Shortcuts

Local Data Protection Laws Covered by the DPA

(Revision March 07, 2024)


The IDEXX Customer Data Processing Agreement here ("DPA") and its applicable Data Processing Agreement Schedules (each a "DPA Schedule") apply to the Processing of Personal Data ("Customer Personal Data") by IDEXX on behalf of the customer ("Customer") under the agreement between IDEXX and Customer ("Agreement") in order to provide IDEXX Services, if and to the extent i) the European General Data Protection Regulation (EU/2016/679) (GDPR); or ii) any other data protection laws identified below apply.


European Economic Area:
European Union Regulations and EEA Member State laws, other than GDPR, requiring a contract governing the processing of personal data, identical to or substantially similar to the requirements specified in Article 28 of the GDPR.

United Kingdom:
The UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act of 2018), the UK Data Protection Act of 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations of 2019, as amended, superseded or replaced. For the purpose of Section 9 of the DPA, the following will be implemented for transfers to Non-Adequate Countries subject to the UK General Data Protection Regulation. The parties rely on the EU SCCs for transfers of Personal Data from the United Kingdom subject to the completion of a “UK Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (the “UK Addendum”). The EU SCCs, completed as set forth in Section 9 of the DPA shall also apply to transfers of such Personal Data. The UK Addendum shall be deemed executed between IDEXX and Customer, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data.

Switzerland:
The Swiss Federal Act on Data Protection of 19 June 1992; as of September 1, 2023, its totally revised version of 25 September 2020 (“FADP”), as amended, superseded or replaced. For the purpose of Section 9 of the DPA, the EU SCC will be implemented for transfers to Non-Adequate Countries subject to the FADP, as amended and adapted, as follows:

  1. the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority in accordance with Clause 13 and Annex I.C of the EU SCC; and
  2. the governing law in accordance with Clause 17 of the EU SCC shall be Swiss law in case the data transfer is exclusively subject to the FADP; and
  3. the term "member state" must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the EU SCC; and
  4. references to the GDPR in the EU SCC shall also include the reference to the equivalent provisions of the FADP (as amended or replaced)


Brazil:
Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados Pessoais (“LGPD”). For the sake of clarity, IDEXX’s obligations to a Customer under the DPA are only those express obligations imposed by LGPD on a “Data Processor (operador)” for the benefit of a “Controller (controlador) (including new Section 3.5 below), as “Processor (operador)” and “Controller (controlador)” are defined by the LGPD:

  • 3.5 Each party is responsible to fulfill its respective obligations under the LGPD, and Customer will only issue Processing instructions, as set forth in Section 3 of the DPA, that enable IDEXX to fulfill its LGPD obligations. For the purposes of Section 9 of the DPA, the EU SCCs will apply to transfers to Third Countries as per GDPR.


South Africa:
South African Protection of Personal Information Act 4 of 2013 (“POPIA”). For the sake of clarity, IDEXX’s obligations to Customer under the DPA are those express obligations imposed by POPIA on an “Operator” (equivalent to “Processor”) for the benefit of a “Responsible Party” (equivalent to a “Controller”). Each party is responsible to fulfill its respective obligations under POPIA. For the purposes of Section 9 of the DPA, the EU SCCs will apply to transfers to Third Countries as per GDPR.

Japan:
The Japanese Act on the Protection of Personal Information no. 57 of 2003 (“APPI”), as amended. For the sake of clarity, IDEXX’s obligations to Customer under the DPA are those that the APPI requires Customer to have in place as a “Personal Information Handling Business Operator”, to entrust the processing of Customer Personal Data to IDEXX as an “entrusted person”, as such terms are used in the APPI.

California:
The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and any related regulations (“CCPA”). IDEXX’s obligations to Customer under the DPA are those that the CCPA requires that a "Business" (being the Customer and equivalent to “Controller” under the DPA) have in place with a "Service Provider" (being IDEXX and equivalent to “Service Provider under the DPA) as those terms are defined by the CCPA.  In addition:

The terms “sell” and “share” shall have the meaning given to them in the CCPA.  The term “Personal Data” as used in the DPA shall be replaced with “Personal Information.” The term “Data Subject” as used in the DPA shall be replaced with “consumer.” The term “Special Categories of Personal Data” as used in the DPA shall be replaced with “Sensitive Personal Information.” “De-identified information” shall mean data that cannot be reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such person.

New Section 3.5 are added as follows:

  • 3.5.  IDEXX shall:
  1. not sell or share Personal Information;
  2. not further combine Personal Information, or retain, use, or disclose the Personal Information: (A) outside the direct business relationship between IDEXX and Customer; or (B) for any purpose other than for the business purposes specified in the Agreement, unless otherwise permitted by the CCPA;
  3. upon instruction by Customer, stop using Sensitive Personal Information for any purpose other than providing the Services to the extent Supplier has actual knowledge that the Personal Information is Sensitive Personal Information;
  4. refrain from attempting to re-identify any de-identified information disclosed by Customer to IDEXX under the Agreement;
  5. refrain from complying with consumer deletion requests submitted directly to IDEXX to the extent that IDEXX has collected, used, processed, or retained the Personal Information in its role as Service Provider to Customer;
  6. promptly notify Customer if IDEXX determines that it can no longer meet its obligations under California Data Protection Law or under this Section; and
  7. remain liable for IDEXX’s own violations of the CCPA.