
Managed Markets Insights & Technology (MMIT) TPA Data Protection Terms

1. Definitions

a. “Adequate Country” means a country or territory that is recognised under EU and UK Data Protection Law as providing adequate protection for Personal Data.

b. “Data Protection Law” means all applicable laws related to data protection and privacy governing the handling of Personal Data, including without limitation EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”) (collectively, “EU Data Protection Law”), the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Law”), and the California Consumer Privacy Act (“CCPA”) including as modified by the California Privacy Rights Act.

c. “Personal Data”, “Controller”, “Processor”, “Sub-processor”, “Data Subject” and “Supervisory Authority” have the meanings given to them under Data Protection Law.

d. “Personal Data Breach” means an unauthorised, accidental or unlawful processing, access, loss, or disclosure of Personal Data.

e. “Process, Processing and Processed” means any operation or set of operations which is performed on Personal Data or on subsets thereof, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

f. “Purpose” means the provision of Licensed Products and Services by MMIT to the Third Party.

g. “Restricted Transfer” means a transfer of TPA Personal Data to a country or territory to which such transfer is prohibited under Data Protection Law or subject to a requirement to take additional steps to adequately protect the TPA Personal Data for the transfer to be lawful under Data Protection Law.

h. “TPA” means the Third-Party Agreement between the Third Party and MMIT governing the provision of the Licensed Products.

i. “TPA Personal Data” means any Personal Data that is provided or made available by a Party to the other Party under the TPA in connection with the TPA. Such information pertains to the following categories of Data Subjects:

i. MMIT or Third Party’s employees, contractors and representatives;

ii. Personal Data made available to the Third Party by MMIT through the licenced products, which may include Personal Data relating to MMIT customers, healthcare professionals and payer contacts through the product content.

j. “EU Standard Contractual Clauses” means the standard contractual clauses for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and currently located at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.

k. “UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” means the Addendum that has been issued by the UK Information Commissioner for Parties making Restricted Transfers, and currently located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

2. Role of the Parties

2.1 Each Party is an independent Controller of the TPA Personal Data that it processes under the TPA. Each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller or Business under Data Protection Law.

 

3. Obligations of the Parties

3.1 Each Party will:

i. process TPA Personal Data only as necessary for the Purpose and only provide employees, agents or contractors with access to TPA Personal Data where it is necessary to provide such access for the Purpose;

ii. to the extent that the processing of TPA Personal Data is subject to the CCPA, not: (i) retain, use, or disclose TPA Personal Data other than as provided for in the TPA, as needed to provide the Licensed Products and Services, or as otherwise permitted by the CCPA; (ii) combine TPA Personal Data with personal data relating to other customers or individuals (except as permitted by the CCPA); or (iii) sell TPA Personal Data;

iii. process TPA Personal Data in accordance with its respective obligations under Data Protection Law including but not limited to the principles of lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation and security;

iv. provide information to Data Subjects as required under Data Protection Law to ensure sufficient transparency of the Processing of TPA Personal Data;

v. implement appropriate technical and organisational measures to protect the TPA Personal Data from unauthorised, accidental or unlawful access, loss, disclosure or destruction;

vi. ensure that TPA Personal Data is accurate and, where necessary, kept up to date;

vii. retain TPA Personal Data for no longer than necessary for the purpose(s) for which it is processed;

viii. provide the other Party with reasonable details of any enquiry, complaint, notice or other communication it receives from any Supervisory Authority relating to its processing of TPA Personal Data, and act reasonably in co-operating with the other Party in respect of its response to the same;

ix. act reasonably in providing such information and assistance as the other Party may reasonably request to enable it to comply with its own obligations under Data Protection Law;

x. process its own requests for Data Subjects to exercise their rights. With respect to requests from, or on behalf of Data Subjects to the Processing of Personal Data that is shared between the parties, the parties will collaborate to honour such objections or opt-out requests;

xi. ensure that any person who is authorised to process TPA Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty);

xii. enter into a written TPA with any Data Processor used to process TPA Personal Data containing data protection obligations that provide at least the same level of protection for TPA Personal Data as those in these Data Protection terms and in accordance with Data Protection Law. MMIT may disclose TPA Personal Data for (i) security, fraud detection, fraud modelling and related purposes; and (ii) the provision of website, application, development, cloud hosting, maintenance and other services for MMIT. MMIT will limit the TPA Personal Data provided to only what is reasonably necessary;

xiii. remain responsible for such Data Processor compliance with the obligations contained in these Data Protection terms and for any acts or omissions of any such Data Processors that cause the Party to breach any of its obligations under these Data Protection terms;

xiv. notify the other Party without undue delay, but in any event within forty-eight (48) hours of suffering a Personal Data Breach. Both parties shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data Breach. Nothing herein prohibits either Party from providing notification of the Personal Data Breach to regulatory authorities as may be required by Data Protection Law prior to notification of the other Party so long as the notifying Party provides notification to the other Party without undue delay;

xv. to the extent that TPA Personal Data relates to individuals in the EEA or the UK, not transfer any personal data received from the other Party outside the EEA/UK unless:

  • the transfer is to an Adequate Country;
  • there are appropriate safeguards in place pursuant to Article 46 GDPR;
  • binding corporate rules are in place; or
  • one of the derogations for specific situations in Article 49 GDPR applies to the transfer.

 

3.2 A Party that has made TPA Personal Data available to the other Party under the TPA (“Disclosing Party”) will have the right to: (i) take reasonable and appropriate steps to help ensure that such other party (“Receiving Party”) uses such TPA Personal Data in a manner consistent with the Disclosing Party’s obligations under and as required by Data Protection Law; and (ii) upon reasonable prior written notice, take reasonable and appropriate steps to stop and remediate unauthorized use of such TPA Personal Data under Data Protection Law. The Receiving Party will notify the Disclosing Party if the Receiving Party determines that it can no longer meet its obligations under Data Protection Law.

4. International Transfers

4.1 To the extent a transfer of TPA Personal Data between the parties constitutes a Restricted Transfer under EU Data Protection Law, the parties hereby conclude Module 1 of the EU Standard Contractual Clauses, which are incorporated herein by reference and as follows:

i. in Clause 7, the optional docking clause applies;

ii. in Clause 11, the optional language is deleted;

iii. in Clauses 17 and 18, the governing law and forum for disputes for the Standard Contractual Clauses will be the law of the Netherlands;

iv. the information contained in the table in Annex 1 of these Data Protection Terms shall populate the Appendix to the EU Standard Contractual Clauses accordingly.

4.2 To the extent a transfer of TPA Personal Data between the parties constitutes a Restricted Transfer under UK Data Protection Law, the parties hereby conclude the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which are incorporated herein by reference and as follows:

i. Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of these Data Protection terms and Table 4 will be deemed completed by selecting “neither party”;

ii. Any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

5. Limitation of Liability

To the extent that the Third Party has an entitlement under Data Protection Law to claim from MMIT compensation paid by the Third Party to a Data Subject as a result of a breach of Data Protection Law to which MMIT contributed, MMIT shall be liable only for such amount as it directly relates to its responsibility for any damage caused to the relevant Data Subject.

 

Annex 1 Standard Contractual Clauses Information 

| Data Exporter | Data Importer | Categories of data subjects whose personal data is transferred | Categories of personal data transferred | The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Nature of the processing | Purpose(s) of the data transfer and further processing | The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Third Party | MMIT | Third Party’s employees, contractors and representatives | Name, business email address, company, job title | Continuous for the duration of the TPA | Provision of the services as stated in the TPA | To the extent available to MMIT through the provision of services under the TPA | For the duration of the TPA |
| MMIT | Third Party | MMIT’s employees, contractors and representatives | Name, business email address, company, job title | Continuous for the duration of the TPA | Provision of the services as stated in the TPA | To the extent available to Third Party through the provision of services under the TPA | For the duration of the TPA |
| MMIT | Third Party | MMIT’s customers’ employees, contractors and representatives with access to products | Name, business email address, company, job title | Continuous for the duration of the TPA | Provision of the services as stated in the TPA | To the extent available to Third Party through the product | For the duration of the TPA |
| MMIT | Third Party | Personal data made available to Third Party by MMIT through the licenced products, such as: investor relations or media contacts; drug company contacts; Healthcare Professionals; payer contacts; investigator data; contact information from company websites and direct submissions | Name, business email address, company, job title | Continuous for the duration of the TPA | Provision of the services as stated in the TPA | To the extent available to Third Party through product content | For the duration of the TPA |