Data Processing Addendum
This Data Processing Addendum (“DPA”) governs the processing of Personal Data, including without limitation EU and/or UK Personal Data, by Zomedica in connection with Zomedica’s provision of goods and services to Customer. This DPA becomes effective from the date (“Effective Date”) Customer purchases goods and services from Zomedica pursuant to a purchase agreement subject to Zomedica, Inc. Terms and Conditions of Sale (“Agreement”) and remains in effect for as long as Zomedica Processes Personal Data.
Definitions.
For purposes of this DPA, the following terms shall have the meanings set forth below.
- “Customer Personal Data” means any Personal Data Processed by Zomedica or by a Subprocessor, on behalf of Customer.
- “Data Protection Laws” means any local, national, or international laws, rules and regulations related to privacy, security, data protection, and/or the Processing of Personal Data, as amended, replaced, or superseded from time to time.
- “Personal Data” means information about an individual that (a) can be used to identify, contact or locate a specific individual; (b) can be combined with other information that is linked to a specific individual to identify, contact or locate a specific individual; or (c) is defined as “personal data” or “personal information” by applicable Data Protection Laws relating to the collection, use, storage or disclosure of information about an identifiable individual. “EU Personal Information” means Personal Data relating to data subjects located in the European Union, European Economic Area, and Switzerland (the “Designated Countries”).
- “Personal Data Breach” means the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Customer Personal Data by Zomedica or any Subprocessor.
- “Standard Contractual Clauses” means, depending on the circumstances unique to any particular Customer, any of the following: (i) “EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and/or; (ii) “UK Addendum” means the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and/or; (iii) “Swiss Addendum” means the EU SCCs as modified in Schedule 7 to Annex I of this DPA to address the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, including any implementing, supplementing, or successor legislation.
- As between the parties, with regard to EU Personal Data, the Customer is the Data Controller and Supplier is a Data Processor. “Data Controller,” “Data Processor,” “Subprocessor,” “Supervisory Authority,” “Data Subject,” and “Process” have the meanings given in the relevant Data Protection Laws.
Processing of Personal Data.
- For purposes of this DPA, Zomedica is the Data Processor and the Customer is the Data Controller.
- As between the parties, Customer is and remains the owner of Customer Personal Data and the holder of all rights relating to Customer Personal Data.
- Nature of Data Processing. The subject matter of the data processing, including the processing operations carried out by Zomedica on behalf of the Customer and the Customer’s data processing instructions for Zomedica, will be set forth in Annex 1.
- Compliance with Laws. The parties shall each comply with their respective obligations under all applicable laws, regulations, and other legal requirements relating to the Data Protection Laws. The Data Protection Laws may include, but are not limited to, Lei Geral de Protecao de Dados (Brazil’s General Data Protection Law), Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iv) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”).
- The Customer in its capacity as Data Controller represents, warrants, agrees, and certifies that it shall comply with its Personal Data protection, security and other obligations prescribed by the Data Protection Laws for Data Controllers, without limitation, meeting its obligations under the applicable Data Protection Laws to:
- Establish and maintain a procedure for the exercise of the rights of the individuals whose Personal Data are Processed on behalf of the Customer;
- Process only data that has been lawfully and validly collected and ensure that such data will be relevant and proportionate to the respective uses; and
- Ensure compliance with the provisions of this DPA by its personnel and by any person accessing or using Personal Data on its behalf.
- Zomedica in its capacity as Data Processor represents, warrants, agrees, and certifies that:
- it understands, and will comply with, the obligations and restrictions imposed on it by applicable Data Protection Laws in its role as a service provider and/or processor.
- it shall notify Customer promptly if Zomedica determines that it can no longer meet its obligations under applicable Data Protection Laws or this DPA.
- it shall Process Customer Personal Data only to the extent, and in such a manner, as is necessary for the purposes of fulfilling its obligations under the Agreements between the Customer and Zomedica, including any applicable EULA.
- it shall take reasonable steps to ensure that access to Customer Personal Data is limited to those employees, agents, and Subprocessors, who have a need to know or otherwise access Customer Personal Data to enable Zomedica to perform its obligations under the Agreement and this DPA, and who are bound in writing to protect the confidentiality of the Customer Personal Data.
- it shall inform Customer if, in its opinion, a Processing instruction infringes applicable Data Protection Laws.
- to the extent that it deidentifies Customer Personal Data it will (i) take reasonable measures to ensure that the information cannot be associated with an individual, (ii) publicly commit to maintain and use the information in deidentified form and not to attempt to reidentify it, (iii) implement technical safeguards that prohibit reidentification, (iv) implement business processes that specifically prohibit reidentification, (v) implement business processes that prevent inadvertent release of deidentified information, (vi) make no attempt to reidentify the information, and (vii) contractually obligate any recipients of the deidentified information to comply with all provisions in this paragraph.
- if it intends to engage one or more Sub-Contractors to help it to satisfy its obligation in accordance with this DPA or to delegate all or part of the Processing activities to such Sub-Processors, it shall (i) remain responsible and liable to the Customer for the Sub-Processor’s acts and omissions with regard to Personal Data protection; and (ii) enter into contractual arrangements with such Sub-Processors requiring them to guarantee the same level of Personal Data protection compliance and information security to that provided for herein.
- Zomedica represents, warrants, agrees, and certifies that it shall not:
- retain, use, or disclose Customer Personal Data for any purpose other than for the limited and specified purpose of performing its obligations under the Agreement.
- share, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Customer Personal Data to another person or entity for: (a) monetary or other valuable consideration; or (b) cross-context behavioral advertising for the benefit of a business in which no money is exchanged; or
- combine Customer Personal Data with Personal Data Zomedica receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform a business purpose as defined in regulations adopted pursuant to applicable Data Protection Laws.
Customer Obligations.
- Customer is responsible for obtaining all necessary consents, permissions and rights required under Data Protection Laws for Zomedica to lawfully Process Customer Personal Data to provide the Zomedica Services.
- Customer shall not issue Processing instructions that would cause Zomedica to Process Customer Personal Data in violation of Data Protection Laws.
- Customer is responsible for making an independent determination as to whether its use of the Software and/or Devices will meet Customer’s requirements and legal obligations under Data Protection Laws. Zomedica shall have no obligation to assess the contents or accuracy of Customer Personal Data.
Security.
- Zomedica shall maintain administrative, technical and physical safeguards (the “Data Safeguards”) to: (i) ensure the security and confidentiality of Customer’s Confidential Information relating to any personally identifiable information (“Personal Information”); (ii) protect against any threats or hazards to the security or integrity of such Personal Information; and (iii) protect against the destruction, loss, alteration, and unauthorized access, use or disclosure of the Personal Information in the possession or control of Zomedica and during the electronic transmission, storage, and shipping thereof.
- Zomedica shall at all times comply with, and shall ensure that its employees and all Data Safeguards will be at all times in compliance with, any and all applicable laws and rules regarding privacy and data protection regulations (the “Regulations”), including rules, regulations and other requirements of the PCI Security Standards Council (including the most recent version of the Payment Card Industry Data Security Standards, as amended from time to time at the required compliance levels) or any payment network, including those of VISA, MasterCard, and the National Automated Clearing House Association, as amended from time to time. Notwithstanding the foregoing, in no event will the Data Safeguards be less rigorous than accepted security standards in the industry for services like the Services. Zomedica shall (i) provide Customer with any certifications related to any Regulation as requested by Customer, including a copy of Zomedica’s Attestation of Compliance and (ii) take those actions that are necessary for Customer to remain in compliance with the Regulations, as reasonably requested by Customer. Zomedica shall promptly notify Customer if Zomedica is no longer in compliance with any Regulation, if any certificate of Zomedica related to any Regulation is no longer in effect, and/or if Zomedica’s Attestation of Compliance to the PCI Security Standards Council is no longer in effect. If Zomedica is no longer in compliance with any Regulation, Customer may terminate the data processing services under an Agreement immediately without penalty or liability of any nature to Customer. Zomedica shall remain liable for, and immediately remit payment to Customer for amounts owing to Customer, if any, at the time of termination of data processing services.
Prior to Zomedica sharing Personal Information with any third party for compliance and certification requirements, Zomedica will obtain the written consent of Customer and have entered into a written agreement with any such third party such that the Personal Information is protected to at least the same degree as provided for by Zomedica.
Personal Data Breach.
- If Zomedica becomes aware of a Data Breach, it will notify Customer without undue delay and, in any case, where feasible, within 72 hours after becoming aware, so as to facilitate the parties’ compliance with Data Protection Laws (such as notification timelines set by GDPR Article 33 (1)). Zomedica shall notify Customer, to the extent known, about the nature of the Data Breach, the identities, categories and number of Data Subjects affected, and the number of data sets affected.
- Zomedica will, without undue delay, take all necessary and reasonable measures to mitigate or contain the Data Breach. Zomedica will inform Customer as soon as reasonably possible about such measures and keep Customer informed as reasonably practicable.
Subprocessors.
- With respect to any Subprocessor, Zomedica shall:
- carry out adequate due diligence to ensure that each Subprocessor can meet the requirements set forth in this DPA and provide evidence of such due diligence to Customer if requested.
- enter into a written agreement with each Subprocessor containing the same obligations imposed on Zomedica under this DPA and applicable Data Protection Laws with respect to Customer Personal Data; and
- remain fully liable to Customer for the acts or omissions of its Subprocessors.
Data Subject Rights and Requests.
- Zomedica shall promptly notify Customer if it receives a request from a Data Subject regarding Customer Personal Data, including a request by a Data Subject to exercise a right under Data Protection Laws. Zomedica shall await instructions from Customer concerning whether, and how, to respond to such a request, unless otherwise required to act by law.
- Zomedica shall assist Customer in fulfilling Customer’s obligations to respond to such requests, including at minimum, maintaining the ability to access, modify, remove from Processing, or irrevocably delete or destroy the Personal Data of an individual Data Subject when requested by Customer.
- Should Zomedica or any Subprocessor directly perform any data collection from Data Subjects in connection with the Customer’s instructions, Zomedica shall ensure that Data Subjects receive the Customer’s Privacy Policy at or before the point at which any information is collected about the Data Subject and obtain any required consents as may be legally necessary.
Deletion or Return of Customer Personal Data.
Zomedica shall promptly return or destroy (at Customer’s direction) all copies of Customer Personal Data in its possession, or in the possession of its Subprocessor (a) any time requested by the Customer, or (b) within sixty (60) calendar days of the effective date of termination, provided however that Zomedica and Subprocessor may retain an archival copy of Customer Personal Data in accordance with its records retention policies as required by applicable rules, regulations or laws.
Compliance and Audits.
- Upon Customer’s request, Zomedica shall provide such assistance as Customer reasonably requires to ensure compliance with Customer’s obligations under applicable Data Protection Laws, with any Supervisory Authority (which has the same meaning as given by Article 51 of the GDPR).
- In addition to any audit rights Customer may have under the Agreement and upon reasonable prior advance written notice, Zomedica shall make available to Customer all information necessary to demonstrate Zomedica’s compliance with this DPA, as well as any applicable Data Protection Laws, and shall allow for and contribute to audits, including inspections, by Customer, or a third-party auditor mandated by Customer (provided such third-party is not a competitor of Zomedica), in order to assess Zomedica’s compliance. Any such audit shall be reasonable in scope, take place during normal business hours, and shall not disrupt Zomedica’s normal operations. Zomedica shall fully cooperate with such audits or assessments by providing reasonable access to knowledgeable personnel; physical premises; and any relevant records, documentation, processes, and systems in order that Customer may satisfy itself of Zomedica’s compliance with this DPA.
Data Transfers.
Zomedica is based outside, and intends to transfer EU Personal Data outside, the EEA and European Commission-approved countries; therefore, Zomedica agrees to (a) enter into the relevant Module of the Standard Contractual Clauses (“SCCs”) specified in Annex 1 of the Agreement. If Zomedica is unable to comply with these requirements, then EU Personal Data will be processed and used exclusively within the territory of a Member State of the European Union and any movement of EU Personal Data to a non-EU country requires the prior written consent of the Customer.
Audit.
- To the extent that the Agreement does not otherwise give the information and audit rights pertaining to the processing of Customer Personal Data and meeting the relevant requirements of Data Protection Laws (including, where applicable, GDPR Article 28(3)(h)), Zomedica will upon reasonable request make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, by Customer or an auditor designated by Customer in relation to the Processing of Customer Personal Data. Zomedica will not unreasonably withhold or delay agreement to an auditor selected by Customer.
- The audits and inspections referred to in Section 12.1 are primarily carried out by Customer reviewing and inspecting audit reports resulting from an audit performed by an independent third-party information security expert at Zomedica’s expense and choice in accordance with Zomedica’s ISO 27001 compliant information security management system. Customer hereby instructs Zomedica to perform audits for purposes of privacy compliance under this DPA as described in this Section 12.2.
- If Customer wishes to alter its above instructions concerning audits, Customer will issue a suggestion for altered audit instructions to Zomedica in writing reasonably in advance of the requested audit. If the Parties fail to reach an amicable resolution on altered audit instructions, Zomedica may terminate its data processing obligations under the Agreement. Customer will take all reasonable endeavors to minimize disruption to Zomedica’s business. The audit and any information arising therefrom shall be considered Zomedica’s Confidential Information and may only be shared with a third-party with Zomedica’s prior written agreement.
- Customer will not carry out more than one audit per year unless: (i) Customer reasonably considers it necessary because of genuine and demonstrable concerns as to Zomedica’s compliance with this DPA or Data Protection Laws; or (ii) Customer is required to carry out an audit by Data Protection Laws, a supervisory authority or any similar regulatory authority responsible for enforcement of such laws; or (iii) if an earlier audit has identified non-conformity with this DPA or Data Protection Laws.
- Nothing herein limits any rights mandated by law, such as supervisory authority and Data Subject rights, including in accordance with the Standard Contractual Clauses.
Cooperation Obligations.
If Customer is required to provide information to a supervisory authority or to otherwise cooperate with a public authority, relating to Processing of Customer Personal Data, Zomedica will support Customer by providing such information reasonably available to it or otherwise reasonably cooperating with Customer, including as such information relates to technical and organizational measures taken in line with Article 32 GDPR.
To the extent necessary and reasonable, Service Provider will support Customer by providing reasonably requested information regarding Zomedica’s services to enable the Customer to carry out data protection impact assessments or consultation (if applicable) with data protection authorities as required by Data Protection Laws.
Liability.
Notwithstanding anything to the contrary in the Agreement, and without regard to any limitations of liability contained in the Agreement, Zomedica shall defend, indemnify, and hold harmless Customer and Customer Affiliates from and against any third-party claim arising out of or relating to Zomedica’s failure to comply with its obligations under this DPA.
Minimum Insurance Requirements.
Without limiting Zomedica’s liability under the Agreement or this DPA, Zomedica shall obtain and maintain throughout the course of the Agreement a cyber risk insurance policy with not less than $2 million in coverage for both potential first party and third-party losses. The cyber insurance requirements set forth in this paragraph are to be considered minimum requirements only.
Priority.
In the event of any conflict or inconsistency between the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the SCCs; (b) this DPA; and (c) the Agreement. Except as specifically amended in this DPA, the Agreement remains unchanged and in full force and effect.
Termination.
This DPA shall remain in effect as long as Zomedica Processes Personal Data in connection with Zomedica’s performance under the terms of the Agreement. Further, Zomedica’s failure to comply with any of the provisions of this DPA shall be considered a material breach of the Agreement. In such event, Customer may, without penalty to Customer, take steps to stop and remediate any unauthorized Processing of Customer Personal Data. Upon completion of Zomedica’s data processing obligations under the Agreement, Zomedica’s obligations under this DPA in relation to the Processing of Personal Data shall continue for as long as Zomedica has access to Customer Personal Data.
General Terms.
This DPA supersedes any prior data processing agreements, addenda, or similar terms between the parties. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision shall be either: (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. In the event of any conflict between the Agreement and this DPA, this DPA will govern. If any variation is required to this DPA because of a change in applicable Data Protection Laws this DPA shall be deemed modified to comply with such changes.
ANNEX I
STANDARD CONTRACTUAL CLAUSES
The Standard Contractual Clauses consist of the following schedules:
Schedule 1: Description of the Parties
Schedule 2: Categories of Data
Schedule 3: Processing Operations
Schedule 4: Types of Personal Data Processed
Schedule 5: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of Data
Schedule 6: List of Subprocessors
Schedule 7: Customers from the European Economic Area, the United Kingdom or Switzerland
Schedule 8: California Consumer Privacy Act of 2018 as Amended by the California Privacy Rights Act Certification
Schedule 1: Description of the Parties
EU Personal Data
Data exporter(s):
Role: | Controller |
Persons or Legal Entity: | The individual accepting Zomedica’s EULA and/or the user or legal entity entering into a business agreement with Zomedica. |
Activities relevant to the data transferred under these Clauses: | A consumer of animal health products and services provided by the Data Processor acting as the Controller and data exporter engaging with the Service Provider, who is acting as the Data Processor. |
Data importer(s):
Role: | Data Processor |
Name: | Zomedica |
Address: | 100 Phoenix Dr., Suite 190, Ann Arbor, MI 48108 |
Contact person’s name, position and contact details: | Contact: Data Privacy; Email: dataprivacy@zomedica.com; Phone: 1-800-245-4417 |
Activities relevant to the data transferred under these Clauses: | A provider of animal health products and services providing such services to data exporter engaging Service Provider as a Data Processor on its behalf as data exporter for EU Personal Data. |
Modules of the Standard Contractual Clauses | Module Two: Transfer controller to processor |
Zomedica’s Data Processing role in relation to the Customer with the Applicable Module | Module Two: Zomedica to the Customer |
Schedule 2: Categories of Data
- The Personal Data transferred to Zomedica (or that Zomedica will collect or gather as a result of the Services) concern the following categories of data:
- Personal Data generated, shared or uploaded by the Customer.
- Personal Data of the Customer’s employees, contractors or other personnel or candidates for employment collected or generated in the course of using Zomedica Product and Services.
Schedule 3: Processing Operations
Zomedica must process the data collected from or for the Customer or in connection with its Services provided to the Customer solely to provide the processing operations or Services specified below, in accordance with the Customer’s instructions:
Subject Matter of Processing | The Software allows for the processing of user and veterinary medical information. |
Nature and Purpose of Processing | Zomedica will Process Personal Data as necessary to perform the Services. |
Frequency of Processing | Zomedica will process the data on a continuous basis. |
Duration of the Processing | Zomedica will process Personal Data for the duration in which the Parties are doing business, unless otherwise agreed in writing by the Parties. |
Data Retention | Zomedica will retain Personal Data for a minimum of 5 years. |
Description of Data Processing:
Zomedica will process Personal Data solely in association with product and services purchased and/or accepted by the data exporter. The Personal Data will be processed for but not limited to authorizing access to software applications, purchasing product and services, providing customer support, monitoring product usage, and enhancing product and services.
Schedule 4: Types of Personal Data Processed:
Personal Data may include, but is not limited to, personal contact information such as name, business name, business address, business telephone or mobile number, business fax number, business email address, passwords, unique IDs collected from mobile devices, network carriers or data providers, geolocation data, IP addresses and online behavior and interest data.
Schedule 5: TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
In determining the technical and organizational security measures required in Clause 5 of the Data Processing Addendum, the Parties will take account of the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
As part of and without limiting the generality of the technical and organizational security measures required in the Agreement, data importer (and data importer’s subprocessor(s), if any) will implement the following specific security measures, as applicable:
- Data importer will comply with industry standard security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, and incident response measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Data Exporter’s Personal Data provided by Data Exporter to Data Importer), as well as with all applicable data privacy and security laws, regulations and standards.
- Personal data must be stored on secured servers and must be hashed or salted.
- Data importer’s employees and contractors must be trained in relation to specific and appropriate technical and organizational security measures.
- Data importer must take reasonable measures to meet or exceed security standards for cloud infrastructure and web applications.
- Data importer’s information systems infrastructure and databases must be password protected.
- Data importer’s data must be encrypted during transit and at rest.
- Data importer must secure public Application Programming Interfaces following industry standard authentication protocols.
- Data importer must segregate and limit employee access permissions.
- If applicable, data importer must rotate keys to credit card databases.
- Data importer must conduct monitoring of system access and anomaly detection.
- Data importer has implemented appropriate safeguards proportionate to the specific risks associated with data transfers to the data importer’s jurisdiction.
Schedule 6: List of Subprocessors
The controller has authorized the use of the following sub-processors:
Subprocessor | Location | Data Processing Agreement |
Shopify | Canada | |
Microsoft | United States | |
Amazon Web Services | United States | |
Salesforce | United States | |
United States | ||
Square Up | https://squareup.com/us/en/legal/general/data-processing-terms | |
Twilio | United States | |
Constant Contact | United States |
Schedule 7: Customers from EEA, UK or Switzerland
For data transfers by Customer from the European Economic Area, the United Kingdom or Switzerland to Zomedica in a country that does not ensure an adequate level of protection within the meaning of Data Protection Laws, the EU SCCs and/or UK Addendum and/or Swiss Addendum, as applicable, shall govern such transfers.
EU SCCs
The EU SCCs will apply to any Processing of Customer Personal Data that is subject to the GDPR and any optional clauses not expressly selected are not incorporated. For the purposes of the EU SCCs:
- Module Two terms will apply in the case of Processing where Customer acts as a Controller and Module Three terms will apply in the case of Processing where Customer acts as a Data Processor.
- Clause 7 (the docking clause) will apply.
- Clause 9, Option 2 (General written authorization) will apply, and the time period for prior notice of Subprocessor changes will be as set forth in Section 7 (Sub-processors) of this DPA.
- With regard to Clause 17 (Governing law), option 1 will apply and the governing law will be the governing law as set forth in the Agreement.
- With regard to Clause 18 (Choice of forum and jurisdiction), the jurisdiction shall be the jurisdiction as set forth in the Agreement.
- Annex I of the EU SCCs contains the specifications regarding the Processing and the competent supervisory authority and the following shall apply with respect to the Parties:
Data Exporter: The Customer listed in the DPA.
Contact Details: Customer’s account owner email address
Data Exporter Role: Controller for Module Two and Processor for Module Three
Signature & Date: By entering into the DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
Data Importer: Zomedica
Contact Details: As identified in the Agreement
Data Importer Role: Processor for Module Two and sub-processor for Module Three
Signature & Date: By entering into the DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the DPA.
- Annex II of the EU SCCs contains the technical and organizational measures.
- The specifications for Annex III are determined by this DPA. The Sub-processors’ contact persons’ names, positions and contact details will be provided by Zomedica upon written request.
UK Addendum
The UK Addendum will apply to any Processing of Customer Personal Data that is subject to the UK GDPR or to both the UK GDPR and the GDPR. For purposes of the UK Addendum:
- The Parties are Services Provider and Customer, with contact details as set forth in this DPA.
- The Approved Standard Contractual Clauses are the EU SCCs as set forth in Section 1 (EU SCCs) of this Schedule 7 of Annex I to the DPA.
Swiss Addendum
For transfers of Customer Personal Data that are subject to the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993 (Swiss Data Protection Laws), the EU SCCs form part of this Swiss Addendum, but with the following differences to the extent required by the Swiss Data Protection Laws.
- References to the GDPR in the EU SCCs shall be references to Swiss Data Protection Laws to the extent the data transfers are subject exclusively to Swiss Data Protection Laws and not to the GDPR.
- References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.
- The “competent supervisory authority” is the Federal Data Protection and Information Commissioner insofar as the transfers are governed by Swiss Data Protection Laws.
- References to “personal data” in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions of Swiss Data Protection Laws that eliminate this broader scope.
- Clause 18 of the EU SCCs is replaced to state: “Any dispute arising from these Clauses relating exclusively to Swiss Data Protection Laws will be resolved by the courts in Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence.”
Schedule 8: CALIFORNIA CONSUMER PRIVACY ACT OF 2018 AS AMENDED BY THE CALIFORNIA PRIVACY RIGHTS ACT CERTIFICATION
This California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, is issued by Zomedica provided by Zomedica to the Customer and Zomedica’s use of Personal Data on behalf of the Customer. This Certification is issued pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”).
The CCPA requires that companies acting as “Service Providers” are prohibited from retaining, using, or disclosing personal information for any purpose other than providing services to its customers pursuant to a written contract and within Zomedica’s and the Customer’s direct business relationship.
The Customer and Zomedica have entered into one or more written agreements under which Zomedica may receive or process Personal Data on behalf of the Customer.
Zomedica will process Personal Data solely in association with product and services purchased and/or accepted by the Customer. The Personal Data will be processed for but not limited to authorizing access to software applications, purchasing product and services, providing customer support, monitoring product usage, and enhancing product and services. Personal Data may include, but is not limited to, personal contact information such as name, business name, business address, business telephone or mobile number, business fax number, business email address, passwords, unique IDs collected from mobile devices, network carriers or data providers, geolocation data, IP addresses and online behavior and interest data.
By the Customer accepting Zomedica’s End User License Agreement (EULA),
- Zomedica certifies that it does not receive Customer Personal Data as considered for any services and does not otherwise derive value from the processing or use of Customer Personal Data other than the value derived as a result of Zomedica’s direct business relationship with the Customer. Zomedica certifies that it does not and will not sell and share Customer Personal Data, as the terms “sell” and “share” are defined under the CCPA, and acknowledges that it may not retain, use or disclose Customer Personal Data except as is necessary to provide services to the Customer.
- Zomedica certifies that it understands the rules, requirements and definitions of the CCPA and shall refrain from taking any action that may qualify as selling or sharing Customer Personal Data under the CCPA.
- Zomedica acknowledges that it acts as a “Service Provider” of Customer Personal Data under the CCPA. To the extent authorized by the Agreement and/or this DPA, Zomedica will have the right to use Customer Personal Data for the business purposes described by the CCPA and its corresponding regulations. Zomedica certifies that it does not combine Customer Personal Data with Personal Data that Zomedica collects itself or receives from another source, except to perform any business purpose permitted by the CCPA or its regulations.
- Zomedica shall comply with all requirements under the CCPA and other Data Protection Requirements for any de-identified data that it receives from the Customer.
- The Customer will inform Zomedica of any consumer requests made pursuant to the CCPA with which Zomedica must comply and provide Zomedica with the information within the Customer’s possession that is necessary for Zomedica to comply with the request.
- Zomedica agrees to allow the Customer to conduct reasonable assessments, as prescribed by the CCPA and its regulations, to ensure that Zomedica complies with the Customer’s CCPA obligations, the Agreement, and the DPA. If Zomedica determines that it can no longer meet its obligations under the Agreement, Zomedica agrees to notify the Customer no later than prescribed by the CCPA and to allow the Customer to take reasonable and appropriate steps to stop and remediate the unauthorized use of Customer Personal Data.