In accordance with the terms of the Agreement, this Data Protection Annex applies to and is incorporated into the Agreement to the extent that Ovid Processes any Personal Data about Data Subjects located in the European Economic Area (“EEA”) or the United Kingdom (“UK”) when performing its obligations under the Agreement.
1. Definitions
Capitalized terms used but not defined in this Annex will have the same meanings as set forth in the Agreement. In this Annex, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
| “Agreement” | means the Ovid Technologies, Inc. Master Subscription Agreement, Master License Agreement, Online License Agreement or other applicable agreement, entered into between Ovid (or its applicable affiliate) and Subscriber; |
| “Data Protection Laws” | means the EU GDPR and any applicable national laws made under it, and the UK GDPR where applicable; |
| “EEA” | means the European Economic Area; |
| “EU GDPR” | means EU General Data Protection Regulation 2016/679 and any applicable national laws made under it; |
| "EU Standard Contractual Clauses" | means the MODULE ONE, Controller to Controller, European Commission standard contractual clauses set out in https://www.ovid.com/standard-contractual-clauses; |
| “Ovid Personal Data” | means any Personal Data about Subscriber, Subscriber’s Authorized Users, or Data Subjects working for Subscriber that is obtained by Ovid as part of the administration and performance of its obligations under the Agreement; |
| “Retained EU Law” | means as defined in the European Union (Withdrawal) Act 2018; |
| “Subprocessor” | means any person (including any third party but excluding an employee of Ovid or any of its subcontractors) appointed by or on behalf of Ovid to Process Personal Data on Subscriber’s behalf in connection with the Agreement. |
| “Subscriber” | means the Subscriber or Licensee, as applicable, under the Agreement; |
| “Subscriber Personal Data” | means any Personal Data about Data Subjects located in the EEA or the UK that is Processed by Ovid as part of the use of the Online Tools under the Agreement and that is provided to Ovid by Subscriber or Subscriber’s Authorized Users when Subscriber or the Authorized Users use the Online Tools; |
| “UK GDPR” | means the UK Data Protection Act 2018 (“DPA 18”) and the EU GDPR as it forms part of Retained EU Law; |
| “UK Model Clauses” | means the UK data transfer addendum to the EU Standard Contractual Clauses adopted by the UK Information Commissioner’s Office under UK law (as amended, superseded or replaced from time to time). |
The terms, "European Commission", "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Processor" and "Supervisory Authority" shall have the same meaning as in the EU GDPR, and their cognate terms shall be construed accordingly.
Where there is a reference to a specific article or provision of the EU GDPR such reference shall be taken to include (and extend to) any equivalent provision or obligation set out in the UK GDPR as applicable.
The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. ROLES AND SCOPE.
2.1 Subscriber’s Personal Data. For the purposes of this Annex, to the extent the Online Tools are used to Process Subscriber’s Personal Data, the Parties Process such Personal Data as separate Controllers pursuant to or in connection with this Agreement.
2.2 Ovid Personal Data. For the purposes of this Annex, Ovid is a separate Controller of Ovid Personal Data Processed by it.
2.3 International Transfers. Subscriber acknowledges that Ovid is located in the United States of America and that Ovid may process Ovid Personal Data and Subscriber Personal Data at a destination outside the EEA or UK and that such Ovid Personal Data and Subscriber Personal Data may be processed by Ovid personnel or a Processor of Ovid operating outside the EEA or UK in countries that the European Commission (or in relation to the UK, the UK Government) has not yet decided offer adequate data protection in accordance with European Union data protection law (“Third Countries”). Where Subscriber is located in the EEA and/or the UK, Subscriber (as “data exporter”) and Ovid (as “data importer”) hereby enter into the EU Standard Contractual Clauses, and/or the UK Model Clauses as applicable, which are incorporated into, and made part of, the Agreement. The UK Model Clauses are determined by reference to the Annexes to the EU Standard Contractual Clauses (which identifies the specifics of the transfer). Table 4 and section 19 of the UK Model Clauses does not apply, and the relevant UK Model Clauses may not be terminated in the event that the UK Information Commissioner’s Office issues a revised UK data transfer addendum, without prejudice to other termination rights.
2.4 Assistance. Subscriber agrees that Subscriber shall provide all information and documents reasonably requested of Subscriber by Ovid or Ovid's representatives to allow Ovid to satisfy its obligations under this Annex and Data Protection Laws relating to Subscriber Personal Data and Ovid Personal Data.
3. PROCESSING OF SUBSCRIBER PERSONAL DATA
3.1 Subscriber’s responsibilities. Subscriber shall have sole responsibility for:
1. Ensuring Subscriber Personal Data is Processed in accordance with the applicable Data Protection Laws, including:
(a) ensuring that Subscriber Personal Data is Processed lawfully, fairly and in a transparent manner in relation to the Data Subjects, including by ensuring that all necessary fair processing information has been provided in writing to, and all necessary consents obtained from, the Data Subjects in relation to the Processing of such Personal Data by the Parties and by third parties on their behalf.
(b) ensuring that Subscriber Personal Data is collected for specified, explicit and legitimate purposes based on legal grounds for Processing as may be required from time to time by applicable Data Protection Laws and not further processed in a manner that is incompatible with those purposes.
3.2 Ovid's responsibilities. Ovid shall, in determining the extent to which Subscriber Personal Data is required in relation to the purposes for which Subscriber Personal Data is to be Processed by Ovid, only request Subscriber Personal Data that is relevant, adequate and not excessive in accordance with the applicable Data Protection Laws. Ovid shall have sole responsibility for using reasonable efforts to ensure that Subscriber Personal Data, at the time it is first made available to Subscriber or Subscriber’s Authorized Users through the Online Tools, accurately reflects the data that Subscriber or Subscriber’s Authorized Users provided to Ovid. At all times thereafter, Subscriber or Subscriber’s Authorized Users shall be solely responsible for ensuring that Subscriber Personal Data remains accurate and up-to-date in accordance with the applicable Data Protection Laws.
3.3 Each Party’s responsibilities. Each Party shall:(a) ensure that Subscriber Personal Data that is in its possession or control is kept for no longer than is necessary for the purposes for which Subscriber Personal Data is processed in accordance with the applicable Data Protection Laws.
(b) in relation to Subscriber Personal Data that is in its possession or control, be responsible for ensuring that Subscriber Personal Data is Processed in a manner that ensures appropriate security of Subscriber Personal Data including protection against Personal Data Breaches as required by the applicable Data Protection Laws.
(c) in relation to Subscriber Personal Data, inform the other Party without undue delay after it becomes aware of any Personal Data Breach in relation to Subscriber Personal Data that was in its possession or control, providing a clear description of the nature of the breach and the information referred to in Article 33(3)(a)-(d) of the EU GDPR as soon as it becomes available. In addition, each Party shall consult in good faith with the other and provide the other with assistance, information and cooperation in the investigation, notification, mitigation and remediation of each such Personal Data Breach. While Ovid may take any information provided by Subscriber into account, only Ovid shall determine the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant Supervisory Authorities in connection with a Personal Data Breach in relation to Subscriber Personal Data.
Except to the extent that this Section 3 (Processing of Subscriber Personal Data) allocates responsibility for compliance with particular provisions of Data Protection Laws to a particular Party, each Party shall comply with its respective obligations under Data Protection Laws in relation to Subscriber Personal Data.
4. PROCESSING OF OVID PERSONAL DATA
4.1 Use of Ovid Personal Data. Ovid may process such Ovid Personal Data for the following purposes:
(a) to make certain features of the Online Tools available to Subscriber and its Authorized Users,
(b) at an Authorized User's request, to disclose such information to accredited organizations to redeem such Authorized User's accumulated continuing medical education credits,
(c) managing and making decisions about this Agreement and any matters (such as invoicing and fee arrangements) arising in connection with this Agreement;
(d) communicating with Subscriber and the Data Subjects that work for Subscriber in relation to matters arising under or in connection with the Agreement and in connection with services that Ovid may offer from time to time;
(e) to ensure compliance with applicable conditions of use (as set forth in the Master Subscription Agreement), laws, and/or regulations,
(f) establishing, exercising and defending legal rights and claims;
(g) client relationship management purposes;
(h) to provide support for Subscriber and its Authorized Users,
(i) risk management and quality reviews;
(j) to improve or modify the Online Tools and to create derivative or new products and services; marketing; advertising; sending reports to Subscriber and its Authorized Users, or conducting research; and
(k) Ovid's internal financial accounting, information technology, system administration, and other administrative support services
(collectively, "Processing Purposes").
Subscriber will ensure that (i) there is no prohibition or restriction in relation to Ovid's use thereof that would prevent or restrict Ovid from Processing the Ovid Personal Data for the Processing Purposes; and (ii) Subscriber has obtained all necessary consents, provided all necessary notices and done all other things required under the applicable Data Protection Laws to disclose the Ovid Personal Data to Ovid to enable Ovid to process it in connection with the Processing Purposes as a separate Controller.
5. GENERAL TERMS.
5.1 Governing law and Jurisdiction. Except to the extent set out otherwise in the EU Standard Contractual Clauses and the UK Model Clauses, and as necessary to comply with Data Protection Law, the Parties to this Annex hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Annex, including disputes regarding its existence, validity or termination or the consequences of its nullity and this Annex and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
5.2 Severance; Order of Precedence. Should any provision of this Annex be invalid or unenforceable, then the remainder of this Annex shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. In the event of a conflict or discrepancy between (i) this Data Protection Annex and any term of the Agreement, this Data Protection Annex shall take precedence (ii) the EU Standard Contractual Clauses or and the provisions of the Data Protection Annex, the EU Standard Contractual Clauses shall prevail (iii) this Protection Annex and the UK Model Clauses, the UK Model Clauses shall prevail.