04 December 2023
These Jurisdiction Specific Terms are an integral part of the Data Processing Addendum (“Addendum”) entered into between the Parties. By signing the Addendum, the Parties have agreed to comply with these Jurisdiction Specific Terms which apply to the extent that a Party Processes Personal Data originating from or protected by Applicable Data Protection Laws in a jurisdiction identified herein.
The terms and definitions specified in these Jurisdiction Specific Terms shall apply with respect to the applicable jurisdiction in addition to the terms of the Addendum. Capitalized terms which are used but not defined shall have the meaning given to those terms in the Addendum.
1. Argentina
1.1. Wherever the Processing pursuant to this Addendum falls within the scope of the Argentine Republic’s Personal Data Protection Law 25,326, Regulatory Decree 1558/2001, or any other corresponding decrees, regulations, or guidance governing the Processing of Personal Data in Argentina (collectively “Argentine Data Protection Laws”), the provisions of this Addendum and this Section shall apply to such Processing.
1.2. Any Restricted International Transfer subject to Argentine Data Protection Laws from Splash Clinical to Service Provider must comply with the Applicable Data Protection Laws, and the transfer mechanism shall be one of the following, in the stated order of precedence:
- (a) Where the Restricted International Transfer both originates from and terminates in a country, a sector within a country, or an international organization which the Argentine National Bureau of Personal Data Protection (“NBPDP”) has determined provides an adequate level of protection to Personal Data, such adequacy determination shall be the transfer mechanism.
- (b) Where it is not possible to rely on an NBPDP adequacy determination, the transfer mechanism shall be the Parties’ accession to Annex II of the Standard Contractual Clauses promulgated by the NBPDP in its Provision 60-E/2016, or, in the event the NBPDP updates or amends such Standard Contractual Clauses, the transfer mechanism shall be the Parties’ accession to the appropriate module of the updated or amended Standard Contractual Clauses, as promulgated by the NBPDP.
1.3. Where it is necessary to do so, this Addendum therefore incorporates by reference Annex II of the Standard Contractual Clauses. The contents required to be set forth in Annex A to Annex II of the Argentine Standard Contractual Clauses are set forth in Exhibit A to this Addendum. For the purposes of Annex II of the Argentine Standard Contractual Clauses and this Section, the Data Importer and Data Exporter roles are set out in Part A of Exhibit A to this Addendum. The Parties are deemed to have accepted, executed, and signed Annex II of the Standard Contractual Clauses where necessary in its entirety.
1.4. In cases where Annex II of the Standard Contractual Clauses applies and there is a conflict between the terms of this Addendum and the terms of Annex II of the Standard Contractual Clauses, the terms of Annex II of the Standard Contractual Clauses shall prevail with regard to the Restricted International Transfer in question.
2. Australia
When applicable, the Processing of Splash Clinical Personal Data shall be compliant with the Australian Privacy Principles, the Australian Privacy Act (1988), or any other applicable law, regulation, or decree of Australia pertaining to the protection of such information.
3. Brazil
When applicable, the Processing of Splash Clinical Personal Data shall be compliant with Brazil’s Lei Geral de Proteção de Dados, Law No. 13.709 of 14 August 2018 and any corresponding decrees, regulations, or guidance.
4. Bulgaria
4.1. Wherever the Processing pursuant to this Addendum falls within the scope of Bulgaria’s Personal Data Protection Act (as amended in November 2019) (“PDPA”), the Electronic Communications Act, or any other corresponding decrees, regulations, or guidance, the provisions of this Addendum and this Section shall apply to such Processing.
4.2. The Parties agree and acknowledge that, when Service Provider acts as a Processor, Service Provider shall comply with Article 25a of the PDPA which requires Service Provider to:
- (a) Return to Splash Clinical any Personal Data Processed pursuant to this Addendum within a period of one month after having become aware of any Personal Data that has been disclosed (i) without a legal basis pursuant to Article 6(1) of the GDPR, or (ii) contrary to the principles under Article 5 of the GDPR; or, if this is impossible or would involve disproportionate efforts, erase or destroy the Personal Data; and
- (b) If the Personal Data is erased or destroyed in accordance with Section 4.2(a) of these Jurisdiction Specific Terms above, document such erasure and destruction.
5. Canada
When applicable, the Processing of Splash Clinical Personal Data shall be compliant with the Canadian Federal Personal Information Protection and Electronic Documents Act and any other applicable Canadian privacy or data protection laws.
6. Colombia
6.1. Wherever the Processing pursuant to this Addendum falls within the scope of Colombia’s Data Protection Law No. 1581 of 2012 (“Data Protection Law No. 1581”), Data Protection Decree No. 1377 of 2013 (“Data Protection Decree”), and any corresponding decrees, regulations, or guidance (collectively “Colombian Data Protection Laws”), the provisions of this Addendum and this Section shall apply to such Processing.
6.2. Definitions
- (a) “Information Processing Policy” (“Política de Tratamiento de la información”) (as used in this Section) shall have the meaning set forth in Article 13 of the Data Protection Decree.
- (b) “Personal Data Breach” (as used in this Addendum) includes “violations of security codes” [that] “result in risks to the administration of Data Subjects’ information” (“violaciones a los códigos de seguridad y existan riesgos en la administración de la información de los Titulares”), as that phrase is construed under Articles 17(n) and 18(k) of the Data Protection Law No. 1581.
- (c) “Rights of the Data Subjects” (as used in this Addendum) include such Data Subjects’ hábeas data rights, as that phrase is construed under the Constitution of Colombia and Colombian Data Protection Laws.
- (d) “Supervisory Authority” (as used in this Addendum) includes Colombia’s Superintendency of Industry and Commerce (Superintendencia de Industria y Comercio).
6.3. When acting as a Processor or Sub-Processor in connection with the Processing of Splash Clinical Personal Data, Service Provider shall comply with all requirements applicable to Processors under the Colombian Data Protection Laws, including but not limited to obligations under Article 18 of Data Protection Law No. 1581 and Articles 11, 23, and 25 of the Data Protection Decree. Service Provider shall also comply with Splash Clinical’s Information Processing Policy, if any.
6.4. This Addendum sets out the additional required contractual elements under Article 25 of the Data Protection Decree, such as the scope of Processing, the activities that Service Provider is authorized to perform on Splash Clinical’s behalf, Service Provider’s obligations relative to Splash Clinical and Data Subjects, and Service Provider’s obligations to safeguard the security and confidentiality of Personal Data.
7. European Economic Area
7.1. Definitions
- (a) “EEA” (as used in this Section) means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.
- (b) “EEA Data Protection Laws” (as used in this Section) means the GDPR and all laws and regulations of the EU and the EEA countries applicable to the Processing of Splash Clinical Personal Data.
- (c) “EU 2021 Standard Contractual Clauses” (as used in these Jurisdiction Specific Terms) means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
7.2. With regard to any Restricted International Transfer subject to EEA Data Protection Laws from Splash Clinical to Service Provider, one of the following transfer mechanisms shall apply, in the following order of precedence:
- (a) A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR.
- (b) The appropriate Standard Contractual Clauses adopted by the European Commission from time to time.
- (c) Any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws, as the case may be.
7.3. Standard Contractual Clauses:
- (a) This Addendum hereby incorporates by reference the Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
- (b) The Parties agree that any references to sections, annexures, exhibits, modules and choices within the Standard Contractual Clauses as set out in this Section 8.3 of these Jurisdiction Specific Terms, shall be deemed to be the same as the cognate and corresponding references to sections, annexures, exhibits, modules and choices within any appropriate, updated Standard Contractual Clauses as may be applicable from time to time pursuant to this Addendum.
- (c) For the purposes of the annexures to the EU 2021 Standard Contractual Clauses and any substantially similar Standard Contractual Clauses which may be adopted by the relevant authorities in the future:
- i. Annex I(A): The content of Annex I(A) is set forth in Part A of Exhibit A, except that the details of the Parties’ Data Protection Officers and Data Protection Representatives in the EU (if applicable) are specified in Sections 19 and 20, respectively, of this Addendum.
- ii. Annex I(B): The content of Annex I(B) is set forth in Part B of Exhibit A.
- iii. Annex I(C): The content of Annex I(C) is set forth in Section 8.3(d) of these Jurisdiction Specific Terms.
- iv. Annex II: The content of Annex II is set forth in Appendix I to Exhibit A.
- v. Annex III: The content of Annex III is set out in Appendix II to Exhibit A.
- vi. The Parties agree to apply the following module:
- (A) With respect to any Processor-to-Sub-Processor Restricted International Transfers of EEA Personal Data, the Parties agree to implement Module Three of the EU 2021 Standard Contractual Clauses.
- (d) With respect to any Processor-to-Sub-Processor Restricted International Transfers of EEA Personal Data, the Parties agree to implement Module Three of the EU 2021 Standard Contractual Clauses.
- i. Clause 7: The Parties choose not to include the optional docking clause.
- ii. Clause 9(a): The Parties choose Option 2, “General Written Authorization,” and the time period set forth in Section 6.4 of this Addendum. The procedures for designation and notification of new Contracted Processors are set forth in more detail in Section 6 of this Addendum.
- iii. Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body.
- iv. Clause 13 (Annex I.C): The Data Exporter is not established within an EU member state, but the Data Exporter falls within the territorial scope of the GDPR pursuant to Article 3(2) and has appointed a Data Protection Representative established in Ireland pursuant to Article 27(1) of the GDPR, whose supervisory authority shall be the competent Supervisory Authority and be responsible for ensuring compliance by the Data Exporter with the GDPR as regards the data transfer.
- v. Clause 17: The clauses shall be governed by the laws of Country / the Republic of Ireland.
- vi. Clause 18: The Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of Country / the Republic of Ireland.
7.4. The terms contained in Exhibit B to this Addendum supplement the Standard Contractual Clauses.
7.5. In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of this Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted International Transfer in question.
8. Israel
8.1. Wherever the Processing pursuant to this Addendum falls within the scope of Israel’s Protection of Privacy Law, 1981, the Protection of Privacy Regulations (Data Security) 5777-2017 (“PPL Regulations”), and any corresponding decrees, regulations, or guidance (collectively “Israeli Data Protection Laws”), the provisions of this Addendum and this Section shall apply to such Processing.
8.2. For purposes of Article 15 of the PPL Regulations, to the extent that Service Provider acts as an external service provider (ספק שירות) as that term is construed under Israeli Data Protection Laws, Exhibit A to this Addendum contains information about the Personal Data that Service Provider shall Process, the purposes of the Processing, the database systems (if any) that Service Provider will access in connection with the Processing, the types of Processing that Service Provider will perform, the duration of the Processing, and the security measures that Service Provider has implemented to protect Personal Data.
8.3. Service Provider shall notify Splash Clinical in the event of a Security Incident and shall notify Splash Clinical, at least once annually (and in a format to be agreed upon by the Parties), on the manner in which Service Provider has implemented its obligations in this Section.
9. Switzerland
9.1. Definitions
- (a) “FDPIC” (as used in this Section) means the Swiss Federal Data Protection and Information Commissioner.
- (b) “Swiss Data Protection Laws” (as used in this Section) includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection.
9.2. With regard to any Restricted International Transfer subject to Swiss Data Protection Laws from Splash Clinical to Service Provider within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
- (a) The inclusion of the Third Country, a territory, or one or more specified sectors within that Third Country, or the international organization in question to which Splash Clinical Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Splash Clinical Personal Data within the meaning of the FADP.
- (b) The Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Swiss Data Protection Laws).
- (c) Any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.
9.3. Standard Contractual Clauses:
- (a) This Addendum hereby incorporates by reference the Standard Contractual Clauses, which have been adopted for use by the FDPIC with certain modifications. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
- (b) The Parties incorporate and adopt the Standard Contractual Clauses for Restricted International Transfers subject to Swiss Data Protection Laws in the same manner set forth in Section 8.3 of these Jurisdiction Specific Terms, subject to the following:
- i. Clause 13 (Annex I.C): The competent authority shall be the FDPIC. Nothing about the Parties’ designation of the competent Supervisory Authority shall be interpreted to preclude Data Subjects in Switzerland from applying to the FDPIC for relief.
- ii. Clause 17: The clauses shall be governed by the laws of Country / Switzerland.
- iii. Clause 18: The Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of Country / Switzerland. The Parties’ selection of forum may not be construed as forbidding Data Subjects habitually resident in Switzerland from suing for their rights in Switzerland.
- iv. References to “Regulation (EU) 2016/679” and specific articles therein shall be replaced with references to the FADP and the equivalent articles or sections therein, insofar as there are any Restricted International Transfers subject to Swiss Data Protection Laws.
- v. The Standard Contractual Clauses also protect the data of legal entities until the entry into force of the revised FADP.
9.4. In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of this Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted International Transfer in question.
10. Turkey
When applicable, the Processing of Splash Clinical Personal Data shall be compliant with Turkey’s Personal Data Protection Law No. 6698 of 2016, and any corresponding decrees, regulations, or guidance.
11. United Kingdom
11.1. Definitions
- (a) “UK Data Protection Laws” (as used in this Section) includes the Data Protection Act 2018 and the UK GDPR (as defined below).
- (c) “UK GDPR” (as used in this Section) means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
- (d) “UK ICO” (as used in this Section) means the UK Information Commissioner’s Office.
- (e) “UK IDTA” (as used in this Section) means the International Data Transfer Agreement issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.
- (f) “UK Transfer Addendum” (as used in this Section) means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.
11.2. With regard to any Restricted International Transfer subject to UK Data Protection Laws from Splash Clinical to Service Provider within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
- (a) A valid adequacy decision adopted pursuant to Article 45 of the UK GDPR.
- (b) The UK IDTA.
- (c) The Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under UK Data Protection Laws, and the Processing activities of the Data Importer are not subject to the UK GDPR by virtue of application of Article 3(2) of the UK GDPR), as they have been adopted for use by the relevant authorities within the United Kingdom, including the UK ICO, using the UK Transfer Addendum.
- (d) Any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws, as the case may be.
11.3. EU 2021 Standard Contractual Clauses and UK Transfer Addendum:
- (a) This Addendum hereby incorporates by reference any additional modifications and amendments required by the UK Transfer Addendum as they have been adapted for use by the relevant authorities within the United Kingdom to make the EU 2021 Standard Contractual Clauses applicable to Restricted International Transfers subject to UK Data Protection Laws. The Parties are deemed to have accepted, executed, and signed the adapted EU 2021 Standard Contractual Clauses where necessary in their entirety (including the annexures and any addenda thereto).
- (b) For the purposes of the tables to the UK Transfer Addendum:
- i. Table 1: The content of Table 1 is set forth in Part A of Exhibit A.
- ii. Table 2: The content of Table 2 is incorporated and adopted as to Restricted International Transfers subject to UK Data Protection Laws in exactly the same manner set forth in Section 8.3 of these Jurisdiction Specific Terms.
- iii. Table 3: The content of Table 3 (Annexes 1A, 1B, II, and III) is set forth as follows:
- (A) Annex 1(A): The content of Annex 1(A) is set forth in Part A of Exhibit A, save the details of the Parties’ Data Protection Officers and Data Protection Representatives in the UK, which are specified in Sections 19 and 20, respectively, of this Addendum.
- (B) Annex 1(B): The content of Annex 1(B) is set forth in Part B of Exhibit A.
- (C) Annex II: The content of Annex II is set forth in Appendix I to Exhibit A.
- (D) Annex III: The content of Annex III is set out in Appendix II to Exhibit A.
- iv. Table 4: The Parties agree that the Data Exporter may terminate the UK Transfer Addendum.
- (c) The Parties incorporate and adopt the Standard Contractual Clauses as to Restricted International Transfers subject to UK Data Protection Laws in exactly the same manner set forth in Section 8.3 of these Jurisdiction Specific Terms, with the following distinctions:
- i. Clause 13 (Annex I.C): The competent authority shall be UK ICO.
- ii. Clause 17: The Standard Contractual Clauses, including the incorporated UK Transfer Addendum, shall be governed by the laws of England and Wales.
- iii. Clause 18: The Parties agree that any dispute arising from the Standard Contractual Clauses or the incorporated UK Transfer Addendum shall be resolved by the courts of England and Wales. A Data Subject may also bring legal proceedings against the Data Exporter and/or Data Importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.
- (d) The terms contained in Exhibit B to this Addendum supplement the Standard Contractual Clauses.
- (e) In cases where the Standard Contractual Clauses, in conjunction with the UK Transfer Addendum, apply and there is a conflict between the terms of this Addendum and the terms of the Standard Contractual Clauses or UK Transfer Addendum, the terms of the UK Transfer Addendum shall prevail with regard to the Restricted International Transfer in question.
11.4. UK IDTA:
- (a) This Addendum hereby incorporates by reference the UK IDTA. The Parties are deemed to have accepted, executed, and signed the UK IDTA where necessary in its entirety.
- (b) For the purposes of the tables to the UK IDTA:
- i. Table 1: The information required by Table 1 appears within Part A of Exhibit A.
- ii. Table 2:
- (A) The UK IDTA shall be governed by the laws of England and Wales.
- (B) The Parties agree that any dispute arising from the UK IDTA shall be resolved by the courts of England and Wales.
- (C) The Parties’ controllership and data transfer roles are set out in Part A of Exhibit A.
- (D) The UK GDPR does not apply to the Data Importer’s Processing of Splash Clinical Personal Data.
- (E) This Addendum and the Agreement set out the instructions for Processing Splash Clinical Personal Data.
- (F) The Data Importer shall Process Splash Clinical Personal Data for the time period set out in Part B of Exhibit A. The Parties agree that the Data Exporter may terminate the UK IDTA before the end of such time period by serving one month’s written notice.
- (G) The Data Importer may only transfer Splash Clinical Personal Data to authorized Contracted Processors (if applicable), as set out within Section 6 of this Addendum, or to such third parties that the Data Exporter authorizes in writing or within the Agreement.
- (H) Each Party must review this Addendum at regular intervals, to ensure that this Addendum remains accurate and up-to-date and continues to provide appropriate safeguards to Splash Clinical Personal Data. Each Party will carry out these reviews as frequently as at least once [each 6 months / each year / each time there is a change to Splash Clinical Personal Data, purposes for Processing, Data Importer information, or risk assessment or sooner.
- iii. Table 3: The content of Table 3 is set forth in Part B of Exhibit A and may be updated in accordance with Section 3.3 of this Addendum.
- iv. Table 4: The content of Table 4 is set forth in Appendix I to Exhibit A and may be updated in accordance with Section 3.3 of this Addendum.
- (c) Part 2 (Extra Protection Clauses) and Part 3 (Commercial Clauses) of the UK IDTA are noted throughout this Addendum.
- (d) The terms contained in Exhibit B to this Addendum supplement the UK IDTA.
- (e) In cases where the UK IDTA applies and there is a conflict between the terms of this Addendum and the terms of the UK IDTA, the terms of the UK IDTA shall prevail.
12. United States of America
12.1. Wherever the Processing pursuant to this Addendum falls within the scope of the United States Data Protection Laws, as defined below, the provisions of this Addendum and this Section shall apply to such Processing.
12.2. Definitions
- (a) “United States Data Protection Laws” includes all the enacted state and federal laws, acts, and regulations of the United States of America that apply to the Processing of Splash Clinical Personal Data, as they may be amended from time to time. Such laws include, without limitation:
- i. the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (codified as Cal. Civ. Code § 1798.100 et seq.);
- ii. the Colorado Privacy Act (codified as Colo. Rev. Stat. § 6-1-1301 et seq.);
- iii. the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (codified as Conn. Pub. Act No. 22-15);
- iv. the Virginia Consumer Data Protection Act (codified as Va. Code Ann. § 52-59.1 et seq.);
- v. the Utah Consumer Privacy Act (codified as Utah Code Ann. §§ 13-2-1 and 13-61-101 et seq.); and
- vi. the state data breach notification laws of each state of the United States of America.
- (b) “Business Purpose” and “Commercial Purpose” (as both are used in this Section) shall have the meanings given to those terms by the United States Data Protection Laws that define those terms.
- (c) “Controller” (as used in the Addendum) includes “Business” as defined under the United States Data Protection Laws that define that term.
- (d) “Data Subject” (as used in the Addendum) includes a “Consumer” as defined under the United States Data Protection Laws that define that term.
- (e) “Personal Data” (as used in the Addendum) includes “Personal Information” as defined under the United States Data Protection Laws that define that term.
- (f) “Personal Data Breach” (as used in the Addendum) includes “Breach of the Security of the System” as defined under the United States Data Protection Laws that define that term.
- (g) “Processor” (as used in the Addendum) includes “Service Provider” as defined under the United States Data Protection Laws that define that term.
- (h) The terms “Sell”, which for the purposes of this Section includes “Sale of Personal Data” as defined under the United States Data Protection Laws, and “Share” (as used in this Section) shall have the meanings given to those terms by the United States Data Protection Laws that define those terms.
12.3. Splash Clinical discloses Splash Clinical Personal Data to Service Provider solely for: (i) valid Business Purposes; and (ii) to enable Service Provider to perform the Services.
12.4. Service Provider shall not: (i) Sell or Share Splash Clinical Personal Data; (ii) retain, use, or disclose Splash Clinical Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise required by the United States Data Protection Laws; (iii) retain, use, or disclose Splash Clinical Personal Data except where permitted under the Agreement between Splash Clinical and Service Provider; or (iv) combine Splash Clinical Personal Data with other information that Service Provider Processes on behalf of other persons or that Service Provider collects directly from the Data Subject, with the exception of Processing for Business Purposes. Service Provider certifies that it understands these prohibitions and agrees to comply with them.