Supplier Data Privacy Requirements

1. Definitions

(a)    “Agreement” means the Purchase Order issued by the Parexel entity stated therein and accepted by Supplier pursuant to the terms thereof and referencing and incorporating these Requirements.

(b)    “Company” means Parexel or any Parexel affiliate on behalf of which Provider Processes Personal Data pursuant to the Agreement. Company may be acting as a Controller or as an authorized Processor on behalf of a Sponsor (the Controller) that contracted Company as Processor.

(c)    “Controller” means the natural or legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.

(d)    “Data Subject” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly. Legal entities are Data Subjects where required by applicable Data Protection Law.

(e)    “Data Protection Law” means all applicable data protection law, including GDPR and other privacy laws as applicable (e.g. 201 CMR 17.00, applicable only to the personal data of Massachusetts inhabitants).

(f)    “Personal Data” means any information relating to a Data Subject, as more fully described in applicable Data Protection Law.

(g)    “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

(h)    “Process(ing)” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.

(i)    “Processor” means a natural or legal person which processes Personal Data on behalf of the Data Controller.

(j)    “Provider” means Supplier or any Supplier entity or affiliate that Processes Personal Data on behalf of Company pursuant to this Agreement.

(k)    “Special Categories of Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, and any other categories of data such as personal bank account and payment card information and any national identifiers to the extent considered by Data Protection Law to be particularly sensitive.

(l)    “Technical and Organizational Security Measures” means measures aimed at preventing a Personal Data Breach, including but not limited to such breach resulting from or arising out of Provider’s internal use, Processing or other transmission of Personal Data, whether between or among Provider’s affiliates or any other person or entity subcontracted by or acting on behalf of Provider.

2. Processing Obligations of Provider

In Processing Personal Data, Provider agrees that:

(a)    Provider shall abide by all applicable Data Protection Law.  

(b)    Provider shall Process Personal Data only in accordance with the documented instructions of Company and strictly as necessary to perform its obligations under the Agreement and Data Protection Law and for no other purpose. Provider shall inform Company immediately if, in its opinion, it receives an instruction from Company which infringes Data Protection Law.

(c)    Provider shall ensure that the persons authorized by Provider to Process Personal Data are bound by appropriate confidentiality obligations.

(d)    Provider shall implement appropriate and reasonable Technical and Organizational Security Measures, such measures designed to protect Personal Data from unauthorized use or disclosure consistent with the type of Personal Data being Processed and the services being provided by Provider, all in accordance with applicable Data Protection Law. Documentation of such measures shall be furnished to Company upon request.

(e)    Provider shall assist Company in ensuring compliance with its obligations in respect of security of Personal Data, data protection impact assessments and prior consultation requirements under Data Protection Law.

(f)    Provider shall (1) obtain Company’s prior written consent prior to engaging any sub-processors, and where Company has provided consent for such sub-processor, Supplier shall not replace or engage other sub-processors without the prior written consent of Company, (2) ensure that a written contract exists between Supplier and the sub-processor containing clauses equivalent to those imposed on Supplier in these Requirements, and (3) remain liable to Company for the performance of the sub-processor’s obligations.  

(g)    Provider shall inform Company immediately in the event of receiving a request from a Data Subject to exercise their rights under Data Protection Law and shall provide such co-operation and assistance as may be required to enable Company to deal with such request in accordance with the provisions of Data Protection Law.

(h)    Provider shall notify Company within one (1) day after discovery of any Personal Data Breach at or at such contact details communicated to Provider from time to time. Provider shall at its cost and expense assist and cooperate with Company concerning any disclosures to affected parties and other remedial measures as requested by Company or required under Data Protection Law. The notification shall include a detailed description of the Personal Data Breach, the type of Personal Data that was the subject of the Personal Data Breach, the identity of each affected person, and any other information Company reasonably may request concerning such affected persons and the details of the Personal Data Breach. Provider shall designate an individual responsible for management of the Personal Data Breach and shall identify such individual to Company with notification of the breach.

(i)    Provider shall (i) make available to Company all information necessary to demonstrate compliance with the obligations laid down in these Requirements; and (ii) allow for and assist with audits, including inspections, conducted by Company or another auditor mandated by Company, of its relevant facilities, equipment and processes in order to ensure compliance with the obligations laid down in these Requirements and applicable Data Protection Law, provided, however, that adherence by Provider to an approved code of conduct or an approved certification mechanism authorized by the applicable data protection authority shall be sufficient to demonstrate compliance by Provider with the provisions of these Requirements and Data Protection Law.

(j)    Supplier shall: (i) at the choice of Company, delete or return the Personal Data to Company when Supplier ceases to provide Services relating to Personal Data processing and, if requested by Company, certify the fact of such deletion; and (ii) not retain any copies of such Personal Data unless applicable Data Protection Law or other applicable law requires storage of the Personal Data.

(k)    Provider shall not by act or omission place Company in violation of any Data Protection Law.

(l)    Provider shall notify Company promptly upon becoming aware that Supplier receives or Processes Special Categories of Data and shall follow Company’s documented instructions with respect thereto.

3. Certain Transfers of Personal Data

(a)    Supplier shall not, without the prior written consent of Parexel, (i) transfer Personal Data from any jurisdiction to any other jurisdiction (the EEA constituting a single jurisdiction for this purpose); (ii) move Personal Data from its Parexel-approved hosting jurisdiction to a different hosting jurisdiction; or (iii) provision remote access to such Personal Data from any location other than the hosting jurisdiction or another Parexel-approved jurisdiction. The parties recognize and agree that such consent by Parexel may, at Parexel’s option, apply to all similar transfers of similar data between the designated parties and jurisdictions.

(b)    To the extent Supplier is relying on a specific mechanism for lawful international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, Supplier shall promptly notify Parexel and agrees to pursue a suitable alternate mechanism that can lawfully support the transfer as soon as practicable.

(c)    If requested by Parexel in order to enable Parexel to comply with any Data Protection Law, Supplier also agrees to execute the EU Standard Contractual Clauses in the prescribed form.