
Data processing agreement

 

This data processing agreement (hereinafter referred to as “DPA”) applies when no data processing agreement has been put in place between a client of A+A ordering ad-hoc market research (hereinafter referred to as the “Client”) and A+A, a simplified joint stock company (société par actions simplifiée) with its registered office at 159 Rue Galliéni, 92100 Boulogne-Billancourt, France (hereinafter referred to as “Service Provider” or “A+A”). This DPA sets forth the respective obligations of the Client and A+A regarding the processing of personal data in the context of the said ad-hoc market research services.

The Client and Service Provider shall be individually referred to as a “Party” or collectively as the “Parties”.

 

WHEREAS:

This DPA is automatically annexed to the agreement governing the provision of the Services (as defined below).

Under this DPA, the Parties agree that the terms “Personal Data Breach”, “Data Subject”, “Personal Data”, “Data Controller”, “Controller”, “Data Processor”, “Processor”, “Subprocessor(s)”, “Processing(s)”, “Supervisory Authority” and any other relevant term relating to personal data shall have the meaning assigned to them in the GDPR.

In addition, the following terms shall have the meaning set out below: 

Agreement: means the agreement governing the provision of the Services, and in particular the master service agreement, statement of work, or service agreement signed between the Parties.

GDPR: means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as well as any of its amendments and replacement laws and regulations.

Personal Data Laws: means any applicable laws, rules and regulations regarding personal data protection. 

Services: means the ad-hoc services provided by Service Provider to the Client within the framework of the Agreement, regardless of how they are named in the Agreement.

Syndicated Market Research: unlike ad-hoc market research, which is conducted exclusively for the benefit of a single client in view of that client’s specific expressed needs, syndicated market research, as referred to in the EphMRA code of conduct (https://www.ephmra.org/code-conduct-aer), is conducted by a market research company acting as the sponsor of the project for the benefit of several clients, and its results are intended to be sold to several clients. For such syndicated studies, and in contrast to ad-hoc studies, the market research company is responsible for the processing of the personal data concerned, acts as data controller, and holds all intellectual property rights in the results.

Unless defined otherwise in the DPA, capitalized terms have the meaning attributed to them under the Agreement.

 

THEREFORE, IT IS AGREED AS FOLLOWS:

  1. Scope of the DPA and status of the Parties

This DPA applies to ad-hoc market research only, and not to Syndicated Market Research. For Syndicated Market Research, Service Provider acts as the sole Data Controller and the Client is a third party to the processing performed for such Syndicated Market Research.

Regarding ad-hoc market research, Service Provider, acting as Data Processor, will process the Personal Data on behalf of and in accordance with the lawful documented instructions it receives from the Client, acting as Data Controller, and exclusively for the purpose of providing the Services to the Client.

In any case, each Party shall comply with its obligations under GDPR and the Personal Data Laws.

  2. Personal data processing

 Service Provider is authorised to process, on behalf of the Client, the Personal Data required to provide the Services, as defined in Appendix 1.

 Service Provider undertakes to: 

  • process the Personal Data solely for the purposes of providing the Services covered by the Agreement and for the duration defined in this DPA;
  • process the Personal Data in accordance with the Client’s written documented lawful instructions, which may be specific instructions or general instructions as set out in this DPA and its appendices, or as otherwise notified in writing (including by email) by the Client to Service Provider;
  • comply with any lawful request from the Client requiring Service Provider to rectify or delete Personal Data.

If Service Provider cannot comply with an instruction of the Client and/or considers that an instruction constitutes a breach of the Personal Data Laws, Service Provider shall promptly inform the Client and wait for the Client to provide lawful written instructions.

In addition, if Service Provider is required by any law to which it is subject to process Personal Data for any other purpose, Service Provider will inform the Client of this legal obligation prior to processing, unless the law concerned prohibits such information on important grounds of public interest. 

 

Service Provider undertakes also to:

  • ensure that its personnel and authorized Subprocessors (as defined below) that will Process Personal Data under the Agreement:
    • undertake to respect confidentiality or are subject to appropriate obligations of confidentiality;
    • are contractually bound to comply with obligations similar to those of Service Provider set out in this DPA.
  • take into account, with regard to its tools, products, applications or services, the principles of data protection by design and data protection by default;
  • co-operate fully with the Client in the implementation of any measures or provisions that may be required in relation to the protection of Personal Data in accordance with the obligations of the Personal Data Laws, or of any court order, or of any competent supervisory authority that the Client may reasonably require.

Service Provider shall maintain a record of all categories of Processing activities carried out for the conduct of the Services for the duration stated in the DPA. 

Moreover, the Parties will regularly train their personnel having access to Personal Data on the applicable Personal Data Laws, including in particular data security and data privacy measures.

  3. Assistance

Service Provider shall, at the Client’s reasonable written request, promptly cooperate and assist the Client as required by the Client to comply with the Client’s obligations under Personal Data Laws.   

In particular, Service Provider undertakes to assist the Client, taking into account the information available to Service Provider, to ensure compliance with the Client’s obligations regarding the conduct of data protection impact assessments. Where applicable, Service Provider shall assist the Client in carrying out the prior consultation with the supervisory authority. 

Service Provider undertakes to provide the Client with the necessary information to demonstrate Service Provider’s compliance with the obligations set out in Personal Data Laws and in this DPA.

  4. Data Subjects information/consent and requests to exercise their rights

In accordance with the rules of market research:

  • Service Provider will be in charge of i) informing Data Subjects of the Processing performed by Service Provider, and by its authorized Subprocessors if any, for the conduct of the Services and ii) collecting their prior consent using Service Provider’s consent form. The information notice and consent form will be reviewed and validated by the Client before being used.
  • Service Provider will directly manage Data Subjects’ requests to exercise their rights under Personal Data Laws regarding the Processing of Personal Data carried out for the Services. Service Provider undertakes to manage such requests in accordance with Personal Data Laws, in particular regarding the timeframe within which such requests shall be handled.

By exception, when Data Subjects are on a list of potential respondents to be recruited for the Services, and such list has been provided to Service Provider by the Client or by a third party on behalf of the Client, Service Provider will promptly notify the Client of any such request so that the Client and Service Provider can manage it in accordance with Personal Data Laws.

 

  5. Termination of the processing and deletion of Personal Data

The duration of the Processing shall not exceed the term of the Services for the project concerned. 

Upon termination of the Services for the project concerned, for whatever reason, Service Provider shall cease processing any Personal Data on behalf of the Client. 

At the Client’s written request at any time and, in any event, three (3) years after the end of the Services for the project concerned, Service Provider shall destroy all Personal Data collected and processed for the Services and retain no copy of them, except for Personal Data that must be kept for a longer period for Service Provider to fulfil its obligations under any applicable law. Such Personal Data shall be entirely deleted once those obligations have been fulfilled.

A certificate of destruction may be provided to the Client upon its written request.

 

  6. Security measures

Service Provider undertakes to implement and maintain appropriate technical and organisational measures to ensure the security and confidentiality of Personal Data and to prevent any unlawful or unauthorised processing, accidental or unlawful destruction, damage, accidental loss, alteration, disclosure or unauthorised access to Personal Data, in accordance with the Personal Data Laws.

Additionally, Service Provider undertakes to comply with good practice and the state of the art in this area. 

In particular, Service Provider has put in place the security measures provided in its policy attached in Appendix 4.

 

  7. Personal Data Breach

If Service Provider becomes aware of a Personal Data Breach, it undertakes to:  

  • notify the Client within forty-eight (48) hours of becoming aware of it, providing a detailed description of the Personal Data Breach, including the type of Personal Data that is the subject of the Personal Data Breach and the categories of Data Subjects affected. If this information is not available within forty-eight (48) hours, it will be provided to the Client in a staggered manner, without undue delay;
  • take immediate action to promptly investigate such a Personal Data Breach and identify the effects of the Personal Data Breach;
  • take steps to prevent and mitigate further effects and take any other actions to remedy the Personal Data Breach;
  • continue to promptly provide the Client with all reasonable assistance required to investigate the causes of the Personal Data Breach and to implement mitigating and remedial measures with respect to it.

  8. Subprocessing

Service Provider will seek the prior written approval of the Client before involving Subprocessors for the Services. The Subprocessors listed in Appendix 2 of this DPA are approved by the Client for the conduct of the Services under the Agreement and this DPA.

For any Subprocessor not listed in this DPA, Service Provider will send a written request to the Client for the Services concerned. The Client shall provide its prior written approval within three (3) business days after receipt of such written request from Service Provider. If this approval is provided after that period, or the proposed Subprocessor is refused by the Client, Service Provider will not be liable for any delay in the conduct of the Services that is due to such late approval or refusal.

Service Provider remains responsible for the Subprocessors’ performance of the Services under the Agreement and this DPA to the same extent Service Provider is responsible for its own performance.

Service Provider commits that such Subprocessors will be bound by obligations at least similar to those binding Service Provider under this DPA.

 

  9. Data transfer

The Client acknowledges and agrees that, for some Services, Service Provider may transfer and process Personal Data processed for the Services anywhere in the world where Service Provider and/or its affiliates and/or its Subprocessors maintain data processing operations, provided that i) Service Provider at all times ensures an adequate level of protection of the Personal Data processed, and ii) the Client has given its prior approval to such transfer in accordance with the requirements of the GDPR, the Agreement and this DPA.

 

If, for the performance of the Services, Personal Data are transferred outside of the European Economic Area (hereinafter referred to as “EEA”), the UK or Switzerland, to a country without an equivalent data protection standard and without appropriate safeguards, or where such country does not ensure an adequate level of data protection within the meaning of the GDPR, the Parties will comply with the provisions of the EU Standard Contractual Clauses between Data Controllers and Data Processors as adopted by the European Commission under the GDPR, as amended or replaced from time to time, including, when applicable, the UK’s International Data Transfer Addendum to the Standard Contractual Clauses or the Switzerland Addendum to the Standard Contractual Clauses (hereinafter referred to as “SCC”).

 

The SCC shall apply to the transfers of Personal Data outside of the EEA where Service Provider is data exporter and the Client data importer, and where Service Provider is data importer and the Client data exporter.

  • MODULE TWO of the SCC applies to transfers of Personal Data from the Client (as Data Controller) to Service Provider (as Data Processor), and MODULE FOUR of the SCC applies to transfers of Personal Data from Service Provider (as Data Processor) to the Client (as Data Controller).
  • Clause 7 (Docking Clause – MODULE TWO & MODULE FOUR of the SCC) shall apply.
  • Under Clause 9 (Use of sub-processors – MODULE TWO of the SCC), OPTION 1 (Specific prior authorization) applies, with the time period defined in article 8 of this DPA. The list of authorized Subprocessors is set forth in i) Appendix 2 of this DPA and ii) the corresponding Agreement, on a project-by-project basis, or otherwise in writing.
  • Under Clause 11 (Redress – MODULE TWO & MODULE FOUR of the SCC), the optional requirement that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
  • Under Clause 13 (Supervision – MODULE TWO of the SCC), where the data exporter is established in a member state of the European Union or the EEA, the French competent authority for Data Protection (CNIL) shall act as competent supervisory authority.
  • Under Clause 17 (Governing law – MODULE TWO & MODULE FOUR of the SCC), the SCC shall be governed by the law of France.
  • Under Clause 18 (Choice of forum and jurisdiction – MODULE TWO & MODULE FOUR of the SCC), it is agreed that any dispute arising from the SCC shall be resolved by the courts of France.
  • Annex I of the SCC (MODULE TWO & MODULE FOUR of the SCC) is set forth hereinafter within Appendix 3 of this DPA.
  • Annex II of the SCC (MODULE TWO & MODULE FOUR of the SCC) is set forth hereinafter within Appendix 3 of this DPA.
  • Annex III of the SCC (MODULE TWO of the SCC) is set forth hereinafter within Appendix 3 of this DPA.

By exception to the above, when the UK’s International Data Transfer Addendum or the Switzerland Addendum applies, the governing law and competent courts shall be respectively the law and courts of the UK, or the law and courts of Switzerland.

The Parties warrant that the SCC will remain in full force and effect for the duration of the DPA.

  10. List of respondents and panels

10.1. List of potential respondents: If Service Provider and/or its authorized Subprocessors receive a file containing Personal Data directly from the Client, or from a third party on behalf of the Client, in order to use such Personal Data for the Services (for example, a list of potential respondents), the Client warrants to Service Provider that such file complies with the requirements of the Personal Data Laws, and in particular that:

– the Client has the necessary rights and authorisations to transmit such file to Service Provider and/or Service Provider’s authorized Subprocessors for processing in connection with the Services and;

– Service Provider and/or Service Provider’s authorized Subprocessors may process the Personal Data for the Services.

10.2. Personal Data of respondents who are part of panels belonging to Service Provider or to its Subprocessors: if, for the conduct of the Services, it is necessary under applicable law, and in particular under the Client’s pharmacovigilance obligations, that directly identifiable Personal Data of respondents who are part of Service Provider’s or its Subprocessors’ panel be disclosed to the Client and/or its Affiliates, the Client undertakes that it and/or its Affiliates will:

– Process such Personal Data in accordance with Personal Data Law(s) and market research industry guidelines and codes of conduct, in particular, not retain the concerned Personal Data for a duration longer than the duration required by applicable law as defined in the corresponding privacy notices provided to the respondents concerned.

– Ensure that the intellectual property rights attached to Service Provider’s and its Subprocessors’ panel, as well as the confidentiality of the Personal Data part of the said panel are respected. In particular, ensure that such Personal Data are only used for the purpose of the data processing within the project concerned and for no other purpose. In particular, the creation of a panel of respondents with the Personal Data concerned is forbidden and would constitute an infringement of Service Provider’s and its Subprocessors’ property rights.

 

  11. Liability

11.1. Service Provider undertakes to perform the Services with the due diligence and care specific to a professional specializing in the Services offered. Service Provider shall be responsible for direct damages that may be caused to the Client and/or its Affiliates arising from or in connection with the performance of Services either by Service Provider and/or its subcontractors and that are found admissible by a competent court.

11.2. In the event that Service Provider’s liability is incurred regarding data it deals with in the conduct of the market research concerned, Service Provider’s maximum aggregate liability towards the Client for all claims shall be limited to the amount of the budget paid for the Services under the Agreement concerned and shall not exceed the amount provided for in Service Provider’s cyber insurance.

11.3. Under no circumstances will either Party be liable for: (a) any loss of business, revenue, profits, anticipated savings, opportunity, goodwill, use, data, whether arising directly or indirectly, or (b) for any indirect, punitive, special, incidental or consequential damages.

 

  12. Applicable law and jurisdiction

This DPA is governed by and construed in accordance with French Laws.

In the event of any disputes, misunderstandings and/or differences arising out of or in connection with this DPA, the Parties shall make their best efforts to settle them amicably. However, if such settlement cannot be reached on an amicable basis within a period of sixty (60) days, such disputes, misunderstandings and/or differences shall be definitively settled by the competent Court of Lyon, France.

 

Appendix 1 – Description of the Processing

Categories of Data Subjects whose Personal Data is processed:

The Personal Data processed for the Services relates to the following categories of Data Subjects: (tick the box as appropriate): 

☒ Health care professionals

☒ Patients

☒ Patients’ family, relatives and care givers

☒ Collaborators of the Client

☒ Prospects, customers, business partners and vendors of the Client

☐ Agents, advisors, freelancers or any other partners of the Client

☒ Any other Data Subject that should be involved for the Services

 

Categories of Personal Data processed: 

The Personal Data processed for the Services relates the following types of Personal Data: (tick the box as appropriate): 

☒ Contact details (e.g., name, email address, phone number, postal address, job position, title, employer)

☒ Device and usage information (e.g., IP address, unique device identifiers)

☒ Demographic and interests data (e.g., information about a person’s age, preferences, hobbies, likely income bracket, advertising segments)

☒ ID data, Government identifiers (e.g., SSN, driver’s license, passport)

☒ Professional life data

☒ Personal life data

☒ Financial data (e.g., financial account information)

☐ Localization data (e.g., GPS coordinates)

☒ Any other personal data that should be collected for the Services

Special Categories of Personal Data processed, to which specific restrictions or safeguards shall apply that fully take into consideration the nature of the data and the risks involved (for instance strict purpose limitation, access restrictions including access only for staff having followed specialized training, keeping a record of access to the data, restrictions on onward transfers, or additional security measures), are the following (tick the box as appropriate):

☒ Racial or ethnic origin

☐ Political opinions

☒ Religious or philosophical beliefs

☐ Trade union membership

☒ Genetic data

☐ Biometric data (where used for identification purposes)

☒ Health data

☒ Sex life

☒ Sexual orientation

☒ Any other special category of personal data that should be collected for the Services

To the extent that Service Provider processes Special Category Data, Service Provider shall protect it in accordance with Personal Data Laws and the sensitivity of such Personal Data.

Type of Processing

The Processing of the Personal Data includes the following types of Processing:

☒ Collection

☒ Consultation

☒ Recording

☒ Use

☒ Organization

☒ Disclosure

☒ Structuring

☒ Making available

☒ Storage

☒ Alignment / Combination / Matching

☒ Adaptation/Update

☒ Restriction of use/access

☐ Retrieval

☒ Erasure or destruction

☒ Remote access

☐ Media handling (e.g. transportation of media containing Personal Data)

☒ Other. Please specify: Any other Processing as required for the Services.

Nature of the processing/transfer: The nature of the processing/transfer is as set forth in the Agreement.

Purpose(s) for which the Personal Data is processed/transferred: Allowing Service Provider to provide the Services pursuant to the Agreement.

Duration of the processing / Frequency of the transfer: On a continuous basis for as long as the Client is engaging Service Provider to provide the Services under the Agreement.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: The term of the provision of the Services according to the Agreement.

For transfers to and processing by Subprocessors, also specify subject matter, nature and duration of the processing: Subprocessors will process Personal Data as necessary to perform the Services for the duration of the Agreement, unless otherwise agreed in writing.

 

Appendix 2 – List of authorized Subprocessors (including Service Provider’s Affiliates) involved in the processing of the Personal Data for the Services 

Name of the subprocessor / Location / Services subprocessed

– EURL STPEM-SOC TERRAIN ETUDES MARCHE (affiliate of Service Provider, 100 % owned by Service Provider) / France / Fieldwork related services

– Excel Fieldwork Limited (affiliate of Service Provider, 100 % owned by Service Provider) / United Kingdom / Fieldwork related services

*As all the Subprocessors that could be required to conduct the Services cannot be known at the time this DPA is established, Service Provider will, when required for the Services concerned, submit to the Client in writing, for the Client’s prior written approval, any other Subprocessor that Service Provider needs to involve for the Services (emails are authorized).

Appendix 3 – Standard Contractual Clauses

  A. List of Parties (Annex I of the SCC)

MODULE TWO: Transfer controller to processor
MODULE FOUR: Transfer processor to controller

For the purposes of this section, the name of the Parties and their details are those stated in the preamble of DPA and in the Agreement.

  • The Client’s DPO email address is the one given on Client’s website.
  • Service Provider’s DPO email address is the following: dpo@aplusaresearch.com.

Activities relevant to the data transferred under these SCC: the conduct of the Services as defined in the Agreement.

Roles: the Client will act as Controller and Service Provider will act as the Processor.

 

  B. Description of Transfer (Annex I of the SCC)

MODULE TWO: Transfer controller to processor
MODULE FOUR: Transfer processor to controller

For the purposes of this section, the Parties shall refer to article 9 and Appendix 1 of this DPA, as well as to the Agreement.

 

  C. Competent Supervisory Authority (Annex I of the SCC)

MODULE TWO: Transfer controller to processor
MODULE FOUR: Transfer processor to controller

The Parties shall refer to article 9 of this DPA.

Annex II of the SCC – Technical and organizational measures including technical and organizational measures to ensure the security of the relevant Personal Data

MODULE TWO: Transfer controller to processor
MODULE FOUR: Transfer processor to controller

Service Provider will maintain organizational, administrative, physical and technical safeguards for protection of the security of Personal Data in connection with the Services, in accordance with article 6 and Appendix 4 of this DPA.

 

Annex III of the SCC – List of Subprocessors

MODULE TWO: Transfer controller to processor

The Parties shall refer to article 8 and Appendix 2 of this DPA.

  

Appendix 4 – Service Provider’s security measures

Service Provider’s security measures are defined within Service Provider’s standard operating procedure named “CS_POL_03: IT Security measures – AplusA”. Service Provider will provide a copy of such standard operating procedure to the Client promptly upon written request of the Client.

 

APPENDIX 5 – SWISS AND UK ADDENDUM

SWISS ADDENDUM TO EU SCCS

This addendum is applicable to the extent that personal data originating from Switzerland are provided to the data importer identified under the SCC above.

1.      Scope

To the extent that Swiss data protection law, in particular the Federal Act on Data Protection of 19 June 1992 or, after its entry into force, the Federal Act on Data Protection of 25 September 2020 in its last version (“FADP”) applies, the amendments set forth in this addendum shall apply to the SCCs.

2.      Amendments

2.1. The term “personal data” as used in the SCCs shall include personal data as defined in the FADP.

2.2. All references to the GDPR shall be considered to be references to the provisions of the FADP regulating the same and/or similar issues.

2.3. The term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of bringing legal proceedings for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the SCCs. Swiss courts shall be an alternative place of jurisdiction for data subjects who have their habitual residence in Switzerland.

2.4. Clause 13 and Annex I, sec. C of the SCC: The supervisory authority concerning the FADP shall be the Federal Data Protection and Information Commissioner.

 

UK ADDENDUM TO EU SCCS

This addendum is applicable to the extent that personal data originating from the UK are provided to the data importer identified under the SCC above.

1.      Part 1: Tables

Please refer to the information within the relevant provisions, including the ones of the SCC, above.

2.      Part 2: Mandatory Clauses 

Please refer to “Part 2: Mandatory Clauses” of the “Standard Data Protection Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 – International Data Transfer Addendum to the EU Commission Standard Contractual Clauses – Version B1.0, in force 21 March 2022”.

 
