GENERAL DATA PROTECTION REGULATION OBLIGATIONS (GDPR)
1. PRIVACY AND DATA SECURITY
1.1 SK biotek Ireland Limited Data
For purposes of this Schedule, “Customer Data” shall mean: (i) any information provided by Customer relating to an identified or identifiable individual, including, but not limited to, social security number or other unique identifier, health or medical information, credit or debit card numbers, bank account numbers or other financial information, driver’s license numbers, and other types of sensitive personal information; (ii) all Customer information defined as “Confidential” under the Agreement; and (iii) any structured or unstructured information (including, without limitation, text, images, data files, and software) provided by Customer for capture, storage, analysis, processing, extraction, retrieval, management, and/or distribution, including any information that can be generated or derived from such information provided by Customer. For the avoidance of doubt, information related to Customer’s customers, vendors, employees or other third parties provided by Customer to Contractor and described in sections (i) through (iii) above, shall also be considered Customer Data for purposes of this Schedule.
1.2 Control of Customer Data
Customer Data shall be and remain under the ownership and control of Customer for purposes of all applicable laws, including, but not limited to, data privacy, trans-border data transfer, intellectual property and export control laws, rules and regulations (“Data Protection Laws”). Contractor shall only process Customer Data on documented instructions from Customer and in accordance with the specified duration, purpose, type and categories of data and data subjects as set out in the Agreement. Upon Customer’s request, Contractor shall promptly retrieve and deliver to Customer a copy of all Customer Data, or such portions as may be specified by Customer, under Contractor’s control or in its possession, in an industry-standard format and on the media reasonably requested by Customer. At any time, Customer may request, in writing, that Contractor destroy or erase all copies of Customer Data under Contractor’s control or in its possession, and Contractor shall comply with all such requests and certify the same in writing. Under no circumstances shall Contractor withhold any Customer Data and Contractor shall not (and shall not permit any third party to) possess or assert any lien, encumbrance or other interest against or to any Customer Data.
1.3 Privacy Requirements
Contractor will: (i) not collect, use or disclose any Customer Data except solely as necessary to carry out its obligations under the Agreement and this Schedule; (ii) hold all Customer Data in trust and confidence and not disclose such information to any third party, or use (directly or indirectly) any Customer Data for its own benefit or the benefit of others, unless authorized by the Agreement or this Schedule; and (iii) only disclose Customer Data to its employees on a “need to know” basis for the sole purpose of complying with Contractor’s obligations under the Agreement and this Schedule. Contractor shall ensure the reliability of any employee who may have access to the Customer Data to comply with Contractor’s obligations under the Agreement and this Schedule, and that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality no less onerous than those contained in the Agreement and this Schedule.
1.4 Security Requirements
Contractor shall have a written comprehensive security program that protects Customer Data and includes industry-standard best practices in administrative, technical, procedural and physical controls, policies, procedures and systems necessary to protect all Customer Data from threats or hazards: (i) to the privacy, confidentiality or integrity of the information; (ii) from unauthorized or unauthenticated access to the information; (iii) from unauthorized disclosure, destruction, loss or alteration; and (iv) from viruses, worms and other malicious code. Contractor shall not (and shall not permit any third party to) use any open source software in a manner that subjects Customer Data to terms which are inconsistent with or additional to the terms stated in the Agreement or this Schedule. Contractor agrees to encrypt any electronic transmission and storage of Customer Data and any backup data stored as part of a resumption plan. Any dedicated electronic connection (such as a business-to-business (B2B) connection) between Customer and Contractor must be reviewed and approved in writing by the Customer.
1.5 Access and Rectification
Contractor shall reasonably cooperate with Customer to provide individuals with the ability to effectively exercise any right to access and correct, amend or delete any personal information about the individual maintained by Contractor.
1.6 Security Vulnerabilities
Contractor shall disclose to Customer in a timely manner, and without unreasonable delay, any known security vulnerability within any system component (or its configuration) provided by or supported by Contractor under the Agreement. Customer may, upon learning of a security vulnerability, (i) request that Contractor resolve the vulnerability promptly, at Contractor’s expense, in a manner acceptable to Customer, or (ii) terminate the Agreement for cause.
1.7 Business Resumption Plan
Contractor will develop and maintain a business resumption plan that ensures business continuity of Customer’s mission critical and business critical systems and processes and protection of Customer Data. At least annually, Contractor will submit to Customer any updates to its resumption plan, including results of annual tests certifying that its business processes adequately comply with the resumption plan.
1.8 Security Breach Notification
Contractor shall, at its expense: (i) immediately notify Customer of any actual or suspected impact to the confidentiality, integrity or availability of any Customer Data, any actual or attempted unauthorized access to Contractor’s facilities, systems or network, or any vulnerability related to Contractor’s systems or their configuration (each considered a “Security Breach”); (ii) investigate such Security Breach immediately; (iii) promptly furnish to Customer full details of the Security Breach and assist Customer with its own investigation; (iv) take steps to mitigate the effects and minimize the damage resulting from the Security Breach; and (v) make necessary changes to minimize the likelihood that such a Security Breach will reoccur. Contractor will pay for or reimburse Customer for all reasonable costs, losses, expenses and penalties related to a Security Breach, including without limitation, Customer’s costs of providing notices and credit monitoring. Notification of a Security Breach must be immediately made to the Customer.
2. COMPLIANCE WITH LAWS
2.1 Compliance with Laws
Contractor represents and warrants that its collection, use and disclosure of Customer Data is, and will at all times, be conducted in full compliance with the Agreement and this Schedule, Contractor’s privacy and security policies and all Data Protection Laws. Contractor further represents and warrants that it shall not cause Customer to be in violation of any applicable laws, rules or regulations. Contractor shall cooperate with Customer to the extent required to enable Customer to discharge its responsibilities under Data Protection Laws. Contractor shall provide Customer with such assistance as Customer requires in relation to the security of processing and preparation of data privacy impact assessments. Contractor shall immediately notify Customer if, in the Contractor’s opinion, any instruction or direction from Customer infringes Data Protection Laws.
2.2 Trans-border Data Transfer
Unless specifically required under the terms of the Agreement or as specifically authorised by Customer in writing, neither Contractor, nor any parties acting on Contractor’s behalf, will transfer Customer Data outside of the country of origin. Any trans-border data transfers approved by Customer will incorporate the EU Standard Contractual Clauses attached hereto as Schedule A and Contractor agrees to comply with all obligations imposed on a “data importer” set out in such clauses.
Contractor agrees to defend, indemnify, and hold harmless Customer from and against any and all liabilities, obligations, claims, damages, fines, penalties, assessments, costs and expenses (including court costs, reasonable costs of investigation and reasonable attorneys’ fees and expenses) incurred by Customer arising out of or in connection with Contractor’s performance or non-performance under this Schedule. This indemnity shall not be subject to any disclaimer or limitation of liability set forth in the Agreement.
4. USE OF THIRD PARTIES
Contractor will not disclose Customer Data to any third parties without Customer’s prior written authorization. To the extent permitted by Customer, if Contractor discloses Customer Data to any third party, Contractor will enter into a written agreement with such third party containing confidentiality, privacy and data security provisions no less stringent than those contained in the Agreement and this Schedule. Contractor will remain liable for the actions or omissions of any third parties to the same extent as if such obligations were performed by Contractor.
5. AUDIT RIGHTS
Contractor shall, upon request of Customer, participate in a security due diligence audit with the Customer to assess the adequacy of Contractor’s privacy and security controls used to provide the services under the Agreement. Contractor agrees to provide Customer with all information necessary to demonstrate compliance with the Agreement and this Schedule, including, but not limited to, security vulnerability scans and compliance checklists, network connections, network diagrams, data flows, data elements, and protocols between Customer systems and facilities and Contractor’s systems and facilities. Contractor agrees to allow Customer or its auditors to perform physical facility audits upon reasonable advanced notice to Contractor. Contractor agrees to provide documentation regarding any relevant third party audits performed on Contractor’s facilities or systems, including an annual SSAE 16 (or equivalent) attestation report. Contractor shall also cause its subcontractors performing services under the Agreement to submit to an equivalent attestation report. Contractor agrees to correct any security deficiencies or vulnerabilities affecting Customer Data revealed by these audits, at its own expense, within a timeframe reasonably requested by Customer.
6. REGULATORY INVESTIGATIONS
Contractor and Customer shall cooperate in any regulatory investigation or in any internal investigation by either party arising from the Schedule. In addition, both parties shall cooperate in responding to any inquiry by an individual relating to the individual’s personal information. Contractor shall promptly notify Customer if Contractor receives a request from such an individual and ensure that the Contractor does not, unless required by Data Protection Laws, respond to that request except on the documented instructions of Customer.
7. RETENTION AND DESTRUCTION OF CUSTOMER DATA
Contractor shall retain Customer Data only for the period necessary to complete the purposes for which the Customer Data was provided to Contractor. Upon the expiration or termination of the Agreement, Contractor will cease processing and will, upon the direction of Customer, either permanently destroy all copies of Customer Data according to Customer specifications or return the Customer Data to Customer.
In order to assist Customer with its electronic discovery obligations, as they may arise in pending or threatened litigation, Contractor agrees to: (i) provide Customer with documentation of Contractor’s system architecture, operating policies, backups, data deletion practices, and other relevant information sufficient to enable Customer to accurately represent what Contractor can and cannot produce for discovery purposes; (ii) provide search capability to assist in identifying potentially relevant data maintained by Contractor; (iii) produce potentially relevant data in both native and human-readable format, including any metadata, upon written notice and in the timeframe requested by Customer; and (iv) preserve potentially relevant data in its native format, including any metadata, upon receiving written notice and as instructed by Customer, until such time as the suspension is released in writing by Customer.