Whole Genome DNA Methylation

DATA TRANSFER AGREEMENT

DATA TRANSFER AGREEMENT BETWEEN Institut Curie State-approved non-profit foundation 26, rue d'Ulm - 75005 Paris Represented by Prof Thierry PHILIP, Chairman of the Executive Board, and by delegation Mr Julien Guérin, Chief Data Officer, duly authorized. Hereinafter referred to as "INSTITUT CURIE ON THE ONE HAND, AND […] Hereinafter referred to as the "RECIPIENT” ON THE OTHER HAND, INSTITUT CURIE and RECIPIENT are hereinafter referred to individually as the "PARTY" and collectively as the "PARTIES". IT IS PREVIOUSLY STATED THAT Institut Curie is a foundation recognised as of public interest, which develops (i) fundamental and applied scientific research in physics, chemistry, biology, radiobiology and medicine, to have science serve humankind to help fight disease, particularly cancer; and (ii) existing or future medical equipment necessary to this purpose. The RECIPIENT is […] The RECIPIENT wishes to undertake research on uveal melanoma hereinafter referred to as the "RESEARCH", the details of which are set out in Appendix 1. In order to carry out the RESEARCH, the RECIPIENT wishes to obtain access to personal data from the INSTITUT CURIE as defined below. The PARTIES have therefore decided to enter into this agreement (the "AGREEMENT") to define their respective roles in the processing of personal data. IT HAS THEREFORE BEEN AGREED AND DETERMINED AS FOLLOWS Article 1 - Definitions "DATABASE": means the database, within the meaning of Article L. 112-3 of the French Intellectual Property Code, created by the INSTITUT CURIE, containing the DATA made available as part of the RESEARCH in accordance with the terms of the AGREEMENT. "DATA" means the personal information as listed below and grouped in the DATABASE. "CONFIDENTIAL INFORMATION" means all documents, data, software, databases, results, all information, in whatever form and of whatever nature, regardless of the medium used for their communication, by whatever means, whether patentable or not, disclosed by one PARTY to the other PARTY under the AGREEMENT. The DATABASE and the DATA sent by INSTITUT CURIE are CONFIDENTIAL INFORMATION of INSTITUT CURIE. "CONTROLLER", within the meaning of the GDPR, is the person "who, alone or jointly with others, determines the purposes and means of the processing". "RESULTS": refers to all results obtained during the course of the RESEARCH, studies, analyses, specifications, databases, know-how, software, patents, information, regardless of their nature, form and medium developed and whether or not they are protected or protectable by an intellectual property right and/or title. Article 2 - Purpose of the AGREEMENT The purpose of the AGREEMENT is to define the conditions under which the INSTITUT CURIE transfers the DATA to the RECIPIENT for the performance of the RESEARCH. In the context of their contractual relationship, the PARTIES undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable as from 25 May 2018 (hereinafter, "RGPD"), as well as any national regulations made in its application. The definitions of terms in Article 4 of the GDPR shall apply by operation of law. Article 3 - Qualification of the PARTIES in the processing of DATA INSTITUT CURIE and the RECIPIENT are independent PROCESSORS of the DATA within the meaning of Article 26 of the GDPR. As such, they determine separately the means and purposes of their respective processing. The INSTITUT CURIE is designated as the "SENDER" of the data. The RECIPIENT is referred to as the "RECIPIENT" of the data. Article 3 - Description of the processing operations The RECIPIENT is authorized to process the DATA provided by the SENDER necessary to carry out the RESEARCH. The nature of the operations carried out on the DATA by the SENDER is: Make available the DATA. The nature of the operations carried out on the data by the RECIPIENT is: recording, structuring, modification, extraction, consultation, conservation, use, destruction. The purpose of the processing is to carry out the RESEARCH described in Appendix 1. Under no circumstances shall the RECIPIENT be authorised to process the DATA for any other purpose than that mentioned above. The DATA processed are: […] The RECIPIENT shall refrain from proceeding, or attempting to proceed, with the re-identification of the persons concerned by any means whatsoever. The categories of persons concerned are the patients of the INSTITUT CURIE. Article 4 - Obligations of the SENDER towards the RECIPIENT The SENDER undertakes to : a. Make available the DATA to the RECIPIENT; b. to ensure, beforehand and throughout the duration of the processing, that the RECIPIENT complies with the obligations provided for by the RGPD. Article 5 - General obligations of the RECIPIENT The RECIPIENT agrees to: 1. process the DATA only for the sole purpose(s) specified in the "Description of processing" article; 2. guarantee the confidentiality of the DATA processed under this AGREEMENT ; 3. ensure that persons authorized to process DATA under this AGREEMENT : o are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality; o receive the necessary training in the protection of personal data ; 4. take into account the principles of data protection by design and data protection by default for its tools, products, applications or services. 5. Subcontracting : The RECIPIENT may use a subcontractor (hereinafter, "SUBCONTRACTOR") to carry out specific processing activities subject to obtaining the specific and express prior consent of the SENDER. The RECIPIENT shall inform the SENDER in advance and in writing of any contemplated change concerning the addition or replacement of SUBCONTRACTORS. This information must clearly indicate the processing activities for which subcontracting is envisaged, the identity and contact details of the SUBCONTRACTOR and the expected duration of the subcontract. No authorised subcontracting shall be tacit. The SUBCONTRACTOR is required to fulfil the obligations of the AGREEMENT on behalf of and in accordance with the instructions of the SENDER. It is the RECIPIENT's responsibility to ensure that the SUBCONTRACTOR presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the RGPD. The RECIPIENT shall remain fully responsible to the SENDER for the performance by the SUBCONTRACTOR of its obligations. 6. Right to information of data subjects It is the SENDER's responsibility to provide information to the persons concerned by the processing operations at the time of data collection. 7. Exercising the rights of individuals Unless technical impossibility to be demonstrated by the RECIPIENT, the latter shall assist the SENDER in fulfilling its obligation to comply with the requests for exercising the rights of the data subjects: right of access, rectification, erasure and opposition, right to the limitation of the processing, right to the portability of the data, right not to be subject to an automated individual decision (including profiling). Where data subjects make requests to the RECIPIENT to exercise their rights, the RECIPIENT shall send such requests immediately upon receipt by e-mail to dpo@curie.fr; 8. Notification of personal data breaches The RECIPIENT shall notify the SENDER of any personal data breach within a maximum of twenty-four (24) hours after having become aware of it by writing to dpo@curie.fr. This notification shall be accompanied by all useful documentation in order to allow the SENDER, if necessary, to notify this breach to the competent control authority and possibly to the persons concerned. The notification made by the RECIPIENT to the SENDER shall at least describe : • The nature of the breach, including, if possible, the categories and approximate number of individuals affected by the breach, and the approximate number of data records affected; • The name and contact details of the Data Protection Officer, or failing that another contact point from which information can be obtained; • The likely consequences of the violation; • The measures taken or proposed to be taken by the RECIPIENT to remedy the said violation, including, where appropriate, measures to mitigate any negative consequences. 9. Assistance of the RECIPIENT in the framework of the SENDER's compliance with its obligations The RECIPIENT shall assist the SENDER in carrying out data protection impact assessments. The RECIPIENT shall assist the SENDER in carrying out the prior consultation with the supervisory authority. 10. Security measures The RECIPIENT undertakes, prior to any processing of the DATA, to implement all security measures appropriate to the risk, allowing in particular: o Ensure the continued confidentiality, integrity, availability and resilience of DATA processing systems and services; o To preserve the confidentiality, integrity, availability and resilience of the DATA, in particular to prevent it from being distorted, damaged or communicated to persons not authorized by the SENDER ; o Restore availability and access to DATA in a timely manner in the event of a physical, logical or technical incident. The RECIPIENT undertakes to implement the security measures provided for in its security policy and at least the following technical and organisational measures: - Physical access control - System access control - Data access control - Disclosure Control - Input control - Order control - Availability check - Control of separations The RECIPIENT undertakes to implement a procedure to regularly test, analyse and evaluate the effectiveness of the technical and organisational measures to ensure the security of the data and the processing, taking into account in particular the risks presented by the latter. When assessing the appropriate level of security, the RECIPIENT shall take into account in particular the risks that the processing operation(s) presents, which may result from the loss, destruction, alteration, unauthorised disclosure of or access to data transmitted, stored or otherwise processed, whether accidental or unlawful. 11. Data Output At the latest ten (10) working days after the end of the AGREEMENT, and for whatever reason, the RECIPIENT shall proceed, according to the SENDER's choice, to the restitution and/or destruction of all DATA in its possession or that of its authorized SUBCONTRACTORS. In the event of destruction requested by the SENDER, the RECIPIENT shall provide written proof thereof, without prejudice to any retention of personal data that may be required by applicable law. In the latter case, the RECIPIENT guarantees that he will ensure the confidentiality of the stored data files and that he will no longer actively process them. The SENDER then reserves the right to proceed to any verification which would seem useful to him to note the compliance of the RECIPIENT with his obligations at the end of the AGREEMENT. 12. Data Protection Officer The RECIPIENT shall inform the SENDER of the name and contact details of its data protection officer, if it has appointed one in accordance with Article 37 of the European Data Protection Regulation: […] The SENDER shall communicate to the RECIPIENT the name and contact details of its data protection officer: Astrid LANG, dpo@curie.fr. Any change in the Data Protection Officer shall be communicated in a timely manner in writing to the other Party. 13. Register of categories of processing activities The RECIPIENT represents that it maintains a written record of all categories of processing activities performed hereunder including: o the name and contact details of the SENDER, any SUBCONTRACTORS and, where applicable, the data protection officer; o the categories of processing carried out in the context of the present ; o where appropriate, transfers of personal data to a third country or to an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the European Data Protection Regulation, the documents attesting to the existence of appropriate safeguards ; o a general description of the technical and organizational security measures. 14. Documentation The RECIPIENT shall make available to the SENDER the documentation necessary to demonstrate compliance with all of its obligations in order to allow audits, including inspections, to be carried out by the SENDER or another auditor appointed by it, and to contribute to such audits. Article 6 - Audit rights The SENDER may, when it so wishes, audit the RECIPIENT's compliance with its obligations, in particular those relating to: - Compliance of processing with security policies ; - Maintaining appropriate security measures to ensure the protection, integrity and resilience of personal data; - Data processing and storage locations ; - Data transfers ; - Fighting data breaches. The RECIPIENT undertakes, on his own behalf and on behalf of the authorised SUBCONTRACTORS, to allow, throughout the duration of the AGREEMENT, audits, including inspections, to be carried out by the SENDER or by any other auditor he may have appointed. The RECIPIENT therefore undertakes to cooperate and collaborate fully in such audits, and undertakes to ensure that its SUBCONTRACTORS comply with these provisions. This obligation to cooperate implies in particular allowing access to all reasonably necessary information, as well as to the sites, premises, personnel, physical and technical environments, software, documentation, data, systems and registers relating to the processing of personal data entrusted to it under the AGREEMENT. These audits may be carried out, subject to ten (10) working days' notice, on site or on the premises. All costs and expenses incurred by the RECIPIENT or the SENIOR in connection with any audits of the SENIOR shall be borne by the SENIOR upon justification, unless the audit reveals a non-compliance of the RECIPIENT or its SUBCONTRACTORS. In this case, the whole of the audit costs will be borne by the RECIPIENT, without prejudice to any damages to which the SENDER could claim otherwise. Article 7 - Place of data processing The RECIPIENT undertakes not to disclose, make accessible or transfer any data to any entity or SUBCONTRACTOR established in a country outside the European Union (EU) and not presenting a level of data protection deemed sufficient, except with the prior written consent of the SENDER, and in a framework presenting adequate safeguards and complying with the requirements of the GDPR. In the event that after express consent of the SENDER the DATA is transferred outside the European Economic Area (EEA), or to a country whose level of data protection is not deemed adequate, the RECIPIENT shall ensure that appropriate and compliant safeguards allowing such transfer are put in place. Appropriate safeguards are provided in particular where the RECIPIENT or a SUBCONTRACTOR has entered into the "standard" data protection clauses adopted by the European Commission under the review procedure stipulated in Article 93 (2) of the GDPR ("standard contractual clauses"). The SENDER reserves the right to carry out any verification it deems necessary in order to ensure the proper performance of the obligations arising from this article. Where the transfer of personal data is necessary to respond to requests from judicial or administrative authorities in countries outside the EEA, the RECIPIENT undertakes to ensure that such transfer is based on an international agreement, such as a mutual legal assistance treaty, between the third country and the European Union or a Member State. Upon receipt of such a request, the RECIPIENT shall inform the SENDER without delay and shall obtain the SENDER's prior express consent, unless the law concerned prohibits such information. Article 8: Confidentiality Each PARTY undertakes to maintain the confidentiality of the CONFIDENTIAL INFORMATION transmitted by a Party during the term of the AGREEMENT and for five (5) years after its expiration or completion. However, in the event that the CONFIDENTIAL INFORMATION relates to know-how, such know-how shall be kept confidential by the Party that received it, until such time as the Party that owns it decides to place it in the public domain. The DATA shall remain confidential for the period of time imposed by the applicable regulations. The Party receiving CONFIDENTIAL INFORMATION from the other Party agrees that the CONFIDENTIAL INFORMATION it receives: - be protected and kept strictly confidential and be treated with the same degree of care and protection as it accords to its own CONFIDENTIAL INFORMATION ; - be disclosed internally only to members of its staff who need to know it for the purposes of carrying out the RESEARCH and be used by them only in the context of the AGREEMENT; - not be used, in whole or in part, for any purpose other than that defined in the SEARCH, without the prior written consent of the disclosing PARTY; - not be transmitted to third parties by any means without the prior written consent of the disclosing PARTY. In the event of disclosure of CONFIDENTIAL INFORMATION to a third party expressly authorised by the disclosing PARTY, the receiving PARTY shall ensure in advance that such third party is bound by obligations of confidentiality at least as stringent as this Article. The receiving PARTY shall remain responsible for the third party's compliance with the confidentiality obligations. The Party receiving CONFIDENTIAL INFORMATION shall have no obligation and shall not be subject to any restriction with respect to CONFIDENTIAL INFORMATION received from the other Party for which it can provide evidence: - that it was publicly available prior to or after disclosure, but in this case in the absence of any wrongdoing or fraud attributable to it; - they are already known to it, without any obligation of confidentiality, such prior knowledge being demonstrated by the existence of appropriate documents in its files ; - that it has been independently developed by that Party and in the absence of any use of the CONFIDENTIAL INFORMATION provided by the other Party; - that they have been received from a third party, in a lawful manner, without restrictions or violation of these provisions; - that the use or disclosure has been authorized in writing by the owning PARTY; - the disclosure of the CONFIDENTIAL INFORMATION has been compelled by the application of a mandatory legal or regulatory provision or by the application of a final court decision. Nevertheless, in the latter cases, the liability of the Party that was compelled to disclose the CONFIDENTIAL INFORMATION may be engaged if one of the following conditions has not been met: o the disclosure of the information shall be subject to prior written notice to the disclosing Party of the obligation to disclose, so that the disclosing Party has sufficient time to object or to limit the scope of the disclosure, if any; o The PARTY will have to limit the disclosure to what was strictly necessary to meet their obligations. It is expressly agreed between the PARTIES that the disclosure by the PARTIES to each other of CONFIDENTIAL INFORMATION under the AGREEMENT shall in no way be construed as conferring any right (whether by license or otherwise) in such CONFIDENTIAL INFORMATION on the receiving PARTY. Article 9: Intellectual Property - Use of name/logo 9.1 The DATABASE, including the associated intellectual property rights, is the property of INSTITUT CURIE. In no event shall the AGREEMENT be construed as conferring upon the RECIPIENT any right, title or interest in the DATABASE. The AGREEMENT does not confer upon the RECIPIENT any right, title or interest in the DATA, but only a limited right to use the DATA for the sole purpose of conducting the RESEARCH. The RECIPIENT shall not describe or claim the DATABASE and/or the DATA in any patent application or any intellectual property right/title. The AGREEMENT does not restrict the right of the INSTITUT CURIE to transfer the DATABASE and/or the DATA to a third party or to grant any third party rights to the DATABASE and/or the DATA. The transfer of the DATABASE and the DATA by the INSTITUT CURIE to the RECIPIENT shall not constitute a sale of the DATABASE and the DATA, nor shall it constitute an option or license to any rights or interests therein. INSTITUT CURIE shall not be obliged to grant any license to RECIPIENT. 9.2 The RESULTS are owned by the RECIPIENT. 9.3 Each PARTY undertakes not to use the name and logo of the other PARTY, or the name and logo of their employees or those on whose behalf they are acting, without their prior written consent. Article 10: Publications 10.1 The RECIPIENT agrees to submit to the INSTITUT CURIE for review the draft of any proposed publication relating to the RESEARCH prior to its first submission for publication, at least thirty (30) days in advance in the case of a manuscript and at least seven (7) days in advance in the case of an abstract. 10.2 Neither INSTITUT CURIE nor RECIPIENT shall deposit for oral or written publication any manuscript, abstract, etc., containing CONFIDENTIAL INFORMATION or other information generated and provided by the other PARTY without obtaining the prior written consent of such other PARTY, which consent shall not be unreasonably withheld. 10.3 The contribution of each of the PARTIES (including the provision of DATA by the INSTITUT CURIE) shall be acknowledged in all publications or presentations. Where appropriate, mention of co-authorship shall be discussed in good faith between the PARTIES. Article 11: Duration - Termination/Cancellation 11.1 The AGREEMENT shall come into force on the date of the last signature of the Parties and shall remain in force until the end of the RESEARCH and no later than […]. The AGREEMENT may be extended by means of an amendment concluded between the PARTIES. 11.2 For greater certainty, for the purposes of this Article, the effects of termination may be those of a rescission. 11.3 The AGREEMENT may be terminated by one of the PARTIES by operation of law in the event of non-performance by the other PARTY of any of its obligations under the AGREEMENT or of a default by the other PARTY. This termination shall only become effective one (1) month after the complainant PARTY(S) has sent a registered letter with acknowledgement of receipt setting out the reasons for the dispute, unless, within this period, the defaulting PARTY has fulfilled its obligations or has provided proof of an impediment resulting from an event of force majeure. 11.4 The exercise of this right of termination shall not relieve the defaulting PARTY from fulfilling the obligations entered into until the date on which the termination takes effect. This shall not deprive the complaining PARTY of the right to claim damages for any losses it may have suffered as a result of the early termination of the AGREEMENT or the non-performance and/or default of the other PARTY. 11.5 In the event of early termination or cancellation for any reason whatsoever of the AGREEMENT or upon its expiry, the RECIPIENT shall cease to use the DATABASE and the DATA and shall return the remaining DATABASE and the DATA or destroy them (where applicable in accordance with the applicable legislation), at its own expense, upon instruction from the INSTITUT CURIE, and shall justify such destruction in writing. Article 12 - Warranty - Liability 12.1 The RECIPIENT acknowledges that no express or implied warranty of any kind whatsoever is given by the INSTITUT CURIE on the DATABASE and the DATA, in particular with regard to their fitness for a particular purpose. 12.2 The RECIPIENT acknowledges that no express or implied warranty of any kind whatsoever is granted by INSTITUT CURIE on the RESULTS, in particular as to their suitability for a particular purpose. Furthermore, INSTITUT CURIE does not guarantee that the use of the DATABASE and/or the DATA and/or the RESULTS does not infringe the intellectual property rights of third parties. 12.3 The RECIPIENT acknowledges and warrants that any use of the DATABASE and the DATA is solely his or her own responsibility, without INSTITUT CURIE, its agents, officers and employees being associated with or incurring any liability whatsoever in connection with such use. The RECIPIENT acknowledges and warrants that any use of the RESULTS shall be the sole responsibility of the RECIPIENT and that INSTITUT CURIE, its agents, officers and employees shall not be associated with or incur any liability whatsoever in connection with the use, dissemination and exploitation of the RESULTS. 12.4 The RECIPIENT shall indemnify, defend and hold harmless INSTITUT CURIE and its officers, agents and employees from and against any and all liability, loss or damage that they may incur as a result of any claims, demands, costs or judgments against them arising out of or in connection with the RESEARCH. 12.5 The RECIPIENT undertakes to use the DATABASE and the DATA in accordance with the regulations, standards and good practices applicable to the DATABASE and the DATA, in particular during the use, storage, transfer and destruction of the DATABASE and the DATA. 12.6 The RECIPIENT warrants that he/she has obtained, prior to the start of the RESEARCH, all necessary authorisations for the RESEARCH and the processing of the DATABASE and the DATA. 12. 7 The provisions of this Article shall remain in force notwithstanding the expiry or termination of the AGREEMENT. Article 13: Applicable law 13.1 The AGREEMENT is governed by French law. 13.2 The PARTIES shall endeavour to resolve amicably any disputes that may arise under the AGREEMENT within a period of three (3) months from the notification sent by the most diligent PARTY. In the event of persistent disagreement, the courts of Paris shall have exclusive jurisdiction. INSTITUT CURIE Julien GUERIN Chief Data Officer Date : THE RECIPIENT ……………. ……………. Date : APPENDIX 1 : RESEARCH PROJECT Details of dataset requested i.e., EGA Study and Dataset Accession Number Brief abstract of the Project in which the Data will be used (500 words max)