PROCESSING OF PERSONAL DATA
Article 1. Purposes
The purpose of these provisions is to define the conditions under which ABIONYX undertakes to carry out personal data processing operations in performance of contractual obligations, where applicable, within the meaning of:
• Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms, as amended (hereinafter the "Data Protection Act") and all recommendations issued by the Supervisory Authority in application of the Data Protection Act,
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing the directive 95/46/EC [General Data Protection Regulation] (hereinafter the “GDPR”) and any recommendations issued by the European Data Protection Board pursuant to the GDPR,
• The Data Protection Act and the GDPR, and the aforementioned recommendations being jointly referred to as the “Regulations” within these provisions.
• Deliberation no. 2018-155 of 3 May 2018 approving the reference methodology relating to the processing of personal data implemented in the context of research not involving the human person, studies and evaluations in the field of health (MR-004)
As part of its contractual relations, ABIONYX and its employees, agents, legal representatives, subcontractors and co-contractors undertake to comply with the Regulations.
Article 2. Definitions
The terms reproduced below will be understood within these provisions as defined in Article 4 of the GDPR.
"Supervisory authority": the CNIL, an independent public authority responsible for monitoring the application of the Regulations, in order to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free flow of personal data within the European Union.
"Consent" of the Data Subject: any free, specific, informed and unambiguous manifestation of will by which the Data Subject accepts, by a statement or by a clear positive act, that Personal Data concerning him/her be the subject of 'a treatment ;
“Recipient”: the natural or legal person, public authority, service or any other body that receives communication of Personal Data, whether or not it is a Third Party;
“Personal data”: any information relating to an identified or identifiable natural person;
“Third country”: country outside the European Union and not subject to an adequacy decision by the European Commission within the meaning of Article 45 of the GDPR;
“Data subject”: an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to a or more specific elements specific to his physical, physiological, genetic, psychological, economic, cultural or social identity;
“Data Controller”: the legal entity which, alone or jointly with others, determines the purposes and means of the Processing;
“Services”: operations entrusted to ABIONYX by any client in execution of a contract where applicable, involving in particular the Processing of Personal Data;
“Subcontractor”: the legal entity that processes Personal Data on behalf of ABIONYX, if applicable;
“Third party”: any natural or legal person, public authority, service or body other than the data subject, the Data Controller, the persons who, placed under the direct authority of the Data Controller or the processor, are authorized to process personal data;
“Processing”: any operation or set of operations whether or not carried out using automated processes and applied to data or sets of Personal Data, such as the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, linking or interconnection, limitation, erasure or destruction; the Processing implemented in the context of the provision of the Services is described in Article 3 of this agreement;
“Personal Data Breach”: a breach of security, accidentally or unlawfully resulting in the destruction, loss, alteration, unauthorized disclosure of Personal Data transmitted, stored or processed by another manner, or unauthorized access to such data.
Article 3. Description of Process by ABIONYX
The Processing carried out by ABIONYX within the framework of the Services is described in a current data retention charter with a trusted third party or any other document meeting the cyber security requirements deemed necessary and sufficient by ABIONYX.
Article 4. Obligations of ABIONYX
ABIONYX declares and guarantees that it has sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the Processing of Personal Data meets the requirements of the Regulations and guarantees the protection of the rights of the Persons concerned.
ABIONYX undertakes to process Personal Data solely within the framework of the Services defined in the contract, for the only Processing provided for in Article 3 "Description of the Processing of Personal Data".
ABIONYX undertakes to:
• Provide prior notice of any transfer of Personal Data outside of an Approved Processing Location prior to any transfer operation;
• Inform any person if he considers that a Processing instruction constitutes a violation of the Regulations;
• Ensure that any natural person placed under its authority, regardless of their status, who has access to Personal Data in the context of the Services provided by ABIONYX is authorized to process them either subject to:
o To an obligation of confidentiality,
o Training in the protection of Personal Data.
ABIONYX also undertakes to help anyone in carrying out any impact analysis relating to the protection of data required by the Processing related to the Services.
Article 5. Place of Process of Personal Data
Any Personal Data which is the subject of Processing or which is intended to be the subject of such Processing in accordance with the framework of the Services must, unless otherwise specified, be processed:
at. In the European Economic Area (“EEA”);
b. In a third country or an international organization of which the European Commission has determined by decision that the third country or international organization in question ensures an adequate level of protection, insofar as such a decision is in force at the time of the Transfer (“Appropriate Countries”);
Article 6. Audits et controls
ABIONYX undertakes to make available to any person it deems useful, all the information necessary to demonstrate compliance with its obligations of compliance with the Regulations and this agreement, and to allow audits to be carried out, including inspections and contributions to an audit.
Article 7. Modalities of exercise of any person rights
BIONYX guarantees that it implements all measures to allow a Data Subject whose Personal Data is collected as part of the Services, to effectively and fully exercise the rights available to him or her under the Regulations.
ABIONYX undertakes, as far as possible, to help any person it deems useful in the processing of any request from a Data Subject relating to the exercise of the rights available to it under the Regulations.
ABIONYX undertakes to keep an up-to-date register for monitoring requests for the exercise of rights by the Data Subject or any person that ABIONYX deems appropriate.
Article 8. Notice of infringement of any person rights
ABIONYX undertakes to document any Personal Data Breach that has been notified to it by any person in the context of the performance of the Services and to keep this documentation at its disposal, without prejudice to its notification obligation defined below.
ABIONYX notifies, in writing, to any person that it deems useful any Personal Data Breach as soon as possible after becoming aware of it, and in any case no later than within forty-eight (48) calendar hours.
Article 10. Safety measures
ABIONYX undertakes and guarantees to implement the appropriate technical and organizational measures in order to guarantee a level of security of the Personal Data adapted to the risks attached to the implementation of the Processing within the framework of the Services.
In addition, the appropriate technical and organizational measures intended for the protection of Personal Data subject to Processing within the framework of the Services are described internally at ABIONYX.
Article 11. Confidentiality
ABIONYX is subject to the most absolute secrecy including confidentiality, professional secrecy and business secrecy (hereinafter the "Secret") on the Processing including in particular Personal Data, implemented within the framework of the Services provided in execution of the contract.
ABIONYX undertakes, for the duration provided for in the contract, to keep the Secret nature of all Personal Data and, consequently:
To communicate Personal Data only to members of its staff who need to know it for the performance of the Services in the context of the contract;
To take the measures that it takes itself with regard to its own confidential information to prevent its publication or disclosure to Third Parties.
Article 12. Register of processing activities
ABIONYX undertakes to set up and implement a register in electronic format containing all the information required by article 30.2 of the GDPR.
Article 13. Regulatory compliance guarantee
ABIONYX declares that it is fully aware of the legal and regulatory constraints to which it is subject as well as its employees and co-contractors with regard to the protection of Personal Data.
Article 14. Regulatory compliance guarantee
ABIONYX may appoint to any person it deems useful a natural person within its staff as a point of contact for all questions relating to issues related to the protection of personal Data in the context of the Services. This person must have all the necessary skills for all questions related to the obligations defined in this Agreement involving Personal Data and, where applicable, in the reports of ABIONYX, agents, employees, representatives and co-contractor with the Authority of control.
The contact point designated by ABIONYX, delegate for the protection of personal data: Mr. Emmanuel de Fougeroux.