Processor Terms | EVERSANA

Jurisdiction Specific Terms

(Processor to Subprocessor)

(as of June 7, 2021)

Capitalized definitions not otherwise defined herein shall have the meaning given to them in the Eversana Data Processing Agreement, of which these Jurisdiction Specific Terms form a part (the “Agreement”). Except as modified or supplemented below, the Agreement shall remain in full force and effect.

European Economic Area.

1.1 “European Economic Area” or “EEA” means the EU Member States, and Iceland, Liechtenstein, and Norway.

1.2 “Restricted Transfer of EEA Personal Data” (as used in this Section 1) means any transfer of Client Personal Data subject to the GDPR which is undergoing Processing or is intended for Processing after transfer to Third Country (as defined below) or an international organization Third Country (including data storage on foreign servers).

1.3 “Standard Contractual Clauses” (as used in these Jurisdiction Specific Terms) means the contractual clauses adopted by Decision of the European Commission of 5 February 2010 (decision 2010/87/EU) for the purpose of adducing adequate protection of Personal Data transferred from a Controller to a Processor established in a Third Country, where the legislation in such Third Country has not been deemed to provide an adequate level of data protection.

1.4 “Third Country” means a country outside of the EEA.

1.5 With regard to any Restricted Transfer of EEA Personal Data from EVERSANA to the Service Provider within the scope of the Agreement, one of the following transfer mechanisms shall apply, in the following order of precedence:

(a) a valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR that provides that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Client Personal Data is to be transferred ensures an adequate level of data protection;

(b) the Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR); or

1.6 In the event that a Restricted Transfer of EEA Personal Data can be covered by more than one transfer mechanism under Section 4, the transfer of Personal Data will be subject to a single transfer mechanism in accordance with the order of precedence set forth in Section 1.4.

1.7 These Jurisdiction Specific Terms are hereby incorporated by reference to the Standard Contractual Clauses (updated from time to time if required by law or at the choice of EVERSANA to reflect the latest version promulgated by the European Commission). The specific description and details of the Client Personal Data transferred, as required by the annexes and appendices of the Standard Contractual Clauses, are further elaborated in Exhibit A of the Agreement. For the purpose of the Standard Contractual Clauses and these Jurisdiction Specific Terms, the EVERSANA shall be deemed the “data exporter” and the Service Provider the “data importer”. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary, in their entirety (including the Appendices thereto, and including the “Illustrative Indemnification Clause” as an operative clause).

1.8 To the extent that Standard Contractual Clauses are applicable to a Restricted Transfer of EEA Personal Data, EVERSANA shall, if necessary, implement additional safeguards to ensure an adequate level of protection, as required by Applicable Laws.

1.9 In cases where the Standard Contractual Clauses apply, and there is a conflict between the terms of the Agreement and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall control. For purposes of clarity, terms in the Agreement that supplement, but do not directly contradict or frustrate the purpose of the terms of the Standard Contractual Clauses, shall not be deemed as creating a conflict.

1.10 If the execution of a new version of the Standard Contractual Clauses promulgated by the European Commission is later required in order for the Parties to rely on such instrument as a lawful mechanism for a Restricted Transfer of EEA Personal Data, the Parties are deemed to have agreed to the new version of the Standard Contractual Clauses by signing the Agreement. EVERSANA may update Exhibit A of the Agreement and these Jurisdiction Specific Terms from time to time to reflect changes in or additions necessary to conclude any new version of the Standard Contractual Clauses.

2. United Kingdom.

2.1. “Applicable Laws” (as used in the Agreement) includes the UK Data Protection Act 2018 and the UK GDPR.

2.2. “UK Standard Contractual Clauses” (as used in this Section) means the Standard Contractual Clauses as defined in these Jurisdiction Specific Terms, provided that those clauses are the standard data protection clauses specified pursuant to Article 46(2) of the UK GDPR and Section 17C (13) or Section 119A(14) of the Data Protection Act 2018.

2.3. “UK Restricted Transfer” (as used in this Section) includes any transfer of Client Personal Data (including data storage in foreign servers) which is undergoing Processing or is intended for Processing after transfer subject to the Applicable Laws, to a Third Country (as defined below) or an international organization.

2.4. “Third Country” (as used in this Section) means a country outside of the United Kingdom.

2.5. “UK GDPR” means Regulation (EU) 2016/679 as has been amended and adopted to form a part of the law of England and Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal Agreement) Act 2020.

2.6. With regard to any UK Restricted Transfer from the EVERSANA to the Service Provider within the scope of the Agreement and which is regulated by the Applicable Laws, one of the following Personal Data transfer mechanisms shall apply, in the following order of precedence:

(a) a valid adequacy decision adopted by the European Commission on the basis of the Applicable Laws that provides that the Third Country to which the Client Personal Data is to be transferred, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Client Personal Data is to be transferred, ensures an adequate level of data protection;

(b) the UK Standard Contractual Clauses (insofar the prospective UK Restricted Transfer would be considered lawful under this mechanism, pursuant to Applicable Laws); or

2.7. In the event that a UK Restricted Transfer can be covered by more than one transfer mechanism under Section 2.6, the transfer of Client Personal Data will be subject to a single transfer mechanism in accordance with the order of precedence set forth in Section 2.6.

2.8. For the purpose of the UK Standard Contractual Clauses and this Section 2.8, the EVERSANA shall be deemed the “data exporter” and the Service Provider the “data importer”. The UK Standard Contractual Clauses are: (i) deemed to have been accepted, executed, and signed, where necessary, by the Parties in their entirety (including the annexes and appendices thereto); and (ii) incorporated by reference and constitute an integral part of these Jurisdiction Specific Terms. The specific description and details of the Client Personal Data transfers, as required by the annexes and appendices of the UK Standard Contractual Clauses, are further elaborated in Exhibit A of the Agreement.

2.9. In cases where the UK Standard Contractual Clauses apply and there is a conflict between the terms of the Agreement and the terms of the UK Standard Contractual Clauses, the terms of the UK Standard Contractual Clauses shall control. For purposes of clarity, terms in the Agreement that supplement, but do not directly contradict or frustrate the purposes of the terms of the UK Standard Contractual Clauses, shall not be deemed as creating a conflict.

2.10. If the execution of a new version of the UK Standard Contractual Clauses promulgated by the European Commission is later required in order for the Parties to rely on such instruments as a lawful mechanism for UK Restricted Transfers, the Parties are deemed to have agreed to the new version of the UK Standard Contractual Clauses by signing the Agreement. EVERSANA may update Exhibit A of the Agreement and these Jurisdiction Specific Terms from time to time to reflect changes in or additions necessary to conclude any new version of the UK Standard Contractual Clauses.

2.11. To the extent that the UK Standard Contractual Clauses are applicable to a UK Restricted Transfer, EVERSANA shall, if necessary, implement additional safeguards to ensure an adequate level of protection, as required by Applicable Laws.

3. California

3.1. “Applicable Data Protection Laws” (as used in the Agreement) includes the California Consumer Privacy Act of 2018, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018 (“CCPA”), and the California Consumer Privacy Act Regulations (“CCPA Regulations”) as may be amended from time to time.

3.2. “Business Purpose” (as used in these California Specific Provisions) shall have the same meaning as in the CCPA.

3.3. “Commercial Purpose” (as used in these California Specific Provisions) shall have the same meaning as in the CCPA.

3.4. “Controller” (as used in the Agreement) includes “Business” as defined under the CCPA.

3.5. “Data Subject” (as used in the Agreement) includes “Consumer” as defined under the CCPA.

3.6. “Sale” (as used in these California Specific Provisions) and its related terms shall have the same meaning as in the CCPA.

3.7. “Personal Data” (as used in the Agreement) includes “Personal Information” as defined under the CCPA.

3.8. “Processor” (as used in the Agreement) includes “Service Provider” as defined under the CCPA.

3.9. “Personal Data Breach” (as used in the DPA) includes “Breach of the Security of the System” as defined under Section 1798.82 of the California Civil Code.

3.10. EVERSANA discloses Personal Data to the Service Provider solely for: (i) valid Business Purposes; and (ii) to enable the Parties to perform the services under the Agreement.

3.11. The Service Provider shall not: (i) sell Personal Data; (ii) retain, use, or disclose Personal Data for a Commercial Purpose other than providing the services specified in the Agreement or as otherwise permitted by the CCPA and the CCPA Regulations; nor (iii) retain, use, or disclose Personal Data except where permitted under the Agreement between the Parties or as otherwise permitted by the CCPA and the CCPA Regulations. The Service Provider certifies that it understands these restrictions and will comply with them.

3.12. The Service Provider undertakes to promptly notify EVERSANA of any verified request received by the Service Provider from a Consumer or authorized representative of the Consumer, enforcing available rights in terms of the CCPA. The Service Provider shall direct the Consumer or its authorized representative to contact EVERSANA.

3.13. The Service Provider shall assist EVERSANA where practically possible when responding to a Consumer rights request as required by the CCPA, subject to EVERSANA providing a suitably detailed, written request.

3.14. Upon direction by EVERSANA, and within a reasonable amount of time, the Service Provider shall delete CCPA Personal Information.

3.15. The Service Provider acknowledges and confirms that it did not receive any Personal Data as consideration for any services or other items that the Service Provider provided to EVERSANA. EVERSANA retains all rights and interests in Personal Data. The Service Provider agrees to refrain from taking any action that would cause any transfers of Personal Data to or from EVERSANA to qualify as selling Personal Data under Applicable Data Protection Laws.

Appendix A

Supplemental Clauses to the Standard Contractual Clauses

By this Appendix A (this “Appendix”), the Parties provide additional safeguards to and additional redress to the Data Subjects to whom Client Personal Data relates. This Appendix supplements and is made part of, but is not in variation or modification of, the Standard Contractual Clauses that may be applicable to the Restricted Transfer.

1. Applicability of this Appendix. This Appendix only applies with respect to Restricted Transfers when the Parties have concluded the Standard Contractual Clauses pursuant to the Agreement and its Exhibits.

2. Definitions.

2.1. “Data Exporter” and “Data Importer” shall have the meaning assigned to them in the Clauses concluded by the parties.

2.2. “EO 12333” means the Executive Order 12333.

2.3. “FISA” means the U.S. Foreign Intelligence Surveillance Act.

2.4. “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.

2.5. “Surveillance Laws” includes, but it not limited to, the EO 12333 and FISA.

3. Applicability of Surveillance Laws to the data importer and its or subprocessors.

3.1. Data Importer represents and warrants that, as of the signature date hereof, it has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II Judgment.

3.2. Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:

a. No court has found Data Importer to be an entity eligible to receive process issued under FISA Section 702: (A) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4); or (B) a member of any of the categories of entities described within that definition.

b. If Data Importer were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II Judgment.

3.3. EO 12333 does not provide the U.S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information and Data Importer shall take no action pursuant to EO 12333.

3.4. Data Importer commits to provide (upon request) information about the laws and regulation in the destination countries of the transferred data applicable to Data Importer and the subprocessors directly contracted by Data Importer that would permit access by public authorities to the transferred Customer Personal Data, in particular in the areas of intelligence, law enforcement, or administrative and regulatory supervision applicable to the transferred Customer Personal Data. In the absence of laws governing the public authorities’ access to Customer Personal Data, Data Importer shall provide Data Exporter with information and statistics based on the experience of Data Importer or reports from various sources (such as partners, open sources, national case law, and decisions from oversight bodies) on access by public authorities to Personal Data in situation of the kind of the data transfer at hand. Data Importer providing the information referred to in this subparagraph 3(d) may choose the means to provide the information.

3.5. Data Importer shall monitor any legal or policy developments that might lead to its inability to comply with its obligations under the Standard Contractual Clauses and these Supplemental Clauses, and promptly inform Data Exporter of any such changes and developments. When possible, Data Exporter shall inform Data Exporter of any such changes and developments ahead of their implementation.

4. Obligation on Data Importer related to orders for compelled disclosure of Customer Personal Data

In the event Data Importer receives an order from any third party for compelled disclosure of any Customer Personal Data that has been transferred under the Standard Contractual Clauses, Data Importer shall:

4.1. Promptly (and, when possible, before granting access to the Customer Personal Data) notify Data Exporter, unless prohibited by law, or, if prohibited from notifying Data Exporter, use all lawful efforts to obtain the right to waive the prohibition to communicate information relating to the order to Data Exporter as soon as possible. This includes, but is not limited to, informing the requesting public authority of the incompatibility of the order with the safeguards contained in Clauses and the resulting conflict of obligations for Data Importer and documenting this communication.

4.2. Use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable European Economic Area Member State law or any other applicable data protection law. For the purpose of these Supplemental Clauses, lawful efforts do not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.

4.3. Seek interim measures with a view to suspend the effects of the order until the competent court has decided on the merits.

4.4. Not disclose the requested Customer Personal Data until required to do so under the applicable procedural rules.

4.5. Provide the minimum amount of information permissible when responding to the request, based on a reasonable interpretation of the request.

5. Redirection of the request to Data Exporter

Unless prohibited under the law applicable to the requesting third party, Data Importer shall use every reasonable effort to redirect the third party requesting the disclosure of any Customer Personal Data subject to the Clauses that has been transferred to Data Importer to request data directly from Data Exporter.

6. Information on requests of access to Customer Personal Data by public authorities

Data Importer commits to provide Data Exporter with sufficiently detailed information on all requests of access to Personal Data by public authorities which Data Importer has received over a specified period of time (if any), in particular in the areas of intelligence, law enforcement, administrative, and regulatory supervision applicable to the transferred data and comprising information about the requests received, the data requested, the requesting body, and the legal basis for disclosure and to what extent Data Importer has disclosed the requested data. Data Importer may choose the means to provide this information.

7. Backdoors

Data Importer certifies that:

7.1. It has not purposefully created backdoors or similar programming that could be used to access Data Importer’s systems or Customer Personal Data subject to the Clauses.

7.2. It has not purposefully created or changed its business processes in a manner that facilitates access to Customer Personal Data or systems.

7.3. National law or government policy does not require Data Importer to create or maintain back doors or to facilitate access to Customer Personal Data or systems.

7.4. Data Exporter will be entitled to terminate the contract on short notice in cases in which Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform Data Exporter once their existence comes to its knowledge.

8. Information about legal prohibitions

Data Importer will provide Data Exporter information about the legal prohibitions on Data Importer to provide information under Sections 6 through 8 of these Supplemental Clauses. Data Importer may choose the means to provide this information.

9. Other measures to prevent authorities from accessing Customer Personal Data

Notwithstanding the application of the security measures set forth in the DPA, Data Importer will implement the following technical, organizational, administrative, and physical measures designed to protect the transferred Customer Personal Data from unauthorized disclosure or access:

9.1. Encryption of the transferred Customer Personal Data in transit using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption.

9.2. Encryption at rest within Data Importer’s software applications using a minimum of AES-256.

9.3. Active monitoring and logging of network and database activity for potential security events, including intrusion.

9.4. Regular scanning and monitoring of any unauthorized software applications and IT systems for vulnerabilities of Data Importer.

9.5. Restriction of physical and logical access to IT systems that process transferred Customer Personal Data to those officially authorized persons with an identified need for such access.

9.6. Firewall protection of external points of connectivity in Data Importer’s network architecture.

9.7. Expedited patching of known exploitable vulnerabilities in the software applications and IT systems used by Data Importer.

9.8. Internal policies establishing that:

a. Where Data Importer is prohibited by law from notifying Data Exporter of an order from a public authority for transferred Customer Personal Data, Data Importer shall take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the competent Supervisory Authorities.

b. Data Importer must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to transferred Customer Personal Data.

c. Data Importer shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid.

d. If Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request.

10. Inability to comply with the Standard Contractual Clauses or the Supplemental Clauses

10.1. Data Importer shall promptly inform Data Exporter of its inability to comply with the Standard Contractual Clauses and these Supplemental Clauses.

10.2. If Data Importer determines that is no longer able to comply with its contractual commitments under these Supplemental Clauses, Data Exporter can swiftly suspend the transfer of data and/or terminate the Agreement.

10.3. If Data Importer determines that is no longer able to comply with the Clauses or these Supplemental Clauses, Data Importer shall return or delete the Customer Personal Data received. If returning or deleting the Customer Personal Data transferred is not possible, Data Importer must securely encrypt the data without necessarily waiting for Data Exporter’s instructions.

10.4. Data Importer shall provide the Data Exporter with sufficient indications to exercise its duty to suspend or end the transfer and/or terminate the contract.

11. Termination

These Supplemental Clauses shall automatically terminate with respect to the Customer Personal Data transferred in reliance of the Standard Contractual Clauses if the European Commission or a competent Supervisory Authority approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the Clauses (and if such mechanism applies only to some of the data transfers, this DPA will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in these Supplemental Clauses.