IDEXX CUSTOMER DATA PROCESSING AGREEMENT
(Revision May 18, 2023)
This Data Processing Agreement (“DPA”) and the applicable Data Processing Agreement Schedules found here (each a “DPA Schedule”) apply to the Processing of Personal Data (“Customer Personal Data”) by IDEXX on behalf of the customer (“Customer”) subject to the General Data Protection Regulation 2016/679 (“GDPR”) or any of the other data protection laws identified here (together, “Data Protection Laws”) in order to provide services (“Services”) pursuant to an agreement between IDEXX and Customer (“Agreement”). Where IDEXX is referenced in this DPA, it shall mean IDEXX B.V. or an Affiliate of IDEXX B.V. that entered into the Agreement with Customer. Customer and IDEXX will be collectively referred to as “Parties”, or separately as a “Party”. This DPA and the applicable DPA Schedule are incorporated into the applicable Agreement for the applicable Service. In the event of a conflict, the DPA Schedule prevails over the DPA, which prevails over the rest of the Agreement, unless explicitly stipulated otherwise in this DPA.
1.1 All definitions included in the Agreement shall also apply to this DPA, unless stipulated otherwise in this DPA. Capitalized terms used and not defined herein have the meanings given them in the applicable Data Protection Laws. In addition thereto, the following definitions apply to this DPA:
1.2 Affiliate: any person or entity controlling, controlled by or under common control with another person or entity. For these purposes, "control" shall refer to (i) the possession, directly or indirectly, of the power to direct the management or policies of the subject entity, whether through the ownership of voting securities, by contract, or otherwise, or (ii) the ownership, directly or indirectly, of at least fifty percent (50%) of the voting securities or other ownership interest of the subject entity, or in the event such entity resides in a country where such level of ownership is not permitted, the maximum percentage ownership therein allowed;
1.3 Third Country: any country that does not provide an adequate level of data protection according to the applicable Data Protection Laws;
1.4 Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed.
2 Subject of this Data Processing Agreement
2.1 In connection with the processing of Customer Personal Data in relation to the applicable Services and applicable Agreement, IDEXX shall be the Processor, and Customer shall be the Controller. The Processing of Personal Data to which this DPA applies is described in the relevant DPA Schedules.
2.2 This DPA complements the Agreement and sets aside any (oral and/or written) arrangements of an earlier date relating to the processing of Personal Data between Customer acting as Controller, and IDEXX acting as a Processor in respect of the Personal Data, if applicable.
3 Processing of the Personal Data
3.1 IDEXX will comply with all Data Protection Laws with respect to the Services applicable to IDEXX as a Processor. Customer warrants that it processes or shall have processed the Customer Personal Data in accordance with the applicable law. Customer shall upon first request of IDEXX promptly provide all relevant information requested to IDEXX in writing, which may include in electronic form. IDEXX is not responsible or liable for compliance with Customer's obligations under the applicable law, including without limitation Customer’s obligations to its own customers or clients, such as Customer’s obligation to inform its customer or clients of recipients of the Processing of their Personal Data. IDEXX is not responsible for determining the requirements or laws or regulations applicable to Customer’s business, or that a Service meets the requirements of any such applicable laws or regulations. As between the parties, Customer is responsible for the lawfulness of the Processing of Customer Personal Data. Customer will not use the Services in a manner that would violate applicable Data Protection Law.
3.2 The applicable DPA Schedule for a Service contains a list of categories of Data Subjects, types of Customer Personal Data, and any Special Categories of Personal Data. The duration of the processing corresponds to the duration of the Service, unless otherwise stated in the DPA Schedule. The purpose and subject matter of the processing is the provision of the Service as described in the Agreement.
3.3 IDEXX shall only process Customer Personal Data on behalf of Customer and in accordance with Customer’s documented instructions, unless otherwise required by the applicable Data Protection Law. The scope of Customer’s instructions for the processing of Customer Personal Data is defined in the Agreement, and, if applicable, Customer’s and its authorized users’ use and configuration of the features of the Service. IDEXX shall immediately inform Customer if, in its opinion, any of the instructions of Customer infringes the applicable Data Protection Laws, and IDEXX may suspend the performance of such instruction until Customer has modified or confirmed its lawfulness in documented form.
3.4 IDEXX shall ensure that its employees and other persons engaged in the Processing of Customer Personal Data have committed themselves to confidentiality to the extent these persons are not bound by an appropriate statutory confidentiality obligation. IDEXX shall ensure that these employees or other persons engaged by it comply with all the obligations laid down in this DPA and the Agreement. IDEXX shall ensure that IDEXX's access to Customer Personal Data is limited to those employees and other persons performing Services in accordance with the Agreement.
4 Security Measures
4.1 IDEXX shall implement appropriate technical and organizational security measures to ensure an appropriate level of security in relation to the Personal Data. The technical and organizational security measures to be implemented by IDEXX, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, are described in the Technical and Organizational Measures included with the DPA Schedules. IDEXX may update or modify its security measures from time to time, provided that such updates and modifications do not result in a reduction of the overall security of the Services.
5 Reporting of Personal Data Breaches
5.1 The obligation of IDEXX to notify Customer of a Personal Data Breach and to take action in relation to a Personal Data Breach does not lead to an acknowledgment of any defect or liability on the side of IDEXX in relation to that Personal Data Breach.
5.2 As soon as IDEXX becomes aware of a Personal Data Breach of which Customer was not yet informed, IDEXX shall inform Customer thereof without undue delay in a manner determined by IDEXX. IDEXX shall inform the Customer contact provided by Customer in connection with the Services. Customer shall be responsible for ensuring that the contact details of the contact persons of Customer communicated to IDEXX are up to date. Should IDEXX not reach the given contact person(s) of Customer in time, this shall be at the risk of Customer.
5.3 When Customer itself is aware of a Personal Data Breach relevant for the provision of the Services by IDEXX, Customer shall inform IDEXX without undue delay thereof, including which measures have been or will be taken by Customer.
5.4 Upon detection of a Personal Data Breach by IDEXX, IDEXX shall provide all reasonable feedback to Customer about the possible impact of the Personal Data Breach on Customer and the affected Data Subjects. The feedback includes a description of the nature and extent of the Personal Data Breach, and the measures planned and already taken to address the Personal Data Breach.
5.5 On request of Customer, IDEXX will also provide reasonably needed assistance in composing the relevant documentation in relation to the Personal Data Breach. Customer will however remain responsible for the obligation to keep an internal overview of Personal Data Breaches that have occurred.
5.6 Customer is responsible for informing the competent governmental authority and/or affected Data Subjects of the Personal Data Breach, insofar as this is required under the applicable Data Protection Laws. If Customer requests IDEXX to inform the affected Data Subject(s) and/or the competent governmental authority of the Personal Data Breach, IDEXX shall only do so upon receiving a written and full instruction of Customer and approval of such written instruction by IDEXX. This does not lead to any responsibility or liability for IDEXX in relation to the (notification of the) Personal Data Breach.
6.1 Taking into account the nature of the data processing and the information available to Parties, Parties shall provide each other with all necessary assistance in complying with the obligations that rest upon the Parties under the applicable Data Protection Law, in particular the obligations in relation to the security of Personal Data, Personal Data Breach notification duties, information duty and the execution of data protection impact assessments, including prior consultation of the relevant governmental authority.
6.2 Customer will make a written request for any assistance referred to in this DPA. IDEXX may charge Customer to perform such assistance or an additional instruction; such charges will be no more than a reasonable charge and shall be set forth in a quote and agreed in writing by the parties.
7 Audit rights of Customer
7.1 Customer may at its own expense and upon prior consultation with IDEXX perform an audit on the data processing system used by IDEXX to process Customer Personal Data to examine whether the reasonable technical and organizational security measures that have been taken in relation to the Personal Data processed in the context of this DPA are in line with the measures described in Section 4 of this DPA.
7.2 IDEXX shall make available to Customer all information reasonably necessary to demonstrate compliance with Customer's obligations to conclude a data processing agreement in line with the relevant requirements in this respect under the applicable Data Protection Law, and allow for and contribute to audits, including inspections, conducted by Customer. In consultation with IDEXX, Customer may engage a third party (expert) to perform its audit rights, provided that such third party will be bound by an adequate confidentiality obligation.
7.3 The execution of an audit by Customer or on behalf of Customer shall not cause any delay in the business activities of IDEXX or any of its Subprocessors.
8.1 Customer authorizes the engagement of other Processors to process Customer Personal Data by IDEXX, including but not limited to Affiliates of IDEXX (“Subprocessors”). A list of the current third party Subprocessors is set forth here, as may be updated by IDEXX from time to time. IDEXX shall inform Customer in a manner determined by IDEXX of any intended changes concerning the addition or replacement of such Subprocessors. Customer may object to any new Subprocessor by terminating the Agreement upon written notice to IDEXX, provided that Customer provides such notice to IDEXX within 60 days of IDEXX informing Customer of the engagement of the Subprocessor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.
8.2 IDEXX shall enter into and enforce a written data processing agreement with its Subprocessors with substantially similar but not less protective privacy and data security obligations as those set forth in this DPA. IDEXX shall remain liable for fulfilment of its obligations under the Agreement, this DPA, and applicable Data Protection Laws.
9 Cross-Border Transfer of the Personal Data
9.1 Customer Personal Data may be transferred to a Third Country by IDEXX or Subprocessors engaged by IDEXX.
9.2 In the case of a transfer of Customer Personal Data to a Third Country, the parties shall cooperate to ensure compliance with the applicable Data Protection Laws as set forth in the following Sections.
9.3 By entering into the Agreement, Customer is entering into the Standard Contractual Clauses for international transfers (Commission Implementing Decision (EU) 2021/914 or any updated version or replacement thereof) ("SCCs"), completed as detailed in Section 9.3.1 below, unless a different data transfer instrument has been declared applicable to the relevant transfer of Customer Personal Data in the applicable Data Protection Law identified here, in which case that identified data transfer instrument shall apply and govern the transfer of Customer Personal Data to the Third Country. To the extent provided under Data Protection Laws other than GDPR, the SCCs shall also apply to the transfer of Customer Personal Data from Customers not located in the EEA or Switzerland to an IDEXX entity located in a Third Country.
9.3.1 The SCCs will apply completed as follows:
a ) Module 2 – controller to processor – will apply.
b ) In Clause 7, the optional docking clause, will apply.
c ) In Clause 9, option 2 will apply and the prior notification period will be 14 days.
d ) In Clause 11, the optional language will not apply.
e ) In Clause 17, option 1 will apply and the law of the Netherlands shall apply.
f ) In Clause 18(b), disputes shall be resolved before the courts of the Netherlands.
g ) Annex I (A. List of Parties, B. Description of Transfer, C. Competent Supervisory Authority) of the SCCs shall be deemed completed with the information set forth in Section B of the DPA Schedule applicable to the Services.
h ) Annex II (Technical and Organizational Security Measures) of the SCCs shall be deemed completed with the information set forth in Section B of the DPA Schedule applicable to the Services.
i ) Annex III (List of Subprocessors) shall be deemed completed with the Subprocessor list identified in Section 8.1 above.
9.4 IDEXX will enter into the SCCs Module Three (Processor-to-Processor) with each Subprocessor located in a Third Country as listed in the respective DPA Schedule where required under the applicable Data Protection Laws. IDEXX may transfer and store Personal Data to and in its locations in the United States or other countries where its Affiliates are located. Such transfers are subject to an intercompany agreement between Affiliates of IDEXX that includes the applicable Module Three (Processor-to-Processor) SCCs.
9.5 Nothing in the Agreement or this DPA shall be construed to prevail over any conflicting clause of the SCCs. Customer acknowledges it has had the opportunity to review the SCCs and to obtain a copy from IDEXX.
10 Requests of Data Subjects
Upon reasonable written request of Customer, IDEXX shall provide reasonable assistance to facilitate that Customer is able to comply with its obligations as Controller if a Data Subject exercises any of its rights under the applicable Data Protection Laws.
11.1 Costs: The costs IDEXX may incur in performing its obligations under this DPA (for example, providing assistance to Customer in responding to data subject requests) may result in IDEXX charging Customer for additional work. If this is the case, IDEXX will inform Customer thereof.
11.2 Indemnity: Customer shall fully indemnify IDEXX against any claim by a third party, including by any of the Data Subjects, imposed against IDEXX as result of a breach of the applicable law, which can be attributed to Customer or any of its employees or contractors.
11.3 Term and Termination: This DPA enters into force on the date that IDEXX first processes the Personal Data on behalf of Customer in the performance of the Agreement. This DPA shall remain in effect for the duration of the Agreement. In the event the Agreement ends, this DPA ends as well by operation of law, without further legal action. Unless IDEXX is required by the applicable law to retain the Personal Data, IDEXX shall, upon termination of this DPA, ensure that (i) the Personal Data will be returned or provided to Customer, or (ii) the Personal Data will be destroyed, on Customer's request in writing, which may include in electronic form. Any obligation arising from this DPA that by nature has post-contractual effect, including but not limited to this Section, shall continue to be in effect after the termination of this DPA.
11.4 Deviations and Renegotiation: Deviations from and additions to this DPA shall only be valid if they have been expressly agreed in writing, including in electronic form.
Customer shall promptly inform IDEXX of any changes that are or could be relevant for the Agreement and the processing of the Personal Data.
If this DPA is translated into several languages, the English text shall be deemed authentic for the purpose of interpretation or in the event of conflict or inconsistency between the various translations.