In accordance with the terms of the Agreement, this Data Protection Annex applies to and is incorporated into, and made part of, the Agreement to the extent that UpToDate Processes any Personal Data about Data Subjects located in the European Economic Area ("EEA") or the United Kingdom ("UK") when performing its obligations under the Agreement.
1. Definitions. Capitalized terms used but not defined in this Annex will have the same meanings as set forth in the Agreement. In this Annex, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- "Agreement" means the UpToDate, Inc. Subscription and License Terms entered into between UpToDate, Inc. and You;
- "Data Protection Laws" means the EU GDPR and any applicable national laws made under it, and the UK GDPR where applicable;
- "EEA" means the European Economic Area;
- "EU GDPR" means the EU General Data Protection Regulation 2016/679 and any applicable national laws made under it;
- "EU Standard Contractual Clauses" means the MODULE 1, Controller to Controller, European Commission standard contractual clauses set out in https://www.wolterskluwer.com/en/solutions/uptodate/standard-contractual-clauses;
- "Retained EU Law" means as defined in the European Union (Withdrawal) Act 2018;
- "Subprocessor" means any person (including any third party but excluding an employee of UpToDate or any of its subcontractors) appointed by or on behalf of UpToDate to Process Personal Data on Your behalf in connection with the Agreement;
- "UK GDPR" means the UK Data Protection Act 2018 ("DPA 18") and the EU GDPR as it forms part of Retained EU Law;
- "UK Model Clauses" means the UK data transfer addendum to the EU Standard Contractual Clauses adopted by the UK Information Commissioner's Office under UK law (as amended, superseded or replaced from time to time);
- "UpToDate Personal Data" means any Personal Data about You, Your Authorized Users (if applicable), or Data Subjects working for You that is obtained by UpToDate as part of the administration and performance of its obligations under the Agreement;
- "Your Personal Data" means any Personal Data about Data Subjects located in the EEA or the UK that is Processed by UpToDate as part of the use of the Licensed Materials under the Agreement and that is provided to UpToDate by You or Your Authorized Users (if applicable) when You or they use the Licensed Materials.
The terms "European Commission", "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Processor" and "Supervisory Authority" shall have the same meaning as in the EU GDPR, and their cognate terms shall be construed accordingly.
Where there is a reference to a specific article or provision of the EU GDPR such reference shall be taken to include (and extend to) any equivalent provision or obligation set out in the UK GDPR as applicable.
The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. ROLES AND SCOPE.
2.1 Your Personal Data. For the purposes of this Annex, to the extent the Licensed Materials are used to Process Your Personal Data, the parties Process such Personal Data as separate Controllers pursuant to or in connection with this Agreement.
2.2 UpToDate Personal Data. For the purposes of this Annex, UpToDate is a separate Controller of UpToDate Personal Data Processed by it.
2.3 International Transfers. You acknowledge that UpToDate is located in the United States of America and that UpToDate may process UpToDate Personal Data and Your Personal Data at a destination outside the EEA or UK and that such UpToDate Personal Data and Your Personal Data may be processed by UpToDate personnel or a Processor of UpToDate operating outside the EEA or UK in countries that the European Commission (or in relation to the UK, the UK Government) has not yet decided offer adequate data protection in accordance with Data Protection Law ("Third Countries"). Where You are located in the EEA and/or the UK, You (as "data exporter") and UpToDate (as "data importer") hereby enter into the EU Standard Contractual Clauses and/or the UK Model Clauses, as applicable, which are incorporated into, and made part of, the Agreement. The UK Model Clauses are determined by reference to the Annexes to the EU Standard Contractual Clauses (which identify the specifics of the transfer). Table 4 and section 19 of the UK Model Clauses do not apply, and the relevant UK Model Clauses may not be terminated in the event that the UK Information Commissioner's Office issues a revised UK data transfer addendum, without prejudice to other termination rights.
2.4 Assistance. You agree that You shall provide all information and documents reasonably requested of You by UpToDate or UpToDate's representative(s) to allow UpToDate to satisfy its obligations under this Annex and Data Protection Laws relating to Your Personal Data and UpToDate Personal Data.
3. PROCESSING OF YOUR PERSONAL DATA
3.1 Your responsibilities. You shall have sole responsibility for ensuring Your Personal Data is Processed in accordance with the applicable Data Protection Laws, including:
- ensuring that Your Personal Data is Processed lawfully, fairly and in a transparent manner in relation to the Data Subjects, including by ensuring that all necessary fair processing information has been provided in writing to, and all necessary consents obtained from, the Data Subjects in relation to the Processing of such Personal Data by the parties and by third parties on their behalf.
- ensuring that Your Personal Data is collected for specified, explicit and legitimate purposes based on legal grounds for Processing as may be required from time to time by applicable Data Protection Laws and not further processed in a manner that is incompatible with those purposes.
3.2 UpToDate's responsibilities. UpToDate shall, in determining the extent to which Your Personal Data is required in relation to the purposes for which Your Personal Data is to be Processed by UpToDate, only request Your Personal Data that is relevant, adequate and not excessive in accordance with Data Protection Laws. UpToDate shall have sole responsibility for using reasonable efforts to ensure that Your Personal Data, at the time it is first made available to You or Your Authorized Users (if applicable) through the Licensed Materials, accurately reflects the data that You or Your Authorized Users (if applicable) provided to UpToDate. At all times thereafter, You or Your Authorized Users (if applicable) shall be solely responsible for ensuring that Your Personal Data remains accurate and up-to-date in accordance with Data Protection Laws.
3.3 Each party's responsibilities. Each party shall:
- ensure that Your Personal Data that is in its possession or control is kept for no longer than is necessary for the purposes for which Your Personal Data are processed in accordance with Data Protection Laws.
- in relation to Your Personal Data that is in its possession or control, be responsible for ensuring that Your Personal Data is Processed in a manner that ensures appropriate security of Your Personal Data including protection against Personal Data Breaches as required by Data Protection Laws.
- in relation to Your Personal Data, inform the other party without undue delay after they become aware of any Personal Data Breach in relation to Your Personal Data that was in its possession or control, providing a clear description of the nature of the breach and the information referred to in Article 33(b)-(d) of the EU GDPR as soon as it becomes available. In addition, each party shall consult in good faith with the other and provide the other with assistance, information and cooperation in the investigation, notification, mitigation and remediation of each such Personal Data Breach. Whilst UpToDate may take any information provided by You into account, only UpToDate shall determine the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant Supervisory Authorities in connection with a Personal Data Breach in relation to Your Personal Data.
Except to the extent that this Section 3 (Processing of Your Personal Data) allocates responsibility for compliance with particular provisions of Data Protection Laws to a particular party, each party shall comply with its respective obligations under Data Protection Laws in relation to Your Personal Data.
4. PROCESSING OF UPTODATE PERSONAL DATA
4.1 Use of UpToDate Personal Data. UpToDate may process such UpToDate Personal Data for the following purposes:
- to make the Licensed Materials available to, or permit certain services requested by, individual data exporters or data exporters' Authorized Users (if applicable), including disclosing such information to accredited organizations to redeem an individual data exporter's or data exporter's Authorized User's accumulated CME credits;
- managing and making decisions about this Agreement and any matters (such as invoicing and fee arrangements) arising in connection with this Agreement;
- communicating with You and the Data Subjects that work for You in relation to matters arising under or in connection with the Agreement and in connection with services that UpToDate may offer from time to time;
- ensuring compliance with (a) regulatory and legal obligations to which UpToDate is subject and (b) terms of use applicable to data exporters;
- establishing, exercising and defending legal rights and claims;
- client support and relationship management purposes;
- risk management and quality reviews;
- improving the content of its database and creating derivative or new products and services; marketing; advertising; sending reports to You; or conducting research; and
- UpToDate's internal financial accounting, information technology and other administrative support services (collectively, "Processing Purposes").
You will ensure that (i) there is no prohibition or restriction in relation to UpToDate's use thereof that would prevent or restrict UpToDate from Processing the UpToDate Personal Data for the Processing Purposes; and (ii) You have obtained all necessary consents, provided all necessary notices and done all other things required under Data Protection Laws to disclose the UpToDate Personal Data to UpToDate to enable UpToDate to process it in connection with the Processing Purposes as a separate Controller.
5. GENERAL TERMS.
5.1 Governing law and Jurisdiction. Except to the extent set out otherwise in the EU Standard Contractual Clauses and the UK Model Clauses, and as necessary to comply with Data Protection Law, the parties to this Annex hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Annex, including disputes regarding its existence, validity or termination or the consequences of its nullity and this Annex and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated in the Agreement.
5.2 Severance; Order of Precedence. Should any provision of this Annex be invalid or unenforceable, then the remainder of this Annex shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. In the event of a conflict or discrepancy between (x) this Data Protection Annex and any term of the Agreement, this Data Protection Annex shall take precedence, (y) the EU Standard Contractual Clauses and the provisions of the Data Protection Annex, the EU Standard Contractual Clauses shall prevail, and/or (z) this Data Protection Annex and the UK Model Clauses, the UK Model Clauses shall prevail.