Jurisdiction Specific Terms
(Controller to Processor)
(as of July 18, 2023)
Capitalized definitions not otherwise defined herein shall have the meaning given to them in the Eversana Data Processing Agreement, of which these Jurisdiction Specific Terms form a part (the “Agreement”). Except as modified or supplemented below, the Agreement shall remain in full force and effect.
1. Australia.
1.1. Definitions.
(a) “Applicable Laws” (as used in the Agreement) includes the Australian Privacy Act (1998) and the Australian Privacy Principles.
(b) “Client Personal Data Breach” (as used in the Agreement) includes “Eligible Data Breach” as defined under the Privacy Act.
(c) “Controller” (as used in the Agreement) includes “APP Entity” as defined under the Privacy Act.
(d) “Personal Data” (as used in the Agreement) includes “Personal Information” as defined under the Privacy Act.
2. European Economic Area.
2.1. “European Economic Area” or “EEA” means the EU Member States, and Iceland, Liechtenstein, and Norway.
2.2. “EU 2021 Standard Contractual Clauses” means the Standard Contractual Clauses as defined in the Agreement.
2.3. “Restricted Transfer of EEA Personal Data” (as used in this Section 1) means any transfer of Client Personal Data subject to the GDPR which is undergoing Processing or is intended for Processing after transfer to a Third Country (as defined below) or an international organization (including data storage on foreign servers).
2.4. “Third Country” means a country outside of the EEA.
2.5. With regard to any Restricted Transfer of EEA Personal Data from the Client to EVERSANA within the scope of this Agreement, one of the following transfer mechanisms shall apply, in the following order of precedence:
(a) a valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR that provides that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Client Personal Data is to be transferred ensures an adequate level of data protection;
(b) the EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR); or
(c) any other lawful data transfer mechanism, as laid down in chapter 5 of the GDPR, as the case may be.
2.6. In the event that a Restricted Transfer of EEA Personal Data can be covered by more than one transfer mechanism under Section 1.4, the transfer of Personal Data will be subject to a single transfer mechanism in accordance with the order of precedence set forth in Section 1.4.
2.7. These Jurisdiction Specific Terms are hereby incorporated by reference to the EU 2021 Standard Contractual Clauses (updated from time to time if required by law or at the choice of EVERSANA to reflect the latest version promulgated by the European Commission), provided that the content of Annex I.B and Annex II of the EU 2021 Standard Contractual Clauses are set forth in Exhibit A of the Agreement. For the purpose of the EU 2021 Standard Contractual Clauses:
(a) The Parties agree to apply Module 2 (Transfer Controller to Processor) of the EU 2021 Standard Contractual Clauses.
(b) For the purpose of Annex I of the EU 2021 Standard Contractual Clauses:
(i) The Client shall be deemed the “data exporter” and EVERSANA shall be deemed the “data importer”.
(ii) The Parties have provided each other with the identity and contact details required under Annex I.A.
(iii) The Parties’ controllership roles are set forth in Section 3.1 of the Agreement.
(iv) The details of the Parties’ data protection officer and data protection representative in the EU are set forth in Exhibit A of the Agreement.
(v) The activities relevant to the Client Personal Data transferred under the EU 2021 Standard Contractual Clauses are set forth in Exhibit A of the Agreement.
(c) For the purpose of Clause 7 of the EU 2021 Standard Contractual Clauses, the Parties elect not to include the optional docking clause.
(d) For the purpose of Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties have agreed to authorization and time period as set out at Section 6 of the Agreement.
(e) For the purpose of Clause 11 of the EU 2021 Standard Contractual Clauses, the Parties have elected not to include the optional language relating to the use of an independent dispute resolution body.
(f) For the purpose of Annex I.C and with respect to Clause 13 of the EU 2021 Standard Contractual Clauses, the Parties elect the competent supervisory authority as set out in Exhibit A of the Agreement.
(g) With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select Option 1 and agree that the EU 2021 Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland, provided that such law allows for third party beneficiary rights.
(h) With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.
2.8. To the extent that the EU 2021 Standard Contractual Clauses are applicable to a Restricted Transfer of EEA Personal Data, EVERSANA shall, if necessary, implement additional safeguards to ensure an adequate level of protection, as required by Applicable Laws, more specifically, the Supplemental Measures set forth in Appendix A and the Technical and Organizational Security Measures set forth in Appendix B hereto.
2.9. In cases where the EU 2021 Standard Contractual Clauses apply, and there is a conflict between the terms of the Agreement and the terms of the EU 2021 Standard Contractual Clauses, the terms of the EU 2021 Standard Contractual Clauses shall control. For purposes of clarity, terms in this Agreement that supplement, but do not directly contradict or frustrate the purpose of the terms of the EU 2021 Standard Contractual Clauses, shall not be deemed as creating a conflict.
3. United Kingdom.
3.1. “Applicable Laws” (as used in the Agreement) includes the UK Data Protection Act 2018 and the UK GDPR.
3.2. “EU 2021 Standard Contractual Clauses” means the Standard Contractual Clauses as defined in the Agreement.
3.3. “Third Country” (as used in this Section) means a country outside of the United Kingdom.
3.4. “UK GDPR” means Regulation (EU) 2016/679 as has been amended and adopted to form a part of the law of England and Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal Agreement) Act 2020.
3.5. “UK Restricted Transfer” (as used in this Section) means any transfer of Client Personal Data (including data storage in foreign servers) that is subject to the UK GDPR which is undergoing Processing or is intended for Processing after transfer to a Third Country or an international organization.
3.6. “UK Transfer Addendum” (as used in this Section) means the International Data Transfer Addendum to the EU 2021 Standard Contractual Clauses, issued by the UK Information Commissioner, Version B1.0, in force as of 21 March 2022, as may be amended from time to time, available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf.
3.7. With regard to any UK Restricted Transfer from the Client to EVERSANA within the scope of the Agreement and which is regulated by the Applicable Laws, one of the following Personal Data transfer mechanisms shall apply, in the following order of precedence:
(a) a valid adequacy decision adopted by the European Commission on the basis of the Applicable Laws that provides that the Third Country to which the Client Personal Data is to be transferred, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Client Personal Data is to be transferred, ensures an adequate level of data protection;
(b) the EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under the UK GDPR) along with any necessary modifications and addenda to make the EU 2021 Standard Contractual Clauses applicable to transfers of Personal Data (including the adoption and incorporation by reference of the UK Transfer Addendum); or
(c) any other lawful basis, as laid down in Applicable Laws.
3.8. In the event that a UK Restricted Transfer can be covered by more than one transfer mechanism under Section 3.7, the transfer of Client Personal Data will be subject to a single transfer mechanism in accordance with the order of precedence set forth in Section 3.7.
3.9. EU 2021 Standard Contractual Clauses:
(a) The Agreement incorporates by reference the EU 2021 Standard Contractual Clauses (updated from time to time if required by law or at the choice of a Party to reflect the latest version promulgated by the European Commission) and the UK Transfer Addendum.
(b) The content of Annex I and II of the EU 2021 Standard Contractual Clauses are contained in Section 2.7(b) and Exhibit A of the Agreement respectively. The contents of Annex III of the EU 2021 Standard Contractual Clauses are set out in Section 6 of the Agreement.
(c) The tables of the UK Transfer Addendum are set forth as follows:
(i) The information required in Table 1 of the UK Transfer Addendum has been exchanged in the Agreement and the Service Agreement.
(ii) The information required in Table 2 of the UK Transfer Addendum is as follows:
a. The Parties agree to apply Module 2 (Transfer Controller to Processor) of the EU 2021 Standard Contractual Clauses.
b. For the purpose of Clause 7 of the EU 2021 Standard Contractual Clauses, the Parties elect not to include the optional docking clause.
c. For the purpose of Clause 11 of the EU 2021 Standard Contractual Clauses, the Parties have elected not to include the optional language relating to the use of an independent dispute resolution body.
d. For the purpose of Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties have agreed to the authorization and time period as set out at Section 6 of the Agreement.
(iii) The information required in Table 3 of the UK Transfer Addendum is set out in Section 2.7(b) of these Jurisdiction Specific Terms, Section 6 of the Agreement, and Exhibit A of the Agreement.
(iv) The Parties agree that for the purpose of Table 4 of the UK Transfer Addendum neither Party may end the UK Transfer Addendum as set out in Section 19 of the UK Transfer Addendum.
(v) The Parties further agree to the following implementation choices:
a. For the purpose of Clause 13 of the EU 2021 Standard Contractual Clauses, the UK Information Commissioner’s Office shall be the competent Data Protection Authority.
b. For the purpose of Clause 17 of the EU 2021 Standard Contractual Clauses, the Standard Contractual Clauses, including the incorporated UK Transfer Addendum, shall be governed by the laws of England and Wales.
c. For the purpose of Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses or the incorporated UK Transfer Addendum shall be resolved by the courts of England and Wales.
d. The Parties are deemed to have accepted, executed, and signed the EU 2021 Standard Contractual Clauses where necessary, in their entirety (including the Appendices thereto) and the UK Transfer Addendum.
4. United States.
4.1. “Applicable Laws” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and the implementing regulations of each; the Virginia Consumer Data Protection Act, Virginia Code § 59.1-571 et seq.; and the Colorado Privacy Act, Colorado Revised Statutes § 6-1-1301 et seq.
4.2. “Consumer” means a consumer as defined in the Applicable Laws, and for purposes of this Addendum, shall include a California, Virginia, and/or Colorado household.
4.3. “Personal Information and/or Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household in California, Virginia, and/or Colorado.
4.4. The Parties acknowledge and agree that when processing Personal Information on behalf of the Client, EVERSANA is a Service Provider and/or Processor (as defined in the Applicable Laws) and receives Personal Information pursuant to the business purpose of providing services to the Client pursuant to the Services Agreement. Accordingly, EVERSANA shall not retain, use, or disclose the Personal Information outside of the direct business relationship between Client and Service Provider or for any purpose other than for the specific purpose of performing the services specified in the Services Agreement and as otherwise contemplated in the Agreement, except:
(a) To perform the services and fulfil the limited and specific business purposes specified in the written contract with Client;
(b) To retain and employ another service provider as a subcontractor or subprocessor, where the subcontractor meets the requirements for a service provider under the Applicable Laws and provided that Client has granted Service Provider written approval of such subcontractor;
(c) To detect data security incidents or protect against fraudulent or illegal activity; or
(d) For the purposes enumerated in Cal. Civ. Code section 1798.145, subsections (a)(1) through (a)(4).
4.5. EVERSANA shall not retain, use, and/or disclose sensitive personal information (as defined in the Applicable Laws), after it has received instructions from Client and to the extent it has actual knowledge that the personal information is sensitive information, for any purpose other than as expressly provided for in the Agreement.
4.6. The Parties agree that EVERSANA is authorized to use, retain, and disclose Personal Information for the delivery of the services it provides to the Client in accordance with the Services Agreement. This includes disclosures to Subprocessors, EVERSANA’s business purposes, and as authorized by the Applicable Laws. Any processing of Personal Information outside the scope of the Agreement or Services Agreement will require a prior written Addendum between EVERSANA and the Client.
4.7. EVERSANA shall not disclose, transfer, make available, or otherwise communicate any Personal Information to another third party without the prior written consent of the Client, unless for permitted disclosures to Subprocessors in terms of the Agreement. However, nothing in the Agreement will prevent EVERSANA’s ability to disclose Personal Information in order to comply with the Applicable Law.
4.8. EVERSANA shall not “sell” or “share” (as those terms are defined in the Applicable Laws) any Personal Information to any other business or third party without the prior written consent of the Client.
4.9. EVERSANA shall not combine Client’s Personal Information with personal information acquired from another source.
4.10. EVERSANA undertakes to promptly notify the Client of any verified request received by EVERSANA from a Consumer or authorized representative of the Consumer, enforcing available rights in terms of the Applicable Laws. EVERSANA shall direct the Consumer or its authorized representative to contact the Client.
4.11. EVERSANA shall assist the Client where practically possible when responding to a Consumer rights request as required by the Applicable Laws, subject to the Client providing a suitably detailed, written request.
4.12. Upon direction by the Client, and within a reasonable amount of time, EVERSANA shall delete or return Personal Information unless prohibited by Applicable Laws.
4.13. EVERSANA shall promptly notify Client if it determines it can no longer meet its obligations under the Data Laws or this Agreement.
4.14. Nothing in this Addendum will prevent EVERSANA from cooperating with law enforcement agencies concerning conduct that it believes may violate international, federal, state, or local laws.
5. Canada.
5.1. “Applicable Laws” (as used in the Agreement) includes the Canadian Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).
5.2. “Contracted Processor” (as used in the Agreement) includes “Third Party Organization” as defined under PIPEDA.
5.3. “Personal Data” (as used in the Agreement) includes “Personal Information” as defined under PIPEDA.
5.4. “Personal Data Breach” (as used in the Agreement) includes “Breach of Security Safeguards” as defined under PIPEDA.
Appendix A
Supplemental Clauses to the EU 2021 Standard Contractual Clauses
By this Appendix A (this “Appendix”), the Parties provide additional safeguards to and additional redress to the Data Subjects to whom Client Personal Data relates. This Appendix supplements and is made part of, but is not in variation or modification of, the EU 2021 Standard Contractual Clauses that may be applicable to the Restricted Transfer.
1. Applicability of this Appendix. This Appendix only applies with respect to Restricted Transfers when the Parties have concluded the EU 2021 Standard Contractual Clauses pursuant to the Agreement and its Exhibits.
2. Definitions.
2.1 “Data Exporter” and “Data Importer” shall have the meaning assigned to them in the Clauses concluded by the parties.
2.2 “EO 12333” means the Executive Order 12333.
2.3 “FISA” means the U.S. Foreign Intelligence Surveillance Act.
2.4 “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.
2.5 “Surveillance Laws” includes, but is not limited to, EO 12333 and FISA.
3. Applicability of Surveillance Laws to the Data Importer and its subprocessors
3.1 Data Importer represents and warrants that, as of the signature date hereof, it has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II Judgment.
3.2 Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:
a. No court has found Data Importer to be an entity eligible to receive process issued under FISA Section 702: (A) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4); or (B) a member of any of the categories of entities described within that definition.
b. If Data Importer were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II Judgment.
3.3 EO 12333 does not provide the U.S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information and Data Importer shall take no action pursuant to EO 12333.
3.4 Data Importer commits to provide (upon request) information about the laws and regulations in the destination countries of the transferred data applicable to Data Importer and the subprocessors directly contracted by Data Importer that would permit access by public authorities to the transferred Customer Personal Data, in particular in the areas of intelligence, law enforcement, or administrative and regulatory supervision applicable to the transferred Customer Personal Data. In the absence of laws governing the public authorities’ access to Customer Personal Data, Data Importer shall provide Data Exporter with information and statistics based on the experience of Data Importer or reports from various sources (such as partners, open sources, national case law, and decisions from oversight bodies) on access by public authorities to Personal Data in situations of the kind of the data transfer at hand. Data Importer providing the information referred to in this subparagraph 3(d) may choose the means to provide the information.
3.5 Data Importer shall monitor any legal or policy developments that might lead to its inability to comply with its obligations under the EU 2021 Standard Contractual Clauses and these Supplemental Clauses, and promptly inform Data Exporter of any such changes and developments. When possible, Data Importer shall inform Data Exporter of any such changes and developments ahead of their implementation.
4. Obligation on Data Importer related to orders for compelled disclosure of Customer Personal Data
In the event Data Importer receives an order from any third party for compelled disclosure of any Customer Personal Data that has been transferred under the EU 2021 Standard Contractual Clauses, Data Importer shall:
4.1 Promptly (and, when possible, before granting access to the Customer Personal Data) notify Data Exporter, unless prohibited by law, or, if prohibited from notifying Data Exporter, use all lawful efforts to obtain the right to waive the prohibition to communicate information relating to the order to Data Exporter as soon as possible. This includes, but is not limited to, informing the requesting public authority of the incompatibility of the order with the safeguards contained in Clauses and the resulting conflict of obligations for Data Importer and documenting this communication.
4.2 Use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable European Economic Area Member State law or any other applicable data protection law. For the purpose of these Supplemental Clauses, lawful efforts do not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
4.3 Seek interim measures with a view to suspend the effects of the order until the competent court has decided on the merits.
4.4 Not disclose the requested Customer Personal Data until required to do so under the applicable procedural rules.
4.5 Provide the minimum amount of information permissible when responding to the request, based on a reasonable interpretation of the request.
5. Redirection of the request to Data Exporter
Unless prohibited under the law applicable to the requesting third party, Data Importer shall use every reasonable effort to redirect the third party requesting the disclosure of any Customer Personal Data subject to the Clauses that has been transferred to Data Importer to request data directly from Data Exporter.
6. Information on requests of access to Customer Personal Data by public authorities
Data Importer commits to provide Data Exporter with sufficiently detailed information on all requests of access to Personal Data by public authorities which Data Importer has received over a specified period of time (if any), in particular in the areas of intelligence, law enforcement, administrative, and regulatory supervision applicable to the transferred data and comprising information about the requests received, the data requested, the requesting body, and the legal basis for disclosure and to what extent Data Importer has disclosed the requested data. Data Importer may choose the means to provide this information.
7. Backdoors
Data Importer certifies that:
7.1 It has not purposefully created backdoors or similar programming that could be used to access Data Importer’s systems or Customer Personal Data subject to the Clauses.
7.2 It has not purposefully created or changed its business processes in a manner that facilitates access to Customer Personal Data or systems.
7.3 National law or government policy does not require Data Importer to create or maintain back doors or to facilitate access to Customer Personal Data or systems.
7.4 Data Exporter will be entitled to terminate the contract on short notice in cases in which Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform Data Exporter once their existence comes to its knowledge.
8. Information about legal prohibitions
Data Importer will provide Data Exporter information about the legal prohibitions on Data Importer to provide information under Sections 6 through 8 of these Supplemental Clauses. Data Importer may choose the means to provide this information.
9. Other measures to prevent authorities from accessing Customer Personal Data
Notwithstanding the application of the security measures set forth in the DPA and Appendix B of these Jurisdiction Specific Terms, Data Importer will implement the following technical, organizational, administrative, and physical measures designed to protect the transferred Customer Personal Data from unauthorized disclosure or access:
9.1 Encryption of the transferred Customer Personal Data in transit using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption.
9.2 Encryption at rest within Data Importer’s software applications using a minimum of AES-256.
9.3 Active monitoring and logging of network and database activity for potential security events, including intrusion.
9.4 Regular scanning and monitoring of any unauthorized software applications and IT systems for vulnerabilities of Data Importer.
9.5 Restriction of physical and logical access to IT systems that process transferred Customer Personal Data to those officially authorized persons with an identified need for such access.
9.6 Firewall protection of external points of connectivity in Data Importer’s network architecture.
9.7 Expedited patching of known exploitable vulnerabilities in the software applications and IT systems used by Data Importer.
9.8 Internal policies establishing that:
a. Where Data Importer is prohibited by law from notifying Data Exporter of an order from a public authority for transferred Customer Personal Data, Data Importer shall take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the competent Supervisory Authorities.
b. Data Importer must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to transferred Customer Personal Data.
c. Data Importer shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid.
d. If Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request.
10. Inability to comply with the EU 2021 Standard Contractual Clauses or the Supplemental Clauses
10.1 Data Importer shall promptly inform Data Exporter of its inability to comply with the EU 2021 Standard Contractual Clauses and these Supplemental Clauses.
10.2 If Data Importer determines that it is no longer able to comply with its contractual commitments under these Supplemental Clauses, Data Exporter can swiftly suspend the transfer of data and/or terminate the Agreement.
10.3 If Data Importer determines that it is no longer able to comply with the Clauses or these Supplemental Clauses, Data Importer shall return or delete the Customer Personal Data received. If returning or deleting the Customer Personal Data transferred is not possible, Data Importer must securely encrypt the data without necessarily waiting for Data Exporter’s instructions.
10.4 Data Importer shall provide the Data Exporter with sufficient indications to exercise its duty to suspend or end the transfer and/or terminate the contract.
11. Termination
These Supplemental Clauses shall automatically terminate with respect to the Customer Personal Data transferred in reliance on the EU 2021 Standard Contractual Clauses if the European Commission or a competent Supervisory Authority approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the Clauses (and if such mechanism applies only to some of the data transfers, this DPA will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in these Supplemental Clauses.