Jurisdiction Specific Terms
(Processor to Subprocessor)
(as of July 18, 2023)
Capitalized definitions not otherwise defined herein shall have the meaning given to them in the Eversana Data Processing Agreement, of which these Jurisdiction Specific Terms form a part (the “Agreement”). Except as modified or supplemented below, the Agreement shall remain in full force and effect.
1. Australia.
1.1. Definitions.
(a) “Applicable Laws” (as used in the Agreement) includes the Australian Privacy Act (1998) and the Australian Privacy Principles.
(b) “Controller” (as used in the Agreement) includes “APP Entity” as defined under the Privacy Act.
(c) “Personal Data Breach” (as used in the Agreement) includes “Eligible Data Breach” as defined under the Privacy Act.
(d) “Personal Data” (as used in the Agreement) includes “Personal Information” as defined under the Privacy Act
2. European Economic Area.
2.1. “European Economic Area” or “EEA” means the EU Member States, and Iceland, Liechtenstein, and Norway.
2.2. “EU 2021 Standard Contractual Clauses” (as used in these Jurisdiction Specific Terms) means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (as updated from time to time if required by law or at the choice of EVERSANA to reflect the latest version promulgated by the European Commission).
2.3. “Restricted Transfer of EEA Personal Data” (as used in this Section 2) means any transfer of Client Personal Data subject to the GDPR which is undergoing Processing or is intended for Processing after transfer to Third Country (as defined below) or an international organization Third Country (including data storage on foreign servers).
2.4. “Supplemental Clauses” means the supplemental clauses to the EU 2021 Standard Contractual Clauses set out in Exhibit C of the Agreement (as updated from time to time if required by law or at the choice of EVERSANA).
2.5. “Third Country” means a country outside of the EEA.
2.6. With regard to any Restricted Transfer of EEA Personal Data from EVERSANA to the Service Provider within the scope of the Agreement, one of the following transfer mechanisms shall apply, in the following order of precedence:
(a) a valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR that provides that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Client Personal Data is to be transferred ensures an adequate level of data protection;
(b) the EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR); or
(c) any other lawful data transfer mechanism, as laid down in chapter 5 of the GDPR, as the case may be.
2.7. In the event that a Restricted Transfer of EEA Personal Data can be covered by more than one transfer mechanism under Section 2.6, the transfer of Personal Data will be subject to a single transfer mechanism in accordance with the order of precedence set forth in Section 2.6.
2.8. The Agreement incorporates by reference the EU 2021 Standard Contractual Clauses, provided that the content of Annex I.B and Annex II is set forth in Exhibit A of the Agreement and the content of Annex III is set forth in Exhibit B of the Agreement.
(a) The Parties agree to apply Module 3 (Transfer Processor to Processor) of the EU 2021 Standard Contractual Clauses.
(b) For the purpose of Annex I of the EU 2021 Standard Contractual Clauses:
i. EVERSANA shall be deemed the “data exporter” and Vendor shall be deemed the “data importer”.
ii. The Parties have provided each other with the identity information contact details required under Annex I.A.
iii. The Parties’ controllership roles are set forth in Section 3.1 of the Agreement.
iv. The details of the Parties’ data protection officer and data protection representative in the EU are set forth in Exhibit A of the Addendum.
v. The activities relevant to the Personal Data transferred under the EU 2021 Standard Contractual Clauses is set forth in Exhibit A of the Agreement.
(c) For the purpose of Clause 7 of the EU 2021 Standard Contractual Clauses, the Parties elect not to include the optional docking clause.
(d) For the purpose of Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties select the Option 2 General Written Authorization” and the time period set forth in Section 6.3 of the Addendum.
(e) For the purpose of Clause 11 of the EU 2021 of the EU 2021 Standard Contractual Clauses, the Parties have elected not to include the optional language relating to the use of an independent dispute resolution body.
(f) For the purpose of Annex I.C and with respect to Clause 13 of the EU 2021 Standard Contractual Clauses, the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Article 3(2) of the GDPR. The data exporter has appointed a representative established in the Republic of Ireland pursuant to Article 27(1) of the GDPR, whose supervisory authority shall act as the competent supervisory authority and be responsible for ensuring compliance by the data exporter with the GDPR as regards to the data transfer.
(g) With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select the law of the Republic of Ireland, provided that such law allows for third party beneficiary rights.
(h) With respect to Cause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.
2.9. To the extent that EU 2021 Standard Contractual Clauses are applicable to a Restricted Transfer of EEA Personal Data, Service Provider shall implement additional safeguards to ensure an adequate level of protection, as required by Applicable Laws, including the Supplemental Clauses.
2.10. In cases where the EU 2021 Standard Contractual Clauses apply, and there is a conflict between the terms of the Agreement and the terms of the EU 2021 Standard Contractual Clauses, the terms of the EU 2021 Standard Contractual Clauses shall control. For purposes of clarity, terms in the Agreement that supplement, but do not directly contradict or frustrate the purpose of the terms of the EU 2021 Standard Contractual Clauses, shall not be deemed as creating a conflict.
2.11. If the execution of a new version of the EU 2021 Standard Contractual Clauses promulgated by the European Commission is later required in order for the Parties to rely on such instrument as a lawful mechanism for a Restricted Transfer of EEA Personal Data, the Parties are deemed to have agreed to the new version of the EU 2021 Standard Contractual Clauses by signing the Agreement. EVERSANA may update Exhibit A of the Agreement and these Jurisdiction Specific Terms from time to time to reflect changes in or additions necessary to conclude any new version of the EU 2021 Standard Contractual Clauses.
3. United Kingdom.
3.1. “Applicable Laws” (as used in the Agreement) includes the UK Data Protection Act 2018 and the UK GDPR.
3.2. “EU 2021 Standard Contractual Clauses” is defined in Section 2.3 of these Jurisdiction Specific Terms.
3.3. “Third Country” (as used in this Section) means a country outside of the United Kingdom.
3.4. “UK GDPR” means Regulation (EU) 2016/679 as has been amended and adopted to form a part of the law of England and Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal Agreement) Act 2020.
3.5. “UK Restricted Transfer” (as used in this Section) includes any transfer of Client Personal Data (including data storage in foreign servers) that is subject to the UK GDPR which is undergoing Processing or is intended for Processing after transfer to a Third Country or an international organization.
3.6. “UK Transfer Addendum” (as used in this Section) means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the UK Information Commissioner, Version B1.0, in force as of 21 March 2022, as may be amended from time to time, available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf.
3.7. With regard to any UK Restricted Transfer from the EVERSANA to the Service Provider within the scope of the Agreement and which is regulated by the Applicable Laws, one of the following Personal Data transfer mechanisms shall apply, in the following order of precedence:
(a) a valid adequacy decision adopted by the European Commission on the basis of the Applicable Laws that provides that the Third Country to which the Client Personal Data is to be transferred, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Client Personal Data is to be transferred, ensures an adequate level of data protection;
(b) the EU 2021 Standard Contractual Clauses ((insofar as their use constitutes an “appropriate safeguard” under the UK GDPR) along with any necessary modifications and addenda to make the EU 2021 Standard Contractual Clauses applicable to transfers of Personal Data (including the adoption and incorporation by reference of the UK Transfer Addendum); or
(c) any other lawful basis, as laid down in Applicable Laws.
3.8. In the event that a UK Restricted Transfer can be covered by more than one transfer mechanism under Section 3.7, the transfer of Client Personal Data will be subject to a single transfer mechanism in accordance with the order of precedence set forth in Section 3.7.
3.9. EU 2021 Standard Contractual Clauses:
(a) The Agreement incorporates by reference the EU 2021 Standard Contractual Clauses (updated from time to time if required by law or at the choice of a Party to reflect the latest version promulgated by the European Commission) and the UK Transfer Addendum.
(b) The contents of Annex I and II of the EU Standard Contractual Clauses are contained in Exhibit A of the Agreement and in Section 2.8 of these Jurisdiction Specific Terms. The contents of Annex III of the EU 2021 Standard Contractual Clauses are set out in Exhibit B of the Agreement.
(c) The tables of the UK Transfer Addendum are set out as follows:
i. The information required in Table 1 of the UK Transfer Addendum has been exchanged in the Agreement and the Service Agreement.
ii. The information required in Table 2 of the UK Transfer Addendum is as follows:
a. The Parties agree to apply Module 3 (Transfer Processor to Processor) of the EU 2021 Standard Contractual Clauses.
b. For the purpose of Clause 7 of the EU 2021 Standard Contractual Clauses, the Parties elect not to include the optional docking clause.
c. For the purpose of Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties have agreed to the authorization and time period as set out in Section 6.3 of the Agreement.
d. For the purpose of Clause 11 of the EU 2021 Standard Contractual Clauses, the Parties have elected not to include the optional language relating to the use of an independent dispute resolution body.
iii. The information required in Table 3 of the UK Transfer Addendum is set out in Section 2.8(b) of the Jurisdiction Specific Terms, and Exhibit A and Exhibit B of the Agreement.
iv. The Parties agree that for the purpose of Table 4 of the UK Transfer Addendum, neither Party may end the UK Addendum as set out in Section 19 of the UK Transfer Addendum.
v. The Parties further agree to the following implementation choices:
a. For the purpose of Clause 13 of the EU 2021 Standard Contractual Clauses, the UK Information Commissioner’s Office shall be the competent Data Protection Authority.
b. For the purpose of Clause 17 of the EU 2021 Standard Contractual Clauses, the EU 2021 Standard Contractual Clauses, including the incorporated UK Transfer Addendum, shall be governed by the laws of England and Wales.
c. For the purpose of Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses or the incorporated UK Transfer Addendum shall be resolved by the courts of England and Wales.
(d) The Parties are deemed to have accepted, executed, and signed the EU 2021 Standard Contractual Clauses where necessary, in their entirety (including the Appendices thereto) and the UK Transfer Addendum.
4. United States
4.1. “Applicable Data Protection Laws” (as used in the Agreement) includes the California Consumer Privacy Act Cal. Civ. Code §1798.100 et. seq., as amended by the California Privacy Rights Act, and its the implementing regulations of each; the Virginia Consumer Data Protection Act Virginia Code § 59.1-571 et. seq.; and the Colorado Privacy Act Colorado Revised Statutes § 6-1-1301 et. seq.
4.2. “Business Purpose” (as used in these California Specific Provisions) shall have the same meaning as in the CCPA.
4.3. “Commercial Purpose” (as used in these California Specific Provisions) shall have the same meaning as in the CCPA.
4.4. “Controller” (as used in the Agreement) includes “Business” as defined under the Applicable Data Protection Laws.
4.5. “Data Subject” (as used in the Agreement) includes “Consumer” as defined under the Applicable Data Protection Laws.
4.6. “Sale” and “Share” shall have the same meaning as in the Applicable Data Protection Laws.
4.7. “Personal Data” (as used in the Agreement) includes “Personal Information” as defined under the Applicable Data Protection Laws.
4.8. “Processor” (as used in the Agreement) includes “Service Provider” as defined under the Applicable Data Protection Laws.
4.9. “Personal Data Breach” (as used in the DPA) means (i) the loss or misuse (by any means) of Client Data; (ii) the inadvertent, unauthorized, and/or unlawful disclosure, Processing, alteration, corruption, sale, rental, or destruction of Client Data or other breach with respect to Client Data; (iii) any compromise or vulnerability of the Services; or (iv) any potential or confirmed exposure or vulnerability (which may stem from an act or omission to act) that would result in any of the events described in clause (i) or (iii).
4.10. EVERSANA discloses Personal Data to the Service Provider solely for: (i) valid Business Purposes; and (ii) to enable the Parties to perform the services under the Agreement.
4.11. The Service Provider shall:
(i) Not sell or share Personal Data;
(ii) Not retain, use, or disclose Personal Data for a Commercial Purpose other than providing the services specified in the Agreement or as otherwise permitted by the Applicable Data Protection Laws;
(iii) Not retain, use, or disclose Personal Data except where permitted under the Agreement between the Parties or as otherwise permitted by the Applicable Data Protection Laws.
(iv) Not retain use, and/or disclose sensitive personal information (as defined in the Applicable Data Protection Laws) after it has received instructions from EVERSANA and to the extent it has actual knowledge that the personal information is sensitive information for any other purpose than as expressly provided for in the Agreement.
(v) Not combine Client’s Personal Information with personal information acquired from another source.
The Service Provider certifies that it understands these restrictions and will comply with them.
4.12. The Service Provider undertakes to promptly notify EVERSANA of any verified request received by the Service Provider from a Consumer or authorized representative of the Consumer, enforcing available rights in terms of the Applicable Data Protection Laws. The Service Provider shall direct the Consumer or its authorized representative to contact EVERSANA.
4.13. The Service Provider shall assist EVERSANA where practically possible when responding to a Consumer rights request as required by the Applicable Data Protection Laws, subject to EVERSANA providing a suitably detailed, written request.
4.14. Upon direction by EVERSANA, and within a reasonable amount of time, the Service Provider shall delete or return Personal Information.
4.15. The Service Provider acknowledges and confirms that it did not receive any Personal Data as consideration for any services or other items that the Service Provider provided to EVERSANA. EVERSANA retains all rights and interests in Personal Data. The Service Provider agrees to refrain from taking any action that would cause any transfers of Personal Data to or from EVERSANA to qualify as selling Personal Data under Applicable Data Protection Laws.
5. Canada
5.1. “Applicable Laws” (as used in the Agreement) includes the Canadian Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).
5.2. “Contracted Processor” (as used in the Agreement) includes “Third Party Organization” as defined under PIPEDA.
5.3. “Personal Data” (as used in the Agreement) includes “Personal Information” as defined under PIPEDA.
5.4. “Personal Data Breach” (as used in the Agreement) includes “Breach of Security Safeguards” as defined under PIPEDA.