In the course of processing Buyer Personal Data (defined below) in connection with the Underlying Agreement, PoolText and Buyer agree to comply with this Addendum, each acting reasonably and in good faith.
This Addendum has been drafted taking into account the nature of the Personal Data actually Processed including the state of the art, the costs of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons to whom the Personal Data relates.
The following capitalized terms used in this Addendum shall have the meanings given to them below:
“App” means PoolText’s mobile application provided by PoolText for use with the Products.
“appropriate technical and organizational measures,” “Commission,” “Controller,” “Data Protection Impact Assessment,” “Data Subject,” “Member State,” “Processor,” “Processing,” “Personal Data,” “Personal Data Breach” and “Supervisory Authority,” have the meaning given to them by GDPR, and their cognate terms shall be construed accordingly.
“Data Protection Laws” means: (a) EU Directive 95/46/EC, together with any national implementing laws in any Member State of the European Union and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; and (b) any equivalent legislation, or legislation dealing with the same subject matter, anywhere in the world; each only as and to the extent as applicable to either party and each as amended, repealed, consolidated or replaced from time to time.
“EEA” means European Economic Area.
“GDPR” means EU General Data Protection Regulation 2016/679.
“Buyer Personal Data” means, only to the extent it is Personal Data under applicable Data Protection Laws, Buyer Data processed by PoolText in connection with the Underlying Agreement.
“Privacy Shield Principles” means the data protection principles established under the EU-US Privacy Shield Framework, as administered by the US Department of Commerce, accessible at https://www.privacyshield.gov/article?id=Requirements-of-Participation.
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC pursuant to the European Commission Decision of 5 February 2010. A copy of the Standard Contractual Clauses shall be attached hereto upon request.
“Sub-processor” means any Processor (including vendors, subcontractors, hosting service providers) engaged by PoolText to Process Buyer Personal Data in accordance with and as permitted by the Underlying Agreement.
The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
Buyer acknowledges that PoolText is reliant on Buyer for direction as to the extent to which PoolText is entitled to use and process Buyer Personal Data. Consequently, PoolText will not be liable for any claim brought by a user or any other third party arising from any action or omission by PoolText, to the extent that such action or omission resulted directly from Buyer’s instructions, or from Buyer’s request to process categories of Buyer Personal Data outside of those categories identified below.
This provision includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR, as set forth below:
Subject matter and duration of the Processing of Buyer Personal Data
The subject matter and duration of the Processing of the Buyer Personal Data are set out in the Underlying Agreement and this Addendum.
The nature and purpose of the Processing of Buyer Personal Data
The nature and purpose of the Processing of the Buyer Personal Data are set out in the Underlying Agreement and this Addendum, and include the provision of the Products, Software, Firmware and App by PoolText (and its Sub-processors) pursuant to the Underlying Agreement.
The types of Buyer Personal Data to be Processed
The types of Buyer Personal Data to be Processed may include:
No other Buyer Personal Data will be provided to PoolText without PoolText’s express written consent. Specifically, and without limitation, Buyer will not provide any patient names or other personally identifiable information related to any such patients. Buyer is responsible and liable for any breach of the Data Protection Laws resulting from Buyer providing additional Buyer Personal Data without PoolText’s express written consent, and any damages for the same.
The categories of Data Subjects to whom the Buyer Personal Data relates
Buyer may submit Buyer Personal Data to the Website and App, the extent of which is determined and controlled by Buyer in its sole discretion, relating to the following categories of data subjects: Buyer’s customers, and users of the Website and App. Buyer will obtain all required consents from Buyer’s customers and users of the Website and App.
The obligations and rights of Buyer
The obligations and rights of Buyer are set out in the Underlying Agreement and this Addendum.
Buyer authorises PoolText to appoint (and permit each Sub-processor appointed in accordance with this Section 4 to appoint) Sub-processors in accordance with this Section 4 and any restrictions in the Underlying Agreement.
PoolText may continue to use those Sub-processors already engaged by PoolText as at the date of this Addendum.
PoolText shall give Buyer prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor, as it relates to Buyer. If, within 10 days of receipt of that notice, Buyer notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment, then PoolText shall not appoint (or disclose any Buyer Personal Data to) that proposed Sub-processor until reasonable steps have been taken to address the objections raised by Buyer, and Buyer has been provided with a reasonable written explanation of the steps taken.
With respect to each Sub-processor, PoolText shall:
Upon request and at Buyer’s expense, PoolText shall provide reasonable assistance to Buyer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Buyer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Buyer Personal Data by, and taking into account the nature of the Processing and information available to PoolText.
Upon termination or expiration of the Underlying Agreement, PoolText shall delete (or, at the election of Buyer pursuant to the paragraph below, return) all Buyer Personal Data in the possession or control of PoolText, within one (1) year after the termination or expiration of the Underlying Agreement, unless otherwise required by any applicable EU Data Protection Law; and (ii) request that its Sub-processors shall do the same. This requirement shall not apply to Buyer Personal Data that is archived on back-up systems, which PoolText shall isolate and protect from any further Processing, except to the extent required by law, and which shall be subject to appropriate confidentiality restrictions.
Subject to the paragraph below in this Section 7, Buyer may in its absolute discretion by written notice to PoolText within 180 days of termination or expiration of the Underlying Agreement require PoolText to (a) return a copy of all Buyer Personal Data to Buyer by secure file transfer in such format as is reasonably agreed upon. PoolText shall comply with any such written request within 60 days of the request.
PoolText (and its Sub-processors) may retain Buyer Personal Data to the extent required by applicable Data Privacy Laws and any other applicable laws, and only to the extent and for such period as required by such applicable laws and always provided that PoolText shall ensure the confidentiality of all such Buyer Personal Data and shall ensure that such Buyer Personal Data is only Processed by PoolText as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
Upon Buyer’s written request, PoolText shall provide written certification to Buyer that it has complied with this Section 7, within 30 days following the first anniversary of the termination date.
Subject to the provisions below, PoolText shall make available to Buyer, upon written request, copies of all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Buyer or an independent third party auditor, solely in relation to the Processing of the Buyer Personal Data in accordance with this Addendum.
The foregoing information and audit rights of the Buyer only arise to the extent that the Underlying Agreement does not otherwise set forth information and audit rights meeting the relevant requirements of the applicable Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR). Buyer acknowledges that in all cases PoolText shall first provide copies of information, and Buyer may request an on-site audit only (a) in the event of a Buyer Personal Data Breach, (b) if PoolText is unable to provide such information, or (c) if required under the applicable Data Protection Laws.
Buyer shall give PoolText reasonable notice of any audit or inspection to be conducted hereunder and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to PoolText’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. PoolText need not give access to its premises for the purposes of such an audit or inspection:
This provision only applies to certain transfers of data outside the European Economic Area that are permitted without breach of the applicable Data Protection Law.
The Standard Contractual Clauses will apply only to Buyer Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR). The Standard Contractual Clauses will not apply to Buyer Personal Data that is not transferred, either directly or via onward transfer, outside the EEA.
Buyer and PoolText hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from Buyer to PoolText. The Standard Contractual Clauses shall come into effect on the later of either party becoming a party to them or the commencement of the relevant Restricted Transfer.