Whole genome sequencing data from whole genome amplified single cells and unamplified bulk samples

The terms and conditions for Data Access

This data processing agreement (the ”DPA”) has been entered into by (1) KAROLINSKA INSTITUTET, [name of department], org.nr 202100-2973, [department address], Sweden, (“KI”); and (2) XXZZYY, org.nr [**], [address], (the “Processor”) hereinafter jointly referred to as “Parties” and separately as “Party”. These persons shall be the Parties’ contacts in regard to this DPA. For KI Name: [x] Address: [x] Telephone: [x] E-mail: For Processor Name: [x] Address: [x] Telephone: [x] E-mail: 1. PURPOSE OF THE AGREEMENT KI is the Controller of Personal Data originating from containing information on [specify . The Parties have agreed that the Processor shall perform particular duties involving [specify] (the “Assignment”) for and on behalf of KI. In execution of the Assignment, KI shall furnish the Processor with Personal Data. In signing this DPA, the Processor becomes Personal Data Processor charged to process Personal Data for and on behalf of KI. This DPA forms part of the principal agreement between the Parties dated [date] ([insert full title of the agreement], the “Principal Agreement”), that governs the Assignment and further details the purpose of the Processing. This DPA applies where the Processor is processing Personal Data on behalf of KI. [x] [x] [specify] categories of personal data such as names, ages, health related data etc.] 1 (9) This DPA further defines the technical and organizational measures that the Processor implements and maintains to protect Personal Data, as set out in Schedule 1. 2. DEFINITIONS The following terms shall have the following meanings in this Agreement. “Collaborating Hospital” shall mean a hospital with an established contractual or other legal link with KI that may conduct activities in collaboration with KI. “Data Controller”, shall mean an entity that alone or jointly with others determines the purposes and means of the Processing of Personal Data. “Data Processor”, shall mean an entity that Processes Personal Data on behalf of the Data Controller. “Data Protection Laws”, shall mean the relevant data protection and privacy laws to which the Parties are subject, in particular (but not limited to) Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, (and repealing Directive 95/46/EC) (General Data Protection Regulation), and any applicable laws and regulations relating to the processing of Personal Data in the field of research and development. “Model Clauses”, shall mean the model clauses for the transfer of Personal Data to Data Processors established in third countries as approved by the European Commission from time to time, at present the model clauses set out in the European Commission’s Decision 2010/87/EU of 5 February 2010. “Personal Data”, shall mean any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable person is one who can be identified directly or indirectly in particular by reference to an identifier such as name, an identification number, location data, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Processing”, shall mean any operation which is performed on Personal Data, whether or not by automated means, such as collection, organisation, structuring, storage, use, dissemination or otherwise making available, erasure or destruction. “Subprocessor”, shall mean any processor which the Data Processor engages to carry out specific Processing activities on behalf of the Data Controller, such as a subcontractor. 3. PROCESSING OF PERSONAL DATA 3.1 The Parties acknowledge and agree that with regard to the Processing of Personal Data, KI is the Data Controller and the Processor is the Data Processor. 3.2 All Processing of Personal Data under this DPA shall be carried out in accordance with all applicable Data Protection Laws. 2 (9) 3.3 The Processor shall: a) Comply with all Data Protection Laws and other laws generally applicable to the Assignment. b) Process the Personal Data only in accordance with the written instructions from KI, as may be further set out in the Principal Agreement, and this DPA. The Processor will not use or disclose the Personal Data for any other purposes. c) Notify KI if it considers an instruction from KI to be in violation of Data Protection Laws. Processor shall follow and comply with any additional instructions received from KI provided that they are legally required, technically feasible and do not require any material modifications of the Assignment. If the Processor is unable to comply with an additional instruction, it shall promptly notify KI hereof. d) Process the Personal Data only to the extent, and in such manner, as is necessary for the Assignment. e) Implement and maintain appropriate technical and organisational measures as set out in Schedule 1. KI understands and agrees that these measures are subject to technical progress and development and the Processor is therefore expressly allowed to implement alternative measures provided that they maintain or exceed the general security level described in Schedule 1. f) Ensure that confidentiality applies to Personal Data and that access is strictly limited to the personnel who require access for the Assignment. g) Ensure that all of its personnel engaged in the Processing of Personal Data (i) are informed of the confidential nature of the Personal Data, (ii) have received appropriate training of their responsibilities and (iii) have executed written confidentiality agreements or are under an appropriate statutory obligation of confidentiality. The Processor shall ensure that such confidentiality obligations survive the termination of their personnel arrangement. h) Assist KI in meeting the obligations KI is made subject to by Data Protection Laws, in particular to facilitate the exercise of the data subjects' rights under such laws. That includes but is not limited to an obligation for the Processor to (i) block, erase or anonymize Personal Data, (ii) provide information about the Processing activities, (iii) furnish Data Subjects with information about and access to their Personal Data, (iv) rectify incorrect Personal Data and (v) provide KI with Personal Data in a structured, commonly used and machine-readable format. The Processor undertakes to perform such actions when required and as instructed by KI. i) Without undue delay and in accordance with Data Protection Laws notify KI of any incident concerning unauthorised disclosure of Personal Data (“Incident”). Such notification shall in any event be given KI within forty-eight (48) hours of first discovering an Incident. 3 (9) 3.4 The Processor shall indemnify and hold harmless KI from and against any and all losses, damages, and expenses (including without limitation legal fees) awarded against KI and arising from a claim brought as a result of the Processor’s breach of its obligations under this DPA or Data Protection Laws (“Claim”); provided, however, that the indemnity shall not extend to any Claim arising from (i) a negligent act or omission of KI and/or its personnel, (ii) any misconduct by KI and/or its personnel and/or (iii) any breach of this DPA by KI. 3.5 The Processor shall not be entitled to any additional payment for performing the obligations set out in this DPA. 3.6 In case a Collaborating Hospital or any other third parties shall also benefit from the Assignment and KI acts in this respect on behalf of and in the name of its Collaborating Hospital and/or third parties (in their capacity as Data Controllers), KI shall enter into such data processing agreements as is required (with its Collaborating Hospital and /third parties in their capacity as Data Controllers) to allow the Processor and its Subprocessors to process Personal Data as described in this DPA. KI shall serve as a single point of contact for Processor and shall be solely responsible for the internal coordination, review and submission of instructions or requests (of other Data Controllers) to Processor. 4. THIRD PARTY REQUESTS FOR PERSONAL DATA All third party requests regarding Personal Data or information about the Processing activities under the Principal Agreement shall be redirected to KI, whether the request is made by a data subject, the data protection authority or any other third party, unless such requests cannot legally be redirected to KI. The Processor shall promptly notify KI of all third party requests for information related to this DPA. The Processor further undertakes to assist KI to make Personal Data and information about the Processing activities under the Principal Agreement available to any third party making a request for such information. 5. USE OF SUBCONTRACTORS 5.1 Always subject to all applicable laws and regulations (including but not limited to Data Protection Laws) and provided that KI has given prior written approval, the Processor may use one or more Subprocessors to Process Personal Data during the course of carrying out the Assignment. In such case, the Processor must enter into a written agreement with each Subprocessor which requires the Subprocessor to comply with terms no less protective than the terms that the Processor is made subject to under this DPA. 5.2 The Subprocessor(s) may only Process Personal Data in order to carry out the Assignment. The Subprocessors are bound by KI’s written instructions and may under no circumstances Process Personal Data for any other purpose. The Processor remains responsible for all Subprocessors it 4 (9) uses to carry out the Assignment. The Processor’s responsibility for its Subprocessor(s) includes ensuring Subprocessors’ compliance with the obligations of this DPA. 5.3 KI shall receive a list of all Subprocessors used by the Processor. Such list shall include particulars such as the name, corporate form, contact information, address and role of each Subprocessor. The information shall be communicated to KI by e-mail. The Processor must obtain prior written approval from KI before exchanging or adding any Subprocessor(s) to the list. 5.4 The Processor may not transfer Personal Data to a Subprocessor in a country outside of the EU/EEA (“Third Country”) unless KI has approved such transfer in writing, and the Processor has entered into the Model Clauses with the Subprocessor. The Processor may also transfer Personal Data to the US, with KI’s prior written consent, if the recipient is registered under the Data Privacy Shield according to the decision of the EU Commission 2016/1250. 6. AUDIT 6.1 KI shall be entitled, through follow-up, to verify the Processor's compliance of this DPA and the measures in Schedule 1. In conjunction with such follow-up, the Processor shall provide KI, or the third-party examiner engaged by KI, such access to premises or systems as are necessary. The Processor will on a regular basis audit the security of the computers and computing environment that it uses in Processing Personal Data when carrying out the Assignment. 6.2 Upon written request by KI, the Processor will, without undue delay, provide KI with a summary of the results of any audit so that KI can reasonably verify the Processor's compliance with the obligations under this DPA. 6.3 The Processor shall ensure that a data inspection authority may perform audits as provided for according to Data Protection Laws. In the event Personal Data is requested from any data inspection authority, the Processor must without undue delay refer such requests to KI. 7. MISCELLANEOUS 7.1 No Party may assign, subcontract or otherwise transfer this DPA without the prior written consent of the other Party. 7.2 At the request of KI and/or upon termination of this DPA, the Processor shall either return or delete the Personal Data in such a way that it cannot be recovered, as instructed by KI. In case the Processor is unable to return or delete the Personal Data as instructed, the storage media where the Personal Data concerned is stored is to be destroyed. In the event KI directs that Personal Data is returned, it shall be returned within thirty (30) days of completion of the Assignment or termination of this DPA. 5 (9) 7.3 This DPA shall continue to apply for the duration of the Processing activities under the Principal Agreement, notwithstanding any termination or expiration of the same. The Processor’s obligation to ensure that confidentiality applies to Personal Data continues to apply even after the termination of this DPA. 7.4 If there is any conflict between any provision of this DPA and any provision of the Principal Agreement, the provisions of this DPA shall prevail. 7.5 Except for changes made by this DPA, the Principal Agreement remains unchanged and in full force and effect. 7.6 KI shall always have a one-sided right to change any terms and conditions in this DPA to ensure that Data Protection Laws are complied with. Such changes shall enter into force within thirty (30) days after the Processor has received a notification from KI unless the Processor promptly notifies KI that it is unable to comply with the changes. In case the Processor is unable to comply with such changes, KI shall have a one-sided right to terminate all agreements with the Processor that include Processing of KI’s Personal Data, with immediate effect. Any other changes to the terms and conditions in this DPA shall be made in writing and duly signed by the Parties to come into effect. 7.7 KI reserves the right to terminate all agreements with the Processor that include Processing of KI’s Personal Data upon written notification with immediate effect in the event of a serious breach by the Processor and/or any Subprocessor. 7.8 This DPA is governed by the laws of Sweden. Any dispute arising out of or in connection with this DPA shall be settled by the courts of Sweden with the district court of Stockholm as first instance. 8. SIGNATURES This DPA has been drawn up in two originals of which the parties have taken one each. KAROLINSKA INSTITUTET Printed name: Title: Head of Department of [name] Date: XXZZYY Printed name: Title: Date: 6 (9) Printed name: Title: Principal Investigator Date: