1. DEFINITIONS
1.1. This Data Sharing Agreement ("DSA") and any other written agreement between the Customer and Moodbeam (collectively, the "Agreements") reflect the Parties’ agreement with regard to the Processing of Personal Data pursuant to the Customer’s distribution and use of devices, data and reporting provided by Moodbeam (collectively, the "Service").
1.2. "Applicable Data Protection Law" means all laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom applicable to the Processing of Personal Data under the Agreements as amended, replaced or updated from time to time, including but not limited to:
- 1.2.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR");
- 1.2.2. the Data Protection Act 2018 ("DPA");
- 1.2.3. the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) ("PECR");
- 1.2.4. the Freedom of Information Act 2000 ("FOIA").
1.3. "Processing", "Personal Data", "Data Controller", "Data Processor", "Sub-Processor", "Personal Data Breach", "Data Protection Impact Assessment", "Data Subject", "Data Subject Rights", "Third Countries" and "Supervisory Authority" have the meaning ascribed to them in Applicable Data Protection Law.
2. SCOPE
2.1. This DSA applies to the sharing of Personal Data by Moodbeam with the Customer ("Data Sharing") as set out in Agreements executed by the parties insofar as the Processing (including sharing) of that Personal Data is subject to Applicable Data Protection Law.
2.2. The subject matter, nature and purpose of the Data Sharing, the categories of Personal Data, and the types of Data Subjects are those set out in Schedule 2.
2.3. The Personal Data shall not be shared or re-used by the Customer for any purpose incompatible with the purpose for which it has been shared with the Customer by Moodbeam.
3. ROLES OF THE PARTIES
3.1. The Parties hereby agree that they are separate Data Controllers of the Personal Data obtained and shared pursuant to this DSA.
3.2. Each party will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed for their own purposes.
3.3. The Parties are separately responsible for the lawful processing of Personal Data, informing Data Subjects about the use, including sharing, of their Personal Data, the security of Personal Data, ensuring Data Subjects can exercise their rights and applying any other relevant provisions of Applicable Data Protection Law.
3.4. The Parties must ensure that appropriate agreements are in place with any Data Processor that Processes Personal Data on their behalf in connection with the means by which Personal Data is shared.
3.5. Each party must immediately inform the other if, in its opinion, a request for Personal Data to be shared infringes Applicable Data Protection Law or other Union or Member State data protection provisions.
3.6. The Customer warrants that it has all necessary rights, including consents, to request that the Personal Data are shared with it by Moodbeam.
4. DATA SUBJECT CONSENT TO THE SHARING
4.1. To the extent required by Applicable Data Protection Law, the Customer is responsible for ensuring that any necessary Data Subject consents to the Data Sharing are obtained, and for ensuring that a record of such consents is maintained.
4.2. The Parties agree that the Customer:
- 4.2.1. shall issue a privacy notice to all affected Data Subjects explaining the Data Sharing and the purpose(s) for which the Personal Data will be Processed by the Customer; and
- 4.2.2. shall obtain specific and explicit consent to the Data Sharing from each affected Data Subject; and
- 4.2.3. is aware that Moodbeam’s privacy notice for users refers only to categories of organisation with whom Personal Data may be shared; and
- 4.2.4. is aware that Moodbeam may, at its discretion, seek to obtain confirmation of the nature of any consent to the Data Sharing obtained from affected Data Subjects on an individual or collective basis.
4.3. Should consent to the Data Sharing be revoked by the Data Subject in any communication with Moodbeam, Moodbeam will immediately stop sharing that Data Subject’s Personal Data with the Customer.
4.4. Should consent to the Data Sharing be revoked by the Data Subject in any communication with the Customer, the Customer is responsible for promptly communicating the fact of such revocation to Moodbeam.
4.5. Except for the Personal Data the Customer has a lawful purpose under Applicable Data Protection Law to retain after consent to the Data Sharing has been revoked by the Data Subject:
- 4.5.1. the Customer shall, at the discretion of Moodbeam, either delete, destroy or return all Personal Data to Moodbeam and destroy or return any existing copies.
4.6. For all Personal Data it has a lawful purpose to retain under Applicable Data Protection Law, the Customer will notify Moodbeam and the Data Subject in writing of:
- 4.6.1. the Personal Data which will be retained;
- 4.6.2. the lawful basis for retention;
- 4.6.3. the period for which the Personal Data will be retained; and
- 4.6.4. a specific timeline for destruction once the retention period ends.
5. MANAGEMENT AND REVIEW
5.1. At least once a year the Parties shall consider whether this DSA requires review.
5.2. The Parties agree to each nominate a representative to liaise with the other party. Both representatives are authorised to act on behalf of the Parties on all matters relating to the management of this DSA. The names and contact details of the representatives are given in Schedule 1.
5.3. In the event of any named individuals being replaced, their successor will assume responsibility under this Agreement.
5.4. Each party’s representative shall have the following responsibilities, as a minimum, under this Data Sharing Agreement:
- 5.4.1. Ensuring that their organisation has, unless it is exempt, paid the appropriate fee to the Information Commissioner’s Office ("ICO") and that their organisation is listed on the Register of Fee Payers or its successors as a Data Controller;
- 5.4.2. Ensuring that their organisation’s board, or other appropriate body, is aware of the organisation’s participation in this DSA and of the attendant responsibilities;
- 5.4.3. Ensuring that their organisation has in place measures to comply with their obligations under this DSA;
- 5.4.4. Consulting the other party in any case where a breach of confidentiality (for overriding reasons) is contemplated;
- 5.4.5. Informing the other party of any breach of security and/or confidentiality leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data they become aware of.
6. CONFIDENTIALITY
6.1. Without prejudice to any existing contractual arrangements between the Parties, each party must treat all Personal Data obtained and shared pursuant to this DSA as strictly confidential.
6.2. The obligations of confidentiality will apply during the term of this DSA and will survive indefinitely upon termination of this DSA.
7. CUSTOMER PERSONNEL
7.1. The Customer must make the Personal Data shared with it by Moodbeam available only to those personnel performing services in connection with the research project(s) in which Moodbeam devices are in use.
7.2. The Customer must take commercially reasonable steps to ensure the reliability of any personnel engaged in the processing of the Personal Data shared with it by Moodbeam.
7.3. The Customer must ensure that all personnel engaged in the processing of the Personal Data shared with it by Moodbeam have:
- 7.3.1. been informed of the confidential nature of the Personal Data;
- 7.3.2. received appropriate training on their responsibilities;
- 7.3.3. signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality. The obligation to treat Personal Data pursuant to such confidentiality obligations must survive the termination of the engagement of those personnel.
8. SECURITY
8.1. Each Party must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the Personal Data shared with it. These measures will include as appropriate:
- 8.1.1. the pseudonymisation and encryption of personal data;
- 8.1.2. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- 8.1.3. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the shared Personal Data;
- 8.1.4. measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to process the Personal Data shared with it;
- 8.1.5. those around the means and process of Data Sharing described in Schedule 3.
8.2. Each Party will, at all times, have in place an appropriate written security policy with respect to the processing of Personal Data.
9. COMPLIANCE DOCUMENTATION AND AUDITS
9.1. Each party will maintain records of Processing activities documenting the Data Sharing. The Parties shall cooperate to fulfil the obligation to maintain such records. Any material change made by a party shall be notified to the other party without undue delay. Each party shall bear its own costs for its own records of Processing Activities.
9.2. At the request of the other, each Party must make available all relevant information necessary to demonstrate compliance with Applicable Data Protection Law and shall allow for and contribute to audits, including inspections, by the other (or an independent, third-party auditor appointed by them) in relation to the Processing of Personal Data shared pursuant to the provision of the Service.
9.3. Any audit shall be carried out on reasonable prior written notice of no less than 30 days and shall not be carried out more than once a year.
9.4. Third-party auditors appointed by the Customer must be independent and must not be competitors of Moodbeam.
10. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
10.1. The Customer must immediately notify Moodbeam of any permanent or temporary transfers of Personal Data shared with it by Moodbeam to a country outside of the European Economic Area without an adequate level of protection within the meaning of Applicable Data Protection Laws.
10.2. To the extent that the Parties are relying on a specific statutory mechanism to normalise international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Parties agree to co-operate in good faith to promptly terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
11. PERSONAL DATA BREACH NOTIFICATION
11.1. Each Party must notify the other without undue delay after becoming aware of any breach of security and/or confidentiality leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place.
11.2. Any notifications made under this clause 11 shall contain:
- 11.2.1. a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
- 11.2.2. the name and contact details of a contact point where more information can be obtained;
- 11.2.3. a description of the likely consequences of the incident; and
- 11.2.4. a description of the measures taken or proposed to be taken by the notifying Party to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
11.3. Each Party must make reasonable efforts to identify the causes of such a breach and must take necessary and reasonable steps in order to remediate the cause of the breach.
11.4. Upon request, each Party shall provide the other with reasonable co-operation and assistance to fulfil the Parties’ obligations under GDPR to notify a Personal Data Breach to the Supervisory Authority and to communicate a Personal Data Breach to the Data Subject. Provided the Personal Data Breach is not due to Moodbeam’s breach of its obligations under this Data Sharing Agreement, the Customer will be responsible for any cost arising from Moodbeam’s provision of such assistance.
12. DATA SUBJECT RIGHTS
12.1. Each party must, to the extent legally permitted, promptly notify the other if it receives a request from a Data Subject to exercise any of the Data Subject’s rights under Applicable Data Protection Law.
12.2. To the extent the Customer, in its use of the Service, does not have the ability to address a Data Subject request, Moodbeam shall, upon the Customer’s request, provide commercially reasonable efforts to assist the Customer in responding to such requests, to the extent Moodbeam is legally permitted to do so and the response to such Data Subject request is required under Applicable Data Protection Law. The Customer will be responsible for any cost arising from Moodbeam’s provision of such assistance.
13. ASSISTANCE TO THE CUSTOMER
13.1. Upon the Customer’s request, Moodbeam shall provide the Customer with reasonable cooperation and assistance needed to fulfil the Customer’s obligations under the Applicable Data Protection Law to carry out a Data Protection Impact Assessment related to the Service and the Data Sharing to the extent the Customer does not otherwise have access to the relevant information, and to the extent such information is available to Moodbeam. The Customer will be responsible for any cost arising from Moodbeam’s provision of such assistance.
13.2. Upon the Customer’s request, Moodbeam shall provide the Customer with reasonable cooperation and assistance needed to fulfil the Customer’s obligations under Applicable Data Protection Law to implement and maintain appropriate organisational and technical measures insofar as this relates to Moodbeam’s services in scope of this Data Sharing Agreement. The Customer will be responsible for any cost arising from Moodbeam’s provision of such assistance.
14. COOPERATION WITH SUPERVISORY AUTHORITIES
14.1. Moodbeam shall assist the Customer in ensuring compliance with the obligations pursuant to prior consultations with supervisory authorities required under Article 36 of the GDPR taking into account the nature of Personal Data being shared and the information available to Moodbeam. The Customer will be responsible for any cost arising from Moodbeam’s provision of such assistance.
14.2. The Parties will cooperate with competent Supervisory Authorities as required by the GDPR.
14.3. If a party is subject to investigative or corrective powers of a Supervisory Authority, it must inform the other without undue delay, insofar as it relates to the Processing of Personal Data covered by this Data Sharing Agreement.
14.4. Parties shall provide reasonable assistance to each other to fulfil the obligation to cooperate with Supervisory Authorities. Each party is responsible for its own costs arising from the provision of such assistance.
15. LIABILITY AND INDEMNITY
15.1. Moodbeam indemnifies the Customer and holds the Customer harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Customer and arising directly or indirectly out of or in connection with a breach of this Data Sharing Agreement and/or the Applicable Data Protection Law by Moodbeam.
15.2. The Customer indemnifies Moodbeam and holds Moodbeam harmless against all claims, actions, third party claims, losses, damages and expenses incurred by Moodbeam and arising directly or indirectly out of or in connection with a breach of this Data Sharing Agreement and/or the Applicable Data Protection Law by the Customer.
16. RETURNING OR DESTRUCTION OF PERSONAL DATA
16.1. Except for the Personal Data the Customer has a lawful purpose under Applicable Data Protection Law to retain after the effective date of termination of the Main Service Agreement:
- 16.1.1. the Customer shall, at the discretion of Moodbeam, either delete, destroy or return all Personal Data to Moodbeam and destroy or return any existing copies.
16.2. For all Personal Data it has a lawful purpose to retain under Applicable Data Protection Law, the Customer will notify Moodbeam in writing of:
- 16.2.1. the categories and approximate number of data subjects concerned and the categories of Personal Data records concerned;
- 16.2.2. the lawful basis for retention;
- 16.2.3. the period for which the Personal Data will be retained; and
- 16.2.4. a specific timeline for destruction once the retention period ends.
17. MISCELLANEOUS
17.1. In the event of any inconsistency between the provisions of this DSA and the provisions of any other agreement, the provisions of this DSA shall prevail.
17.2. In this DSA the singular includes the plural and vice versa, as the context admits or requires.
17.3. If any provision or part-provision of this DSA is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of the DSA.
17.4. This DSA is governed by the laws of England. Any disputes arising from or in connection with this DSA shall be brought exclusively before a competent court of the Jurisdiction.