Form P.8
Use of Personal Data
In the course of providing Services pursuant to the Software License Agreement with Customer (the “Agreement”), Licensor may gain access to “Personal Data,” which shall mean any information which identifies or is capable of identifying a living individual, or as otherwise defined as “Personal Data” by applicable laws, including without limitation, Customer or Customer’ customers, consumers, patients, employees, personnel, shareholders, physicians, suppliers, consultants and competitors, whether verbal or recorded in any form or medium, disclosed to the Licensor by or collected from the Licensor, on Customer’s behalf including, without limitation, (a) an individual’s name, address, phone number, e-mail address, social security number, or credit card information; and (b) all information, data and materials, including without limitation, demographic, medical and financial information, that relate to (i) the past, present, or future physical or mental health or condition of an individual; (ii) the provision of health care to an individual; or (iii) the past, present, or future payment for the provision of health care to an individual.
Collection, use, disclosure, retention and other processing of Personal Data may be regulated by certain privacy and data security laws.
When collecting, using, disclosing, retaining or otherwise processing Personal Data, the Licensor agrees to comply with all applicable privacy and data security laws, rules and regulations in those respective jurisdictions where the Licensor provides Services and/or collects, uses, discloses or otherwise processes Personal Data. Applicable privacy and data security laws, rules, and regulations include, but are not limited to, those laws related to the transmission or communication of Personal Data via mail, telephone, computer, wireless technology, facsimile, or other such means. Without limiting the foregoing and in addition to any other obligations under the Agreement, the Licensor further agrees as follows:
a. The Licensor agrees to collect, use, disclose, retain and otherwise process Personal Data solely as required and limited to that which is necessary for the purpose of performing the Services, subject to the requirements of applicable Laws;
b. When collecting, using, disclosing, retaining or otherwise processing Personal Data for or on behalf of Customer, the Licensor will comply with Customer privacy policies and any other applicable policies, including, without limitation, ones related to confidentiality and data security;
c. Any and all consents collected by the Licensor from individuals on behalf of Customer relating to collection, use, disclosure, retention and other processing of the individual's Personal Data, must be retained by the Licensor for at least two years after termination or expiration of the Agreement;
d. The Licensor agrees to establish commercially reasonable controls to prevent unauthorized access, use or disclosure of Personal Data. The Licensor will implement all safeguards that reasonably and appropriately protect the confidentiality, integrity, and security of Personal Data. Such safeguards shall include the encryption of sensitive Personal Data that includes United States Social Security Numbers (or the comparable identifiers in other countries), Driver’s License numbers, Medical Information, Bank Account numbers and/or Credit Card information, when such data is transmitted or at rest, including but not limited to data located on laptops, back-up tapes, USB flash drives and other portable devices. For purposes of this Attachment, Licensor shall consider the standards set forth in ISO/IEC 27002:2005 as commercially reasonable data protection controls and safeguards unless and until other such standards are supplied to the Licensor by Customer;
e. The Licensor shall promptly report to Customer any and all breaches of data security of which it becomes aware with respect to any Personal Data, including any attempted unauthorized access, use, or disclosure of such Personal Data. The Licensor agrees to use its best efforts to mitigate the effects of any breach, to promptly propose corrective action to Customer, and to promptly undertake all corrective action as approved or requested by Customer;
f. The Licensor agrees to provide Customer and/or its representatives with a right to audit at Customer’ discretion the Licensor’s business processes, books, records and practices relating to collection, use, disclosure, retention and other processing of Personal Data. Customer shall be responsible for Customer's costs associated with any such audit. In no event shall Customer be responsible for paying any of the Licensor’s fees and expenses associated with any such audit;
g. Upon expiration or termination of the Agreement, or at any time upon request of Customer, Licensor shall return to Customer and/or destroy all Personal Data held in any form or medium whatsoever, collected or received from or on behalf of Customer. The Licensor shall promptly send Customer a written certification signed by an authorized representative of the Licensor acknowledging that all Personal Data has been returned and/or destroyed;
h. Any collection, use, disclosure, retention and other processing of the Personal Data other than as contemplated by the Agreement or in violation of this Attachment is a material breach of the Agreement; and
i. The Licensor agrees to amend this Attachment in order to comply with any applicable laws relating to privacy and data security in those respective jurisdictions where the Licensor provides Services and/or collects, uses, discloses or otherwise processes Personal Data pursuant to the Agreement.
1