This END USER DATA PROCESSING AGREEMENT ADDENDUM (“Addendum”) is incorporated into the Information Sharing Terms and attached to the License Agreement and Profile and Order Form (together “EULSA”) between InterSystems (“InterSystems”) and End User (“End User”), as noted in the EULSA. InterSystems and End User are parties to this Addendum (each separately “a Party”, altogether “Parties”). In consideration of the mutual covenants and promises contained herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged by the Parties hereto, the Parties agree as follows:
All capitalized terms used in this Addendum and not defined elsewhere herein or in the EULSA shall have the same meaning as those terms as used or defined in the GDPR, as defined below. The terms of this Addendum supersede any conflicting terms of the EULSA and any other terms regarding data protection or the processing of information.
The Parties acknowledge that the services provided by InterSystems under the EULSA are not intended to result in InterSystems creating, receiving, maintaining, transmitting, using, disclosing or otherwise Processing Personal Data related to a Data Subject in an operational context that constitutes End User Data, as defined below; however, because the End User, under certain circumstances, may be required to comply with GDPR, as defined below, End User requires its service providers that may come into contact with End User Data to enter into a data processing agreement with End User, and InterSystems is willing to enter into such an agreement in the unlikely event that InterSystems does Process End User Data without conceding that InterSystems is generally a Processor to the End User. The Parties agree with regard to other Personal Data Processed by InterSystems that is not End User Data (“InterSystems Data”) that InterSystems is the Data Controller and that the Parties are not Joint Controllers of InterSystems Data.
1.1. In this Addendum, the expressions “Personal Data”, “Controller”, “Processor”, “Processing” and “Process” shall have the meanings assigned to them by the General Data Protection Regulation, Regulation (EU) 2016/679.
1.5. Data Controller. “Data Controller”, when used in this Addendum, refers to End User, even if End User is a Processor for a Controller with regard to the Personal Data Processed.
1.3. Data Owner. “Data Owner” means, with respect to each item of Personal Data in End User Data, the End User or, if End User is a Processor for a Controller with regard to the Personal Data, such Controller.
1.4. Data Processor. “Data Processor” shall generally have the same meaning as Processor under the GDPR and when (1) InterSystems and End User mutually agree that InterSystems is acting in a capacity as a Processor of End User as defined in a specific and individual Rules of Engagement and (2) InterSystems is not otherwise acting in a capacity as a service provider, a third party vendor to the End User, or a Controller.
1.5. Data Protection Legislation. “Data Protection Legislation” means the GDPR and the national implementing legislations; the Swiss Federal Data Protection Act (as amended and replaced from time to time); the United Kingdom Data Protection Act (as amended and replaced from time to time); and the Data Protection Acts of the EEA countries (as amended and replaced from time to time, whenever applicable).
1.6. End User Data. “End User Data” means any Personal Data for which End User or, if the End User is a Processor for a Controller, the Controller solely determines the purposes and means of the Processing of such Personal Data and which is provided by or on behalf of End User to InterSystems; provided that End User Data shall not include any Personal Data defined as InterSystems Data above.
1.7. GDPR. “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679).
2. Data Ownership.
2.1. End User Data, which the Data Processor processes on behalf of the Data Controller will at all times remain the property of the Data Owner.
2.2. Should any Party for any reason terminate the EULSA, the End User will decide whether each item of End User Data, to the extent that Data Processor still retains such items, will be returned to the End User or deleted. All Processing by the Data Processor will end except for any Processing required by law or which is necessary to bring the EULSA to an end.
2.3. The Data Controller may at any time require the Data Processor to stop Processing End User Data and to delete or return the End User Data to the Data Controller.
2.4. In the event Data Processor determines that returning or destroying the End User Data as required in this section is infeasible, Data Processor shall extend the protections of this Addendum to such End User Data, and shall limit further Processing of such End User Data, to those purposes that make the return or destruction infeasible, for so long as Data Processor retains such End User Data.
3. Obligations and Activities of Data Processor.
3.1. Data Processor agrees to process End User Data subject to technical and organisational security measures of a sort which, if the Data Processor were the Controller in respect of such data, would satisfy GDPR Article 32, Security of Processing, i.e., “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” and to take reasonable steps to ensure compliance with such measures.
3.2. Data Processor agrees it will process such End User Data only in accordance with instructions from End User that End User shall provide in writing from time to time.
3.3. Data Processor agrees it will comply with all obligations imposed by GDPR Article 32 as though the Data Processor were the Controller in respect of such End User Data.
3.4. Data Processor agrees it shall ensure that all members of staff, agents, contractors and others who have access to End User Data are advised that the data are confidential and not to be disclosed to anyone not subject to an enforceable duty of confidentiality in respect thereof. Only members of staff etc. who have an operational requirement to access End User Data shall be authorised and (in terms of logical, physical or other security measures) able to do so.
3.5. Should the Data Processor wish to sub-contract the Processing of End User Data, they must impose on any sub-contractor the same contractual obligations in respect of data protection and security as has been established in terms of this Addendum.
3.6. Data Processor agrees to advise the Data Controller promptly of any security breaches relevant to End User Data within its own or any sub-contractor’s organisation.
3.7. Data Processor agrees to ensure that all staff who are involved in processing of End User Data receive the appropriate training in data protection procedures, identify and keep records of training received by such staff and contents of all courses. The Data Processor shall ensure that no other agents or employees of the Data Processor are given access to the End User Data.
3.8. Data Processor agrees that the Controller’s Data shall not be transferred to a country or territory outside the European Economic Area without written approval of the End User unless (1) that country or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data as determined by the appropriate data protection authority; (2) without any implied breach of this provision, where the Data Processor has entered into Standard Contractual Clauses, as approved by the European Commission, with regard to such transfer; or (3) the Data Processor has obligated itself to Binding Corporate Rules as approved or accepted by a relevant data protection authority; provided that End User may restrict such transfers under a specific and individual Rules of Engagement so long as the End User agrees that InterSystems shall not be in breach of its obligations under the EULSA if InterSystems determines such transfer is necessary to provide the required service or support.
4. Obligations of End User.
4.1. End User shall only provide End User Data to InterSystems when strictly required for the purposes of the EULSA and in full compliance with the Data Protection Legislation and agrees to provide only the minimum necessary personal data relevant to the service or support being provided.
4.2. End User shall not ask or require Data Processor to Process End User Data in a manner in which End User could not do so as a Controller or a Processor for a Controller; provided that InterSystems shall notify the End User promptly in writing, providing sufficient information to describe the objection, if InterSystems considers that any of the End User’s instructions infringe the Data Protection Legislation. Where the End User agrees with the determination of InterSystems that the End User’s instructions infringe the Data Protection Legislation, then the End User shall notify InterSystems as such and InterSystems shall not be required to comply with that instruction, nor shall InterSystems be held to be in breach of the EULSA for any failure to comply with such instruction. If the End User objects to the determination of InterSystems that the End User’s instructions infringe the Data Protection Legislation, then the End User shall provide a written explanation of why such instruction does comply with the Data Protection Legislation and InterSystems may rely on such explanation to carry out the End User’s instruction.
4.3. End User represents and warrants that it (or in the case that End User is a Data Processor, the relevant Data Owner) may Process End User Data in the manner that Data Processor is authorized to process Personal Data under this Addendum.
4.4. End User shall be responsible for using administrative, physical and technical safeguards at all times to maintain and ensure the confidentiality, privacy and security of End User Data transmitted to Data Processor in accordance with the standards and requirements of the Data Protection Legislation, until such End User Data is received by Data Processor.
4.5. End User shall obtain any consent or authorization that may be required by applicable law in order for Data Processor to provide its services under the EULSA.
5.1. References. A reference in this Addendum to language in the GDPR means the language as in effect or as amended, and as of its applicable compliance date.
5.2. Changes to this Addendum. End User agrees that InterSystems, in good faith, may amend this Addendum or the EULSA as necessary to comply with any changes in the Data Protection Legislation.
5.3. Survival. The respective rights and obligations of Data Processor and Data Controller shall survive termination for so long as either the Data Processor or Data Controller Process End User Data under this Addendum or the EULSA.
5.4. Interpretation. Any ambiguity in this Addendum shall be resolved to permit the Parties to comply with the Data Protection Legislation.
- The rights and obligations under this Addendum are in addition to, and not instead of, any rights or obligations arising between the parties under any other contract or at common law.
- In the event of a breach or apprehended breach by any person of an obligation of confidentiality which that person owes to any of the Parties hereto in respect of End User Data which that person has or had access to as a consequence of this Addendum, the Party to whom the obligation is owed undertakes to use its best endeavours to enforce the obligation in question.