Introduction – Information about Data Protection
DATA PROTECTION & PRIVACY OBLIGATIONS
Service Provider agrees that it shall comply with the following provisions with respect to all BSC Information Assets accessed, collected, used, transmitted or maintained for Boston Scientific Corporation and/or its Affiliates (“Client”, “Customer”, “BSC” or “Boston Scientific”). This Appendix stipulates privacy, confidentiality, and security requirements and demonstrates compliance with applicable privacy, security and data protection Laws.
The following provisions shall apply to the extent applicable to the Services being performed under the Agreement:
1. Definitions
1.1 “Affiliate” means any Person that controls, is controlled by, or is under common control with, a party. For purposes of this definition, “control(s)” (with correlative meanings for the terms “controlled” and “under common control with”) means the direct or indirect ownership of more than fifty percent (50%) of the shares or interests which are entitled to vote for the directors of the controlled Person, or otherwise having the actual ability to direct and control the management of the controlled Person, but only for as long as such control exists or is retained.
1.2 “BSC Information Assets” means information or data, wherever created or located, which is collected, generated, licensed, leased, or purchased by or on behalf of Client, or otherwise under the control or responsibility of Client, and includes Personal Information, Intellectual Property, and Financial Records.
1.3 “Financial Records” means all records relating to the finances of Client, including: stock and debt instruments; accounts and records showing the receipt, management, and disbursement of funds; accounts payable and accounts receivable information; purchase and travel card information; travel and expense information; credit card and merchant account information; and minutes of meetings in which financial decisions are made.
1.4 “Intellectual Property” means information or Client property in the form of patents, trademarks, service marks, trade names, trade secrets, and copyrights. This definition incorporates technology, designs, processes, machines, manufacture, composition of matter, know-how, computer programs, product designs, market and business plans, all registered and unregistered designs, copyrightable works (including rights in software, firmware, and hardware), design rights, database rights, domain names, rights in Confidential Information (defined in the main body of the Agreement) and all similar property rights anywhere in the world, in each case whether registered or not, and including any application for registration of the foregoing.
1.5 “Law(s)” is defined in the main body of the Agreement.
1.6 “Personal Information” means information or data (regardless of format) that (i) identifies or can be used to identify, contact or locate an individual, or (ii) relates to an individual whose identity can be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of the citizenship, age, or other status of the individual.
1.7 “Processing” or “Process” means any operation or set of operations which is performed upon BSC Information Assets, whether or not by automatic means, such as access, collection, compilation, use, disclosure, duplication, organization, storage, alteration, transmission, combination, redaction, erasure, or destruction.
1.8 “Sensitive Personal Information” is a subset of Personal Information which, due to its nature, has been classified by Law or by Client policy as deserving additional privacy and security protections. Sensitive Personal Information consists of: (i) all government-issued identification numbers (including social security, passport, national ID and driver’s license numbers); (ii) all financial account numbers (including payment or credit card numbers and bank account numbers); (iii) individually identifiable health information; (iv) biometric information; (v) all data obtained from a consumer reporting agency (such as employee background investigation reports, credit reports, and credit scores); and (vi) data elements revealing race, ethnicity, national origin, religion, trade union membership, sex life or sexual orientation, and criminal records or allegations of crimes.
1.9 “Services” is defined in the main body of the Agreement.
2. Privacy, Compliance & Notifications
2.1 Service Provider shall Process BSC Information Assets only as authorized and as necessary to perform the Services. Client will be and remain the owner and controller of the BSC Information Assets for purposes of all applicable privacy Laws, with rights under such Laws to determine the purposes for which the BSC Information Assets are Processed. Nothing in this Appendix will restrict or limit in any way Client’s rights or obligations as owner and/or controller of the BSC Information Assets for such purposes. As such, Client is directing Service Provider to Process the BSC Information Assets in accordance with the terms of this Appendix. The parties acknowledge and agree that Service Provider may have certain responsibilities prescribed as of the effective date of the Agreement by applicable privacy Laws as a processor of Personal Information, and Service Provider hereby acknowledges its obligation to comply with such responsibilities to the extent required under such Laws.
2.2 Service Provider shall ensure that its personnel engaged in the Processing of Personal Information are informed of the confidential nature of the Personal Information, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Service Provider shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Service Provider shall ensure that its access to Client’s Personal Information is limited to those personnel performing Services in accordance with the Agreement.
2.3 Service Provider shall immediately inform Client in writing: (i) if it cannot comply with any material term of this Appendix, in which case Service Provider shall use reasonable efforts to remedy the non-compliance, and Client shall be entitled to terminate any further Processing of BSC Information Assets by Service Provider, in accordance with the provisions contained in the Agreement, and may qualify for a refund if provided for in the Agreement; (ii) of any request relating to Personal Information received from an individual (“Data Subject”) seeking to exercise a right of access, a right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, the right to object to the Processing, or the right not to be subject to automated individual decision-making (“Data Subject Request”); Service Provider shall assist Client by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Client’s obligation to respond to a Data Subject Request under applicable Law; (iii) of any request for access to any BSC Information Assets received by Service Provider from any government official (including any data protection agency or law enforcement agency); (iv) of any other request with respect to BSC Information Assets received from Client’s employees or other third parties, other than those set forth in the Agreement; Service Provider shall not respond to any such request unless explicitly authorized by Client, or unless the response is legally required under a subpoena or similar legal document issued by a government agency that compels disclosure by Service Provider; and (v) upon becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to BSC Information Assets, including Personal Information, transmitted, stored or otherwise Processed by Service Provider or its Sub-processors.
2.4 If the Services involve the collection of BSC Information Assets by Service Provider directly from anyone other than Client (e.g., individuals or customers of Client), Service Provider will provide such individuals with a clear and conspicuous privacy notice describing Service Provider’s privacy and data protection obligations with respect to such collection. The notice must be consistent with Service Provider’s obligations under this Appendix, and must be approved by Client in writing.
3. Cross Border Transfer and Processing
3.1 Service Provider shall not transfer Personal Information across any national borders or permit remote access to the Personal Information from any employee, Affiliate, contractor, or other third party outside of the country in which the Personal Information is located unless expressly permitted by the terms of the Agreement, and only if accomplished in accordance with the terms of this Appendix.
3.2 Where Personal Information located within the European Union will be transferred to, or accessed by, Service Provider in a country outside the European Union that does not have a “finding of adequacy” by the European Commission, the transfer and Processing shall be done in accordance with Chapter V (Articles 44-50) of EU Regulation 2016/679, the General Data Protection Regulation (“GDPR”). In order to achieve this, the Parties will rely on the EU-US Privacy Shield certification for transfers to the United States (“Privacy Shield”), or on the Standard Contractual Clauses (the “Data Processor Agreement”) for the transfer of such Personal Information from Client (as the data controller) to Service Provider (as the data processor), unless the parties otherwise agree in writing. Where the parties intend to rely on the Privacy Shield, Service Provider hereby certifies its compliance and good standing under the Privacy Shield and shall maintain its certification during the term of the Agreement. Otherwise, simultaneously with the execution of the Agreement, the parties shall execute the Data Processor Agreement, with Service Provider acting in its capacity as data importer, and Client or the appropriate data controller acting in the capacity of data exporter. Note that the Privacy Shield framework was invalidated by the Court of Justice of the European Union in Schrems II (Case C-311/18, 16 July 2020) and can no longer be relied on for transfers to the United States; such transfers now require the Standard Contractual Clauses (as updated by Commission Implementing Decision (EU) 2021/914, together with a transfer impact assessment) or, for importers certified under it, the EU-US Data Privacy Framework adequacy decision of 10 July 2023.
3.3 Service Provider shall cooperate with Client and with Client’s authorized representatives in responding to inquiries, claims and complaints regarding the Processing of the Personal Information.
3.4 Service Provider shall notify Client promptly of any request, complaint, claim, or other communication received by Service Provider or any Subcontractor from a Data Subject or a Supervisory Authority (as defined below) relating in whole or in part to the Services (each, a “Data Protection Communication”), and shall promptly provide assistance as requested by Client in connection with any Data Protection Communication. “Supervisory Authority” means a body with regulatory powers applicable to Client.
3.5 Client undertakes for itself and on behalf of each Client Affiliate to respond to any Data Protection Communication that is notified to Client under the preceding paragraph, including, but not limited to, a request from a Data Subject for a copy of the documentation specified in the Data Processor Agreement.
3.6 If any country outside of the European Union where Services are to be rendered has enacted, or enacts in the future, a data protection-related Law that Client concludes, in its sole judgment, requires the execution of a supplemental agreement similar to the Data Processor Agreement, then upon Client’s request Service Provider shall promptly execute, and cause its Subcontractors to execute, such supplemental agreement; provided, however, that the parties shall make reasonable efforts to leverage the already executed Data Processor Agreement(s) (if feasible) to fulfill any such requirement, so as to minimize the cost and effort involved in achieving compliance with such requirement.
4. Protected Health Information
If the Services require Service Provider to Process individually identifiable health information (“Protected Health Information” or “PHI”) concerning individuals from the United States, Service Provider shall be deemed “a Business Associate” of the Client, and shall be subject to the same restrictions and conditions that apply to Client with respect to such PHI, as codified in the Health Insurance Portability and Accountability Act, as modified and amended by the Health Information Technology for Economic and Clinical Health Act. At Client’s request, Service Provider will execute, and cause any Subcontractor to execute, Client’s standard form of Business Associate Agreement.
5. Privacy Questionnaire; Compliance with Applicable Law
5.1 Upon request, Service Provider shall provide Client with information about Service Provider’s data privacy program, including complete, accurate and timely responses to Client’s privacy questionnaire. No more often than once during each 12-month period, Client may submit Client’s standard privacy questionnaire to Service Provider, and Service Provider shall issue its response promptly and at no additional cost to Client.
5.2 Service Provider shall stay informed of the legal and regulatory requirements for its Processing of BSC Information Assets. Service Provider’s Processing shall comply with all Laws applicable to such Processing, in all relevant jurisdictions, including directives and codes, as well as Service Provider’s own privacy and security notices and policies.
6. Information Security Obligations
6.1 Service Provider shall have implemented and documented reasonable and appropriate administrative, technical, and physical safeguards to protect BSC Information Assets against loss and against accidental, unlawful and unauthorized destruction, alteration, use, disclosure or access. Service Provider shall monitor access to, use of and disclosure of BSC Information Assets, whether in physical or electronic form. Service Provider will regularly test and monitor the effectiveness of its safeguards, controls, systems and procedures. Service Provider will periodically identify reasonably foreseeable internal and external risks to the security, confidentiality, integrity, and availability of the BSC Information Assets, and ensure that these risks are addressed. Service Provider shall use secure user identification and authentication protocols, including, but not limited to, unique user identification, appropriate access controls, and strict measures to protect identification and authentication processes. At appropriate intervals, or as otherwise requested by Client, Service Provider will provide a copy of its written information security policies and procedures to Client.
6.2 Prior to allowing any Subcontractor, employee or independent contractor to Process any BSC Information Assets, Service Provider shall (i) conduct an appropriate background investigation of the individual (and receive an acceptable response), unless such investigation is prohibited by Law; (ii) ensure the individual understands and abides by Service Provider’s duty to keep BSC Information Assets confidential; and (iii) provide the individual with appropriate privacy and security training. Service Provider will also monitor its Subcontractors, employees and independent contractors for compliance with the security program requirements. Service Provider shall make available to Client the current list of Sub-processors for the Services covered by the Agreement, and each such Sub-processor shall be included as a “Subcontractor” as such term is used in the main body of the Agreement. Such Sub-processor lists shall include the identities of those Sub-processors and their country of location. Service Provider may provide Client with a mechanism to subscribe to notifications of new Sub-processors for each applicable Service, to which Client shall subscribe; if Client subscribes, Service Provider shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Information in connection with the provision of the applicable Services, and in line with Section 3.1 of this Appendix. Client may object to Service Provider’s use of a new Sub-processor by promptly notifying Service Provider through the mechanism set up by Service Provider for that purpose.
6.3 If the Processing involves the transmission of Personal Information, Service Provider shall have implemented appropriate supplementary measures to protect the Personal Information against the specific risks presented by the Processing. If Personal Information is stored on systems with connections to wireless or public networks, Service Provider shall encrypt all Personal Information stored on such systems. Sensitive Personal Information shall be encrypted whenever it is transmitted or stored.
6.4 Sensitive Personal Information may not be stored on any portable or mobile devices or media (e.g., laptop computers, tablets, removable hard disks, USB or flash drives, personal digital assistants (PDAs) or mobile phones, DVDs, CDs or computer tapes) unless the Sensitive Personal Information is encrypted.
6.5 Upon request, Service Provider shall provide Client with information about Service Provider’s security program, including complete, accurate and timely responses to Client’s security questionnaire. No more often than once during each 12-month period, Client may submit Client’s standard security questionnaire to Service Provider, and Service Provider shall issue its response promptly and at no additional cost to Client.
6.6 Upon request and with a minimum of 21 days’ notice, Service Provider shall submit its data processing facilities and practices for audit, which shall be carried out by Client (or by an independent third party agreed to by Service Provider and Client). Service Provider shall fully cooperate with any such audit at no additional cost to Client. In the event that any such audit reveals material gaps or weaknesses in Service Provider’s security program, Service Provider shall have 90 days (unless Service Provider and Client agree to a different timeline) to remediate those gaps and weaknesses to Client’s satisfaction. If the gaps or weaknesses remain unremediated after that period, Client shall be entitled to suspend transmission of BSC Information Assets to Service Provider and to terminate Service Provider’s Processing of BSC Information Assets until such issues are resolved. Any such termination shall be done in accordance with the provisions set forth in the Agreement and, in addition to Client’s other rights and remedies, shall result in the issuance of a refund for unaccrued prepaid fees.
6.7 Service Provider will promptly and thoroughly investigate all allegations, suspicions, and potential and actual discoveries of loss or of accidental, unlawful or unauthorized destruction, alteration, use, disclosure of, or access to BSC Information Assets. Service Provider will notify Client immediately upon discovery of any such unauthorized access, use or disclosure, and before any notification to any government official (including any data protection agency or law enforcement agency). Service Provider shall bear all costs associated with investigating, remediating and resolving such a breach, to the extent not caused by Client’s act or omission.
6.8 When the Service Provider ceases to perform Services for Client, Service Provider will either: (i) return BSC Information Assets (and all media containing copies of the BSC Information Assets) to Client; or (ii) purge, delete and destroy the BSC Information Assets. Electronic media containing BSC Information Assets will be disposed of in a manner that renders the BSC Information Assets unrecoverable. Upon request, Service Provider will provide Client with an Officer’s Certificate to certify its compliance with this provision.
7. Use and Disclosure Limitations
7.1 BSC Information Assets are the Confidential Information of Client, and shall be treated in accordance with the terms set forth in the Agreement.
7.2 Service Provider shall not disclose, transmit, or otherwise make BSC Information Assets available to other third parties (including subcontractors) unless such Processing is required to perform the Services or has been explicitly authorized by Client in writing. Any party performing Processing on behalf of Service Provider shall be a “Subcontractor” (as such term is defined in the Agreement) for purposes of the Agreement. Service Provider will ensure that any rights Client may exercise under this Appendix in relation to Service Provider may also be exercised by Client in relation to any such Subcontractor with respect to the obligations set forth in this Appendix.
DETAILS OF PROCESSING OF COMPANY PERSONAL DATA
This appendix includes certain details of the Processing of Company Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Company Personal Data
The subject matter and duration of the Processing of the Company Personal Data are set out in the Agreement and this appendix.
The nature and purpose of the Processing of Company Personal Data
[Include description here]
The types of Company Personal Data to be Processed
[Include list of data types here]
The categories of Data Subject to whom the Company Personal Data relates
[Include categories of data subjects here]
The obligations and rights of Boston Scientific and Boston Scientific Affiliates
The obligations and rights of Boston Scientific and Boston Scientific Affiliates are set out in the Agreement and this appendix.