Frequently Asked Questions
What is a Data Processing Agreement or “DPA”?
A Data Processing Agreement or “DPA” is a contract between a data controller and a data processor that describes the roles and responsibilities of the parties when personal data is processed. A DPA must satisfy a number of requirements in order to be compliant with applicable data privacy laws, including the EU General Data Protection Regulation (“GDPR”).
What is a data Controller? What is a data Processor?
A data Controller determines the purposes and means of processing of personal data. A data Processor processes personal data on behalf of a data Controller, and only on the documented instructions of the Controller.
- For example, IDEXX customers will typically act as the data Controller for any personal data they provide to IDEXX in connection with their use of IDEXX diagnostic products and services and software solutions.
- In turn, IDEXX also acts independently as a data Controller with respect to personal data provided to us in connection with selling and providing our diagnostic products and services, but we act as a data Processor for certain software solutions.
See “What IDEXX products and services are covered by the IDEXX DPA?” and “I order diagnostic products and laboratory services from IDEXX. Why does my relationship with IDEXX not require a DPA?” Some countries’ data protection laws use different terminology than “Controller” and “Processor” to describe the same processing positions. Please refer to Local Data Protection Laws Covered by DPA for countries where different terminology is used.
What IDEXX products and services are covered by the IDEXX DPA?
IDEXX acts as a Processor and our DPA covers our processing activities for the following software solutions: Animana, ezyVet, Vet Radar, SmartFlow, VetConnect PLUS, SmartService. Please refer to the DPA Schedules for further details.
What countries’ data protection laws require a DPA?
In addition to the EU General Data Protection Regulation, several other countries have similar privacy laws that require a DPA. Please refer to Local Data Protection Laws Covered by DPA for the countries covered by our DPA.
If I am in a country where a DPA is required and I use an IDEXX product or service covered by the DPA, how do I enter into a DPA with IDEXX?
Our DPA is incorporated in and forms part of IDEXX’s terms of service for the applicable product or service. Please see our terms of service for the applicable products and services, as well as the DPA related information on the IDEXX Terms and Conditions page.
What are the Standard Contractual Clauses?
The Standard Contractual Clauses (“SCCs”) are a data transfer mechanism issued by the European Commission that is used for the transfer of personal data from the European Economic Area (EEA) and Switzerland to those countries which the EU has determined do not have adequate data protection laws, including the United States (“Non-Adequate Countries”). The updated SCCs published in 2021 are incorporated into our DPA and form part of your agreement with IDEXX for the products and services covered by our DPA. Transfers of personal data from the United Kingdom to Non-Adequate Countries may occur using the EU SCCs subject to a UK Addendum. In addition, where other countries require a contractual transfer mechanism to Non-Adequate Countries but have not adopted their own clauses, we rely on the EU SCCs. Please refer to Local Data Protection Laws Covered by DPA for specifics on the UK Addendum and other countries where the EU SCCs apply.
What is a subprocessor? Does IDEXX use subprocessors?
When IDEXX engages third-party service providers in our capacity as a data processor for our customers’ personal data, applicable privacy laws call these third parties subprocessors. Subprocessors are service providers who have or potentially will have access to personal data that IDEXX processes for, and on behalf of, IDEXX’s customers. Before engaging subprocessors, we perform due diligence, including a security assessment on such subprocessors. Our subprocessors are subject to contract terms that ensure they process personal data only for the purpose of providing their services to IDEXX and in accordance with IDEXX’s commitment to our customers and applicable data protection laws. You may find a list of our subprocessors here.
I order diagnostic products and laboratory services from IDEXX. Why does my relationship with IDEXX not require a DPA?
Not every type of customer relationship requires a DPA under applicable privacy laws. A Controller determines the purpose and means of processing personal data. When IDEXX acts as a Controller, a DPA is not required. The following are examples of when IDEXX qualifies as a Controller:
- When IDEXX processes personal data in connection with supplying diagnostic products, we determine what data is needed to fulfill the order and hence qualify as a Controller.
- In the context of providing reference laboratory test services, IDEXX has in practice (substantial) influence on the purposes and essential means of the processing of personal data when preparing, conducting, and generating the results of the test. When our reference laboratory customers submit an order, which may include personal data, IDEXX is simply processing that personal data in order to perform the requested laboratory test and provide the result.
My practice has developed our own DPA template that we are asking our vendors to sign. Will IDEXX agree to my template DPA?
We appreciate that some customers have developed their own Data Processing Agreements/Data Protection Agreements. We fully understand that customers as data controllers have concerns about meeting their responsibilities under the applicable data protection laws as far as the processing of their data is concerned. To help you meet this purpose, IDEXX has developed our own standard DPA. Because we need to ensure we comply with GDPR in a consistent and reliable way across our customer base, we are unable to agree to different DPA arrangements with each of our customers.