Evaluation of triple negative breast cancer with heterogeneous immune infiltration

Standard data policy

3. PROCESSING OF PERSONAL DATA For the purposes outlined in Section 2 and further detailed in Appendix 1, EMBL and CRG act as Joint Data Processors (hereinafter the Data Processor) of Personal Data of research participants (“Data Subjects”) embedded in the submitted dataset(s), and Data producer act as Data Controller (hereinafter the Data Controller). The Data Processor provides contact details of the Data Protection Officer or any other person mandated to give information on data protection matters of the Data Processor on its internet page https://ega- archive.org/ . 4. TRANSFER OF DATA AND APPLICABLE DATA PROTECTION LAWS Any Data Controller established within the European Economic Area, may transfer Personal Data to the Data Processor, partly being managed by an international organisation, upon relying on a derogation of the transfer being necessary for important reasons of public interest under Article 49(1)(d) and Article 49(4) of the GDPR. Any Data Controller, exempted from the applicability of GDPR and/or subject to any other national law on data protection, shall duly rely on the appropriate legal basis for transfer of Personal Data to the Data Processor, under the Data Controller's applicable law. Either party shall comply with Data Protection Laws applicable on its operations. 5. DATA PROCESSOR'S RESPONSIBILITIES: 1. The Data Processor shall only process Personal Data as instructed by the Data Controller as documented in this DPA, including with regard to transfers of Personal Data to a third country or an international organization, unless the Data Processor is required to do so by any applicable Data Protection Law; in such case, the Data Processor will inform the Data Controller of that legal requirement before Processing the relevant Personal data, unless that law prohibits such information on important grounds of public interest. 2. The Data Processor will use reasonable efforts to follow any other Data Controllers instructions aslong as they are required by the Data Protection Laws, applicable to Data Processor, technically feasible and do not require changes to the EGA Service. 3. The Data Processor shall as soon as reasonably possible, inform the Data Controller if the Data Page 3 of 11 Processor believes that any instruction of the Data Controller is in breach of Data Protection Laws, or is otherwise unable to implement it. 4. The Data Processor shall process Personal Data only for the purpose of providing it to the scientific community through the Data Processor. 5. The Data Processor shall implement and maintain appropriate technical and organisational measures as set out in Appendix 2. The Data Controller understands and agrees that these measures are subject to technical progress and development, and the Data Processor is therefore expressly allowed to implement alternative measures provided they maintain or exceed the general security level described in Appendix 2. 6. The Data Processor shall ensure that confidentiality applies to Personal Data and that access is strictly limited to the personnel who have committed themselves to confidentiality and have received appropriate training of their responsibilities. 7. The Data Processor shall not link or combine Personal Data to other information or archived data available in a way that could re-identify research participants. 8. Taking into account the nature of the Processing, Data Processor shall assist Data Controller by appropriate technical and organisational measures, insofar as this is reasonably possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the Data subject's rights laid down in Chapter III of the GDPR. 9. The Data Processor shall keep all of the Personal data secure from any unauthorised or accidental use, access, disclosure, damage, loss or destruction. 10. The Data Processor shall without undue delay after becoming aware of and in accordance with Data Protection Laws, notify the Data Controller of any confirmed incident concerning unauthorized destruction, loss, alteration, disclosure of, or access to Personal data (“Security Incident”) via Data Controllers contact point, shared with the Data Processor at the time of the submission of data. The Data Processor shall together with the notification provide for contact details of the Data Protection Officer or other contact point where more information about the incident can be obtained. 11. Upon request of the Data Controller by way of re-submission, the Data Processor shall delete or return all Personal Data to the Data Controller. 12. The Data Processor shall make available to the Data Controller all information, where necessary and technically feasible, for the Data Controller to demonstrate compliance with its obligations. 13. Data Processor shall assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR, taking into account the nature of the processing and the information available to the Data Processor. 14. Data Processor shall redirect all third party requests regarding Personal Data or information about the Processing activities to the Data Controller, whether the request is made by a Data subject, the Supervisory Authority or any other third party, unless such requests cannot legally be redirected to the Data Controller. 15. Data Processor shall distribute Personal Data submitted by Data Controller only upon decision to grant access to specific dataset(s) made by the relevant DAC. 6. USE OF SUB-PROCESSORS The Data Processor may use one or more Sub-processors to process Personal Data during the course of submission and distribution of Personal Data. The Data Processor must enter into a written Page 4 of 11 agreement with each Sub-processor, requiring the Sub-processor to comply with terms no less protective than these Terms. Sub-processor(s) may only Process Personal Data for the purposes of these Terms. The Data Processor remains responsible for all Sub-processors it uses to carry out the Processing. The Data Processor shall keep record of the list of Sub-processors that will be provided to the Data Controller upon request. Any changes thereof will be notified on Data Processor's website. Unless the Data Processor receives an objection to a change within 30 days of the notification, that change will be deemed approved. In case of Data Controller's objection, both Data Controller and Data Processor shall use all reasonable endeavours in good faith to resolve the objection. 7. DATA CONTROLLER'S RESPONSIBILITIES Data Controller is responsible for ensuring that Personal Data embedded in datasets and transmitted to the Data Processor are pseudonymised and encrypted in transit and at rest. Data Controller is responsible at each time: - to demonstrate the existence of Data subject's informed consent for participation in the research project or any other suitable legal basis for processing Personal Data, - to obtain appropriate ethical or other approvals for collecting Personal Data embedded in the submitted datasets and - to comply with and to be able to demonstrate compliance with applicable Data Protection Laws - to control distribution of Personal Data. 8. AUDIT The Data Processor will contribute to audits conducted by the Data Controller by providing appropriate documentation. In exceptional cases and upon prior agreement with the Data Processor, the Data Controller may conduct on-site inspections. Any direct or indirect cost incurred by the Data Processor through an audit request will need to be reimbursed by the Data Controller, and any on-site inspection will need to be (i) pre-agreed in terms of objective, scope, timing and process, and (ii) without prejudice to the privileges and immunities granted to EMBL. 9. TERM AND TERMINATION This DPA takes effect on the Effective Date, on which the submission of data to the Data Processor will be processed and will remain in effect whilst any part of the Data Controller's data is stored by the Data Processor. It can be terminated by either party with 60 days’ notice, provided that any Personal data provided by the Data Controller will be returned or deleted upon expiration of the notice period. 10. LIABILITY AND INDEMNIFICATION Data Controller shall indemnify and hold harmless the Data Processor from and against any losses, damages and expenses (including without limitation legal fees) awarded against the Data Processor and arising from a claim brought as a result of the Data Controller's breach of its obligations under Page 5 of 11 these Terms or applicable Data Protection Laws (“Claim”); provided, however, that the indemnity shall not extend to any Claim arising from (i) a negligent act or omission of the Data Processor and/or its personnel, (ii) any misconduct by the Data Processor and/or its personnel and/or (iii) any breach of these Terms or applicable Data Protection Laws by the Data Processor. Each Party shall be deemed liable for the damage caused by any of its processing activities that do not comply with its obligations under these Terms and applicable Data Protection Laws. The Data Processor shall be exempt from any liability under the previous paragraph if it proves that it is not in any way responsible for the event giving rise to the damage. 11. DISPUTE RESOLUTION The Parties shall endeavor to settle their disputes amicably. Any controversy or claim arising out of, or relating to, this DPA (including the enforceability or breach thereof, any question regarding its existence, validity or termination) or relating to the EGA Service shall be resolved using the internal dispute resolution mechanisms of EGA including those related to Data Protection. Once those remedies have been exhausted they may be finally resolved by arbitration under the WIPO Expedited Arbitration Rules (“Rules”), which Rules are deemed to be incorporated by reference into this section. Notwithstanding the foregoing, the arbitrator shall not be authorized to award punitive damages with respect to any such claim or controversy, nor shall any party seek punitive damages relating to any matter under, arising out of or relating to this DPA or the EGA Service in any other forum. If any arbitration is commenced by either Party, the substantially prevailing Party in that arbitration or action is entitled to recover from the other Party its attorneys’ fees and costs (including arbitration fees and costs and expert witness fees) incurred in connection therewith. The entire arbitration shall be conducted and concluded in no later than ninety (90) days after service of the arbitration demand, unless the arbitrator has reasonable grounds to extend this deadline, and it may do so without the approval of either party. The extension and the reasoning thereof shall be notified to both parties. A written demand for arbitration must be delivered within one (1) year from the date on which the EGA Services to which the claim relates were provided. Failure to comply with this provision shall be a complete bar to any claim. The place of arbitration will be the legal seat of the defendant party and, in case of a collective claim against EMBL-EBI and CRG, the place of arbitration shall be Barcelona. The language to be used in the arbitral proceedings shall be English, unless otherwise agreed upon, and the governing substantive law to be used shall be of England and Wales. Nothing herein shall be deemed or interpreted as a waiver, express or implied, of any privileges or immunities accorded to EMBL, being one managing party of Data Processor by its constituent documents or international law. 12. DEFINITIONS Unless otherwise agreed or defined in these Terms, all capitalized terms used will have the meanings given to them below: 1. “Data Controller”, “Data Processor”, “Personal Data”, “Processing”, “Genetic data”, “Pseudonymisation” shall have the same meaning as described in the GDPR. 2. “Data Producer” shall mean an organization that collected the samples and generated any Page 6 of 11 associated analyses of the Personal Data, and submitted those data to the Data Processor, either alone or having mandated other institutions to complete the submission. 3. “DAC” means Data Access Committee, a body of one or more individuals, named by the Data Producer, granting data release to external requestors, these being Recipients. 4. “Data Protection Laws”, the GDPR and any national implementing laws, regulations and secondary legislation and any other laws and regulations relating to the processing of Personal Data and privacy which apply to a Party; and, if applicable, the guidance and codes of practice issued by any competent data protection supervisory authority; and for the Data Processor, partly managed by an intergovernmental institution, EMBL`s IP No 68 and any other rules regulating data protection, further provided that any reference to GDPR or any other national implementing law in relation to EMBL is simply for convenience and does not imply a waiver of any privileges and immunities applicable to EMBL. 5. “EGA service” means data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are under Data Processor's control and used to provide its ervices. 6. “EGA Security Standards” means the security standards attached to these Terms as Appendix 2. 7. “Security Incident” means a breach of Data Processors' security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Data Controller`s data on systems managed or otherwise controlled by Joint Data Processors. Security incidents do not include unsuccessful attempts or activities that do not compromise the security of Data Controller`s data (including unsuccessful log-in attempts, pings, port scans, denial of service attacks and other network attacks on system firewalls or networked systems). 8. “Sub-processor” shall mean any processor which the Data Processor engages to carry out specific processing activities on behalf of the Data Processor. 9. “Effective date” means the date on which the Data Controller accepted this DPA. 10. “Recipient” means any natural or legal person, to which the Personal Data are disclosed upon DAC granted access to the data. 11. “Supervisory Authority”; as long as GDPR applies, a supervisory authority of a Member State concerned pursuant to Article 55(2) of the GDPR, for EMBL, the Data Protection committee pursuant to Article 20 of the Internal policy No 68.