VENDOR DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of the Agreement between Vapotherm and the party identified in the Agreement (as used in this Addendum, “Vendor”), and applies to the extent that (i) the Vendor Processes Personal Data on behalf of Vapotherm in the course of providing services and (ii) the Agreement expressly incorporates this DPA by reference. For the avoidance of doubt, all references to the Agreement shall include this DPA (including the Standard Contractual Clauses (where applicable)).
- Vapotherm and Vendor are parties to an agreement for services (the “Agreement”).
- The services to be provided by Vendor include Processing of Personal Data on behalf of Vapotherm. Accordingly, and as required by applicable Data Protection Legislation, Vapotherm and Vendor have agreed to enter into this Data Processing Addendum (the “Addendum”).
- Definitions and Interpretation
- In this Addendum:
“Agreement” has the meaning set out in Recital 1.
“CCPA Consumer” means a “consumer” as such term is defined in the CCPA.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Legislation” means (i) the General Data Protection Regulation (EU) 2016/679, and any legislation and/or regulation implementing or made pursuant to, or which amends, replaces, re-enacts or consolidates them and all other applicable laws relating to Processing of Personal Data and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities (“GDPR”); (ii) California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”); and (iii) any other data protection laws which apply to the Processing of Personal Data under this Addendum.
“Data Subject” means an identified or identifiable natural person, including without limitation a CCPA Consumer.
“EU Model Clauses” means standard contractual clauses adopted or approved by the European Commission for transfers under the GDPR (and if more than one set of such clauses may apply to a transfer, the most recent such set) or any successor clauses approved for transfers by the Commission or a relevant supervisory authority under applicable Data Protection Legislation.
“Personal Data” has the meaning assigned to it in the applicable Data Protection Legislation, including without limitation “personal information” as such term is defined in the CCPA, and refers to any such data Processed by Vendor on Vapotherm’s behalf in connection with the Agreement.
“Processor”, “Processing” or “Process” (or any variation thereof) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and “Process” will be interpreted accordingly.
“Security Breach” means any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to the Personal Data that Vendor Processes in the course of providing the Services; and
“Sell” and “Sale” have the meaning assigned to them in the CCPA.
“Services” means the services to be provided by Vendor to Vapotherm pursuant to and as further set out in the Agreement.
“Sub-processor” means any third party appointed by Vendor in accordance with the Agreement or this Addendum (as applicable) to Process Personal Data.
- In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum.
- Relationship of the Parties
- Vendor agrees that Vapotherm is the data Controller and Vendor is the data Processor in relation to the Personal Data that Vendor Processes in the course of providing the Services.
- For the purposes of the CCPA, the parties acknowledge and agree that Vendor will act as a “Service Provider” and not as a “Third Party” as such terms are defined in the CCPA, in its performance of its obligations pursuant to the Agreement.
- When Vendor Processes Personal Data in the course of providing the Services, Vendor will:
- Process the Personal Data only in accordance with written instructions from Vapotherm, which may be specific instructions or instructions of a general nature as set out in this Addendum or as otherwise notified by Vapotherm to Vendor from time to time. If Vendor is required to Process the Personal Data for any other purpose by any Data Protection Legislation to which Vendor is subject, Vendor will inform Vapotherm of this requirement first, unless such law(s) prohibit this on important grounds of public interest;
- at all times comply with applicable Data Protection Legislation and notify Vapotherm immediately if, in Vendor’s opinion, an instruction for the Processing of Personal Data given by Vapotherm infringes applicable Data Protection Legislation;
- not Sell Personal Data; and
- not retain, use or disclose any Personal Data for (a) any purpose other than for the specific purpose of performing the Services pursuant to this Agreement on behalf of Vapotherm or (b) outside of the direct business relationship between Vendor and Vapotherm or as otherwise permitted by applicable Data Protection Legislation.
- Details of the Personal Data Processing
- The Data Processing Annex of the Agreement sets out certain information regarding the Processing of Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Legislation). Vapotherm may make reasonable amendments to the Data Processing Annex of the Agreement by written notice to Vendor from time to time as Vapotherm reasonably considers necessary to meet those requirements. Nothing in the Data Processing Annex of the Agreement (including as amended pursuant to this section 3.1) confers any right or imposes any obligation on any party to this Addendum.
- Vendor shall assist Vapotherm, always taking into account the nature of the Processing:
- by using appropriate technical and organizational measures to protect the security of the Personal Data;
- in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the information available to Vendor;
- if Vapotherm undertakes a data protection impact assessment in relation to the Processing of Personal Data, Vendor shall reasonably assist Vapotherm with such assessment and any subsequent consultation with the ICO in connection with such assessment in accordance with Articles 35 and 36 of GDPR;
- by making available to Vapotherm all information which Vapotherm reasonably requests to allow Vapotherm to demonstrate that the obligations set out in Article 28 of the GDPR relating to the appointment of Processors have been met; and
- by providing reasonable assistance to respond to a Data Subject request or a request from any data protection authorities related to the Processing of Personal Data.
- Security Measures and Personal Data Breaches
- Vendor shall implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful Processing, accidental loss, destruction, damage or theft of the Personal Data and having regard to the nature of the Personal Data which is to be protected.
- In the event of a Security Breach, Vendor will:
- take action immediately to investigate the Security Breach and to identify, prevent and mitigate the effects of the Security Breach and to remedy the Security Breach;
- notify Vapotherm without undue delay (but in no event longer than 24 hours) and provide Vapotherm with a description of the details of the Security Breach known at the time including:
- the likely impact of the Security Breach;
- the categories and approximate number of Data Subjects affected and their country of residence and the categories and approximate number of records affected;
- the risk posed by the Security Breach to individuals; and
- the measures taken or proposed to be taken by Vendor to address the Security Breach and to mitigate its adverse effects;
- and provide timely updates to this information as further details become known and any other information Vapotherm may reasonably request relating to the Security Breach; and
- not release or publish any filing, communication, notice, press release, or report concerning the Security Breach without Vapotherm’s prior written approval (except where required to do so by law).
- Vapotherm agrees that Vendor may appoint Sub-processors to assist it in providing the Services by Processing Personal Data solely for the purpose of providing the Services, provided that such Sub-processors: (i) agree to act only on Vendor’s instructions when Processing the Personal Data (which instructions shall be consistent with Vapotherm’s Processing instructions); and (ii) agree to protect the Personal Data to a standard consistent with the requirements of this Addendum.
- Vendor shall provide a list of Sub-processors to Vapotherm prior to execution of this Addendum. Before authorizing any new Sub-processor, Vendor shall provide notification to Vapotherm. Vapotherm may object to the change without penalty by notifying Vendor within 14 days after the notice, provided such objection is based on reasonable grounds relating to data protection. The parties shall work together to resolve any objections. In the event such objections cannot be reasonably resolved, Vendor will either not appoint or replace the relevant Sub-processor or, if this is not possible, Vapotherm may suspend or terminate the Agreement.
- If Vendor is permitted to use any Sub-processors under this Addendum, any such Sub-processor used must qualify as a “Service Provider” under the CCPA. Vendor shall not make any disclosures of Personal Data to the Sub-processor that the CCPA defines as a Sale.
- Vendor shall allow Vapotherm and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, which will include providing reasonable access to the premises, resources and personnel of Vendor used in connection with the provision of the Services, and provide all reasonable assistance in order to assist Vapotherm in exercising its audit rights under this paragraph. The purpose of an audit pursuant to this paragraph is solely to verify that Vendor is Processing Personal Data in accordance with Vendor’s obligations under these terms.
- Any third-party auditor or agent acting on Vapotherm’s behalf shall be subject to a confidentiality agreement.
- Any audits shall take place during reasonable business hours and shall not disrupt Vendor’s normal business practices.
- Term and Termination; Deletion or Destruction of Personal Data
- This Addendum will be effective as of the effective date of the Agreement and will terminate automatically upon termination or expiration of the Agreement without further action required by either party. The Vendor’s obligations and Vapotherm’s rights under this Addendum shall continue in effect so long as the Vendor Processes or maintains Personal Data, including any de-identified or aggregated data, if appropriate.
- At the end of the Services, upon Vapotherm’s request, Vendor shall securely destroy or return the Personal Data to Vapotherm, and delete existing copies unless Data Protection Legislation requires storage of such Personal Data.
- Data Transfers
- Vendor agrees to comply with the obligations of a data importer as set out in the EU Model Clauses for the transfer of Personal Data to Processors established in third countries adopted by the European Commission, which are incorporated into this Addendum by reference. Vendor acknowledges that Vapotherm will be a data exporter. The Data Processing Annex of the Agreement shall apply as Annex 1 to the EU Model Clauses.
- Indemnification and Limitation of Liability
- For the avoidance of doubt, any indemnification or limitation of liability provisions of the Agreement shall apply to this Addendum.