These Myonex Data Processing Terms apply to the Processing of Personal Data by Myonex or any relevant Subprocessor as specified in the relevant Work Order. References to “Myonex” in these Data Processing Terms include “Myonex Affiliates”, as applicable.
1) DEFINITIONS
The following defined terms apply to these Data Processing Terms. Terms not defined in these Data Processing Terms have the meaning set out in the Agreement.
“Agreement” means the agreement between Myonex and the Customer for the provision of Services. This will usually be a Master Supply and Services Agreement, or similar master agreement.
“Authority” means the public authority or authorities competent under applicable Privacy Law.
“Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 approved by the European Commission implementing decision (EU) 2021/914, and a “Clause” means the relevant clause in the Clauses.
“Commencement Date” means, for each Service, the Effective Date indicated in the Agreement, or the applicable Work Order designated for the commencement of such Service.
“Data Processing Terms” or “DPA” mean these terms, including all schedules and appendices referred to herein or documents expressly incorporated by reference in this DPA, as they may be amended or supplemented from time to time pursuant to the terms of this DPA.
“Myonex Personnel” means the employees, consultants, representatives, agents, and contractors of Myonex and its Subprocessors and any of their Affiliates who perform any Services under the Agreement or this DPA.
“Personal Information” or “Personal Data” mean any information relating to an identified or identifiable natural person and legal persons (in jurisdictions where legal persons have the benefit of, or are protected by, Privacy Law), an identifiable natural person being one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as well as Sensitive Personal Information, which are all subject to Privacy Law.
“Privacy Law” means all applicable local, domestic, state, national and/or foreign laws that relate to: (a) the confidentiality, collection, use, handling, processing, retention, security, protection, disclosure, transfer or free movement of Personal Data, (b) data privacy, (c) trans-border data flow, or (d) data protection, including relevant national laws implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), the GDPR as it forms part of the domestic law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 as amended (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and the Ordinance of 14 June 1993 to the Federal Act on Data Protection (“OFADP”), each as may be updated, amended or replaced from time to time.
“Processing” or “Process” mean any operation or set of operations which is performed on or concerning Personal Data or on sets of Personal Data, whether or not by automated means, such as the production, classification, access to, reproduction, filing, evaluation, extraction, control, receipt, collation, collection, obtaining, recording, organization, structuring, storage, adaptation or alteration, updating, modification, retrieval, consultation, use, disclosure or dissemination by transmission, distribution or otherwise making it accessible or available in any other form, alignment or combination, merging, linking as well as blocking, restricting, erasure, deletion, destruction, degradation of, or rendering the Personal Data anonymous.
“Security Breach” means any breach of security that has led to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Myonex or its Subprocessors on behalf of Customer.
“Sensitive Personal Information” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation.
“Services” shall have the meaning given in the Agreement, or if not defined therein, shall mean the supply of products and/or provision of services by Myonex for or on behalf of Customer.
“Subprocessor” means any person, consultant, representative, agent, Myonex Affiliate or third party engaged by Myonex, or by any other subprocessor of Myonex, who receives Personal Data from Myonex, or from any other subprocessor of Myonex, to be Processed on behalf of Customer, or to whom Myonex has delegated or subcontracted any of its obligations regarding the Services or the Processing of Personal Data.
“System(s)” means an interconnected grouping of manual or electronic processes, including equipment, Software and associated attachments, features, accessories, peripherals and cabling, and all additions, modifications, substitutions, upgrades, or enhancements to such System, to the extent a party has financial or operational responsibility for such System or System components under the applicable supplement. System shall include all Systems in use as of the Effective Date, all additions, modifications, substitutions, upgrades or enhancements to such Systems and all Systems installed or developed by or for Customer or Myonex following the Effective Date.
“Valid Transfer Mechanism” means a data transfer mechanism recognized by the European Commission or relevant Authority as a legitimate basis for the transfer of Personal Data outside the European Economic Area, UK, Switzerland, or other country.
“Work Order” shall have the meaning given in the Agreement, or if not defined therein, shall mean any individual mutually agreed statement of work, work order, proposal, quotation, or other written order for Services between Myonex and the Customer which is subject to the terms of the Agreement.
2) INCORPORATION OF THE CLAUSES
Subject to section 3)a) below and the amendments set out in sections 3)b) and 3)c) below, the Clauses are hereby incorporated into this DPA and apply to the Processing of Personal Data by Myonex or any Subprocessor, and any associated transfer. For the purposes of the Clauses:
- The parties’ signature to the Agreement shall be considered as signature to the Clauses;
- References to the Clauses mean references to this DPA as it incorporates, amends and supplements the Clauses;
- References to “the contract” mean references to the Agreement;
- The applicable module is module 2 (transfers from controller to processor);
- Clause 3 (Third-party beneficiaries) applies only to Personal Data originating from or otherwise subject to the Privacy Law of the EU, the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland;
- Clause 7 (Docking clause) is included;
- At Clause 9 (Use of subprocessors), option 2 is selected, and intended changes to the list of subprocessors shall be submitted 30 days prior to the engagement of a subprocessor;
- At Clause 11 (Redress), the optional language is excluded;
- At Clause 13(a) (Supervision), all three options are retained and apply, as relevant, to Personal Data originating from or otherwise subject to the Privacy Law of the EU or the EEA. Personal Data originating from or otherwise subject to the Privacy Law of Switzerland or the UK shall be supervised by the applicable Authority. Personal Data originating from any other country or otherwise subject to the Privacy Law in that country, shall be supervised by the applicable Authority in that country;
- At Clause 17 (Governing law), option 1 is selected, and the governing law shall be the law of Ireland for Personal Data originating from or otherwise subject to the Privacy Law of the EU or the EEA. For Personal Data originating from or otherwise subject to the Privacy Law of Switzerland or from the UK, the governing law shall be the law of Switzerland, or England and Wales, as applicable;
- At Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved by the courts of Ireland for Personal Data originating from or otherwise subject to the Privacy Law of the EU or the EEA. For Personal Data originating from or otherwise subject to the Privacy Law of Switzerland or the UK, disputes shall be resolved by the courts of Switzerland, or England and Wales, as applicable;
- At Annex I.A (List of parties), the data exporter is Customer acting as a controller, the data importer is Myonex or any Subprocessor acting as a processor, and their respective details are as set out in the Agreement;
- At Annex I.B (Description of transfer), the description of the transfer is as set out in the Record of Processing Schedule of this DPA;
- At Annex I.C (Competent Supervisory Authority), the competent supervisory authority is the authority determined in accordance with Clause 13, and section 2(a)(ix) above;
- At Annex 2 (Technical and organizational measures including technical and organizational measures to ensure the security of the data), the technical and organizational measures to ensure an appropriate level of security are those available at: myonex.com/legal/data-security-schedule
- At Annex 3 (List of subprocessors), the current list of Subprocessors is available at myonex.com/legal/subprocessors
- References to Regulation (EU) 2018/1725 are removed; and
- The footnotes are removed.
3) AMENDMENTS FOR APPLICABLE PRIVACY LAW
- For the purposes of transfers of Personal Data originating from or otherwise subject to the Privacy Law of the UK, the parties agree to comply with the terms of Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses (the “UK Addendum”). The parties also agree that the information included in Part 1 of the UK Addendum is as set out in sections 2)a)xii) to 2)a)xvi) above and that the key contacts are as set out in the Agreement. The parties also agree that the data exporter may end the UK Addendum as set out in Section 19 of the UK Addendum.
- The Clauses are amended to the extent necessary in order to provide all safeguards required under Privacy Law in relation to:
- The transfer of Personal Data by Customer to Myonex or a Subprocessor; and
- The subsequent Processing of Personal Data by Myonex and Subprocessors.
- Such amendments include (but are not limited to):
- References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “Privacy Law”, and references to specific article(s) of Regulation (EU) 2016/679 are replaced with the equivalent provision of each relevant Privacy Law;
- References to the “European Union”, “Union”, “Member State”, “EU Member State” and to any specified EU Member State are replaced by reference to the jurisdiction mandated by applicable Privacy Law; and
- References to the “supervisory authority” are replaced by “Authority”.
4) HIERARCHY
- The remaining paragraphs of this DPA below supplement and particularize the Clauses as incorporated and amended. In the event of a conflict between the Clauses as incorporated and amended and the remaining provisions of this DPA, the Clauses as incorporated and amended shall prevail.
- In the event of a conflict between the provisions of this DPA (including the Clauses as incorporated and amended) and any other agreement, Schedule or document between the parties including the Agreement, the provisions of this DPA shall prevail with regard to the parties’ data protection obligations.
5) PERSONAL DATA
- Ownership of Data. Personal Data is and shall remain, as between parties, the property of Customer regardless of whether Myonex or Customer is in possession of the Personal Data.
- Safeguarding of Data. Further to Clause 8.6(a), Myonex and Subprocessors shall comply with all other specific requirements as set out in the Myonex Data Security Schedule available at: myonex.com/legal/data-security-schedule
- Security Breach.
Further to Clause 8.6(c)
- Myonex and Subprocessors shall notify Customer without undue delay after Myonex or Subprocessors have confirmed a Security Breach.
- Myonex and Subprocessors shall thereafter:
- take reasonable steps to mitigate any harmful effects of each Security Breach; and
- without undue delay (and in any event within forty-eight (48) hours of the notification in paragraph (i) above) describe in detail to Customer the nature and circumstances of the Security Breach (including the day or period of the Security Breach, the duration of the Security Breach and geographical spread), the type of Personal Data affected, the number of records involved and persons affected, the cause and likely consequences of the Security Breach and the measures taken by Myonex and/or Subprocessors to contain and mitigate any adverse effects of the Security Breach.
- Myonex and Subprocessors shall provide Customer with the name and contact information of Myonex Personnel who shall serve as Customer’s primary security contact regarding the Security Breach.
- For each Security Breach, Myonex and Subprocessors shall promptly (and in any event as soon as reasonably practicable):
- Perform a root cause analysis and forensic investigation report protected by legal privilege and prepare a corrective action plan;
- provide Customer with written reports referred to in Section 5)d)iv)(1) above, and detailed information, including how and when such Security Breach occurred, and what actions Myonex is taking to remedy and mitigate the impact of such Security Breach; and
- cooperate with Customer in any investigation or provision of notices that Customer deems appropriate regarding such Security Breach, and not notify authorities without Customer’s prior consent if legally permitted.
- Correction of Data.
- Further to Clause 8.4, Myonex shall perform the correction of any errors or inaccuracies in or with respect to the Personal Data discovered by Customer at its sole cost and expense if:
- Myonex is operationally responsible for inputting such data; or
- the errors or inaccuracies are due to the failure of Myonex or Myonex Personnel to comply with Myonex’s obligations under this DPA, including a Security Breach.
- Limitations on Processing.
- Further to Clause 8.6(b), Myonex shall take appropriate action to ensure that only Myonex Personnel who are strictly required to ensure it fulfills its obligations under the Agreement or this DPA have access to Personal Data, and it shall take reasonable steps to ensure the reliability of Myonex Personnel having access to Personal Data, including by ensuring they are appropriately trained in the handling and security of Personal Data and that they are bound by a non-disclosure agreement, confidentiality agreement, or a code of conduct that prohibits them from Processing any Personal Data except as required for the performance of the Agreement or this DPA.
- Data Subject Requests and Communications.
- Further to Clause 10(b), Myonex shall notify Customer promptly and no later than within seventy-two (72) hours if it receives any request, objection, complaint, or communication from an individual or data subject (having the meaning given to it in the Privacy Law) or anyone acting on the individual’s or data subject’s behalf relating to Personal Data or:
- a data subject access request;
- a request to rectify any inaccurate Personal Data;
- a request to have any Personal Data erased;
- a request to restrict the Processing of any Personal Data;
- a request to obtain a portable copy of Personal Data, or to transfer such a copy to any third party;
- an objection to any Processing of Personal Data; or
- any other request, complaint or communication relating to the Customer’s or Myonex’s obligations under Privacy Law.
- Myonex will provide reasonable co-operation and assistance to Customer in relation to any of the matters covered by this DPA.
6) CROSS-BORDER DATA SHARING RESTRICTIONS
- Myonex and Subprocessors shall be permitted to Process (including accessing and remotely accessing) Personal Data at or from (i) the United States, the EEA, Switzerland, the United Kingdom, and any other location identified in the Work Order or (ii) any other location notified to Customer not less than 30 days prior to the transfer.
- Further to Clause 8.8, where Personal Data Processed in relation to the Services is subject to cross-border transfer restrictions under applicable Privacy Law, and provided Customer has not reasonably objected to such transfer after the notification in section 6(a) above, Myonex and its Subprocessors shall:
- ensure an adequate level of protection of Personal Data transferred in accordance with the Privacy Law;
- comply with any reasonable instructions of Customer, including promptly entering into with Customer a Valid Transfer Mechanism; and
- maintain a detailed written record of the transfer which shall include the information referred to in Clause 8.9 and Section 9) (Record Keeping), details of the destination country or international organization and, if applicable, the safeguards put in place to ensure an adequate level of protection for the Personal Data.
7) USE OF SUBPROCESSORS
Further to Clauses 8.8 and 9(a), if Customer reasonably objects, on grounds concerning Privacy Law, to (i) the location in which Personal Data is to be transferred, or (ii) the engagement of a Subprocessor, then Customer and Myonex shall in good faith seek reasonably suitable alternatives, and any associated amendments to the Work Order, failing which Customer may discontinue using the relevant portion of the Service(s) and may either terminate the relevant portion of the Service(s) and/or the Agreement with no less than thirty (30) days’ notice.
8) CHANGES
If any of the provisions in this DPA need to be updated, supplemented or revised as a result of a change of any Valid Transfer Mechanism or any Privacy Law (including any Authority-approved guidance or codes of practice that relate to the Privacy Law which come into effect after the Effective Date), then either party may provide the other with a written notice of the changes to the relevant Article(s) or Section(s) (the “Updated Terms”) and the parties shall meet to negotiate and agree on the Updated Terms and/or the alternative Valid Transfer Mechanism in good faith.
9) GOVERNING LAW / JURISDICTION
Where permitted by applicable Privacy Law, and except with respect to Personal Data originating from or otherwise subject to Privacy Law of the EU, the EEA, Switzerland, or the UK:
- this DPA shall be governed by, interpreted, and construed in accordance with the governing law of the country specified for the same purpose as set forth in the Agreement, without regard to principles of conflicts of law that would impose a law of another jurisdiction; and
- the parties attorn to the exclusive jurisdiction of the courts of the country specified for the same purpose as set forth in the Agreement in respect of any dispute arising from or in relation to this DPA that is not otherwise settled by the parties.
10) SEVERABILITY
If any provision of this DPA is held to be invalid, illegal, or unenforceable for any reason, such provision shall be deemed to be restated to reflect as nearly as possible the original intention of the parties in accordance with applicable Law. The remaining provisions hereof shall remain valid and in full force and effect.
Record of Processing Schedule
Listed below are categories of personal data and data subjects that are utilized in respect of the full range of Services provided by Myonex. However, the precise categories of personal data processed will be dependent on the nature of the Services as described in the Agreement (or, as applicable, the Work Order), which may identify additional categories. Where Services are not provided in respect of identified or identifiable study subjects, any subject-specific categories of data would not ordinarily be processed.
As used herein, “System” means Myonex’s online platform (currently known as MyCTCentral®) enabling study subjects and clinical sites of Myonex’s sponsor clients to order and record receipt of authorized medicinal products through Myonex’s contracted pharmacy network located in various countries.
- Nature and purpose of the transfer and further Processing
In furtherance of the Services under the Agreement (as may be more specifically defined in each Work Order).
- Duration of Processing
The Term (including any renewal term and transition periods) of the Agreement.
- Categories of Personal Data
- Dispensing/shipment date
- Recipient name
- Recipient title or position
- Recipient mailing address
- Recipient phone number
- Recipient email address
- Study subject number
- Study subject full name
- Study subject gender
- Study subject date of birth
- Study subject address and postal code
- Study subject email and phone number
- Next anticipated requirement of the product
- Prescribed treatment regimen
- Prescription, including a copy of the prescription issued by the System (if utilized)
- Inference of health condition by reference to the prescription
- Shipping details associated with the prescription, including medication lot number
- User log-in details (email and password) stored in the System for administration purposes.
- Categories of Data Subjects
- Study subjects (patients / study participants)
- System users
- Customer or customer service provider staff
- Clinical trial site staff
- Transfers of Personal Data to Authorized Subprocessors and/or to Third Countries
As available at myonex.com/legal/subprocessors
- Frequency of transfer
Continuous.