In accordance with the terms of the Agreement, this Data Protection Annex applies to and is incorporated into the Agreement to the extent that UpToDate Processes any Personal Data about Data Subjects located in the European Economic Area ("EEA") when performing its obligations under the Agreement.
1. Definitions. Capitalized terms used but not defined in this Annex will have the same meanings as set forth in the Agreement. In this Annex, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- "Your Personal Data" means any Personal Data about Data Subjects located in the EEA that is Processed by UpToDate as part of the use of the Licensed Materials under the Agreement and that is provided to UpToDate by You or Your Authorized Users when You or they use the Licensed Materials;
- "UpToDate Personal Data" means any Personal Data about You, Your Authorized Users, or Data Subjects working for You that is obtained by UpToDate as part of the administration and performance of its obligations under the Agreement;
- "Data Protection Laws" means the GDPR, as implemented into domestic legislation of each Member State and as amended, replaced, supplemented or superseded from time to time, including by the UK Data Protection Act 2018;
- "EEA" means the European Economic Area;
- "GDPR" means EEA General Data Protection Regulation 2016/679;
- "Agreement" means the UpToDate, Inc. Subscription and License Terms entered into between UpToDate, Inc. and You;
- "Standard Contractual Clauses" means the contractual clauses set out in https://www.uptodate.com/home/standard-contractual-clauses;
- means any person (including any third party but excluding an employee of UpToDate or any of its subcontractors) appointed by or on behalf of UpToDate to Process Personal Data on Your behalf in connection with the Agreement.
The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. ROLES AND SCOPE.
2.1 Your Personal Data. For the purposes of this Annex, to the extent the Licensed Materials are used to Process Your Personal Data, the parties Process such Personal Data as separate Controllers pursuant to or in connection with this Agreement.
2.2 UpToDate Personal Data. For the purposes of this Annex, UpToDate is a separate Controller of UpToDate Personal Data Processed by it.
2.3 International Transfers. You acknowledge that UpToDate is located in the United States of America and that UpToDate may process UpToDate Personal Data and Your Personal Data at a destination outside the EEA and that such UpToDate Personal Data and Your Personal Data may be processed by UpToDate personnel or a Processor of UpToDate operating outside the EEA in countries that the European Commission has not yet decided offer adequate data protection in accordance with European Union data protection law ("Third Countries"). Where You are located in the EEA, You (as "data exporter") and UpToDate (as "data importer") hereby enter into the Controller to Controller Standard Contractual Clauses, which are incorporated into, and made part of, the Agreement.
2.4 Assistance. You agree that You shall provide all information and documents reasonably requested of You by UpToDate or UpToDate's representative(s) to allow UpToDate to satisfy its obligations under this Annex and Data Protection Laws relating to Your Personal Data and UpToDate Personal Data.
3. PROCESSING OF YOUR PERSONAL DATA
3.1 Your responsibilities. You shall have sole responsibility for:
- ensuring that Your Personal Data is Processed lawfully, fairly and in a transparent manner in relation to the Data Subjects, including by ensuring that all necessary fair processing information has been provided in writing to, and all necessary consents obtained from, the Data Subjects in relation to the Processing of such Personal Data by the parties and by third parties on their behalf.
- ensuring that Your Personal Data is collected for specified, explicit and legitimate purposes based on legal grounds for Processing as may be required from time to time by applicable Data Protection Laws and not further processed in a manner that is incompatible with those purposes.
3.2 UpToDate's responsibilities. UpToDate shall, in determining the extent to which Your Personal Data is required in relation to the purposes for which Your Personal Data is to be Processed by UpToDate, only request Your Personal Data that is relevant, adequate and not excessive in accordance with Data Protection Laws. UpToDate shall have sole responsibility for using reasonable efforts to ensure that Your Personal Data, at the time it is first made available to You or Your Authorized Users through the Licensed Materials, accurately reflects the data that You or Your Authorized Users provided to UpToDate. At all times thereafter, You or Your Authorized Users shall be solely responsible for ensuring that Your Personal Data remains accurate and up-to-date in accordance with Data Protection Laws.
3.3 Each party's responsibilities. Each party shall:
- ensure that Your Personal Data that is in its possession or control is kept for no longer than is necessary for the purposes for which Your Personal Data are processed in accordance with Data Protection Laws.
- in relation to Your Personal Data that is in its possession or control, be responsible for ensuring that Your Personal Data is Processed in a manner that ensures appropriate security of Your Personal Data including protection against Personal Data Breaches as required by Data Protection Laws.
- in relation to Your Personal Data, inform the other party without undue delay after they become aware of any Personal Data Breach in relation to Your Personal Data that was in its possession or control, providing a clear description of the nature of the breach and the information referred to in Article 33(b)-(d) of the GDPR as soon as it becomes available. In addition, each party shall consult in good faith with the other and provide the other with assistance, information and cooperation in the investigation, notification, mitigation and remediation of each such Personal Data Breach. Whilst UpToDate may take any information provided by You into account, only UpToDate shall determine the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant Supervisory Authorities in connection with a Personal Data Breach in relation to Your Personal Data.
Except to the extent that this Section 3 (Processing of Your Personal Data) allocates responsibility for compliance with particular provisions of Data Protection Laws to a particular party, each party shall comply with its respective obligations under Data Protection Laws in relation to Your Personal Data.
4. PROCESSING OF UPTODATE PERSONAL DATA
4.1 Use of UpToDate Personal Data. UpToDate may process such UpToDate Personal Data for the following purposes:
- managing and making decisions about this Agreement and any matters (such as invoicing and fee arrangements) arising in connection with this Agreement;
- communicating with You and the Data Subjects that work for You in relation to matters arising under or in connection with the Agreement and in connection with services that UpToDate may offer from time to time;
- complying with regulatory and legal obligations to which UpToDate is subject;
- establishing, exercising and defending legal rights and claims;
- client relationship management purposes;
- risk management and quality reviews;
- improving the content of its database, marketing, advertising, sending reports to You, or conducting research; and
- UpToDate's internal financial accounting, information technology and other administrative support services (collectively, "Processing Purposes").
You will ensure that (i) there is no prohibition or restriction in relation to UpToDate's use thereof that would prevent or restrict UpToDate from Processing the UpToDate Personal Data for the Processing Purposes; and (ii) You have obtained all necessary consents, provided all necessary notices and done all other things required under Data Protection Laws to disclose the UpToDate Personal Data to UpToDate to enable UpToDate to process it in connection with the Processing Purposes as a separate Controller.
5. GENERAL TERMS.
5.1 Governing law and Jurisdiction. The parties to this Annex hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Annex, including disputes regarding its existence, validity or termination or the consequences of its nullity and this Annex and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or
5.2 Severance; Order of Precedence. Should any provision of this Annex be invalid or unenforceable, then the remainder of this Annex shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. In the event of a conflict or discrepancy between this Data Protection Annex and any term of the Agreement, this Data Protection Annex shall take precedence.