In accordance with the terms of the Agreement, this Data Protection Annex applies to and is incorporated into the Agreement to the extent that Ovid Processes any Personal Data about Data Subjects located in the European Economic Area (“EEA”) when performing its obligations under the Agreement.
Capitalized terms used but not defined in this Annex will have the same meanings as set forth in the Agreement. In this Annex, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
“Agreement” means the Ovid Technologies, Inc. Master License Agreement entered into between Ovid and Licensee;
“Data Protection Laws” means the GDPR, as implemented into domestic legislation of each Member State and as amended, replaced, supplemented or superseded from time to time, including by the UK Data Protection Act 2018;
“EEA” means the European Economic Area;
“GDPR” means EEA General Data Protection Regulation 2016/679;
“Licensee Personal Data” means any Personal Data about Data Subjects located in the EEA that is Processed by Ovid as part of the use of the Online Tools under the Agreement and that is provided to Ovid by Licensee or Licensee’s Authorized Users when Licensee or the Authorized Users use the Online Tools;
“Ovid Personal Data” means any Personal Data about Licensee, Licensee’s Authorized Users, or Data Subjects working for Licensee that is obtained by Ovid as part of the administration and performance of its obligations under the Agreement;
“Standard Contractual Clauses” means the contractual clauses set out here;
“Subprocessor” means any person (including any third party but excluding an employee of Ovid or any of its subcontractors) appointed by or on behalf of Ovid to Process Personal Data on Licensee’s behalf in connection with the Agreement.
The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Roles and Scope
2.1 Licensee’s Personal Data. For the purposes of this Annex, to the extent the Online Tools are used to Process Licensee’s Personal Data, the Parties Process such Personal Data as separate Controllers pursuant to or in connection with this Agreement.
2.2 Ovid Personal Data. For the purposes of this Annex, Ovid is a separate Controller of Ovid Personal Data Processed by it.
2.3 International Transfers. Licensee acknowledges that Ovid is located in the United States of America and that Ovid may process Ovid Personal Data and Licensee Personal Data at a destination outside the EEA and that such Ovid Personal Data and Licensee Personal Data may be processed by Ovid personnel or a Processor of Ovid operating outside the EEA in countries that the European Commission has not yet decided offer adequate data protection in accordance with European Union data protection law (“Third Countries”). Where Licensee is located in the EEA, Licensee (as “data exporter”) and Ovid (as “data importer”) hereby enter into the Controller to Controller Standard Contractual Clauses, which are incorporated into, and made part of, the Agreement.
2.4 Assistance. Licensee agrees that Licensee shall provide all information and documents reasonably requested of Licensee by Ovid or Ovid’s representatives to allow Ovid to satisfy its obligations under this Annex and Data Protection Laws relating to Licensee Personal Data and Ovid Personal Data.
3. Processing of Licensee Personal Data
3.1 Licensee’s responsibilities. Licensee shall have sole responsibility for:
(a) ensuring that Licensee Personal Data is Processed lawfully, fairly and in a transparent manner in relation to the Data Subjects, including by ensuring that all necessary fair processing information has been provided in writing to, and all necessary consents obtained from, the Data Subjects in relation to the Processing of such Personal Data by the Parties and by third parties on their behalf.
(b) ensuring that Licensee Personal Data is collected for specified, explicit and legitimate purposes based on legal grounds for Processing as may be required from time to time by applicable Data Protection Laws and not further processed in a manner that is incompatible with those purposes.
3.2 Ovid’s responsibilities. Ovid shall, in determining the extent to which Licensee Personal Data is required in relation to the purposes for which Licensee Personal Data is to be Processed by Ovid, only request Licensee Personal Data that is relevant, adequate and not excessive in accordance with Data Protection Laws. Ovid shall have sole responsibility for using reasonable efforts to ensure that Licensee Personal Data, at the time it is first made available to Licensee or Licensee’s Authorized Users through the Online Tools, accurately reflects the data that Licensee or Licensee’s Authorized Users provided to Ovid. At all times thereafter, Licensee or Licensee’s Authorized Users shall be solely responsible for ensuring that Licensee Personal Data remains accurate and up-to-date in accordance with Data Protection Laws.
3.3 Each Party’s responsibilities. Each Party shall:
(a) ensure that Licensee Personal Data that is in its possession or control is kept for no longer than is necessary for the purposes for which Licensee Personal Data is processed in accordance with Data Protection Laws.
(b) in relation to Licensee Personal Data that is in its possession or control, be responsible for ensuring that Licensee Personal Data is Processed in a manner that ensures appropriate security of Licensee Personal Data including protection against Personal Data Breaches as required by Data Protection Laws.
(c) in relation to Licensee Personal Data, inform the other Party without undue delay after it becomes aware of any Personal Data Breach in relation to Licensee Personal Data that was in its possession or control, providing a clear description of the nature of the breach and the information referred to in Article 33(3)(a)-(d) of the GDPR as soon as it becomes available. In addition, each Party shall consult in good faith with the other and provide the other with assistance, information and cooperation in the investigation, notification, mitigation and remediation of each such Personal Data Breach. While Ovid may take any information provided by Licensee into account, only Ovid shall determine the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant Supervisory Authorities in connection with a Personal Data Breach in relation to Licensee Personal Data.
Except to the extent that this Section 3 (Processing of Licensee Personal Data) allocates responsibility for compliance with particular provisions of Data Protection Laws to a particular Party, each Party shall comply with its respective obligations under Data Protection Laws in relation to Licensee Personal Data.
4. Processing of Ovid Personal Data
4.1 Use of Ovid Personal Data. Ovid may process such Ovid Personal Data for the following purposes:
(a) managing and making decisions about this Agreement and any matters (such as invoicing and fee arrangements) arising in connection with this Agreement;
(b) communicating with Licensee and the Data Subjects that work for Licensee in relation to matters arising under or in connection with the Agreement and in connection with services that Ovid may offer from time to time;
(c) complying with regulatory and legal obligations to which Ovid is subject;
(d) establishing, exercising and defending legal rights and claims;
(e) client relationship management purposes;
(f) risk management and quality reviews;
(g) improving the content of its database, marketing, advertising, sending reports to Licensee, or conducting research; and
(h) Ovid’s internal financial accounting, information technology and other administrative support services
(collectively, “Processing Purposes”).
Licensee will ensure that (i) there is no prohibition or restriction in relation to Ovid’s use thereof that would prevent or restrict Ovid from Processing the Ovid Personal Data for the Processing Purposes; and (ii) Licensee has obtained all necessary consents, provided all necessary notices and done all other things required under Data Protection Laws to disclose the Ovid Personal Data to Ovid to enable Ovid to process it in connection with the Processing Purposes as a separate Controller.
5. General Terms
5.1 Governing law and Jurisdiction. The Parties to this Annex hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Annex, including disputes regarding its existence, validity or termination or the consequences of its nullity and this Annex and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
5.2 Severance; Order of Precedence. Should any provision of this Annex be invalid or unenforceable, then the remainder of this Annex shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. In the event of a conflict or discrepancy between this Data Protection Annex and any term of the Agreement, this Data Protection Annex shall take precedence.