Exhibit 10.39.1

Certain identified information has been excluded from this exhibit because it is both (i) not material and (ii) would likely cause competitive harm if publicly disclosed. [***] indicates that information has been redacted.

 

SERVICES FRAME AGREEMENT

between

Ares Genetics GmbH
Karl-Farkas Gasse 18
1030 Wien
Austria
(the “Service Provider/Institution”)

and

Sandoz International GmbH
Industriestrasse 25
D-83607 Holzkirchen
Germany
(“Sandoz”)

Effective Date: 14 December 2018

Subject

Sandoz and Service Provider/Institution hereinafter also referred to as “Parties” and each individually as “Party”.

A.This Services Frame Agreement (“Agreement”) shall form the framework of contractual conditions under which the Service Provider/Institution will perform for Sandoz and/or its Affiliates services in the field of molecular microbiology techniques combined with advanced bioinformatics and artificial intelligence approaches (the “Services”) as specified in work orders which shall be similar in fashion to the example work order outlined in Annex 1 and shall be executed by the Parties (or by the Service Provider/Institution, and an Affiliate of Sandoz) and shall expressly refer to this Agreement (“Work Orders”). The general scope of the Services shall be outlined in each Work Order which shall form an integral part of this Agreement. The Service Provider/Institution is regularly engaged in conducting the Services. The Services may involve one or more chemical compounds (each a “Study Material”) and/or actual and/or potential pharmaceutical products identified in the Work Order. Service Provider/Institution shall not perform any Services and/or research beyond the scope of the Work Order without the prior written consent of Sandoz.
B.For the purpose of this Agreement, “Affiliate” shall mean any corporation or other business entity controlled by, controlling or under common control with Sandoz. “Control” for the purposes of this definition shall mean direct or indirect beneficial ownership of fifty percent (50%) or more of the voting interest in an entity, or such other relationship as, in fact, constitutes actual control.
 


C.For the purpose of this Agreement, “Personal Data” shall mean any information (as defined by local Data Protection Legislation) relating to an identified or identifiable person. It includes without limitation electronic data and paper-based files that include such information, such as name, home address, office address, e-mail address, age, gender, family information, profession, education, professional affiliations, salary and credit card numbers.
D.The Service Provider/Institution shall perform the Services in accordance with this Agreement and the relevant Work Orders, in compliance with state-of-the-art scientific standards and laboratory practice.
E.The Service Provider/Institution warrants that its employees and collaborators will comply with its obligations under this Agreement.
F.The Service Provider/Institution warrants that its employees and subcontractors/agents will comply with its obligations under this Agreement.
G.If requested, Service Provider/Institution shall negotiate in good faith Quality Agreements with Sandoz and/or any of Sandoz’ Affiliates. Service Provider/Institution represents and warrants that its performance hereunder, including without limits Service Provider/Institution’s provision of Services, shall be in accordance with any such Quality Agreement which shall become an integral part of this Agreement upon its/ their execution. For the avoidance of any doubts, any conflict between the provisions of this Agreement and any Quality Agreement shall be resolved in favour of this Agreement, except for conflicts that relate to quality assurance aspects, in which case the provisions of the relevant Quality Agreement shall prevail.
1.Term of this Agreement

This Agreement shall be deemed effective as of the effective date written above and shall remain in effect for a period of three (3) years from that date unless sooner terminated in accordance with the terms of this Agreement.

2.Termination
2.1Sandoz may terminate this Agreement and/or any Work Order at any time and for any reason, by giving written notice to the Service Provider/Institution with immediate effect. Unless Sandoz terminates any Work Order because of a breach by the Service Provider/Institution, in which case Sandoz shall owe the Service Provider/Institution no further obligations, Sandoz shall make payment to the Service Provider/Institution for all reasonable costs incurred or accrued in performing the Services prior to receipt of the notice of termination of the Work Order and not yet paid for by Sandoz.
2.2This Agreement may be terminated by either Party at any time by notice in writing to the other Party with immediate effect in any of the following circumstances:
(a)if the other Party has breached any of its obligations hereunder and has failed to remedy such breach within 30 (thirty) days of receipt of notice in writing specifying the breach;
(b)if the other Party has gone into liquidation otherwise than for the purpose of amalgamation or reconstruction; or has had a receiver or manager appointed in respect of any of its assets; or has entered into any composition with its creditors; or
(c)if the other Party merges with a third party, or transfers beneficial ownership of more than fifty percent (50%) of its voting shares to a third Party.
2.3Upon any termination or expiration of this Agreement, all outstanding rights and obligations between the Parties arising from or in connection with this Agreement shall immediately terminate, except:
(a)any obligation that matured prior to the effective date of the termination or expiration;
(b)Sections 4 (Intellectual Property Rights), 5 (Confidentiality and Non-use), 9 (Taxes and Social Security Contributions), 10 (Publications and Publicity), 12 (Retention of Materials Relating to Services), 16 (Indemnification and Liability), 24 (Jurisdiction), 25 (Data Protection and Security); and
(c)any other provision which, by its terms, is understood to survive the termination or expiration of this Agreement.
2.4Termination of this Agreement shall be without prejudice to any claim or right of action of either Party against the other Party for any prior breach of this Agreement.
2.5Notwithstanding the foregoing, should any Work Order executed during the term of this Agreement require Services to be completed after the expiry or termination of this Agreement, the terms of this Agreement shall remain in effect with respect to such Work Order until the Work Order has been terminated or the Services thereunder have been completed.
3.Reports
3.1Unless the Work Order specifies more detailed reporting requirements, the Service Provider/Institution shall submit a final written report to Sandoz within 60 (sixty) days after the completion of the Services under a particular Work Order, describing the work performed, the results obtained, and the interpretation of results and all raw data (the “Final Report”).
3.2The Service Provider/Institution warrants that each Final Report (and any other report specified in the Work Order) submitted to Sandoz is true, complete and correct and accurately reflects the result of the corresponding Services.
4.Intellectual Property Rights
4.1All data, information and documents provided to the Service Provider/Institution by or on behalf of Sandoz or its Affiliates in connection with this Agreement, whether in paper, oral, electronic or any other form, shall remain the sole property of Sandoz. The Service Provider/Institution shall acquire no rights therein.
4.2All intellectual property owned by or licensed to Service Provider/Institution prior to the Services as documented in Annex 4 (the “Service Provider Background Intellectual Property”) and any improvements thereto shall remain the property of Service Provider/Institution or Service Provider/Institution’s licensor, as the case may be. Service Provider/Institution hereby grants Sandoz and its Affiliates a non-exclusive, irrevocable, perpetual, worldwide, royalty-free license to use the Service Provider Background Intellectual Property and any improvements thereto that is incorporated into, and/or necessary for the non-infringing use of any work or invention or any relating intellectual property rights with regard to a Work Order and/or the Results. “Non-infringing use” shall mean use that does not infringe any intellectual property other than the intellectual property owned by or licensed to Sandoz and its Affiliates.
4.3Except for Service Provider Background Intellectual Property as defined above, all materials, data, results, information, documents, reports, inventions (whether patentable or not), know-how and discoveries resulting from or arising out of the Services or developed by the Service Provider/Institution in connection with this Agreement and all intellectual property rights therein (the “Results”) are hereby assigned to and shall be the exclusive property of Sandoz and its Affiliates (or their designees) and may be used and/or transferred by Sandoz and its Affiliates for any purpose at their sole discretion with no further payment or other obligation to the Service Provider/Institution. Results shall include without limitation all compounds and derivatives obtained, generated or developed in connection with any Services. The Service Provider/Institution shall have no rights whatsoever in the Results. Notwithstanding the aforesaid, Service Provider may include the primary sequencing and antibiotic resistance data into “ARESdb” (its database used to get the project data).
4.4Except for Service Provider Background Intellectual Property as defined above and within the guard rails of German Employee Invention Law (“Arbeitnehmererfindungsgesetz”), the Service Provider/Institution agrees to cause any employees or collaborators to, assign all right title and interest in and to any such Results to Sandoz or its designee, and to execute promptly all documents and take all such other action as may be reasonably requested by Sandoz in order to permit Sandoz to obtain the benefit of its rights under this Agreement.
4.5In so far as the assignment under clause 4.3 is not possible for legal reasons, the Service Provider/Institution grants Sandoz the exclusive right, which is unlimited in terms of
duration, territorial scope and content, as well as being capable of assignment and sub-licensing, to exploit the Results for all known or currently unknown types of exploitation to the broadest possible extent. This includes, in particular, the right to reproduce, disseminate, publish, exhibit, lecture on, perform, demonstrate, make available to the public, broadcast, re-broadcast and otherwise reproduce the Results in any form, in all media, in all services, via all methods of transmission and regardless of the method and apparatus used for the purpose. This also includes the right to change, translate, work on or otherwise alter the Results and to exploit the results obtained in these ways in the same ways as listed above.

4.6The Service Provider/Institution shall be solely responsible for any payments due to its employees and collaborators for the assignment of any inventions or other Results according to the applicable law. Sandoz’ payments for the Services shall be deemed to include consideration for such payments.
4.7The Service Provider/Institution shall grant Sandoz access to all primary data generated in the course of the Services, including without limitation electronic raw data and data contained in laboratory notebooks. Sandoz shall have the right to make copies of the Service Provider/Institution’s primary data at regular intervals in the case of laboratory data.
4.8The Service Provider/Institution warrants that it is entitled to use the materials and technology which it will use to perform the Services.
5.Confidentiality and Non-Use
5.1All information, including without limitation all Work Orders, data, results, reports, Materials and trade secrets, and all information about compounds which is disclosed to the Service Provider/Institution by or on behalf of Sandoz or its Affiliates or which is developed or generated by the Service Provider/Institution or its collaborators in connection with this Agreement or the Services conducted hereunder (collectively “Confidential Information”), shall be regarded as confidential. The terms of and the existence of this Agreement shall also constitute Confidential Information.
5.2The Service Provider/Institution shall not use Confidential Information for any purpose other than the performance of Services under this Agreement.
5.3The Service Provider/Institution shall not disclose or provide Confidential Information to any third party. Employees and collaborators of the Service Provider/Institution bound by confidentiality obligations not less strict than those set out herein, who are under the supervision and control of the Service Provider/Institution, shall not be regarded as third parties. Disclosure shall be made only to such employees and collaborators who need to know or to have the Confidential Information for the purpose of conducting Services under this Agreement.
5.4The Service Provider/Institution shall only copy any documents containing Confidential Information or prepare any extracts from such documents for the purpose of this Agreement.
5.5The Service Provider/Institution shall promptly destroy or provide to Sandoz, as per Sandoz’s request (which may be made at any time), all documents (including electronic files) containing or relating to Confidential Information (including all data and results generated in Services, which shall be provided in electronic form), except for one copy which is to be retained in the confidential files of the Service Provider/Institution for record purposes only. If requested by Sandoz, the Service Provider/Institution shall promptly confirm destruction of the documents to Sandoz in writing. Notwithstanding the aforesaid, Provider/Institution is not obliged to return or destroy Confidential Information contained in regular IT-Backups, provided those back-ups are not reopened/recovered to make further use or disclosure.
5.6The above obligations shall not apply to:
(a)Confidential Information which is, at the time of disclosure, in the public domain or thereafter becomes part of the public domain otherwise than by the act or omission of the Service Provider/Institution or its employees or agents;
(b)Confidential Information that the Service Provider/Institution can demonstrate by written evidence was in its possession prior to its disclosure by Sandoz; or
(c)Confidential Information which the Service Provider/Institution received from any third party not engaged in the Services conducted under this Agreement, where such information is not subject to an obligation of confidentiality or secrecy in favour of Sandoz or any of its Affiliates.
5.7The Service Provider/Institution warrants that its employees and collaborators who will have access to Confidential Information will be bound by confidentiality and non-use obligations not less strict than those set out herein, and that they will comply with those obligations.
5.8The Service Provider/Institution may disclose Confidential Information if requested pursuant to an order of a competent court or administrative agency, provided that the Service Provider/Institution has informed Sandoz thereof in writing, and has used reasonable efforts to limit the scope of the disclosure and to obtain confidential treatment by the court or administrative agency of Confidential Information disclosed pursuant to such order.
5.9The obligations of confidentiality and non-use in this Section 5 shall survive the expiry or termination of this Agreement for 15 (fifteen) years.
6.This section intentionally blank
7.Audits, Inspections and Compliance with Laws
7.1It is agreed that authorised representative(s) of Sandoz, and/or its Affiliates who are not direct competitors to Service Provider/Institution may arrange, with twenty (20) days’ advance notice, at no cost to Sandoz, to, during regular business hours, examine, audit and
inspect the Service Provider/Institution’s facilities with respect to the Services, including, but not limited to, the facilities, systems, processes and documentation.

7.2The Service Provider/Institution warrants that it has, and shall continue to have for the duration of this Agreement, all of the authorisations required under the applicable laws and regulations to perform the in-vitro experimental work involved in performing the Services at its facilities.
7.3The Service Provider/Institution shall conduct the Services in compliance with all applicable laws, regulations, ordinances, and guidelines.
7.4Service Provider/Institution represents and warrants that this Agreement and any Work Order thereunder will be performed in material compliance with all applicable laws and regulations, relating to health, safety, and environment, fair labour practices and unlawful discrimination.
7.5Responsible Procurement. Sandoz promotes the societal and environmental values of the United Nations Global Compact to its Third Party Suppliers. Sandoz expects suppliers with whom it works to comply with the law and to adhere to ethical business practices set out in the Novartis Supplier Code referenced in Annex 2.

Service Provider/Institution shall:

·Familiarize themselves with the requirements of the Novartis Supplier Code.
·Provide information on request to Sandoz associates concerning labour, health and safety, environment, animal welfare, anti-bribery and fair competition, and data protection and privacy practices, in the form requested.
·Allow Sandoz associates (or Sandoz-nominated third Party experts) adequate access for the purposes of auditing compliance with these standards.
·Mediate identified non-compliances with the Novartis Supplier Code and report remediation progress to Novartis on request.

The Novartis Supplier Code, and other codes, policies and guidelines can be found at: https://www.novartis.com/about-us/corporate-responsibility/resources-news/codes-policies-guidelines

Service Provider/Institution acknowledges and agrees that the Novartis Supplier Code forms an integral part of this Agreement and understands that failure to adhere to these standards and/or obstructing/refusing Sandoz’ audit rights as stated in the Novartis Supplier Code shall constitute a material breach of this Agreement and entitle Sandoz to immediately terminate the Agreement by written notice without compensation.

8.Payment Terms
8.1In consideration of the satisfactory performance of the Services, Sandoz will reimburse Service Provider/Institution in accordance with the Work Order. Service Provider/Institution bears the sole responsibility for compensation (including overtime to hourly employees, if applicable) of Service Provider/Institution’s employees. Sandoz shall make payment against every invoice within sixty (60) days of its receipt of the invoice (also if it is submitted electronically according to 8.9). Service Provider/Institution shall send the invoice to the address specified on the applicable Work Order/Purchase Order.
8.2Should the Work Order state that Sandoz will reimburse Service Provider/Institution for out-of-pocket expenses incurred by Service Provider/Institution in performing the Services, Sandoz shall do so, provided that such expenses are necessary for the performance of the Services, are reasonable (i.e., not luxury or first-class) and have been approved in writing, and in advance, by Sandoz. Each such expense shall be billed to Sandoz promptly after it is incurred but no more frequent than monthly, at actual cost, i.e., without mark-up or surcharge, and each expense shall be supported by a receipt or other appropriate documentation.
8.3Each invoice for payment shall clearly state the following
·Name of the requisitioner in the subject line (not in the address) and Purchase Order (PO#) number
·Logo/vendor name and address
·Correct address
·Invoice number
·Invoice date
·Delivery date
·VAT %
·Total invoice
·Payment terms: 60 days or as defined with the vendor post arrival at Sandoz
·Supplier’s VAT number

Bank account information (incl. IBAN/SWIFT)

8.4If payments are to be made on a time and materials basis and Service Provider/Institution anticipates that the amounts to be billed may exceed the amounts set forth in the relevant Purchase Order or Work Order by ten percent (10%), then Service Provider/Institution
shall immediately notify Sandoz of this in writing and submit to Sandoz a revised proposal for consideration. If the payment set forth in the relevant Purchase Order or Work Order is a fixed sum, the amount billed shall not exceed such sum.

8.5All costs and rates set forth in the Work Order shall remain firm for the duration of the Services, unless otherwise agreed to in writing by Service Provider/Institution and Sandoz.
8.6Service Provider/Institution shall not perform any Services or incur any expenses prior to the execution of a Work Order or Purchase Order or that exceed the scope of the Purchase Order or Work Order without the prior written consent of Sandoz. Sandoz shall have no obligation to pay for Services performed or expenses incurred by Service Provider/Institution before a Work Order or Purchase Order is executed or for Services or expenses that exceed those set forth in the Purchase Order or Work Order.
8.7Supplier shall submit invoices aligned with the Sandoz Purchase Order structure. Within 30 days upon Sandoz request (e.g. per E-mail), Supplier shall establish an electronic supplier account through Sandoz designated third party cloud network solution through which Supplier will receive Purchase Orders, submit invoices and any other relevant documents. It is agreed between the Parties that Sandoz is not obliged to pay any invoice unless the Supplier has submitted the invoice electronically through the network.
9.Taxes and Social Security Contributions

It shall be the Service Provider/Institution’s responsibility to comply with any obligations and requests in respect of taxes and social security contributions, if applicable, which relate to fees received under this Agreement.

10.Publications and Publicity
10.1The Service Provider/Institution shall not publish the results of any Services, or any information relating to any Services, without Sandoz’s prior written approval.
10.2Neither Party shall issue any press release or other form of publicity concerning this Agreement without the prior written consent of the other Party.
10.3Furthermore, neither Party will use, or authorise others to use, the name, symbols, or marks of the other Party in any advertising or publicity material or make any form of representation or statement which would constitute an express or implied endorsement by the other Party of any commercial product or service without that other Party’s prior written approval.
11.Review/Discussion/Visits
11.1The Service Provider/Institution shall promptly respond to any request by Sandoz from time to time during the performance of Services that the Service Provider/Institution and its employers and collaborators review and discuss with representatives of Sandoz the progress of any Services and related matters.
11.2If the Service Provider/Institution encounters any unanticipated problem or abnormal result during the conduct of the Services, the Service Provider/Institution shall report this to Sandoz without delay, and any further action to be taken shall be decided in consultation with Sandoz.
11.3On reasonable prior notice, representatives of Sandoz may visit the facilities where the Services are being performed.
12.Retention of Material relating to Services

The Service Provider/Institution shall retain all relevant material (including raw data and notes) related to the Services performed under a particular Work Order, including experiment records and specimens, for 10 (ten) years following completion of the Services. At the end of that period, the Service Provider/Institution shall request further instructions from Sandoz. The Service Provider/Institution shall not destroy any relevant material related to any Services without prior written approval from Sandoz. Payment for storage and retention beyond the 10 (ten) year period shall be negotiated by the Parties in good faith.

13.Purchase Order or Work Order

Any Purchase Order or Work Order under this Agreement shall form a separate and distinct Agreement between the Parties to the Purchase Order or Work Order. In case of any inconsistency between the terms of this Agreement and any Purchase Order or Work Order, this Agreement shall prevail unless the Purchase Order or Work Order expressly specifies that it shall prevail over this Agreement. Where an Affiliate has executed a Purchase Order or Work Order, references to “Sandoz” shall be read as references to the relevant Affiliate. Sandoz shall not have any obligations in respect of Purchase Orders or Work Orders executed by Affiliates of Sandoz. Work Orders shall be substantially in the form of Annex 1 to this Agreement and Purchase Order and Work Orders shall specify the details of the Services to be performed, deliverables (with specifications), timelines, fees and the commercial conditions.

14.Assignment

This Agreement shall not be assigned to any third party without the prior written consent of the other Party, except that Sandoz shall be entitled to assign this Agreement to any of its Affiliates, or to any third party in connection with the sale or merger of all or a substantial portion of its business, without the Service Provider/Institution’s consent.

15.Subcontracting
15.1The Service Provider/Institution shall not subcontract all or part of any Services without the prior written approval of Sandoz. Any such approval shall not relieve the Service Provider/Institution of its obligations under this Agreement.
15.2Prior to engaging any subcontractor, Service Provider/Institution shall inform such subcontractor of all relevant obligations and restrictions relevant to the performance of
the Services, and enter into written contracts binding each subcontractor to terms no less strict than those in this Agreement, and shall, upon Sandoz’ request, provide written verification of the technical expertise and qualifications of all subcontractors. Service Provider/Institution shall be responsible for the selection, retention and compensation of such authorized subcontractors engaged to perform any Services under this Agreement. All such subcontractors shall be retained directly by Service Provider/Institution and no contractual relationship or financial obligation shall be created between Sandoz and any subcontractor. Service Provider shall bear the cost of any subcontracting of Services under this Agreement.

If a Work Order is executed, Subcontractors used in the performance of the Services described herein are detailed in Schedule C to Annex i.

16.Indemnification and Liability
16.1The Service Provider/Institution shall indemnify and hold harmless Sandoz, its Affiliates and their respective officers, directors, representatives, employees and agents, against all claims, actions, litigations, damages and liabilities (collectively, “Claims”) against any of the foregoing, to the extent arising from the negligence, omission, wrongful conduct or wilful misconduct by the Service Provider/Institution, its collaborators or its subcontractors, in connection with or relating to this Agreement or a Work Order, or breach of one of the foregoing, and the Service Provider/Institution agrees to bear all costs and expenses, including reasonable attorney’s fees, incurred by or on behalf of Sandoz or any other indemnified person in connection with the defence or settlement of such Claims. Sandoz shall promptly notify the Service Provider/Institution of any such Claim in writing.
16.2Service Provider’s/Institution’s liability shall be governed by the German statutory provisions.
16.3Sandoz’ and its Affiliate’s liability shall be unlimited (i) in respect of losses caused by acting intentionally or with gross negligence, (ii) in respect of breaching essential contractual obligations, namely those obligations which must be complied with in order to make it possible for the contract to be properly performed at all and which the Service Provider normally relies on being fulfilled and may so rely (cardinal obligations), (iii) in respect of defects which have been fraudulently concealed, (iv) in respect of losses arising from death, bodily injury, or harm to health, (v) in respect of claims under the Law on Product Liability (Produkthaftungsgesetz), and (vi) in the event that Sandoz expressly assumes a guarantee as to quality. Any more extensive liability on the part of Sandoz is excluded.
17.Notices
17.1Except as otherwise expressly provided, all notices issued in connection with this Agreement (“Notice”) shall be in writing and sent by registered mail, courier service, or facsimile (provided that such facsimile shall be confirmed by letter, sent by registered mail or courier service) to the other Party.
17.2The Notice shall be deemed to have been properly served if addressed to:

Sandoz International GmbH
Industriestrasse 25
D-83607 Holzkirchen
Sandoz International
Attn: Head Legal Global Commercial Operations and D&R

and, if the Notice concerns a Work Order, to the person specified in the relevant Work Order.

or

Ares Genetics GmbH
Karl-Farkas Gasse 18
1030 Wien
Austria
Attention: Dr. Andreas Posch, Managing Director

or such other address or addresses of which such Party shall have given written notice not less than 7 (seven) days before the Notice is dispatched.

17.3Any such Notice shall be deemed to be given as follows:
(a)If in writing: when delivered by post or courier service;
(b)If by facsimile: when received, provided it is followed by a letter by mail or courier service within 5 (five) working days.
17.4A Notice given in accordance with the above but received on a non-working day or after business hours in the place it is received will only be deemed to be given on the next working day in the place of receipt.
18.Entire Agreement, Amendments
18.1This Agreement, including any Work Orders issued hereunder, represents the entire understanding between the Parties with regard to the Services.
18.2No amendment to this Agreement or any Work Order will be effective or binding unless it is in writing signed by both Parties.
18.3Neither this Agreement nor any Work Order shall be modified except by a written agreement signed by both Parties specifying that it is a modification to this Agreement or the Work Order, respectively.
18.4The failure of a Party to insist upon strict adherence to any term of this Agreement or a Work Order on any occasion shall not be considered an amendment or deprive that Party of the right to insist upon strict adherence to that term or any other term of this Agreement, the Work Order or any other Work Order.

19.Debarment

The Service Provider/Institution hereby represents and warrants that neither the Service Provider/Institution nor any employee, collaborator or sub-contractor involved in performing the Services has been debarred under Section 306(a) or (b) of the U.S. Federal Food, Drug and Cosmetic Act, if applicable. If at any time after execution of this Agreement the Service Provider/Institution becomes aware that it or any employee, collaborator or sub-contractor involved in the Services is in the process of being debarred, the Service Provider/Institution shall notify Sandoz without delay.

20.Independent Contractor

The Service Provider/Institution shall perform the Services as an independent contractor and, as such, neither the Service Provider/Institution nor its employees shall be entitled to any benefits applicable to employees of Sandoz. Neither Party is authorised or empowered to act as agent for the other for any purpose and shall not on behalf of the other enter into any contract, warranty or representation as to any matter. Neither Party shall be bound by the acts or conduct of the other.

21.Severability

If any term or provision of this Agreement is held to be invalid or unenforceable, in whole or in part, under any applicable enactment or rule of law, such illegality or unenforceability shall not affect the remainder of this Agreement, and the parties shall in good faith attempt to substitute a valid and enforceable provision which achieves to the nearest extent possible the same effect as would have been achieved by the invalid or unenforceable provision.

22.Waiver

Any delay or omission on the part of either Party in the exercise of its rights hereunder will not impair those rights nor will it constitute a renunciation or waiver of those rights. Any waiver by either party of any term or condition of this Agreement in any one instance shall not be deemed or construed to be a waiver of such term or condition for any other instance in the future (whether similar or dissimilar) or of any subsequent breach hereof.

23.Conflict of Interest

The Service Provider/Institution confirms that neither it nor its collaborators have any obligations to any third party, and that no third party has any rights, that might be in conflict with the obligations under this Agreement, and that neither the Service Provider/Institution nor its collaborators will enter into any such agreements during the term hereof without the prior written consent of Sandoz.

24.Jurisdiction

This Agreement is construed in accordance with, and governed by, the substantive laws of Germany, without regard to the conflicts of law provisions thereof. Any disputes under or in connection with this Agreement that cannot be settled amicably shall exclusively be submitted to the competent courts of Munich, Germany, without restricting any rights of appeal.

25.Data Protection and Security
25.1In the event that the Parties determine that personal data is required for the performance of Services, the following regulations apply:

In the course of carrying out this Agreement and/or Purchase Order(s)/Work Order(s), the Parties shall comply with the applicable data protection laws and regulations at any given time and shall ensure that persons deployed by them comply with them. In particular, the Service Provider/Institution shall maintain adequate technical and organizational measures (Article 32 of the GDPR) to ensure a level of security of personal data appropriate to the risk.

The Service Provider/Institution shall design its internal organizational structures in such a way that they comply with the applicable data protection laws and regulations and meet the special data protection requirements, and that Sandoz’ personal data is protected from misuse and loss. The Service Provider/Institution shall require any natural person acting under his authority who has access to personal data to maintain integrity and confidentiality as per Article 5 (1)(f) GDPR.

If, in the course of performing its obligations under this Agreement and/or Work Order(s), the Service Provider/Institution comes into contact with Sandoz’ personal data (in particular relating to employees or contractual partners) in accordance with the regulations, then to the extent that this is necessary according to the applicable data protection law, the Service Provider/Institution shall conclude an agreement on data processing with Sandoz (Article 28 of the GDPR) based on the Template Processing in accordance with Article 28 General Data Protection Regulation (GDPR) in Annex 3 attached to this Agreement.

In the course of the execution of this Agreement and/or Work Order(s), personal data of the Service Provider/Institution may be transferred to Sandoz, Sandoz’ affiliates or Sandoz’ service providers. In particular, Sandoz processes personal data contained in this Agreement and/or Work Order(s) for contractual execution and documentation purposes. Personal data may thereby be accessed by Sandoz’ affiliates in Switzerland and/or by IT-service providers providing hosting and support services to Sandoz. Where necessary, Sandoz ensures an appropriate level of data protection through appropriate contracts. Individuals whose personal data are processed, may claim their data subject rights as per Chapter 3 of the GDPR towards Sandoz.

Service Provider/Institution shall not use or disclose any health, medical, employee or other Personal Data, either in written or electronic form, that Service Provider/Institution creates, receives, maintains, or transmits as a result of performing the Services, other than as expressly permitted or required by this Agreement.

25.2At any time during the processing of Personal Data, Service Provider/Institution shall notify Sandoz immediately (but no later than (3) days from the date) of any data security breach involving Sandoz data. Service Provider/Institution agrees to assist and cooperate with Sandoz concerning any disclosures to affected parties, government or regulatory agencies and with any other remedial measures requested by Sandoz or required under any law. Data Security Breach shall mean:
(a)the loss or misuse (by any means) of Personal Data;
(b)the inadvertent, unauthorised and/or unlawful processing, access, disclosure, alteration, corruption, transfer, sale or rental, destruction or use of Personal Data; or
(c)any other act or omission that compromises the security, confidentiality, and/or integrity of Personal Data.
25.3Service Provider/Institution shall take reasonable steps to ensure that each individual whose personal data were, or are, in its possession is able to assert his or her rights of access to view and correct his or her Personal Data. Service Provider/Institution shall notify Sandoz promptly, but no later than five (5) days from its receipt of any communication received from an individual whose Personal Data were, or are, in its possession relating to said individual’s rights of access or to correct his or her Personal Data and shall comply with all instructions of Sandoz in responding to such communications.

IN WITNESS WHEREOF, the Parties intending to be bound have caused this Agreement to be executed by their duly authorised representatives as of the date of last signature below.

SANDOZ INTERNATIONAL GMBH

By: /s/ NG Warwick
Name: NG Warwick
Title: Chief Medical Officer
Date: 17 December 2018

By: /s/ Kristina Albert
Name: Kristina Albert
Title: Head HR Global Product Development Functions
Date: 17 December 2018

ARES GENETICS GMBH

By: /s/ Andreas Posch
Name: Dr. Andreas Posch
Title: Managing Director & CEO
Date: 14 December 2018

By: /s/ Achim Plum
Name: Dr. Achim Plum
Title: Managing Director
Date: 14 December 2018

 

Annex 1
(SAMPLE)

WORK ORDER AGREEMENT

between

[       ]

(the “Service Provider/Institution”)

and

Sandoz International GmbH
Industriestraße 18
83607 Holzkirchen, Germany
(“Sandoz”)

This work order (“Work Order”) shall be effective as of the Effective Date below. It is subject to the terms of the Services Frame Agreement (“Agreement”) between Sandoz and Service Provider/Institution dated [ ].

1.CONTRACT RESEARCH-RELATED INFORMATION
Effective Date:  
Test Compound and Study No.:  
Expected Services Completion Date  
Total Contract Value  
Services Frame Agreement expiry date
 

 

2.RESPONSIBILITIES OF SERVICE PROVIDER/INSTITUTION

Sandoz and the Service Provider/Institution agree that the Service Provider/Institution, either exclusively or jointly with Sandoz or its Affiliates or its authorised agent(s), shall have the responsibilities and shall perform the tasks as specified in the Study Specifications attached hereto as Schedule B and incorporated herein by reference and other documents which are attached hereto or incorporated by reference.

Subcontracting by the Service Provider/Institution in the performance of the Services and the performance of the Services by the subcontractors shall be bound by the terms and conditions of the Agreement. Subcontractors used in the performance of the Services described herein are detailed in Schedule C.

3.NOTICE

Any notice required or permitted hereunder shall be in writing and shall be deemed given as of the date if it is (A) delivered by hand or (B) sent by registered or certified mail, postage prepaid, return receipt requested, and addressed to the party to receive such notice at the address set forth below, or such other address as is subsequently specified in writing, as well as any persons so designated under the Agreement itself:

If to Sandoz:

Invoicing and Payment Matters: Billing address:
Salutas Pharma GmbH
Zentrale
Kreditorenbuchhaltung
Otto-von-Guericke-Allee 1
39179 Barleben
Germany
 
Administrative / Contractual Matters:

Novartis Business Services
City Green Court
Hvezdova 1734/2c
140 00, Praha 4
Czech Republic
FAO Nina Sedlakova

[***]

 
Technical Matters: Industriestr. 25
D-83607 Holzkirchen
Germany
 

 

If to Service Provider/Institution:

Technical Matters:    
Contract / Payment Matters:    

 

4.MODIFICATIONS AND ADDITIONAL TERMS FOR THIS CONTRACT SERVICES:

[CAUTION: The provisions of this section supersede any conflicting provisions of the Services Frame Agreement.]

5.LIST OF ATTACHMENTS:

·Budget and Payment Schedule (Schedule A)
·Study Specification Worksheet (Schedule B)
·Subcontractors (Schedule C)
·Service Provider/Institution Proposal and Budget (Schedule D)
·Technical Protocol (Schedule F) [INCLUDE FOR REF LABS]
·Quality and Compliance Questionnaire (Schedule G) [INCLUDE FOR REF LABS]
·Press release (according to Art.17 EU Market Abuse Regulation) (Schedule H)

6.COST AND PAYMENT

Payment shall be made to the Service Provider/Institution according to Schedule A appended hereto and incorporated herein by reference. All costs outlined on Schedule A shall remain firm for the duration of the Services, unless otherwise agreed to in writing by the Service Provider/Institution and Sandoz.

In Witness Whereof, the parties hereto have executed this Work Order in duplicate by proper persons thereunto duly authorised

 

SANDOZ INTERNATIONAL, GMBH   (SERVICE PROVIDER/ INSTITUTION)

By:

Name:

Title:

Date:

 

By:

Name:

Title:

Date:

     

By:

Name:

Title:

Date:

 

By:

Name:

Title:

Date:

 

Schedule A

BUDGET AND PAYMENT SCHEDULE

INSERT/ATTACH BUDGET GRID

INSERT/ATTACH PAYMENT SCHEDULE

MINIMUM SPLIT OF REQUIRED INFORMATION TO BE INCLUDED IN BUDGET GRID:

·Service Provider/Institution Fees and Direct Costs
·Pass-Through Costs and Expenses
·Total Contract Value

 

 

Schedule B

STUDY SPECIFICATIONS

 

 

Schedule C

Subcontractors

Subcontractors to Service Provider/Institution in the performance of the Services described herein.

[Please indicate if applicable - Yes/No. If Yes, complete table in full. If No, please enter N/A across first row of table]

Services performed by Subcontractor | Subcontractor Registered Name | Subcontractor Registered Address | Location of Services Performed by Subcontractor
       
       
       
       
       

 

Any change to the above information is considered a change in scope. Service Provider/Institution will prepare a contract amendment to update the information accordingly.

Schedule D

Service Provider/Institution Proposal and Budget

 

 

Schedule F

Technical Protocol

 

 

Schedule G

Quality and Compliance Questionnaire

 

 

Annex 2
NOVARTIS SUPPLIER CODE

https://www.novartis.com/sites/www.novartis.com/files/novartis-supplier-code-en-2017.pdf

 

 

Annex 3:

Processing in accordance with Article 28 General Data Protection
Regulation (GDPR)

[as of: May 2017]

Agreement

between

 

 

-the Controller — hereinafter referred to as the Client -

 

and

 

 

-the Processor - hereinafter referred to as the Supplier

 

[When applicable: Authorised Representative in accordance with Article 27 GDPR: 

 

 

Please Note

The specific provisions according to Article 28 Paragraph 3 GDPR should be incorporated into the Agreement in their entirety and be used as a Checklist. The alternatives applicable for the specific service relationship should be ticked. Empty fields are to be filled in as applicable to the specific requirements of each individual Order or Contract. Systems of payment and liability conditions concerning the specific services of the Supplier should be agreed in the main contract.

1.Subject matter and duration of the Order or Contract

(1) Subject matter

The Subject matter of the Order or Contract results from the Service Agreement/SLA/ .……… dated ………., which is referred to here (hereinafter referred to as Service Agreement).

or

 

The Subject matter of the Order or Contract regarding the processing of data is the execution of the following services or tasks by the Supplier……………………………………………..
(Definition of the services or tasks)

(2) Duration

The duration of this Order or Contract corresponds to the duration of the Service Agreement. or (specifically, if no Service Agreement regarding the Duration exists)
The Order or Contract will be authorised for one time execution only.

or

The Duration of this Contract is limited to

or

The Contract is authorised for an unlimited period and can be cancelled by either party with a notice period of ....... (time period) to ........ (deadline) . This does not prejudice the right to termination of the contract without notice.
2.Specification of the Order or Contract Details

(1) Nature and Purpose of the intended Processing of Data

Nature and Purpose of Processing of personal data by the Supplier for the Client are precisely defined in the Service Agreement dated……………

or

Detailed description of the Subject Matter with regard to the Nature and Purpose of the services provided by the Supplier: ……………..

The undertaking of the contractually agreed Processing of Data shall be carried out exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Each and every Transfer of Data to a State which is not a Member State of either the EU or the EEA requires the prior agreement of the Client and shall only occur if the specific Conditions of Article 44 et seq. GDPR have been fulfilled. The adequate level of protection in ............. (e.g. country, territory or specific sectors within a country)

has been decided by the European Commission (Article 45 Paragraph 3 GDPR);

is the result of binding corporate rules (Article 46 Paragraph 2 Point b in conjunction with Article 47 GDPR);

is the result of Standard Data Protection Clauses (Article 46 Paragraph 2 Points c and d GDPR);

 

is the result of approved Codes of Conduct (Article 46 Paragraph 2 Point e in conjunction with Article 40 GDPR);
is the result of an approved Certification Mechanism (Article 46 Paragraph 2 Point f in conjunction with Article 42 GDPR);

is established by other means……...(Article 46 Paragraph 2 Point a, Paragraph 3 Points a and b GDPR)

(2) Type of Data

The type of personal data used is precisely defined in the Service Agreement under

or

The Subject Matter of the processing of personal data comprises the following data types/categories (List/Description of the Data Categories)

□ Personal Master Data (Key Personal Data)

□ Contact Data

□ Key Contract Data (Contractual/Legal Relationships, Contractual or Product Interest)

□ Customer History

□ Contract Billing and Payments Data

□ Disclosed Information (from third parties, e.g. Credit Reference Agencies or from Public Directories...)

□ Other:... (Please specify)

(3) Categories of Data Subjects

The Categories of Data Subjects are precisely defined in the Service Agreement under ………

or

The Categories of Data Subjects comprise:

Customers

Potential Customers

Subscribers

Employees

Suppliers

Authorised Agents

 

 

Contact Persons

Other (Please specify)

 

 

3.Technical and Organisational Measures

(1) Before the commencement of processing, the Supplier shall document the execution of the necessary Technical and Organisational Measures, set out in advance of the awarding of the Order or Contract, specifically with regard to the detailed execution of the contract, and shall present these documented measures to the Client for inspection. Upon acceptance by the Client, the documented measures become the foundation of the contract. Insofar as the inspection/audit by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.

(2) The Supplier shall establish the security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account. [Details in Appendix 1]

(3) The Technical and Organisational Measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.

4.Rectification, restriction and erasure of data

(1) The Supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client. Insofar as a Data Subject contacts the Supplier directly concerning a rectification, erasure, or restriction of processing, the Supplier will immediately forward the Data Subject’s request to the Client.

(2) Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Supplier in accordance with documented instructions from the Client without undue delay.

5.Quality assurance and other duties of the Supplier

In addition to complying with the rules set out in this Order or Contract, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:

a)□ Appointed Data Protection Officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR.

 

 

The Client shall be informed of his/her contact details for the purpose of direct contact. The Client shall be informed immediately of any change of Data Protection Officer.

The Supplier has appointed Mr/Ms [enter: given name, surname, organisational unit, telephone, e-mail] as Data Protection Officer. The Client shall be informed immediately of any change of Data Protection Officer.

His/Her current contact details are always available and easily accessible on the website of the Supplier.

b)□The Supplier is not obliged to appoint a Data Protection Officer. Mr/Ms [enter: given name, surname, organisational unit, telephone, e-mail] is designated as the Contact Person on behalf of the Supplier.
c)□As the Supplier is established outside the EU & EEA it designates the following Representative within the Union pursuant to Article 27 Paragraph 1 GDPR: Mr/Ms [enter: given name, surname, organisational unit, telephone, e-mail].
d)Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32, Paragraph 4 GDPR. The Supplier entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Supplier and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Client, which includes the powers granted in this contract, unless required to do so by law.
e)Implementation of and compliance with all Technical and Organisational Measures necessary for this Order or Contract in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR [details in Appendix 1]
f)The Client and the Supplier shall cooperate, on request, with the supervisory authority in performance of its tasks.
g)The Client shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Order or Contract. This also applies insofar as the Supplier is under investigation or is party to an investigation by a competent authority in connection with infringements to any Civil or Criminal Law, or Administrative Rule or Regulation regarding the processing of personal data in connection with the processing of this Order or Contract.
h)Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the Order or Contract data processing by the Supplier, the Supplier shall make every effort to support the Client.
i)The Supplier shall periodically monitor the internal processes and the Technical and Organizational Measures to ensure that processing within his area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.
j)Verifiability of the Technical and Organisational Measures conducted by the Client as part of the Client’s supervisory powers referred to in item 7 of this contract.

 

 

6.Subcontracting

(1) Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client’s data, even in the case of outsourced ancillary services.

(2) The Supplier may commission subcontractors (additional contract processors) only after prior explicit written or documented consent from the Client.

a) □ Subcontracting is not permitted.

b) □ The Client agrees to the commissioning of the following subcontractors on the condition of a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR:

 

Company subcontractor Address/country Service
     
     

c) □ Outsourcing to subcontractors or

       Changing the existing subcontractor

are permissible when:

-The Supplier submits such an outsourcing to a subcontractor to the Client in writing or in text form with appropriate advance notice; and
-The Client has not objected to the planned outsourcing in writing or in text form by the date of handing over the data to the Supplier; and
-The subcontracting is based on a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR.

(3) The transfer of personal data from the Client to the subcontractor and the subcontractor’s commencement of the data processing shall only be undertaken after compliance with all requirements has been achieved.

(4) If the subcontractor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with EU Data Protection Regulations by appropriate measures. The same applies if service providers are to be used within the meaning of Paragraph 1 Sentence 2.

 

(5) Further outsourcing by the subcontractor

Is not permitted;

Requires the express consent of the main Client (at the minimum in text form);

Requires the express consent of the Supplier (at the minimum in text form);

All contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor.

7.Supervisory powers of the Client

(1) The Client has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to convince itself of the compliance with this agreement by the Supplier in his business operations by means of random checks, which are ordinarily to be announced in good time.

(2) The Supplier shall ensure that the Client is able to verify compliance with the obligations of the Supplier in accordance with Article 28 GDPR. The Supplier undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the Technical and Organizational Measures.

(3) Evidence of such measures, which concern not only the specific Order or Contract, may be provided by

Compliance with approved Codes of Conduct pursuant to Article 40 GDPR;
Certification according to an approved certification procedure in accordance with Article 42 GDPR;
Current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, Data Protection Officer, IT security department, data privacy auditor, quality auditor)
A suitable certification by IT security or data protection auditing (e.g. according to BSI-Grundschutz (IT Baseline Protection certification developed by the German Federal Office for Security in Information Technology (BSI)) or ISO/IEC 27001).

(4) The Supplier may claim remuneration for enabling Client inspections.

8.Communication in the case of infringements by the Supplier

(1) The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:

a)Ensuring an appropriate level of protection through Technical and Organizational Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.

b)       The obligation to report a personal data breach immediately to the Client

c)The duty to assist the Client with regard to the Client’s obligation to provide information to the Data Subject concerned and to immediately provide the Client with all relevant information in this regard.

d)       Supporting the Client with its data protection impact assessment

e)       Supporting the Client with regard to prior consultation of the supervisory authority

(2) The Supplier may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Supplier.

9.Authority of the Client to issue instructions

(1) The Client shall immediately confirm oral instructions (at the minimum in text form).

(2) The Supplier shall inform the Client immediately if he considers that an instruction violates Data Protection Regulations. The Supplier shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or changes them.

10.Deletion and return of personal data

(1) Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.

(2) After conclusion of the contracted work, or earlier upon request by the Client, at the latest upon termination of the Service Agreement, the Supplier shall hand over to the Client or - subject to prior consent - destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.

(3) Documentation which is used to demonstrate orderly data processing in accordance with the Order or Contract shall be stored beyond the contract duration by the Supplier in accordance with the respective retention periods. It may hand such documentation over to the Client at the end of the contract duration to relieve the Supplier of this contractual obligation.

Place, Date Place, Date
   

Client

(Name, Position)

(Signature)

Supplier

(Name, Position)

(Signature)

 


Client

(Name, Position)

(Signature)

Supplier

(Name, Position)

(Signature)

 

Appendix - Technical and Organisational Measures

1.Confidentiality (Article 32 Paragraph 1 Point b GDPR)
·Physical Access Control
No unauthorised access to Data Processing Facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV Systems
·Electronic Access Control
No unauthorised use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media
·Internal Access Control (permissions for user rights of access to and amendment of data)
No unauthorised Reading, Copying, Changes or Deletions of Data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events
·Isolation Control
The isolated Processing of Data, which is collected for differing purposes, e.g. multiple Client support, sandboxing;
·Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)
The processing of personal data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.
2.Integrity (Article 32 Paragraph 1 Point b GDPR)
·Data Transfer Control
No unauthorised Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature;
·Data Entry Control
Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management
3.Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)
·Availability Control
Prevention of accidental or wilful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning

·Rapid Recovery (Article 32 Paragraph 1 Point c GDPR);
4.Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)
·Data Protection Management;
·Incident Response Management;
·Data Protection by Design and Default (Article 25 Paragraph 2 GDPR);
·Order or Contract Control
No third party data processing as per Article 28 GDPR without corresponding instructions from the Client, e.g.: clear and unambiguous contractual arrangements, formalised Order Management, strict controls on the selection of the Service Provider, duty of pre-evaluation, supervisory follow-up checks.

 


Schedule H

Press Release

 

 


Annex 4:

Background-IP of Service Provider/Institution

Tbd., after signing of contract, but before start of project.

 
