
ONLINE PERSONAL DATA PROCESSOR AGREEMENT - UK

In order for Swedish Orphan Biovitrum AB (“Sobi”) to be able to provide the EDUPK tool to physicians, Sobi will have to process patient Personal Data that you provide Sobi with. You are Controller of the patient Personal Data provided to Sobi. European data protection legislation requires a contract be entered into between you (the Controller) and Sobi (the Data Processor).

This online Data Processor Agreement (DPA) governs the processing of patient Personal Data you provide to Swedish Orphan Biovitrum AB, necessary to use the EDUPK tool.
Prior to accessing the tool, we ask you to read this Agreement carefully. By clicking “I Agree” below you agree to the terms of this Agreement. If you have any questions regarding this Agreement, please contact Sobi using the email address [email protected]

1. Contact persons

Sobi’s contact for matters relating to Processing of Personal Data is Sobi’s Group Data Protection Officer, who shall be contacted on the following email address: [email protected]

2. Definitions

Definitions and terms (whether capitalized or not) used in this Agreement which are not otherwise defined herein shall have the same meaning as in the GDPR.

“Applicable Law” means all international, national, federal, state, provincial and local laws, statutes, codes, rules, regulations, ordinances, orders, decrees or other pronouncements of any governmental, administrative or judicial authority having the effect of law. As used herein, Applicable Law specifically includes GDPR and other EU data protection laws and, to the extent applicable, the data protection or privacy laws of any other country (“Data Protection Laws”).

“EEA” means the European Economic Area.

“GDPR” means the EU General Data Protection Regulation 2016/679.

"Standard Contractual Clauses" means the standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism set forth in GDPR and then adopted by the Commission.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Subprocessor” means any person (including any third party and any Processor Affiliate) appointed by or on behalf of Processor to Process Personal Data on behalf of Sobi or any of Sobi’s affiliates in connection with the Main Agreement.

3. Processing of personal data

You are the Controller of patient Personal Data, provided directly or indirectly to Sobi, and which is Processed by Sobi when providing the EDUPK tool.

Sobi shall be regarded as the Personal Data Processor. In its capacity as Personal Data Processor, Processor shall process all Personal Data on behalf of Controller in accordance with this Agreement, GDPR and other Applicable Laws.

The Personal Data processed under this Agreement will comprise the Personal Data necessary to be Processed in order to make the EDUPK tool available to you.

Sobi shall not be entitled to take measures in respect of Personal Data received from Controller for purposes other than to make the EDUPK tool available to you, unless Processing is required by Applicable Laws to which Processor is subject.

Sobi will allow for Personal Data to be transferred outside of the EU/EEA by way of you accessing the tool from outside of the EU/EEA. Controller confirms that consent has been obtained for such transfer.

4. Processor Personnel

Sobi shall take reasonable steps to ensure the reliability of any employee, agent or contractor (“Personnel”) of Sobi who may have access to the Personal Data Processed under this Agreement, ensuring in each case that access is strictly limited to Personnel who need to know or access the relevant Personal Data, as strictly necessary for the purposes of providing the EDUPK tool, and to comply with Applicable Laws in the context of that individual's duties to the Processor.

Sobi shall ensure that all its Personnel are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security of personal data

Considering the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk. Sobi will apply the following technical and organizational security measures to protect and safeguard the confidentiality, integrity, correctness and access to Personal Data:

Access Control and Access Authorization Control

Use of systems to Process Personal Data which facilitate and allow access control, including controls that ensure that access to systems on which Personal Data is processed is only possible after the authorised person has been identified and successfully authenticated (e.g. with a user name and password). Access is denied in the case of lack of authorization.

Ongoing availability, resilience and security of systems and services

Use of systems that allow for discovery, recovery, prevention and reporting of personal data incidents, including availability control.

Ensure the ongoing resilience of systems and services through e.g. vulnerability monitoring and testing, anti-virus and malicious code and security event monitoring.

Ensure possibility of restoring availability and access to Personal Data in the event of a technical or physical incident.

Ensure sufficient availability and security control, e.g. protection against fire and measures in case of power outages, including backup and offsite storage, as well as physical controls that protect against the physical penetration of unauthorised people.

Integrity of Personal Data

Procedures are in place to mitigate risks that the Personal Data stored, received, controlled or otherwise processed is not compromised and remains intact. Inspections are, or can be, carried out in order to validate the integrity of the Personal Data.

Encryption

Adequate levels of encryption of information, in transit and/or at rest, as applicable and appropriate considering the categories and nature of Personal Data. All Personal Data is encrypted on any server that is removed from the premises for backup or off-site storage (where applicable) or device that can be used to access systems containing Personal Data.

Pseudonymization of Personal Data

Personal Data made available to Processor by Controller must be in pseudonymised form. Personal Data in EDUPK will remain pseudonymised until deletion.

Regular evaluation of systems and procedures

Continuous evaluation of the effectiveness of implemented technical and organisational measures, including documented operational procedures and may include internal security audits, and ensuring that the measures are kept up to date considering the state of the art, the nature of processing of Personal Data under this Agreement and requirements under Applicable Law.
Ensure by regular evaluation that only the minimum amount of Personal Data required to perform the Services is processed.

Storage limitation

Personal Data will only be stored in the EDUPK tool during an active session. Once a session is terminated Personal Data used during the session will be deleted.

6. Personal data breach

In the event of any Personal Data Breach affecting Personal Data being Processed pursuant to this Agreement, Sobi shall promptly, without undue delay but no later than one business day, notify Controller in writing with further information about the breach provided in phases as more details become available. Sobi shall provide Controller with sufficient information to allow Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Applicable Laws.

7. Subprocessing

With respect to each Subprocessor, Sobi shall:
ensure that the arrangement between on the one hand (a) Processor, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this Agreement;
if that arrangement involves a transfer to a third country, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between on the one hand (a) Processor, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor; and
provide to Controller for review such copies of Sobi’s agreements with Subprocessors (which, for the avoidance of doubt, may be redacted to remove confidential commercial information not relevant to the requirements of this Agreement) as Controller may request from time to time.
Sobi shall be fully responsible to ensure that any Subprocessor performs its obligations of Processing of Personal Data in accordance with this Agreement and Applicable Law, as if it were party to this Agreement in place of Processor.

8. Indemnity

Each Party shall indemnify the other Party for any damage or loss arising as a result of Processing of Personal Data in contravention or violation of this Agreement and Data Protection Laws.

9. Termination and deletion or return of personal data

Without delay after Sobi’s cessation of Processing of Personal Data on behalf of Controller (“Cessation Date”), Sobi shall destroy all Personal Data connected to the Agreement.
Sobi may retain Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Sobi shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.

10. Governing law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of Sweden without regard to its principles of conflict of laws.

Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce. The proceedings shall take place in Stockholm, Sweden, and be conducted in the English language.
The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the prior consent of the other Party.
