OMNEA DATA PROCESSING ADDENDUM
This Data Processing Addendum ("Addendum") is incorporated into and forms part of the Omnea Platform Terms or other written or electronic agreement governing the Customer's use of the Omnea platform (the "Agreement"). By accepting the Agreement, Customer agrees to the terms of this Addendum. Except as modified below, the terms of the Agreement shall remain in full force and effect. In the event of a conflict between this Addendum and the Agreement, this Addendum will prevail.
In this Addendum, the following terms have the following meanings:
1.1 "Affiliate" of a Party means any other entity that directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, such Party, where control is the direct or indirect ownership of more than 50% of the entity’s voting securities, or if there are no voting securities, the ability to control and direct the management of the entity.
1.2 "Controller" means the entity which determines the purposes and means of the Processing of Personal Information.
1.3 "Customer Personal Information" means Personal Information Processed by Omnea as Processor on behalf of the Customer pursuant to the performance of the Agreement.
1.4 "Data Protection Laws" means the data protection, privacy and data security laws and regulations of any jurisdiction directly applicable to Omnea's Processing of Customer Personal Information under the Agreement, including, as and where applicable, the GDPR and State Privacy Laws.
1.5 "Data Subject" means the identified or identifiable person to whom Personal Information relates.
1.6 "GDPR" means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law (as amended from time to time) (“UK GDPR”).
1.7 "Laws" means any law applicable to this Agreement.
1.8 "Personal Information Breach" means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information, transmitted, stored or otherwise Processed by Omnea or its Sub-processors of which Omnea becomes aware.
1.9 "Personal Information" means any information relating to (i) a Data Subject; and (ii) an identified or identifiable legal entity (where such information is protected similarly under the Data Protection Laws).
1.10 "Process" means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.11 "Processor" means an entity which Processes Personal Information on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
1.12 "Services" means the services to be provided by Omnea to the Customer under the Agreement.
1.13 "Standard Contractual Clauses" means, together, the standard contractual clauses for the transfer of Personal Information to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 ("EU SCCs") and the UK International Transfer Addendum to the EU SCCs ("UK Addendum").
1.14 "State Privacy Laws" means the California Consumer Privacy Act of 2018 ("CCPA"), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, in each case only if and to the extent applicable to Omnea's Processing of Customer Personal Information under the Agreement.
1.15 "Sub-Processor" means another Processor engaged by Omnea for carrying out Processing activities in respect of Customer Personal Information.
1.16 "Supervisory Authority" means the relevant regulatory body with authority for the enforcement of the relevant Data Protection Laws.
2.1 The Parties acknowledge that in respect of Customer Personal Information, the Customer is the Controller and Omnea the Customer's Processor. Where the Customer is itself a Processor of the Customer Personal Information, Omnea will be the Customer's Sub-Processor. Nothing in the preceding sentence alters the obligations of either Omnea or the Customer under this Addendum, as Omnea acts as a Processor with respect to the Customer in all events. In any instance where the Customer is a Processor or Sub-Processor, the Customer warrants to Omnea that the Customer’s instructions, including appointment of Omnea as a Processor or Sub-Processor, have been authorized by the relevant Controller.
2.2 Each Party shall comply with its obligations under the Data Protection Laws as relates to Customer Personal Information.
2.3 The details of Customer Personal Information Processed by Omnea under the Agreement are as follows:
a) Purpose of Processing. Omnea’s provision of the Services under the Agreement.
b) Nature of Processing. Storage, analysis and reconfiguration.
c) Duration of Processing. Processing of Customer Personal Information by Omnea shall be for the term of the Agreement and in accordance with Omnea’s retention obligations under the Agreement and Addendum, provided that Customer Personal Information shall not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).
d) Categories of Personal Information. The categories of Personal Information to be Processed in connection with the Services are determined by the Customer in its sole discretion and may include but are not limited to: name, email address, address, and phone number.
e) Special categories of Personal Information. The Customer will not provide Omnea with any special categories of Personal Information for Processing.
f) Category of Data Subjects. The categories of Data Subjects whose Personal Information may be Processed in connection with the Services are determined and controlled by the Customer in its sole discretion and may include but are not limited to: Customer personnel (employees, contractors, etc.) and Customer associated parties and suppliers.
3.1 The Parties agree that this Addendum and the Agreement constitute the Customer’s documented instructions regarding Omnea’s Processing of Customer Personal Information ("Documented Instructions").
3.2 Omnea shall Process Customer Personal Information only on the Documented Instructions, unless required to otherwise Process Customer Personal Information by applicable Laws. In such an event, prior to such Processing and to the extent permitted by applicable laws, Omnea shall notify the Customer in writing of that legal requirement prior to Processing Customer Personal Information.
3.3 Omnea shall immediately inform the Customer if Omnea becomes aware that the Documented Instructions, in Omnea’s reasonable opinion, infringe the Data Protection Laws. In such a case, Omnea may suspend the relevant Processing without penalty or liability until the Customer gives Omnea relevant written instructions that in Omnea’s opinion do not infringe the Data Protection Laws.
4.1 Omnea shall ensure that all Omnea Personnel authorized to Process Customer Personal Information:
a) are either subject to binding written contractual obligations or statutory obligations to keep Customer Personal Information confidential;
b) have undertaken training on the Data Protection Laws relating to handling the Customer Personal Information and how it applies to their particular duties; and
c) are aware of both Omnea's and their personal duties and obligations under Data Protection Laws and this Addendum.
5.1 In addition to Omnea's Affiliates, the Customer authorizes Omnea to engage the Sub-Processors listed at https://trust.omnea.co/subprocessors ("Sub-Processor List").
5.2 Unless otherwise agreed by the Parties, at least 10 days before authorizing any new Sub-Processor to access Customer Personal Information, Omnea shall provide notice of such change by posting to the Sub-Processor list, which shall have a mechanism allowing the Customer to subscribe to notifications of new Sub-Processors. Within 10 days of such notice being posted, the Customer may object to the appointment of an additional Sub-Processor on reasonable grounds related to the Data Protection Laws, provided in writing to Omnea, in which case Omnea shall have the right to cure the objection through one of the following options (to be selected at Omnea’s sole discretion):
a) Omnea will cancel its planned use of Sub-Processor or will offer an alternative plan to provide the Services without using such Sub-Processor;
b) Omnea will take the corrective steps, if any, identified by the Customer in its objection as sufficient to remove the Customer’s objection, and proceed to use the Sub-Processor; or
c) Omnea may cease to provide, or the Customer may agree not to use (temporarily or permanently), the particular aspect of the Services that would involve the use of such Sub-Processor, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering the reduced scope of the Services.
5.3 Omnea shall ensure that prior to permitting any Sub-Processor to Process Customer Personal Information, the Sub-Processor has entered into a binding written agreement with Omnea that contains obligations substantially equivalent to the obligations imposed on Omnea as a Processor under this Addendum. Omnea shall remain fully liable to the Customer for the performance of the Sub-Processor’s data protection obligations concerning Customer Personal Information in the event the Sub-Processor fails to fulfil those obligations.
6.1 Omnea shall implement and maintain at all times appropriate technical and organizational measures against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Customer Personal Information and against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information, as detailed in Schedule 1 of this Addendum.
6.2 Omnea may review and update the security measures from time to time, provided they do not result in a reduction in the security of the Customer Personal Information to which they apply.
7.1 Omnea shall notify the Customer without undue delay after becoming aware of a Personal Information Breach affecting the Customer Personal Information.
7.2 Where Omnea becomes aware of such a Personal Information Breach, Omnea shall provide the Customer with details of the Personal Information Breach, and where available, such details shall include:
a) findings from Omnea's investigation, such as the nature of the Personal Information Breach, including where possible, the categories and approximate number of Data Subjects affected, and the categories and approximate number of Customer Personal Information records involved;
b) the name and contact details of Omnea's data protection officer or another contact point for further information;
c) description of the likely consequences of the Personal Information Breach; and
d) a description of the measures taken or proposed to address the Personal Information Breach, including steps to mitigate its possible adverse effects.
7.3 In the event of a Personal Information Breach, Omnea will reasonably co-operate with the Customer to assist the Customer to handle the matter, including:
a) assisting with any investigation;
b) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Laws or as otherwise reasonably required by the Customer; and
c) taking reasonable steps to mitigate the effects and to minimize any damage resulting from any Personal Information Breach.
7.4 Omnea will not inform any third party of any Personal Information Breach and shall assist the Customer, by providing information, in fulfilling the Customer's obligation under applicable Data Protection Laws to notify the Supervisory Authority and Data Subjects about such Personal Information Breach. Omnea shall not, without first obtaining the Customer's prior written consent, except where required to do so by Laws, notify any third party regarding a Personal Information Breach, and agrees that Customer has the sole right to determine:
a) whether and to what extent to provide notice and/or other remedial action with respect to the Personal Information Breach or violation of Data Protection Laws to any third party, including Data Subjects and Supervisory Authorities; and
b) the timing, content and manner of effectuating any remedial action.
8.1 The Customer acknowledges that Omnea and its Sub-Processors may Process Customer Personal Information outside of the Customer's jurisdiction. The details of international transfers relating to our Sub-Processors' Processing activities are set out in our Sub-Processor List.
8.2 Omnea will abide by the requirements of the Data Protection Laws regarding the collection, use, transfer, retention and other Processing of Customer Personal Information that is subject to the GDPR or UK GDPR ("GDPR Territories"). All transfers of Customer Personal Information to a third country or an international organization (including any relevant Sub-Processor) that does not ensure an adequate level of protection will be subject to appropriate safeguards as described in Article 46 of the GDPR and UK GDPR.
8.3 Omnea and the Customer shall ensure that whenever the Customer Personal Information is transferred outside of the GDPR Territories they:
a) are Processing Customer Personal Information in a territory that is subject to a current finding by the European Commission (in the case of transfers made under the GDPR), or UK Secretary of State (in the case of transfers made under the UK GDPR) that the territory provides adequate protection for the privacy rights of Data Subjects;
b) participate in a valid cross-border transfer mechanism under the Data Protection Laws, so that the parties can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR and UK GDPR; or
c) otherwise ensure that the transfer complies with the Data Protection Laws.
8.4 The Customer authorizes Omnea to enter into the Standard Contractual Clauses with the Sub-Processor on the Customer's behalf, if required to ensure the relevant Processing of Customer Personal Information complies with Data Protection Laws.
9.1 Requests from Data Subjects
a) Omnea will assist the Customer, in a manner consistent with the functionality or performance of the Services and Omnea's role as a Processor, in respect of any Data Subject Requests to exercise one or more of their rights under applicable Data Protection Laws.
b) If Omnea receives a request from one of the Customer's Data Subjects to exercise one or more of their rights under applicable Data Protection Laws, Omnea will instruct the Data Subject to make its request directly to the Customer. The Customer will be responsible for responding to such request.
9.2 Supervisory Authorities. Omnea shall, to the extent permitted by Data Protection Laws, notify the Customer without undue delay if a Supervisory Authority makes any inquiry or request for disclosure regarding Customer Personal Information provided by the Customer to Omnea.
9.3 Other assistance. Taking into account the nature of Processing and the information available to Omnea, Omnea shall provide reasonable assistance to the Customer in ensuring compliance with obligations:
a) where required under applicable Data Protection Laws, to conduct data protection impact assessments of envisaged Processing operations on the protection of Customer Personal Information, at Customer's expense;
b) to implement and maintain appropriate technical and organizational security measures to protect Customer Personal Information;
c) in cases of a Personal Information Breach, to provide appropriate notifications to Supervisory Authorities and Data Subjects, in accordance with applicable Data Protection Laws; and
d) to demonstrate compliance with the obligations concerning Processing of Personal Information carried out on behalf of a Controller and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor managed by the Customer in accordance with clause 13.
10.1 Omnea's total liability pursuant to this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement.
11.1 This Addendum takes effect on the Effective Date of the Agreement and remains in force until the earlier of (i) termination of the Agreement; or (ii) completion of the last Processing of Customer Personal Information carried out by or on behalf of the Customer under the Agreement.
11.2 Any provision of this Addendum that expressly or by implication should come into or continue in force on or after termination of the Services in order to protect Customer Personal Information will remain in full force and effect.
11.3 If a change in any Data Protection Laws prevents either Omnea or the Customer from fulfilling all or part of the Services, the Parties will discuss in good faith with a view to implementing any changes necessary to ensure the processing of Customer Personal Information complies with the new requirements.
12.1 Omnea shall delete all Customer Personal Information on termination unless required by the Laws to retain some or all of the Customer Personal Information. In such event, Omnea shall extend the protections of this Addendum to such retained Customer Personal Information and limit any further Processing of such Customer Personal Information only to those limited purposes for which, and only for so long as, such retention is required by the Laws.
13.1 Omnea shall, on request from the Customer, make available to the Customer all information necessary to demonstrate Omnea’s compliance with its obligations under this Addendum. To the extent the Customer's audit requirements cannot reasonably be satisfied through (i) audit reports provided by Omnea; (ii) documentation; or (iii) other compliance information that Omnea makes generally available to its Customers, Omnea shall allow for audits (including inspections) conducted by the Customer or the Customer’s designated auditor on reasonable prior written notice, for the purpose of demonstrating Omnea’s compliance with its obligations under this Addendum.
13.2 Before the commencement of an audit, the Customer and Omnea shall mutually agree upon the scope, timing, duration, control and evidence requirements, provided that this requirement to agree will not permit Omnea to unreasonably delay performance of the audit.
13.3 For the avoidance of doubt, such audits shall be limited to once per calendar year. Any additional audit under this clause 13 (in excess of the once per calendar year limitation) shall be at the cost of the Customer, including all reasonable costs and fees for any and all time Omnea expends for any such audit, in addition to the rates for services performed by Omnea.
13.4 Omnea’s obligations under Clause 13.1 of this Addendum are subject to the Customer:
a) giving Omnea reasonable prior notice of such information requests, audits and/or inspections being required by the Customer;
b) ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by the Laws);
c) ensuring that such audit or inspection is undertaken during normal business hours, with, so far as reasonably practicable, minimal disruption to Omnea’s business and the business of other customers of Omnea; and
d) ensuring that neither the Customer nor the audit shall have access to any data from Omnea's other customers or otherwise subject to confidentiality obligations to a third party, or to Omnea systems or facilities not involved in the Services.
13.5 If the audit report generated as a result of the Customer’s audit includes any finding of material non-compliance, the Customer shall share such audit report with Omnea and Omnea shall promptly address any material non-compliance.
13.6 Nothing in this section affects any Supervisory Authority's or Data Subject's rights under the Standard Contractual Clauses or Data Protection Laws.