Data Processing Addendum (DPA)


This Data Processing Addendum (“DPA”) applies to the processing of Personal Data by BLUEBEE HOLDING BV, a private limited company incorporated under the laws of the Netherlands, with registered offices at Laan van Zuid Hoorn 57, 2289 DC Rijswijk (the Netherlands) on behalf of the customer (as defined in the relevant order form, hereafter “Customer”).

1. PREAMBLE

This DPA sets out the rights and obligations of the Parties regarding the processing of personal data under the Applicable data protection legislation, including Regulation (EU) 2016/679.

One or more agreements have been concluded between BLUEBEE and the Customer (referred to as “the Agreement”) on the basis of which Personal Data needs to be processed by BLUEBEE on behalf of the Customer. This DPA forms an integral part of the Agreement and replaces all clauses relating to the Processing of Personal Data, if any.

The Parties agree that the Customer shall be controller and BLUEBEE shall be processor processing personal data on behalf of the Customer or, as the case may be, the Customer shall be processor processing personal data on behalf of its own client and then BLUEBEE shall be sub-processor of the Customer.

In case of conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

2. DEFINITIONS

For the purpose of this DPA, the following definitions apply.

  • “Applicable data protection legislation”: all applicable laws and regulations relating to the processing of personal data and privacy including:
    • before 25 May 2018, the applicable law(s) transposing Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data;
    • as of 25 May 2018, the General Data Protection Regulation of 27 April 2016, the applicable laws implementing the GDPR and any amendment or modifications that may occur;
    • any other applicable European Directive or Regulation and/or any other applicable law or decree relating to the processing and protection of personal data (e.g. the E-privacy Directive 2002/58/EC).
  • “Data Subject”: a directly or indirectly identifiable natural person to whom the Personal Data relates;
  • “DPA”: this Data Processing Addendum, including its appendices;
  • “Party” / “Parties”: BLUEBEE or the Customer / BLUEBEE and the Customer;
  • “Personal data”: any information about an identified or identifiable natural person;
  • “Processing”: any process, or sequence of processes, relating to Personal Data whether executed by automatic processes or not, such as the collection, recording, organizing, structuring, storing, updating or amending, retrieving, consulting, using, providing by transfer, dissemination or otherwise making available, aligning or combining, protecting, deleting or destroying of data;
  • “Sub-Processor”: a processor who is contracted by BLUEBEE or another sub-processor working for BLUEBEE, and who agrees to process Personal Data solely for the purposes of the processing activities that are being performed on behalf of BLUEBEE after their transfer, in line with the instructions of the Customer and the conditions defined in writing in the sub-processing contract.
  • “Technical and organizational security measures”: measures that are intended to protect Personal Data adequately from destruction, whether in error or unlawfully, from loss, falsification, unauthorised distribution or access, especially where the processing includes transmission of the Personal Data over a network, or any other type of illegal processing.

1. SCOPE OF APPLICATION

2.1 Appendix A (scope of Processing) defines the scope of the Processing of Personal Data categories of the Data Subjects, types of Personal Data, and the processing activities.

2.2 BLUEBEE shall process the Personal Data solely on behalf of the Customer, on the basis of documented instructions from the Customer. BLUEBEE shall immediately confirm any instruction issued orally on a durable medium.

3. BLUEBEE’S OBLIGATIONS

3.1 Except where expressly permitted by Article 28(3)(a) of the GDPR, BLUEBEE shall process Personal Data only within the scope of the Agreement and the additional reasonable instructions issued by the Customer. If BLUEBEE cannot process Personal Data in accordance with the Customer’s instructions due to a legal requirement under any applicable European Union or Member State law, it will promptly notify the Customer of such inability and shall cease all Processing of the affected Personal Data until the Customer issues new instructions with which BLUEBEE is able to comply. If this clause is invoked, BLUEBEE will not be liable for failure to perform the contractually agreed services until the Customer issues new instructions that comply with Applicable data protection legislation.

3.2 BLUEBEE undertakes to reply without delay to all questions from the Customer relating to the Processing of the Personal Data, whether executed by itself or by a Sub-Processor.

3.3 BLUEBEE shall organise its internal organisation so that it satisfies the specific requirements of Applicable data protection legislation. BLUEBEE shall implement Technical and organisational measures to ensure the adequate protection of the Personal Data, which measures shall fulfill the requirements of the GDPR and specifically its Article 32.

3.4 BLUEBEE shall support the Customer in fulfilling Data Subjects’ requests and claims, as detailed in Chapter III of the GDPR and in fulfilling the Customer’s obligations enumerated in Articles 32 to 36 of the GDPR. The Customer shall pay reasonable compensation to BLUEBEE for this assistance based on BLUEBEE’s standard fee rates.

3.5 BLUEBEE warrants that all employees involved in the Processing of the Personal Data and other such persons as may be involved in the Processing within BLUEBEE’s scope of responsibility shall be prohibited from processing Personal Data outside the scope of the Customer’s instructions.

3.6 The Personal Data is strictly confidential. BLUEBEE shall not disclose and shall keep secret all Personal Data received from the Customer or a third-party controller in execution of the Agreement, unless it is authorized by the Customer or required by law. BLUEBEE warrants that any person entitled to process the Personal Data on behalf of the Customer (as an employee or agent of BLUEBEE) has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy.

3.7 BLUEBEE undertakes to ensure that the locations and databases which are used to process the Personal Data are adequately secured against access by unauthorised persons. BLUEBEE shall restrict access to the processed Personal Data to those members of staff who need the Personal Data to carry out their duties as assigned to them by BLUEBEE as part of the performance of the Agreement.

3.8 BLUEBEE shall notify the Customer without undue delay if BLUEBEE becomes aware of breaches of the protection of personal data, whether they occurred within its control or a Sub-Processor’s control. The report shall include at least the following information:

  • Type of breach;
  • Categories of Data Subjects and personal data registers affected;
  • Likely consequences of the breach for the fundamental rights of the Data Subjects;
  • Measures proposed or that have been taken by BLUEBEE to remedy the Breach.

3.9 BLUEBEE shall undertake all necessary measures to remedy the Breach. The Customer shall pay reasonable compensation to BLUEBEE for such measures, unless it appears that the breach is the result of BLUEBEE’s negligent acts or omissions.

3.10 BLUEBEE shall not, in the event of a breach, proceed to notify the Supervisory Authority nor to inform the affected Data Subjects about the Breach, unless the law requires BLUEBEE to do so.

3.11 BLUEBEE shall, upon termination of the Agreement or upon termination of the relevant service, upon the Customer’s instruction, return all Personal Data, carrier media and other materials to the Customer or delete/destroy the same, unless European Union or Member State Law require storage of the Personal Data. The Customer shall pay reasonable compensation to BLUEBEE for the costs related to this assistance.

3.12 BLUEBEE shall not transfer any Personal Data to a country outside the European Economic Area (EEA), unless the Customer has expressly authorized such transfer in writing.

4. CUSTOMER’S OBLIGATIONS

4.1 The Customer is responsible for the lawfulness of the Processing of Personal Data and shall hold BLUEBEE harmless against any claim relating to the (alleged) unlawfulness of the Processing of Personal Data.

5. REQUESTS AND CLAIMS BY DATA SUBJECTS

5.1 To the extent permitted by law, BLUEBEE will inform the Customer of a request from Data Subjects exercising their rights (e.g. rectification, erasure, access, …) regarding their Personal Data. The Customer shall be responsible for answering such requests of Data Subjects. BLUEBEE shall support the Customer with appropriate technical and organisational measures to meet its obligations to process requests by Data Subjects exercising their rights. The Customer shall pay reasonable compensation to BLUEBEE for this assistance.

5.2 BLUEBEE shall forward Data Subjects’ claims to the Customer without undue delay. Where a Data Subject asserts any claims against the Customer in accordance with Article 82 of the GDPR, BLUEBEE shall fully support the Customer in defending against such claims. The Customer shall pay reasonable compensation to BLUEBEE for this assistance.

5.3 If a Data Subject brings a claim directly against BLUEBEE for a violation of their Data Subject rights, the Customer will indemnify BLUEBEE for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that BLUEBEE has notified the Customer about the claim and given the Customer the opportunity to cooperate with BLUEBEE in the defence and settlement of the claim.

6. DOCUMENTATION

6.1 On request, BLUEBEE shall provide all information to the Customer that is required to demonstrate compliance with the provisions of this DPA and the Applicable data protection legislation.

6.2 Where, in individual cases, audits and inspections by the Customer or an auditor appointed by the Customer are necessary, such audits and inspections will be conducted upon prior notice. The Customer or an authorized auditor shall therefore have access during business hours for this purpose to BLUEBEE’s and Sub-processors’ premises and databases where the Processing is carried out. The costs of performing an audit shall be borne by the Customer, unless it becomes apparent that BLUEBEE or Sub-Processor are not complying with their obligations arising from this DPA, in which case the costs shall be borne by BLUEBEE.

7. SUB-PROCESSORS (FURTHER PROCESSORS ON BEHALF OF THE CUSTOMER)

7.1 BLUEBEE shall use sub-contractors as further processors on behalf of the Customer only with the Customer’s prior written consent. Appendix B contains the list of Sub-Processors that have been authorized by the Customer.

7.2 BLUEBEE shall notify the Customer of any change in the list of Sub-Processors. Within 30 days of this notification, the Customer can object to the intended change. The Customer’s objection shall be in writing and include the specific reasons for the objection. If the Customer does not object within such period, the intended Sub-Processor shall be considered as approved by the Customer. If the Customer objects to an intended change, for reasons other than a violation of Applicable data protection legislation, the Customer shall pay the additional costs resulting from the consequences of the Customer’s objection.

7.3 When the subcontracting is permitted under this Clause 8, BLUEBEE shall enter into a written sub-processing agreement with such Sub-Processor.

8. LIABILITY

8.1 No provision in this DPA shall serve to amend the provisions of the Agreement in relation to the limitation of the liability of the Parties.

Appendix A – Scope of the Processing

  1. DATA SUBJECTS

The Personal Data subject to Processing under this DPA belong to the following categories of Data Subjects: (a) patients and/or (b) persons undergoing DNA tests for medical or other purposes.

  1. PERSONAL DATA

The categories of Personal Data subject to Processing under the Agreement are the following: (a) identifying data and contact details, (b) genetic data and (c) health related data.

  1. DESCRIPTION OF THE PROCESSING ACTIVITIES PERFORMED BY BLUEBEE

Processing and hosting the Personal Data as part of its accelerated genomics platform.

Appendix B – List of Sub-Processors

The Customer hereby agrees to the following list of Sub-Processors:

| Name | Address | Processing activities |
|---|---|---|
| Free-lance consultants that are appointed from time to time by BLUEBEE and that perform services essentially full-time within BLUEBEE’s organisation. | | |
| SoftLayer Technologies, Inc. | 4849 Alpha Road, Suite 2000, Dallas, TX 75244, USA | IaaS – Infrastructure as a Service. Dedicated hosting and managed infrastructure services (incl. object storage). |
| OVH | Rue Kellermann 2, 59100 Roubaix, France | IaaS – Infrastructure as a Service. Dedicated hosting and managed infrastructure services (incl. object storage). |
| Google | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | IaaS – Infrastructure as a Service. Dedicated hosting and managed infrastructure services (incl. object storage). |
| Zoho Corporation Pvt. Ltd. | Estancia IT Park, Plot No. 140 & 151, GST Road, Vallancherry Village, Chengalpattu Taluk, Kanchipuram District 603 202, India | Customer Relation Management |
| MailChimp | 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA | Customer Relation Management |