx/0000000/xxxxxxx/00000000/xxxxxxx/0000000000
SCHEDULE 9 Accession document
ACCESSION
of a new Party to the
FAIRVASC Data Sharing Agreement, version […, YYYY-MM-DD]
[OFFICIAL NAME OF THE NEW PARTY]
hereby consents to become a Party to the Data Sharing Agreement identified above and accepts all the rights and obligations of a Party starting [date].
[OFFICIAL NAME OF THE COORDINATOR AS IDENTIFIED IN THE Description of Action]
hereby certifies that the consortium has accepted in the meeting held on [date] the accession of [the name of the new Party] to the data sharing agreement [version number/date].
This Accession document has been done in 2 originals to be duly signed by the undersigned authorised representatives.
[Date and Place]
[INSERT NAME OF THE NEW PARTY]
Signature(s)
Name(s)
Title(s)
[Date and Place]
[INSERT NAME OF THE COORDINATOR]
Signature(s)
Name(s)
Title(s)