1. Definitions
- “Adequate Country” means a country or territory that is recognised under EU and UK Data Protection Law as providing adequate protection for Personal Data.
- “Agreement” means the agreement between the Customer and Citeline governing the provision of the Licensed Products and Services.
- “Agreement Personal Data” means any Personal Data that is provided or made available by a Party to the other Party under the Agreement in connection with the Licensed Products and Services. Such information pertains to the following categories of Data Subjects:
- The Customer’s employees, contractors and representatives;
- Personal Data made available to the Customer by Citeline through the Licensed Products, which may include Personal Data relating to healthcare professionals;
- Personal Data relating to clinical trial recruits and online community subscribers.
- “Customer Personal Data” means Personal Data that is processed by Citeline on behalf of the Customer under the Agreement in connection with the Licensed Products and Services.
- “Data Protection Law” means all applicable laws governing the handling of Personal Data, including without limitation EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”) (collectively, “EU Data Protection Law”); the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Law”); and the California Consumer Privacy Act (“CCPA”), including as modified by the California Privacy Rights Act.
- “Personal Data”, “Controller”, “Processor”, “Sub-processor”, “Data Subject” and “Supervisory Authority” have the meanings given to them under Data Protection Law.
- “Process”, “Processing” and “Processed” mean any operation or set of operations which is performed on Personal Data or on subsets thereof, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Personal Data Breach” means an unauthorised, accidental or unlawful Processing, access, loss, or disclosure of Personal Data.
- “Purpose” means the provision of Licensed Products and Services by Citeline to the Customer.
- “Restricted Transfer” means a transfer of Agreement Personal Data to a country or territory to which such transfer is prohibited under Data Protection Law or subject to a requirement to take additional steps to adequately protect the Agreement Personal Data for the transfer to be lawful under Data Protection Law.
- “EU Standard Contractual Clauses” means the standard contractual clauses for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and currently located at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.
- “UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” means the Addendum that has been issued by the UK Information Commissioner for Parties making Restricted Transfers, and currently located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
2. Role of the Parties
- Each Party is an independent Controller of the Agreement Personal Data that it processes under the Agreement. Each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under Data Protection Law.
- Citeline shall process Customer Personal Data on behalf of the Customer. The parties agree that Citeline shall be a Processor and the Customer is a Controller of Customer Personal Data.
3. Obligations of the Parties
3.1 Agreement Personal Data
- Each Party will:
- process Agreement Personal Data only as necessary for the Purpose and only provide employees, agents or contractors with access to Agreement Personal Data where it is necessary to provide such access for the Purpose;
- to the extent that the processing of Agreement Personal Data is subject to the CCPA, not: (i) retain, use, or disclose Agreement Personal Data other than as provided for in the Agreement, as needed to provide the Licensed Products and Services, or as otherwise permitted by the CCPA; (ii) combine Agreement Personal Data with personal data relating to other customers or individuals (except as permitted by the CCPA); or (iii) sell Agreement Personal Data;
- process Agreement Personal Data in accordance with its respective obligations under Data Protection Law, including but not limited to the principles of lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and security;
- provide information to Data Subjects as required under Data Protection Law to ensure sufficient transparency of the Processing of Agreement Personal Data;
- implement appropriate technical and organisational measures to protect the Agreement Personal Data from unauthorised, accidental or unlawful access, loss, disclosure or destruction;
- ensure that Agreement Personal Data is accurate and, where necessary, kept up to date;
- retain Agreement Personal Data for no longer than necessary for the purpose(s) for which it is processed;
- provide the other Party with reasonable details of any enquiry, complaint, notice or other communication it receives from any Supervisory Authority relating to its processing of Agreement Personal Data, and act reasonably in co-operating with the other Party in respect of its response to the same;
- act reasonably in providing such information and assistance as the other Party may reasonably request to enable it to comply with its own obligations under Data Protection Law;
- handle the requests it receives from Data Subjects to exercise their rights. With respect to objections or opt-out requests from, or on behalf of, Data Subjects concerning the Processing of Personal Data that is shared between the parties, the parties will collaborate to honour such objections or opt-out requests;
- ensure that any person who is authorised to process Agreement Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty);
- enter into a written agreement with any Data Processor used to process Agreement Personal Data containing data protection obligations that provide at least the same level of protection for Agreement Personal Data as those in these Data Protection terms and in accordance with Data Protection Law. Citeline may disclose Agreement Personal Data for (i) security, fraud detection, fraud modelling and related purposes; and (ii) the provision of website, application, development, cloud hosting, maintenance and other services for Citeline. Citeline will limit the Agreement Personal Data provided to only what is reasonably necessary;
- remain responsible for such Data Processor's compliance with the obligations contained in these Data Protection terms and for any acts or omissions of any such Data Processors that cause the Party to breach any of its obligations under these Data Protection terms;
- notify the other Party without undue delay, but in any event within forty-eight (48) hours of suffering a Personal Data Breach. Both parties shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data Breach. Nothing herein prohibits either Party from providing notification of the Personal Data Breach to regulatory authorities as may be required by Data Protection Law prior to notification of the other Party so long as the notifying Party provides notification to the other Party without undue delay;
- to the extent that Agreement Personal Data relates to individuals in the EEA or the UK, not transfer any personal data received from the other Party outside the EEA/UK unless:
- the transfer is to an Adequate Country;
- there are appropriate safeguards in place pursuant to Article 46 GDPR;
- binding corporate rules are in place; or
- one of the derogations for specific situations in Article 49 GDPR applies to the transfer.
- A Party that has made Agreement Personal Data available to the other Party under the Agreement (“Disclosing Party”) will have the right to: (i) take reasonable and appropriate steps to help ensure that such other Party (“Receiving Party”) uses such Agreement Personal Data in a manner consistent with the Disclosing Party’s obligations under and as required by Data Protection Law; and (ii) upon reasonable prior written notice, take reasonable and appropriate steps to stop and remediate unauthorised use of such Agreement Personal Data under Data Protection Law. The Receiving Party will notify the Disclosing Party if the Receiving Party determines that it can no longer meet its obligations under Data Protection Law.
3.2 Customer Personal Data
- If Citeline Processes any Customer Personal Data in connection with the Agreement, Citeline will:
- only Process the Customer Personal Data on the written instructions of the Customer, including with regard to transfers of personal data to a third country or international organisation, and otherwise as necessary to perform its obligations under the Agreement or as required by any applicable law (provided that Citeline first informs the Customer of that legal requirement before processing unless that law prohibits this on important grounds of public interest);
- ensure that any person who is authorised to process Customer Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty);
- maintain all appropriate technical and organisational measures to ensure security of Customer Personal Data, including protection against unauthorised or unlawful Processing (including, without limitation, unauthorised or unlawful disclosure of, access to and/or alteration of Customer Personal Data) and against accidental loss, destruction or damage, so that the Processing of the Customer Personal Data shall meet the requirements of Data Protection Law and ensure the protection of the rights of Data Subjects. At all times, such measures shall ensure compliance with industry standard security and Data Protection Law;
- taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the Data Subject's personal data; (for the avoidance of doubt, Citeline will only assist and enable the Customer to meet the Customer’s obligations to satisfy Data Subjects' rights, but Citeline will not respond directly to Data Subjects);
- not engage any Sub-processor or transfer and/or disclose any Customer Personal Data to any Sub-processor or third party service provider, without the general written authorisation of the Customer. Citeline will enter into a written agreement with all authorised Sub-processors containing obligations which provide at least the same level of protection as those set out in these Data Protection terms and Citeline shall remain liable to the Customer for the performance of that Sub-processor. Citeline may disclose Customer Personal Data to Sub-processors for (i) security, fraud detection, fraud modelling and related purposes; and (ii) the provision of website, application, development, cloud hosting, maintenance and other services for Citeline, provided that Citeline will limit the Customer Personal Data provided to what is reasonably necessary;
- to the extent applicable, participate in, and provide all reasonable assistance with, a privacy impact assessment, a data protection impact assessment or prior consultation including under Article 35 (Data protection impact assessment) and Article 36 (Prior consultation) of the GDPR in respect of the new type of processing proposed, in accordance with Data Protection Law;
- at the choice of the Customer, delete or return all Customer Personal Data after the end of the provision of services relating to Processing, and delete existing copies unless applicable law requires storage of the personal data;
- make available to the Customer all information necessary to demonstrate compliance with these Data Protection terms and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
- notify Customer without undue delay, but in any event within forty-eight (48) hours of suffering a Personal Data Breach. Citeline shall cooperate with the Customer in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data Breach. Nothing herein prohibits Citeline from providing notification of the Personal Data Breach to regulatory authorities as may be required by Data Protection Law prior to notification of the Customer so long as Citeline provides notification to the Customer without undue delay.
4. International Transfers
4.1 Agreement Personal Data
- To the extent a transfer of Agreement Personal Data between the parties constitutes a Restricted Transfer under EU Data Protection Law, the parties hereby conclude Module 1 of the EU Standard Contractual Clauses, which are incorporated herein by reference and as follows:
- in Clause 7, the optional docking clause applies;
- in Clause 11, the optional language is deleted;
- in Clauses 17 and 18, the governing law and forum for disputes for the Standard Contractual Clauses will be the law of the Netherlands;
- the information contained in the table in Annex 1 of these Data Protection terms shall populate the Appendix to the EU Standard Contractual Clauses accordingly.
- To the extent a transfer of Agreement Personal Data between the parties constitutes a Restricted Transfer under UK Data Protection Law, the parties hereby conclude the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which is incorporated herein by reference and as follows:
- Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of these Data Protection terms and Table 4 will be deemed completed by selecting “neither party”;
- Any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
4.2 Customer Personal Data
- To the extent that Citeline’s processing of Customer Personal Data constitutes a Restricted Transfer under EU Data Protection Law, the parties hereby conclude Module 2 of the EU Standard Contractual Clauses, which are incorporated herein by reference and as follows:
- in Clause 7, the optional docking clause applies;
- in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with Annex 2 of these Data Protection terms;
- in Clause 11, the optional language is deleted;
- in Clauses 17 and 18, the governing law and forum for disputes for the Standard Contractual Clauses will be determined by the Customer;
- the information contained in the table in Annex 1 of these Data Protection terms shall populate the Appendix to the EU Standard Contractual Clauses accordingly.
- To the extent that Citeline’s processing of Customer Personal Data constitutes a Restricted Transfer under UK Data Protection Law, the parties hereby conclude the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which is incorporated herein by reference and as follows:
- Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of these Data Protection terms and Table 4 will be deemed completed by selecting “neither party”;
- Any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
5. Limitation of Liability
To the extent that the Customer has an entitlement under Data Protection Law to claim from Citeline compensation paid by the Customer to a Data Subject as a result of a breach of Data Protection Law to which Citeline contributed, Citeline shall be liable only for such amount as it directly relates to its responsibility for any damage caused to the relevant Data Subject.
Annex 1 Standard Contractual Clauses Information
| Product | Data Exporter | Data Importer | SCCs Module | Categories of data subjects whose personal data is transferred | Categories of personal data transferred | Sensitive data transferred | Frequency of the transfer (one-off or continuous) | Nature of the processing | Purpose(s) of the data transfer and further processing | Retention period, or the criteria used to determine it |
|---|---|---|---|---|---|---|---|---|---|---|
| Subscription | Customer | Citeline | Module 1 | Customer’s employees, contractors and representatives with access to the Licensed Products | Name, business email address, company, job title, notification preferences | N/A | One-off | To provide the services as stated in the Agreement | To provide a login and user account to the Products | For the duration of the Agreement |
| Subscription | Citeline | Customer | Module 1 | Personal data made available to Customer by Citeline through the Licensed Products, such as: investor relations or media contacts; drug company contacts; investigator data; contact information from company websites and direct submissions | Name, business phone number, business email address, job title, contact information | N/A | One-off | To provide the services as stated in the Agreement | Made available to Customer in the Product content | For the duration of the Agreement |
| Disclose (SaaS) | Customer | Citeline | Module 1 | Customer’s employees, contractors and representatives with access to the Products | Name, business email address, company, job title, notification preferences | N/A | One-off | To provide the services as stated in the Agreement | To provide a login and user account to the Products | For the duration of the Agreement |
| Disclose (SaaS) | Customer | Citeline | Module 2 | Names and contact information for investigators and clinical site staff entered into the platform at the discretion of Customer | Name, job title, email address | N/A | One-off | To provide the services as stated in the Agreement | Added at the discretion of the Customer as part of using the Product | For the duration of the Agreement |
| Trialscope Professional Services | Customer | Citeline | Module 2 | Clinical study subjects; investigators and clinical site staff; Customer staff and contractors | Pseudonymised clinical study subject numbers; other study subject Personal Data provided by or on behalf of the Controller to the Processor in the course of the Project; names, job titles and email addresses for investigators, clinical site staff, and Customer staff and contractors | Health data (medical history, disorder and disorder severity, genetic data, data from examinations, data from participation in the Study, etc.) | One-off | To provide the services as stated in the Agreement | Made available to Citeline by Customer during the provision of Trialscope Professional Services | For the duration of the Agreement |
| Citeline Connect | Customer | Citeline | Module 1 | Customer/Customer’s employees, contractors and representatives with access to the Products | Name, business email address, company, job title, notification preferences | N/A | One-off | To provide the services as stated in the Agreement | To provide a login and user account to the Products | For the duration of the Agreement |
| Citeline Connect | Citeline | Customer | Module 1 | Healthcare Professionals | Name, email address, location, phone number, availability/scheduling, genotype (if applicable) and eligibility of patients (anonymised), and desired method of contact | N/A | One-off | To provide the services as stated in the Agreement | Shared with the Customer as part of the HCP Outreach process | For the duration of the Agreement |
| Citeline Connect | Citeline | Customer | Module 1 | Clinical trial recruits and online community subscribers | Name, email address, phone number, date of birth, location, sex, ethnicity, health information | Health information (various health conditions, medication-related information), ethnicity | Continuous | To provide the services as stated in the Agreement | To the extent shared with Customer as part of the clinical trial recruitment and online community processes | For the duration of the Agreement |
| Consultancy Services | Customer | Citeline | Module 1 | Customer’s employees, contractors and representatives | Name, business email address, company, job title | N/A | One-off | To provide the services as stated in the Agreement | | For the duration of the Agreement |
Annex 2 Sub-Processors
Citeline will provide details of transfers to Sub-Processors on request, including subject matter, nature and duration of the Processing.
Version 1: April 2023