MBL2 genetic variation in critical Covid-19

Data access and processing agreements

Institutional data transfer agreement can be established and data may be shared if the aims and means of data use by the applicant are covered by ethical approval and patient consent. DATA ACCESS AGREEMENT In response to the Recipient's request for access to the Data (as defined below), Data Provider and the Recipient agree as follows: 1. Definitions “Data” shall mean all and any human genetic data obtained from the Data Provider including associated metadata regarding the Data Subjects. Explicitly, Data does not include samples or biological materials; “Data Subject” shall mean the person (irrespective of state of health) to whom Data refers and who has been informed of the purpose for which the Data is held and has given his/her informed consent thereto; “Intellectual Property” means (i) patents, designs, trademarks and trade names (whether registered or unregistered), copyright and related rights, database rights, know-how and confidential information; (ii) all other intellectual property rights and similar or equivalent rights anywhere in the world which currently exist or are recognised in the future; and (iii) applications, extensions and renewals in relation to any such rights; “Registered User” shall mean a Researcher (or an individual conducting Research under the supervision of a Researcher) that is employed by the Recipient and is bound by confidentiality and non-use obligations in respect of Data and who has signed this Agreement and has received acknowledgement of its acceptance. For the avoidance of doubt, “Registered User” may also include students, visiting academics, contractors, sub-contractors or independent consultants provided that any such individual is bound by confidentiality and non-use obligations no less onerous then those binding the Recipient’s employees; “Research” shall mean research that is seeking to advance the understanding of mediators of organ dysfunction in COVID-19 “Researcher(s)” shall mean an individual or individuals carrying out Research who has authored a relevant peer-reviewed article that Data Provider can locate on PubMed and who is still working in the field. 2. Purpose The Recipient agrees to use Data only for the Research. 3. Confidentiality The Recipient agrees to preserve, at all times, the confidentiality of Data pertaining to identifiable Data Subjects. In particular, the Recipient undertakes not to use, or attempt to use the Data to deliberately compromise or otherwise infringe the confidentiality of information on Data Subjects and their right to privacy. 4. Data Protection The Recipient agrees that it, and its Registered Users, are covered by and shall comply with the obligations contained in the General Data Protection Regulation (EU) 2016/679 ("GDPR"), or equivalent national provisions no less onerous than those contained in the GDPR. In particular, the Recipient and its Registered Users understand their duties under such legislation in relation to the handling of Data and the rights of Data Subjects. The Recipient agrees that it, and its Registered Users, shall not analyse or make any use of the Data in such a way that has the potential to: (a) lead to the identification of any Data Subject; or (b) compromise the protected identity of any Data Subject in any way. 5. Access and Governance The Recipient agrees that it shall take all reasonable security precautions to keep the Data confidential. The Recipient agrees to that under no circumstances give access to Data to any third party, except to Registered Users (as described below). The Recipient agrees to only give access to Data, in whole or part, or any identifiable material derived from the Data, to a Registered User. The Recipient agrees that before it gives any Registered User access to Data, it shall first show the Registered User a copy of this Agreement and shall inform the Registered User that he or she must comply with the obligations contained in this Agreement and sign up to the provisions of this Agreement in the form set out at the end of this Agreement. The Recipient shall provide Data Provider with a copy of the Registered User’s acceptance form within thirty (30) days of the date of acceptance by the Registered User. The Recipient agrees that it shall only give Registered Users that are not Researchers (including but not limited to students or new researchers to the field) access to the Data if they are supervised by a Researcher who will take responsibility for such Registered Users’ use of the Data. Data Provider reserves the right to request and inspect data security and management documentation to ensure the adequacy of data protection measures in countries that have no national laws comparable to that pertaining in the European Economic Area (EEA). 6. Errors The Recipient agrees to notify the Data Provider of any errors detected in the Data. 7. Intellectual Property The Recipient recognises that nothing in this Agreement shall operate to transfer to the Recipient or its Registered Users any Intellectual Property rights in or relating to the Data. The Recipient and its Registered Users shall have the right to develop Intellectual Property based on comparisons with their own data. 8. Publications The Recipient agrees to acknowledge in any work based in whole or part on the Data, the published paper or the Data Provider from which the Data derives. With the exception of aggregated summary statistics the data may not be shared, published or distributed without written permission of the Data Provider via Robert Frithiof. 9. Termination of Agreement This Agreement will terminate immediately upon any breach of the provisions of this Agreement by the Recipient or by the Recipient’s Registered Users. The Recipient accepts that the changing ethical framework of human genetic research may lead to: (i) alteration to the provisions of this Agreement, in which case the Recipient may accept such alterations or terminate this Agreement; or (ii) the withdrawal of this Agreement in extreme circumstances. Either party shall have the right to terminate this Agreement with immediate effect upon giving written notice of termination to the other party. In the event that the recipient will no longer use the Data in their Research this Agreement will terminate. In the event that this Agreement is terminated in accordance with this Clause 9 the Recipient shall return or destroy all Data at the direction of Data Provider. 10. Legal statement The Recipient acknowledges that Data Provider and all other parties involved in the creation, funding or protection of the Data: (a) make no warranty or representation, express or implied as to the accuracy, quality or comprehensiveness of the Data; and (b) exclude to the fullest extent permitted by law all liability for actions, claims, proceedings, demands, losses (including but not limited to loss of profit), costs, awards damages and payments made by the Recipient that may arise (whether directly or indirectly) in any way whatsoever from the Recipient’s use of the Data, or from the unavailability of, or break in access to the Data for whatever reason. The Recipient understands that all the Data is protected by copyright and other intellectual property rights, such that duplication or sale of all of or part of the Data on any media is not permitted under any circumstances, except with the prior written consent of Data Provider. 11. Governing Law This Agreement (and any dispute, controversy, proceedings or claim of whatever nature arising out of this Agreement or its formation) shall be construed, interpreted and governed by the laws of Sweden and shall be subject to the exclusive jurisdiction of the Swedish courts. DATA PROCESSING AGREEMENT Agreement in accordance with Article 28(3) of the General Data Protection Regulation (EU) 2016/679 1. PARTIES, POSITIONS OF THE PARTIES, CONTACT DETAILS AND CONTACT PERSONS 2. DEFINITIONS In addition to the terms defined in the running text of this Data Processing Agreement, the following terms, whether in singular or plural, with definite or indefinite article, shall have the meaning defined below whenever they are capitalised. "Processing" Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. "Data protection legislation" Refers to all privacy and personal data legislation, along with any other legislation (including regulations and directives) applicable to the Processing carried out in accordance with this Agreement, including national legislation and EU legislation. "Controller" A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. "Instruction" The written instructions that more specifically define the object, duration, type and purpose of Personal Data, as well as the categories of Data Subjects and special requirements that apply to the Processing. "Log" A Log is the result of Logging "Logging" Logging is a continuous collection of information about the Processing of Personal Data that is performed according to this Agreement and which can be associated with an individual natural person. "Processor" A natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller. "Personal Data" Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. "Personal Data Breach" A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed "Data Subject" Natural person whose Personal Data are Processed. "Third Country" A state that is not a member of the European Union (EU) or the European Economic Area (EEA). "Subprocessor" A natural or legal person, public authority, agency or other body which, in the capacity of subcontractor to the Processor, Processes Personal Data on behalf of the Controller. 3. BACKGROUND AND AIM 3.1 Through this Agreement, the Instructions and a list of possible Subprocessors (hereafter jointly referred to as “the Agreement”), the Controller regulates Processor’sProcessing of Personal Data on behalf of the Controller. The aim of the Agreement is to safeguard the freedoms and rights of the Data Subject during Processing, in accordance with what is stipulated in Article 28(3) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). 3.2 When this Agreement is one of several contractual documents comprising another agreement, the other agreement is referred to as the “Main Agreement” in this Agreement. 3.3 In the event that anything stipulated in items 1, 16, 17, 18.2, 19–22 of this Agreement is regulated otherwise in the Main Agreement, the Main Agreement shall take priority. 3.4 Any reference in this Agreement to national or union legislation refers to the provisions applicable at any given time. 4. PROCESSING OF PERSONAL DATA AND SPECIFICATION 4.1 The Controller hereby appoints the Processor to carry out Processing on behalf of the Controller, pursuant to the provisions of this Agreement. 4.2 The Controller shall give written Instructions to the Processor as to how the Processor shall carry out the Processing. 4.3. The Processor may only perform the Processing in accordance with this Agreement and the Instructions applicable at any given time. 5. OBLIGATIONS OF THE CONTROLLER 5.1 The Controller undertakes to ensure that there is a legal basis for the Processing at all times, and to issue correct instructions so that the Processor and any Subprocessors can carry out their duties in accordance with this Agreement and the Main Agreement, where applicable. 5.2 The Controller undertakes to inform the Processor without undue delay of any changes in the Processing that may affect the Processor’s obligations pursuant to the Data Protection Legislation. 5.3 The Controller is responsible for informing Data Subjects of the Processing and to safeguard the rights of Data Subjects in accordance with the Data Protection Legislation, as well as to take every other measure required of the Controller pursuant to the Data Protection Legislation. 6. OBLIGATIONS OF THE PROCESSOR 6.1 The Processor undertakes to only perform the Processing in accordance with this Agreement and the Instructions and to comply with the Data Protection Legislation. The Processor also undertakes to stay informed of currently applicable laws and regulations in this area. 6.2 The Processor shall take measures to protect the Personal Data against all kinds of Processing that is not in compliance with this Agreement, the Instructions and the Data Protection Legislation. 6.3 The Processor undertakes to ensure that all natural persons who work under its supervision comply with this Agreement and the Instructions, and that these natural persons are informed about relevant legislation. 6.4 At the request of the Controller, the Processor shall assist the former in ensuring compliance with the obligations pursuant to Articles 32–36 of GDPR, and shall respond to requests regarding the exercise of Data Subjects’ rights pursuant to Chapter III of GDPR, taking into consideration the type of Processing and the information available to the Processor. 6.5 In the event that the Processor finds the Instructions to be unclear, in violation of the Data Protection Legislation or non-existent, and the Processor is of the opinion that new or supplementary Instructions are necessary in order to fulfil its undertakings, the Processor shall inform the Controller of this without delay, temporarily suspend the Processing and await new Instructions. 6.6 In the event the Controller provided the Processor with new or amended Instructions, the Processor shall inform the Controller, without undue delay after receiving them, whether the implementation of the new Instructions will entail any changed costs for the Processor. 7. SECURITY MEASURES 7.1 The Processor is obligated to take all technical and organisational security measures required by the Data Protection Legislation in order to prevent Personal Data Breaches, by ensuring that the Processing complies with the requirements of GDPR and that the rights of the Data Subjects are protected. 7.2 The Processor shall continuously ensure that the technical and organisational security relating to the Processing maintains an appropriate level of confidentiality, integrity, availability and resilience. 7.3 Any future or modified requirements for protective measures coming from the Controller once the Parties have entered this Agreement shall be considered new Instructions in accordance with this Agreement. 7.4 The Processor shall use an authorisation control system to allow access to the Personal Data only for such natural persons who work under the supervision of the Processor and who need such access in order to perform their duties. 7.5 The Processor undertakes to continuously Log access to the Personal Data pursuant to this Agreement, to the extent required according to the Instruction. Logs may not be purged until at least five (5) years after the time of Logging, unless otherwise specified in the Instruction. Logs shall be subject to the necessary protective measures pursuant to the Data Protection Legislation. 7.6 The Processor shall systematically test, examine and evaluate the effectiveness of the technical and organisational measures that are intended to ensure the security of the Processing. 8. SECRECY/DUTY OF CONFIDENTIALITY 8.1 The Processor and all natural persons who work under its supervision shall observe both secrecy and the duty of confidentiality during Processing. Personal Data may not be used or disseminated for other purposes, neither directly or indirectly, unless otherwise agreed. 8.2. The Processor is required to ensure that all natural persons working under its supervision who participate in the Processing are bound by a confidentiality agreement regarding the Processing. However, this is not required if those persons are already subject to a statutory duty of confidentiality with criminal liability. The Processor also undertakes to ensure that there is a confidentiality agreement with its Subprocessor, as well as between the Subprocessor and all natural persons working under its supervision who participate in the Processing 8.3 The Processor shall immediately inform the Controller of any contacts with the supervisory authority regarding the Processing. The Processor shall not be entitled to represent the Controller or act on behalf of the Controller vis-à-vis supervisory authorities in matters relating to the Processing. 8.4 If the Data Subject, supervisory authority or a third party requests information from the Processor regarding the Processing, the Processor shall inform the Controller thereof. Information regarding the Processing may not be divulged to the Data Subject, supervisory authority or third party without the written consent of the Controller, unless the obligation to disclose the information is prescribed by law. The Processor shall assist in the communication of such information as is the subject of consent or legal requirement. 9. INSPECTION, SUPERVISION AND AUDITING 9.1 At the request of the Controller, the Processor shall without undue delay provide information, as part of its undertakings in accordance with Article 28(1) of GDPR, regarding the technical and organisational security measures used to ensure that the Processing complies with the requirements of this Agreement and Article 28(3)(h) of GDPR. 9.2 The Controller has the right to inspect, or to appoint a third party (who must not be a competitor of the Processor) to inspect the Processor’s compliance with the requirements of this Agreement, the Instruction and the Data Protection Legislation. In connection with such inspection, the Processor shall assist the Controller or the person carrying out the inspection on behalf of the Controller, with documentation, access to premises, IT systems and other assets required to verify the Processor’s compliance with this Agreement, the Instructions and the Data Protection Legislation. The Controller shall ensure that the personnel carrying out the inspection are subject to secrecy or duty of confidentiality pursuant to law or contract. 9.3 The Processor, as an alternative to the provisions of item 9.2, may offer other approaches to inspection of the Processing, such as inspection by an independent third party. In that case, the Controller shall be entitled, but not obligated, to apply this alternative approach to the inspection. In the event of this kind of inspection, the Processor shall give the Controller or the third party the assistance needed to perform the inspection. 9.4 The Processor shall enable the supervisory authority, or other government agency with legal authority, to conduct supervision at the authority’s request and pursuant to the applicable legislation at any given time, even if such an supervision would otherwise violate the provisions of the Agreement. 9.5 The Processor shall ensure that the Controller has rights in relation to the Subprocessor which correspond to all the rights that the Controller has in relation to the Processor pursuant to item 9 of the Agreement. 10. HANDLING OF CORRECTIONS, DELETIONS, ETC. 10.1 In the event that the Controller has requested a correction or deletion as a result of incorrect Processing by the Processor, the Processor shall take appropriate measures, without undue delay, no later than thirty (30) days from the date on which the Processor received the required information from the Controller. When the Controller has requested deletion, the Processor may only perform Processing of the Personal Data in question as a part of the correction or deletion process. 10.2 If technical and organisational measures (e.g. upgrades or troubleshooting) are taken by the Processor with regard to the Processing, and these can be expected to affect the Processing, the Processor shall inform the Controller in writing in accordance with the provisions on notifications set out in Section 19 of the Agreement. This information shall be communicated well in advance of the measures being taken. 11. PERSONAL DATA BREACHES 11.1 The Processor shall have the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident as defined in Article 32(1)(c) of GDPR. 11.2 In considering the nature of the Processing and the information available to the Processor, the Processor undertakes to assist the Controller in fulfilling its obligations in the event of a Personal Data Breach involving the Processing. At the request of the Controller, the Processor shall also assist in investigating suspicions of possible unauthorised Processing of and/or access to Personal Data. 11.3 In the case of a Personal Data Breach that the Processor has been made aware of, the Processor shall, without undue delay, notify the Controller in writing of the incident. In considering the nature of the Processing and the information available to the Processor, the Processor shall provide the Controller with a written description of the Personal Data Breach. The description shall include: 1. The nature of the Personal Data Breach, and, if possible, the categories and the number of Data Subjects affected, as well as the categories and number of personal data items affected, 2. the probable consequences of the Personal Data Breach, and 3. measures that have been taken or proposed, as well as measures to mitigate the potential negative effects of the Personal Data Breach. 11.4 If it is not possible for the Processor to provide the entire description as set out in item 11.3 of the Agreement at the same time, the description may be provided in stages without undue additional delay. 12. SUBPROCESSOR 12.1 The Processor is entitled to hire the Subprocessor(s) listed in the Subprocessor appendix. 12.2 The Processor undertakes to enter a written agreement with the Subprocessor to regulate the Processing that the Subprocessor carries out on behalf of the Controller and to only hire Subprocessors who provide adequate guarantees to carry out appropriate technical and organisational measures to ensure that the Processing fulfils the requirements of GDPR. When it comes to data protection, such an agreement shall entail the same obligations for the Subprocessor as are set out for the Processor in this Agreement. 12.3 The Processor is fully responsible in relation to the Controller for any Processing carried out by a Subprocessor. 12.4 The Processor is entitled to hire new subprocessors and to replace existing subprocessors. 12.5 When the Processor intends to hire a new subprocessor or replace an existing one, the Processor shall verify the Subprocessor’s capacity and ability to meet their obligations in accordance with the Data Protection Legislation. The Processor shall notify the Controller in writing of 1. the Subprocessor’s name, corporate identity number and head office (address and country), 2. which type of data and categories of Data Subjects are being processed, and 3. where the Personal Data will be processed. 12.6 The Controller is entitled within thirty (30) days of the notice pursuant to item 12.5 to object to the Processor’s hiring of a new subprocessor and, due to such an objection, to cancel this Agreement to be terminated in accordance with the provisions of item 17.4 of this Agreement. 12.7 When the Processor stops using the Subprocessor, the Processor shall notify the Controller in writing that they will no longer be using the Subprocessor. 12.8 At the Controller’s request, the Processor shall send a copy of the agreement regulating the Subprocessor’s Processing of Personal Data in accordance with item 12.2. 13. LOCALISATION AND TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY 13.1 The Processor shall ensure that the Personal Data will be handled and stored within the EU/EEA by a natural or legal person who is established in the EU/EEA, unless the parties to this Agreement agree otherwise. 13.2 The Processor is only entitled to transfer Personal Data to a Third Country for Processing (e.g. for service, support, maintenance, development, operations or other similar handling) if the Controller has given advance written approval of such transfer and has issued Instructions to this end. 13.3 Transfer to a Third Country for Processing pursuant to item 13.2 of the Agreement may be carried out only if it complies with the Data Protection Legislation and fulfils the requirements for the Processing set out in this Agreement and the Instructions 14. LIABILITY FOR DAMAGES IN CONNECTION WITH THE PROCESSING 14.1 In the event that compensation for damages in relation to Processing is payable to the Data Subject, through a legally binding judgement or settlement, due to a violation of the Agreement, Instructions and/or applicable provision of the Data Protection Legislation, Article 82 of GDPR is applicable. 14.2 Fines in accordance with Article 83 of GDPR or Chapter 6, Section 2 of the Data Protection Act (2018:218) shall be paid by the party to this Agreement that has been levied such a fee. 14.3 If either party becomes aware of circumstances that could be detrimental to the other party, the first party shall immediately inform the other party of this and work actively with the other party to prevent and minimise the damage or loss. 14.4 Notwithstanding any of the provisions of the Main Agreement, items 14.1 and 14.2 of this Agreement take precedence over other rules regarding the allocation between the parties of claims regarding the Processing. 15. CHOICE OF LAW AND DISPUTE RESOLUTION 15.1 Swedish law shall apply to this agreement. Any interpretation or dispute arising from the Agreement which the parties cannot resolve on their own shall be settled by a Swedish general court. 16. CONCLUSION, TERM AND TERMINATION OF THE AGREEMENT 16.1 The Agreement shall enter into force from the time the Agreement has been signed by both parties and until further notice. Either party has the right to terminate the Agreement with thirty (30) days’ notice. 17. AMENDMENTS, TERMINATION WITH IMMEDIATE EFFECT, ETC. 17.1 Each party to the Agreement shall be entitled to invoke a renegotiation of the Agreement if there is a major change of the ownership of the other party or if applicable legislation or interpretation thereof changes in a way that significantly affects the Processing. The invoking of a renegotiation pursuant to the first sentence does not mean that any part of the Agreement will cease to be in effect, but only means that a renegotiation of the Agreement will commence. 17.2 Additions and amendments to the Agreement must be made in writing and signed by both parties. 17.3 If either party becomes aware that the other party is acting in violation of the Agreement and/or Instructions, the first party shall inform the other party without delay of the actions in question. The party is then entitled to suspend the performance of its obligations pursuant to the Agreement until such time as the other party has declared that the actions have ceased, and the explanation has been accepted by the party that made the complaint. 17.4 If the Controller objects to the Processor using a new subprocessor, pursuant to item 12.6 of this Agreement, the Controller is entitled to terminate the Agreement with immediate effect. 18. MEASURES IN THE EVENT OF TERMINATION OF THE AGREEMENT 18.1 Upon termination of the Agreement, the Controller shall, without undue delay, request that the Processor transfers all Personal Data to the Controller or deletes them, according to the preference of the Controller. If the Personal Data are transferred, this must take place in an open and standardised format. “All Personal Data” means all Personal Data that have been the subject of Processing, as well as other related information such as Logs, Instructions, system solutions, descriptions and other documents that the Processor received through an exchange of information pursuant to the Agreement. 18.2 Transfers and deletions pursuant to item 18.1 of the Agreement shall be carried out no later than thirty (30) days from the time notice of termination was given in accordance with item 16.1 of this Agreement. 18.3 Processing performed by the Processor after the time specified in item 18.2 shall be considered unauthorised Processing. 18.4 The provisions regarding secrecy and confidentiality in item 8 of this Agreement shall remain in effect even if the Agreement otherwise ceases to apply. 19. NOTIFICATIONS WITHIN THE PURVIEW OF THIS AGREEMENT AND THE INSTRUCTIONS 19.1 Notifications regarding the Agreement and its administration, including termination, shall be sent to the respective party’s contact person for the Agreement. 19.2 Notifications within the purview of the Agreement and Instructions shall be sent in writing. A notification shall be considered to have been received by the addressee no later than one (1) working day after the notification has been sent. 20. CONTACT PERSONS 20.1 Each party shall appoint one contact person for the Agreement. 21. RESPONSIBILITY FOR INFORMATION REGARDING PARTIES, CONTACT PERSONS, AND CONTACT INFORMATION 21.1 Each party is responsible for ensuring that the information provided in item 1 of the Agreement is up to date. Changes to the information in item 1 shall be communicated in writing pursuant to item 19.1 of the Agreement.