The following are the data processing terms between SMART-TRIAL ApS (also referred to as “Data Processor”, “Processor, “Company”, “we”, “our”, or “us”) and Data Controller (also referred to as “Controller”). Jointly referred to as Party or Parties in the following.
These terms are interlinked with the Online Service Terms and Conditions and apply to usage of the SMART-TRIAL services and our relationship to Data Controller when using SMART-TRIAL services, unless otherwise agreed in a superseding written Data Processing Agreement.
- PII: Personal Identifiable information
- Personal Data: Data about a Data Subject processed in SMART-TRIAL services
- Data Subject: As defined in the EU GDPR
- Data Controller: SMART-TRIAL Licensee
- Data Processor: SMART-TRIAL ApS
1.1. These terms are designed for the Parties to comply with the Personal Data Regulation 2016/679 of the European Parliament and of the Council of 27. April 2016 on the protection of individuals regarding the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which sets out specific requirements for the content of data processing agreements.
1.2. The Online Service Terms and Conditions and the present Online Data Processing Terms (DPA) are interdependent and cannot be terminated separately.
2.0 PROCESSING OF PERSONAL DATA
2.1. The Processor guarantees that it has implemented and will continue to implement under the term of this DPA appropriate technical and organizational measures in such a manner that its Processing of Personal Data under this DPA will meet the requirements of Applicable Data Protection Law and ensure the protection of the rights of the Data Subject.
2.2. The Processor shall solely be permitted to process personal data on documented instructions from the Controller unless processing is required under EU or national laws to which the Data Processor is subject; in this case, the Data Processor shall inform the Data Controller of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
2.3. The Processor shall immediately inform the Controller if the Processor does not have an instruction for how to process Personal Data in a particular situation or if any instruction provided under this DPA or otherwise infringes Applicable Data Protection Law.
2.4. If Data Subject, competent authorities or any other third parties request information from the Processor regarding the Processing of Personal Data covered by this DPA, the Processor shall refer such request to the Controller. The Processor may not in any way act on behalf of or as a representative of the Controller.
2.5. The Processor may not, without prior instructions from the Controller, transfer of in any other way disclose Personal Data or any other information relating to the Processing of Personal Data to any third party.
3.0 THE ASSISTANCE OF THE DATA PROCESSOR
3.1. The Processor shall, as far as possible, assist the Controller in fulfilling its legal obligations under Applicable Data Protection Law, including but not limited to the Controller’s obligation to respond to requests for exercising the Data Subject’s right to request information (register extracts) and for Personal Data to be corrected, blocked or erased.
3.2. Further the Data Processor shall assist the Controller in fulfilling its legal obligations under Applicable Data Protection Law, including but not limited to the Controller’s obligation to;
(i) implement appropriate technical and organizational measures to ensure a proper level of security,
(ii) report personal data breach to the supervisory authority without undue delay and latest within 72 hours after notification of the breach,
(iii) notify – without undue delay – the people registered about the data breach,
(iv) conduct an impact-assessment report on the data protection if one type of processing is likely to involve a high risk to the freedoms of natural persons,
(v) consult the supervisory authority before processing if the data protection impact assessment rapport shows that the processing will lead to high risk in the lack of measures taken by the Data Controller to limit risk.
4.0 TECHNICAL AND ORGANIZATIONAL SECURITY
4.1. The Data Processor shall implement technical, physical and organizational measures to ensure a high level of security of the Personal Data processing and to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. The Data Processor’s aforementioned security measures shall at all times meet or exceed the (i) requirements of any applicable laws and regulations; and (ii) security measures then prevalent in the Data Controller’s industry to which the processing of Personal Data relates to.
4.2. The Data Processor shall implement at least the following measures:
(i) pseudonymizing and encrypting of the Personal Data,
(ii) ensure at all times the confidentiality, integrity, availability and resilience of systems and services processing Personal Data,
(iii) restore the availability and access to Personal Data in a timely manner in the event of a physical or technical Disaster,
(iv) regularly test, assess and evaluate the effectiveness if technical and organizational measures for ensuring the security of the processing.
4.3. The Data Processor shall ensure that any person acting under the authority of the Data Processor who has access to Personal Data shall not process them except on instructions from the Data Controller, unless he or she is required to do so by Laws.
4.4. The Data Processor shall document the activities taken to ensure it compliance with its obligations under this Section 4 and ensure such activities have been completed before starting to process the Personal Data. This documentation is freely available to the Data Controller for review at any time from the SMART-TRIAL Security & Service Level Statement.
4.5. The Data Controller is responsible for reviewing the information made available by the Data Processor relating to data security and making an independent determination as to whether the services meet the Data Controller’s requirements and legal obligations under data protection laws. The Data Controller acknowledges that the security measures are subject to technical progress and development and that Data Processor may update or modify the documentation from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services purchased by the Data Controller.
4.6. Notwithstanding the above, the Data Controller agrees that except as provided by this DPA, Data Controller is responsible for its secure use of the Data Processor’s services, including securing its account authentication credentials, protecting the security of any customer data when in transit to and from the services and taking any appropriate steps to securely encrypt or backup any data downloaded from the services.
5.1. The Data Processor shall maintain documented processes for selecting, evaluating, qualifying and maintaining used sub-processors and third parties involved in provision of services to Data Processor.
5.2. The Data Controller has specifically approved the utilize of the following Sub-Processors. The Data Processor cannot without prior specific or general written consent of the Data Controller change the task of the Sub-Processor or allow another Sub-Processor to perform the described processing.
|Company registration no.
|Description of Processing
|Dublin, Ireland and Netherlands (secondary backup location)
|Data hosting services. For further information on the usage of Microsoft as a Sub-Processor please review http://www.smart-trial.com/legal/security-service-statement
|SEC CIK #0001447669
|San Francisco, USA
|Used for 2-step-verification login and identity validation of users. Used for delivery of SMS to questionnaire participants in the case that a study sponsor has the consent from participants to collect information through a URL accessed via SMS.
|Company no. 0802653513
|San Francisco, USA
|Used for delivery of e-mail to participants in the case that a study sponsor has the consent from participants to collect questionnaire data through a URL accessed via e-mail. Also used for all other e-mail delivery from SMART-TRIAL to its users.
|Rocket Science Group LLC d/b/a, MailChimp
|Company no. 0028959
|Used to deliver mandatory services update e-mails and other important information to registered SMART-TRIAL users.
|USA and Germany
|Used for business account management, marketing data management, and sales data management. Also used to receive and keep track of all support tickets/requests from SMART-TRIAL users and customers.
5.3. The Data Processor will inform the Data Controller of any planned changes regarding the addition or replacement of sub-processers at least two months before the addition/replacement takes effect. The Data Controller has the opportunity to object to such changes.
5.4. The Data Processor has entered into separate Data Processing Agreements with all of its Sub-Processors. A copy of such a Sub-Processor agreement and subsequent amendments shall – at the Data Controller’s request – be submitted to the Data Controller, thereby giving the Data Controller the opportunity to ensure that the same data protection obligations as set out in the Clauses are imposed on the Sub-Processor. Clauses on business related issues that do not affect the legal data protection content of the Sub-Processor agreement, shall not require submission to the Data Controller.
5.5. Once the Data Processor has approved the above, the Data Processor shall provide the Sub-Processor with the same data protection obligations as those specified in this Data Processing Agreement.
5.6. If the Sub-Processor does not fulfil its obligations, the Data Processor remains fully responsible for the fulfilment of the Sub-Processor's obligations.
5.7. The Data Processor may only transfer personal data to third-party Sub-Processors after documented instructions from the Data Controller, unless otherwise required by EU-law or other national laws to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
6.0 TRANSFER OF DATA TO THIRD COUNTRIES
6.1. Any transfer of Personal Data to third countries by the Data Processor shall only occur on the basis of documented instructions from the Data Controller and shall always take place in compliance with Chapter V of the GDPR.
6.2. In case transfers to third countries, which the Data Processor has not been instructed to perform by the Data Controller, is required under EU or Member State law to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
6.3. Without documented instructions from the Data Controller, the Data Processor therefore cannot within the framework of this Agreement:
a. transfer Personal Data to data sub-processors located in a third country, other than those sub-processors mentioned in this Agreement;
b. transfer the processing of Personal Data to a sub-processor in a third country, other than those sub-processors mentioned in this Agreement;
c. have the Personal Data processed in by the Data Processor in a third country, other than those sub-processors mentioned in this Agreement.
7.0 LOCAL LAWS AFFECTING COMPLIANCE WITH THE DPA
7.1. The parties warrant that they have no reason to believe that the laws in the country of destination applicable to the processing of the Personal Data by the Data Processor, including any requirements to disclose Personal Data or measures authorizing access by public authorities, prevent the Data Processor from fulfilling its obligations under this DPA. This is based on the understanding that laws that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, are not in contradiction with the DPA.
8.1. Data Processor’s employees, collaborators, sub-contractors, and external consultants will be bound by confidentiality in relation to eventual processing of data in relation to the Agreement. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access to Personal Data can be withdrawn if access is no longer necessary, and Personal Data shall consequently not be accessible anymore to those persons. The Data Processor shall at the request of the Data Controller demonstrate that the concerned persons under the Data Processor’s authority are subject to the abovementioned confidentiality.
8.2. The Data Processor and its Sub Data Processors are responsible for informing employees, collaborators, sub-contractors, and external consultants of the confidentiality and subsequent consequences of the breach of confidentiality.
8.3. The Data Processor shall hold all PII confidential and is solely entitled to process PII in relation to fulfilling its obligations to Data Controller.
8.4. The Data Processor is responsible for limiting access to PII to employees so that only individuals with a purpose related to obligations for Data Controller can process PII.
8.5. Data processor’s obligations on secrecy and confidentiality shall also apply upon and after the termination of this agreement
9.1. The Parties shall provide the data subject with a copy of this DPA upon request. To the extent necessary to protect business secrets or other confidential information, the parties may redact the text of the appendices to this Agreement prior to sharing a copy but shall provide a meaningful summary where otherwise the data subject would not be able to understand the content of the appendices. This is notwithstanding the obligations of the Data Controller under Articles 13 and 14 Regulation (EU) 2016/679, in particular to inform the data subject about the transfer of special categories of data.
10.0 PERSONAL DATA BREACH
10.1. In case of a Personal Data Breach involving Personal Data processed on behalf of the Controller, the Processor shall take into account the nature of Processing and the information available to the Processor, and assist the Controller in ensuring compliance with the relevant data regulations without undue delay, but no later than 24 hours after becoming aware of such a Personal Data Breach. The notification shall at least:
(i) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned,
(ii) communicate the name and contact details of the contact point where more information can be obtained, describe the likely consequences of the Personal Data Breach,
(iii) describe the measures taken or proposed to be taken by the Controller to address the Person Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
10.2. Should the Data Controller's security-team need additional logs for investigation of an incident determined to affect the Controllers organization, the Processor's security team will responsibly provide access as needed.
10.3. The Data Processor shall take all the necessary steps to protect the Data after having become aware of the Breach. After having notified the Controller in accordance with the above, the Processor will, in consultation with the Controller, take appropriate measures to secure the Data and limit any possible detriment effect to the Data Subjects. The Processor will cooperate with the Controller, and with any third parties designated by the controller, to respond to the Breach. The objective of the Breach response will be to restore the confidentiality, integrity, and availability of the Services, to establish root causes and remediation steps, preserving evidence and to mitigate any damage cause to Data Subjects or the Controller.
11.1. Each party shall be liable to the other party/ies for any material or non-material damages it causes the other party/ies by any breach of this Agreement. Liability as between the parties is limited to actual damage suffered. Punitive damages are excluded.
11.2. Where more than one party is responsible for any damage caused to the data subject resulting from a breach of this, both parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against either of these parties.
11.3. Data Processor may not invoke the conduct of a Sub-Processor to avoid its own liability.
12.1. Upon termination or expiry of this DPA, the Processor shall cease its processing activities, and, at the choice of the Controller, delete or return all the personal data to the Controller and delete existing copies unless Applicable Data Protection Law or national laws requires storage of the Person Data. In that case, the Data Processor warrants that it will guarantee, to the extent possible, the level of protection required by this Agreement and will only process it to the extent and for as long as required under that Applicable Data Protection Law.
12.2. Both parties shall be entitled to require this Data Processing Agreement renegotiated if changes to the law or inexpediency of this Agreement should give rise to such renegotiation. This DPA shall apply for the duration of the provision of personal data processing services. For the duration of the provision of personal data processing services, the DPA cannot be terminated unless other agreement governing the provision of personal data processing services have been agreed between the parties.
12.3. The Processor shall ensure that any Sub-Processor does the same.
12.4. Upon request by the Controller, the Processor shall provide a written notice of the measures taken regarding the Personal Data upon the completion of the Processing.
13.1. Once a year, Licensee shall have the right to request a copy of an internal audit report from Licensor, in order to verify compliance of the Licensor with the T&C and the technical, service, and security measures described in the SMART-TRIAL Security & Service Level Statement. and SMART-TRIAL’s GCP, FDA 21 CFR Part 11, and HIPAA Compliance Statement.
14.0 GOVERNING LAW AND JURISDICTION
14.1. If one or more provisions of this DPA is declared to be invalid, illegal or unenforceable in any respect under applicable law, the validity, legality or enforceability of the remaining provisions contained therein shall not in any way be affected. In such event, the Parties, meaning the Controller and the Processor, shall use its best effort to immediately and in good faith negotiate a legally valid provision in replacement, without affecting the spirit of this Agreement.
14.2. Danish law governs this DPA. Any dispute regardless of form, arising from the DPA and amendments is to be resolved by City Court of Aalborg, Denmark, in accordance with applicable Danish civil procedure.
APPENDIX A: Information about the processing
From SMART-TRIAL users
- Full name
- Mobile number and country code
- initials (optional)
- Staff ID (optional)
- Organization name (optional)
- Department (optional)
- Timestamps of user login (year-month-date-time-minute-second)
- All interactions that a user executes within SMART-TRIAL and on Data Processor’s server(s), hereunder for example input search words, clicks on links, print outs, copying, etc.
From Data Controller’s costumers/clients/subjects/patients the following information can be collected and managed in SMART-TRIAL for each Data Subject. The details of what to be collected must be determined on a project-to-project basis and be mirrored in the consent collected from each subject/participant – or other agreements that Data Controller makes with its collaborators.
- Full name (optional)
- E-mail (optional)
- Mobile number and country code (optional)
- IP-address (optional)
- initials (optional)
- SubjectID (optional)
- Birth date / Year (optional)
- Gender (optional)
- Address (optional)
- Clinical / healthcare information, such as physiological variables, laboratory results etc. (optional) - shall be defined in data processing consent between Data Controller and Data Subjects