Data Processing Agreement

AGREEMENT REGARDING PROCESSING OF PERSONAL DATA (DATA PROCESSING AGREEMENT)

BETWEEN

The clients of Billev Pharma ApS
(hereinafter ”Data Controller”)

AND

Billev Pharma ApS
Slotsmarken 10
DK-2970 Hørsholm
Denmark
Business registration no.: DK81814813
(hereinafter “BP”)

The Data Controller and BP are hereinafter jointly referred to as the “Parties”.

1 INTRODUCTION

1.1 This Data Processing Agreement (the “Data Processing Agreement”) has been made in connection with and is related to the agreement regarding delivery of consultancy services (hereinafter referred to as the “Consultancy Agreement”) entered into between the Data Controller and BP concerning BP’s delivery of these services etc. (the ”Services”).

1.2 This Data Processing Agreement sets out the obligations and responsibilities in relation to BP’s processing of Personal Data.

1.3 The Consultancy Agreement and its appendices govern all ordinary matters relating to services, pricing, compensation/indemnification, governing law, jurisdiction, liability and liability limitations, breach of contract, intellectual property rights etc. between the Parties. Notwithstanding the contents of this Data Processing Agreement, the Consultancy Agreement and its appendices is confidential between the Parties to the effect that any sub-processors (third-party data processor engaged by The Data Controller who has or potentially will have access to or process Personal Data) may only be informed of the contents of this Data Processing Agreement and only to the extent necessary.

2 PERSONAL DATA AND DATA PROCESSING

2.1 “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.2 This Data Processing Agreement governs the Personal Data, the Data Subjects, the Purposes and the Processing Activities and other matters and obligations relating to the processing, as defined and stated in Appendix 1.

2.3 Appendices 1 – 3 form part of both Parties’ documentation obligations under data protection legislation and must always reflect the actual circumstances.

3 ROLES AND INSTRUCTIONS

3.1 BP is the Data Processor as defined under applicable legislation (see clause 5.1) and processes Personal Data on behalf of the Data Controller who is the data controller under applicable legislation.

3.2 The Data Controller has the rights and obligations imposed on data controllers pursuant to the applicable legislation.

3.3 The Data Controller decides for which purposes and how BP may process the Personal Data. BP is not entitled to process the Personal Data for its own purposes and may not use Personal Data on an aggregated or anonymized level unless otherwise expressly agreed in this Data Processing Agreement including the appendixes.

3.4 BP shall, in its provision of the Services, process Personal Data only pursuant to documented instructions from the Data Controller, see Appendix 1. If, as the exception, BP is instructed to process/transfer Personal Data and this is not upon instruction of the Data Controller but according to EU or EU member state law to which BP is subject, BP shall inform the Data Controller of such legal requirement before the processing takes place unless the aforesaid law prohibits such information on important grounds of public interest.

3.5 BP may only modify, delete and dispose Personal Data from systems and records upon instructions from the Data Controller.

3.6 The Data Controller guarantees that the Personal Data transferred to BP is processed and transferred in accordance with applicable data protection legislation in respect of for example the legal grounds for processing and the requirement to provide data subjects with certain information.

3.7 Further, the Data Controller guarantees (i) that BP is entitled to process Personal Data pursuant to the Data Processing Agreement for the purpose of providing the Services and such use will comply with the General Data Protection Regulation;(ii) that all Personal Data provided by the Data Controller to BP is necessary, accurate and up-to-date; and (iii) that processing instructions at all times are in accordance with data protection legislation.

4 CONFIDENTIALITY

4.1 The Personal Data provided to BP by the Data Controller or otherwise obtained by BP in the course of carrying out the Services is subject to the Parties’ confidentiality obligations set out in the Consultancy Agreement.

4.2 BP must ensure that only employees who, at any given time, are required to process the Personal Data as part of their job have been authorized to do so.

4.3 BP must ensure that the individuals performing work for BP and get access to Personal Data only process such information as instructed by the Data Controller unless processing is required under the EU law or EU member state law.

4.4 BP must ensure that the individuals authorized to process the Data Controller’s Personal Data have undertaken a duty of confidentiality for all Personal Data to which they have access or that they are subject to an appropriate statutory duty of confidentiality.

5 ASSISTANCE TO THE DATA CONTROLLER

5.1 General assistance

Taking into account the nature of processing and the information available to BP, BP must assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of EU Regulation 2016/679 on General Data Protection (“General Data Protection Regulation”), i.e. with regard to security measures, notification of supervisory authorities, notification of individuals, preparation of data protection impact assessments and prior consultation with supervisory authorities.

5.2 Rights of the Data Subjects

5.2.1 If a person submits a request to BP for the exercise of his rights under the General Data Protection Regulation and such request is related to the Personal Data of the Data Controller, BP must immediately forward the request to the Data Controller.

5.2.2 Taking into account the nature of processing and the information available to BP, BP shall take appropriate technical and organizational measures to assist the Data Controller in the fulfillment of the Data Controller’s legal obligations under Chapter III of the General Data Protection Regulation, i.e. to respond to requests from the Data Subjects exercising their legal rights, including, but not limited to, access to Personal Data, rectification of Personal Data, deletion of Personal Data, restriction of processing of Personal Data, data portability and the right to object to automated individual decision-making and profiling.

6 SECURITY

6.1 BP shall assist the Data Controller in ensuring compliance with the Data Controller’s statutory obligations with respect to security as set out in the Consultancy Agreement, this Data Processing Agreement and applicable legislation.

6.2 BP shall implement appropriate technical and organizational measures to ensure protection of Personal Data to a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedom of natural persons. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

6.3 BP must implement the security measures and checks set out in the Consultancy Agreement.

6.4 By entering into the Data Processing Agreement, the Data Controller has assessed that the security precautions specified in Appendix 3 (Security) are appropriate for BP’s processing of Personal Data.

7 PERSONAL DATA BREACHES

7.1 A “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed.

8 NOTIFICATION OF THE DATA CONTROLLER

8.1 In case of a Personal Data Breach relating to the Personal Data of the Data Controller, BP shall without undue delay notify the Data Controller.

8.2 Taking into account the nature of processing as well as the information available to BP, following a Personal Data Breach, BP shall assist the Data Controller in ensuring compliance with the Data Controller’s legal obligations in connection with the notification of Personal Data Breaches to Supervisory Authorities and to Data Subjects.

9 INFORMATION

9.1 BP shall immediately inform the Data Controller if, in its opinion, an instruction infringes the General Data Protection Regulation, EU legislation or other applicable legislation.

9.2 Further, BP shall without undue delay inform the Data Controller of any request from a Supervisory Authority for the disclosure of Personal Data covered by the Agreement, unless BP’s information of the Data Controller of the request is explicitly prohibited by law.

9.3 To the extent relevant, the Data Controller must inform BP of any legislation other than the General Data Protection Regulation, as for example any special, local requirements for the storage of Personal Data or sector-specific legislation in the country of the Data Controller. If such special legislation flows down and imposes more obligations on BP than the General Data Protection Regulation, the Parties must discuss the additionally required adaption to systems and processes and the payment for any such adaption.

10 FEES TO BILLEV PHARMA APS

10.1 Based on the time spent and BP’s at any time applicable hourly rate, the Data Controller must pay for BP’s fulfillment of the following provisions:

Clause 5.1 (General assistance)

Clause 5.2 (Rights of the Data Subjects)

Clause 8 (Notification of the Data Controller)

Clause 9 (Information)

Clause 12 (Demonstration of compliance, audits etc.)

Clause 13 (Term and Termination)

10.2 The Data Controller shall indemnify BP for increased, documented additional costs for modifications made to IT systems, implementation, etc. as a result of legislation applicable to the Data Controller as well as changes thereto, including interpretations thereof. BP shall notify the Data Controller 1 month before initiating such changes, whereby the Data Controller will have the opportunity to object before the commencement of the changes. For the avoidance of doubt, this clause does not oblige BP to make any changes to IT-systems, processes, etc.

11 SUB-PROCESSORS

11.1 BP is hereby given general authorisation to engage sub-processors without obtaining any further written, specific authorisation from the Data Controller.

11.2 If BP engages a sub-processor, BP must enter into a written Data Processing Agreement with each sub-processor on similar terms as set out in this Data Processing Agreement including BP’s obligation to implement appropriate technical and organizational measures in a way that satisfies the requirements of the General Data Protection Regulation.

11.3 BP shall remain liable for the acts and omissions of such sub-processors.

11.4 As a basis for transfers to third countries BP is hereby authorized on behalf of the Data Controller to enter the European Commission’s standard contractual clauses for the transfer of personal data from data controllers to data processors in countries outside the EU in accordance with the European Commission decision of 5 February 2010 as amended (or later versions of the standard contractual clauses).

11.5 If the European Commission or other relevant authority adopts standard contracts which can be entered into directly between data processors respectively data exporter and data importer to ensure a transfer basis, the Data Controller may choose to enter into these standard contracts.

11.6 The Data Controller may at any time request documentation from BP for the existence and content of any sub-data processing agreements for the sub-processors used by BP in the performance of its obligations under this Data Processing Agreement.

11.7 BP is accountable to the Data Controller for any sub-processor in the same way as for its own actions and omissions. However, if the Data Controller bypasses BP in the instructions to a sub-processor, BP is not accountable for such instructions.

12 DEMONSTRATION OF COMPLIANCE, AUDITS ETC.

12.1 BP must upon request make available to the Data Controller all information necessary to demonstrate compliance with the obligations stipulated in this Data Processing Agreement.

12.2 BP must make a declaration available to the Data Controller with information indicating whether BP complies with this Data Processing Agreement if the Data Controller requests this declaration. The declaration must be requested by the Data Controller 2 months in advance. The declaration shall be based on applicable, acknowledged standards.

12.3 Furthermore, BP must allow for and contribute to audits, including inspections, conducted by the Data Controller, auditors mandated by the Data Controller, or Supervisory Authorities to the extent it is relevant in order to inspect BP’s compliance with this Data Processing Agreement and applicable General Data Protection Regulation. The auditor in question must be subject to confidentiality, either contractually or by law and must be approved by BP prior to the audit. Audits and inspections are subject to payment in accordance with clause 10.

13 TERM AND TERMINATION

13.1 This Data Processing Agreement terminates without notice at the time of termination/expiry of the Consultancy Agreement.

13.2 Notwithstanding Clause 13.1, the Data Processing Agreement, including relevant provisions in the Consultancy Agreement, shall remain in full force and effect for as long as BP processes Personal Data for the Data Controller, also if such processing takes place after termination of the Consultancy Agreement.

13.3 BP must after the end of the provision of the Services and at the termination of this Data Processing Agreement (whichever time is the latest), at the discretion of the Data Controller, delete or return all existing copies of the Personal Data on a medium of the choice of the Data Controller and delete all existing copies of the Personal Data.

13.4 If the Data Controller has not given BP instruction to delete or return all existing copies of the Personal Data within 2 months after the end of the provision of Services, this shall be construed to constitute an instruction to delete all copies of Personal Data. The deletion of Personal Data is subject to payment in accordance with clause 10.

13.5 Following return/deletion of the Personal Data to the Data Controller, BP may only keep a copy thereof if EU or EU member state law requires storage of the Personal Data by BP. In such case, BP must notify the Data Controller thereof, including a reference to the legal ground for continued storage.

14 BREACH, DAMAGES AND LIABILITY

14.1 The provisions of the Consultancy Agreement on breach, damages and limitation of liability apply correspondingly to BP’s liability under the Data Processing Agreement.

APPENDICES

Appendix 1 Information and instructions about the processing operations

Appendix 2 Contact Persons

Appendix 3 Security

APPENDIX 1

INFORMATION AND INSTRUCTIONS ABOUT THE PROCESSING OPERATIONS

  • 1 INSTRUCTION

The Data Controller hereby instructs BP to process the Personal Data as set out below in connection with BP’s provision of the Services under the Consultancy Agreement.

  • 2 PURPOSE

BP’s processing of Personal Data for the Data Controller is carried out for the following purpose:

Fulfillment of the Consultancy Agreement between the Data Controller and BP.

  • 3 DATA PROCESSING ACTIVITIES/NATURE OF PROCESSING OPERATION

BP’s processing of Personal Data for the Data Controller is carried out through the following activities:

  • DATA PROCESSING, DATA STORING, DATA TRANSMISSION

DATA SUBJECTS

BP processes personal data about the following categories of data subjects (“Data Subjects”) for the Data Controller:

  • Employees of the Data Controller
  • Customers, Suppliers, Service Providers and other Partners of the Data Controller
  • Sub-processors of the Data Controller
  • Patients
  • Health care professionals and veterinary professionals

PERSONAL DATA

BP processes the following checked off categories of personal data of the Data Subjects on behalf of the Data Controller:

(X) General categories of personal data in the form of:

(X) Name

(X) Address

(X) Email address

(X) Telephone number

(N/A) Financial information

(X) Other information: Age, gender

(X) Special categories of personal data in the form of:

(N/A) Data revealing racial or ethnic origin

(N/A) Data revealing political opinions

(N/A) Data revealing religious beliefs

(N/A) Data revealing philosophical beliefs

(N/A) Data revealing trade union membership

(N/A) Genetic data for the purpose of uniquely identifying a natural person

(N/A) Biometric data for the purpose of uniquely identifying a natural person

(X) Data concerning health (only applicable to Data Controllers on whose behalf Billev Pharma ApS carries out pharmacovigilance services)

(N/A) Data concerning a natural person’s sex life or sexual orientation

(N/A) Data regarding individuals’ purely private matters in the form of:

(N/A) Data about criminal convictions and criminal offenses

(N/A) Material social problems

(N/A) Other information: _____________________________

(N/A) Data regarding personal identification number (in Danish “cpr-nummer”)/national identification number

The personal data under the categories above are collectively referred to as the “Personal Data”.

  • Duration: The Parties expect that BP will be processing the Personal Data for as long as the Consultancy Agreement is in force.
  • Deletion: During the term of the Data Processing Agreement, BP is to delete the Personal Data based on the following principles:
    We delete Personal Data when they are no longer necessary and as instructed by the Data Controller.
    To ensure adherence of laws and regulations and correct processing of continual client relations and potential complaint cases and to live up to our obligations we have deemed it necessary to store data for as long as a legitimate interest persists.
  • Recipients: BP may disclose Personal Data to sub-processors in connection with the processing operation.

APPENDIX 2

CONTACT PERSONS

  • Contact information of BP’s contact persons in respect of this Data Processing Agreement
Title Email addressTelephone numberPostal address
Director and Ownerulrikke.jensen@billevpharma.dk+45 47 52 26 00Slotsmarken 10 DK-2970
Hoersholm Denmark
Regulatory Affairs Manager, GDPR Ambassadormette.pedersen@billevpharma.dk+45 47 52 26 00Slotsmarken 10 DK-2970
Hoersholm Denmark
Translator, GDPR Ambassadormaria.brogaard@billevpharma.dk+45 47 52 26 00Slotsmarken 10 DK-2970
Hoersholm Denmark

APPENDIX 3

SECURITY

INFORMATION SECURITY POLICY

Technical and organisational measures are implemented at BP to ensure a secure processing of personal data. Encryption is one appropriate technical measure to ensure that personal data are processed securely. BP uses encryption in Microsoft 365, where appropriate, for data storage and data transfer.