Platform Software Licence

LumiraDx UK Ltd

LumiraDx Platform Software License

Applicable from January 2020

This licence agreement (together with LumiraDx UK Ltd’s privacy policy) (“Licence”) is a legal agreement between the Organization (as defined below) and LumiraDx UK Ltd a company registered in England and Wales with company number 09206123 whose registered office is at 3 More London Riverside, London, SE1 2AQ (“LumiraDx, we or us”) and governs the Organization’s use of:

  • the Instrument Software (as defined below);
  • Connect Manager, once the Organization has downloaded a copy of Connect Manager onto its Mobile Device or accessed Connect Manager (all as defined below) through a website browser;
  • the Services (as defined below); and
  • the Documentation (as defined below).

LumiraDx licences Connect Manager to the Organization on the basis of this Licence and subject to any rules or policies applied by any appstore provider or operator from whose site the Organization downloads Connect Manager (“Appstore rules”).

IMPORTANT NOTICE:

By using the Instrument Software and/or Connect Manager or ticking the “Accept” box, the Organization, and its Users, confirms that it agrees to the terms this Licence. The Organization shall be responsible for ensuring that its Users comply with the terms of this Licence. This Licence includes, in particular, limitations on liability in clause 11.

1.    INTERPRETATION

1.1    The definitions and rules of interpretation in this clause apply in the background and in this Licence:

Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.

Confidential Information: any information which has been designated as confidential by either party in writing or that ought to be considered as confidential (however it is conveyed or on whatever media it is stored) including information which would or would be likely to prejudice the commercial interests of any person, trade secrets, Intellectual Property Rights, know-how of either party and all Personal Data and sensitive data within the meaning of the Data Protection Legislation.

Connect Manager: the online software component known as Connect Manager (and any updates or supplements to it) which is owned and licensed by LumiraDx and may be used in connection with the Diagnostic Instrument when operating in a Managed Mode.

Data Protection Legislation: the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and any national implementing laws, regulations and secondary legislation, the Data Protection Act 2018, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner.

Data Controller: has the meaning given to it in the GDPR.

Data Processor: has the meaning given to it in the GDPR.
Diagnostic Instrument: the diagnostic instrument supplied by LumiraDx to the Organization.

Documentation: physical and electronic documentation provided by LumiraDx which relates to the LumiraDx Platform Software.

FOIA: the Freedom of Information Act 2000 and any subordinate legislation made under that Act from time to time together with any guidance and/or codes of practice issued by the Information Commissioner or relevant government department in relation to such legislation.

Instrument Software: any software component installed on the Diagnostic Instrument (and any updates or supplements to it) which is owned and licensed by LumiraDx.

Intellectual Property Rights: patents, utility models, rights to inventions, copyright and neighbouring and related rights, trade marks and service marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets), and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.

Open-Source Software: open-source software as defined by the Open Source Initiative (http://opensource.org) or the Free Software Foundation (http://www.fsf.org).

Organization: the legal entity who requests a licence to use the LumiraDx Platform Software from LumiraDx, who is acting as Data Controller.

LumiraDx Group: means LumiraDx, any subsidiary or any holding company from time to time of LumiraDx, and any subsidiary from time to time of a holding company of that company. Each company in the LumiraDx Group is a member of the LumiraDx Group and the term “LumiraDx Group Company” shall be construed accordingly.

LumiraDx Platform Software: the Instrument Software and Connect Manager.

Managed Mode: the use of the Diagnostic Instrument and the Instrument Software with Connect Manager which allows the Organization to transfer Patient Data to Connect Manager.

Mobile Device: the Organization’s mobile telephone or handheld device.

Normal Business Hours: 9.00 am to 5.00 pm local UK time, each Business Day.

Patient(s): an individual or individuals accessing care/medical services from a relevant Organization.

Patient Data: the clinical information (including, but not limited to, Personal Data) collected by the Organization in the course of treating Patients which is inputted by its Users onto the LumiraDx Platform Software.

Personal Data: has the meaning given to it in the GDPR.

Requests for Information: means a request for information or an apparent request under the FOIA.

Services: any services accessible through Connect Manager and the content LumiraDx provides to the Organization through it.

Users: anyone authorised by the Organization to use the LumiraDx Platform Software which includes its employees, agents and independent contractors (namely clinicians).

1.2    Clause, Schedule and paragraph headings shall not affect the interpretation of this Licence.

1.3    The Schedules form part of this Licence and shall have effect as if set out in full in the body of this Licence. Any reference to this Licence includes the Schedules.

1.4    Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

2.    INSTALLATION

LumiraDx shall ensure that one copy of the Instrument Software is pre-installed on each Diagnostic Instrument.

3.    GRANT OF LICENSE

3.1    In consideration of the Organization agreeing to abide by the terms of this Licence, LumiraDx hereby grants to the Organization, and the Users, a non-exclusive, non-transferable right to use the LumiraDx Platform Software, the Services and the Documentation within their Organization in the territory where authorized to use the Diagnostics Instrument for the treatment of Patients, for the period during which the Organization uses the Diagnostic Instrument, unless terminated in accordance with this Licence.

3.2    LumiraDx has the right to disable any password, whether chosen by the Organization or allocated by LumiraDx, at any time, if in its reasonable opinion the Organization, or the Users, have failed to comply with any of the terms of this Licence.

3.3    The Organization may be provided with updates of the LumiraDx Platform Software which includes the incorporation of “patches” and corrections of errors from time to time.

3.4    The Organization shall only:

(a)    allow Users to use the LumiraDx Platform Software, the Services and the Documentation if over 18 years of age;

(b)    use the LumiraDx Platform Software and the Services in connection with a Diagnostic Instrument supplied by LumiraDx; and

(c)    use the Documentation to support its use of the LumiraDx Platform Software and the Services as provided in clauses 3.5(a) and 3.5(b).

3.5    The Organization shall not, except as expressly set out in this Licence or as permitted by law:

(a)    copy the LumiraDx Platform Software, the Services or the Documentation;

(b)    make available or grant access to the LumiraDx Platform Software, the Services or the Documentation to anyone outside of the Organization;

(c)    rent, lease, sub-license, distribute, loan, translate, merge, adapt, vary or modify the LumiraDx Platform Software, the Services or the Documentation;

(d)    make alterations to, or modifications of, the whole or any part of the LumiraDx Platform Software, the Services or the Documentation;

(e)    permit the LumiraDx Platform Software, the Services or the Documentation or any part to be combined with, or become incorporated in, any other programs or documentation without obtaining the prior written consent of LumiraDx;

(f)    disassemble, decompile, reverse-engineer or create derivative works based on the whole or any part of the LumiraDx Platform Software or the Services;

(g)    access all or any part of the LumiraDx Platform Software, the Services or the Documentation in order to build a product which competes with the LumiraDx Platform Software or the Services;

(h)    provide or otherwise make available the LumiraDx Platform Software, the Services or the Documentation in whole or in part (including object and source code), in any form to any person other than provided for in clause 3 without prior written consent from LumiraDx; and

(i)    transfer or sell any Diagnostics Instrument on which the Instrument Software is installed, to any third party, without the prior written consent of LumiraDx. (together, the “Licence Restrictions”).

3.6    The Organization shall not:

(a)    use the LumiraDx Platform Software, the Services or the Documentation in any unlawful manner, for any unlawful purpose, or in any manner inconsistent with this Licence, or act fraudulently or maliciously, for example, by hacking into or inserting malicious code, including viruses, or harmful data into Connect Manager, the Services or the Documentation or any operating system;

(b)    use the LumiraDx Platform Software for any purpose other than testing performed in connection with use of the Diagnostic Instrument in a professional setting;

(c)    infringe LumiraDx’s intellectual property rights or those of any third party in relation to its use of the LumiraDx Platform Software, the Services or the Documentation (to the extent that such use is not permitted by this Licence);

(d)    transmit any material that is defamatory, offensive or otherwise objectionable in relation to its use of the LumiraDx Platform Software, the Services or the Documentation;

(e)    use the LumiraDx Platform Software, the Services or the Documentation in a way that could damage, disable, overburden, impair or compromise LumiraDx’s systems or security or interfere with other users; and

(f)    subject to clause 12.2(d), not collect or harvest any information or data from Connect Manager, the Services or the Documentation, (together, the “Acceptable Use Restrictions”).

3.7    LumiraDx shall follow its archiving procedures for Patient Data processed by Connect Manager (as set out in its back-up policy, a copy of which is available on request). In the event of any accidental or unlawful loss, damage, alteration, unauthorised disclosure or access to Patient Data, LumiraDx will notify the Organization without undue delay on becoming aware of the event. The Organization’s sole and exclusive remedy shall be for LumiraDx to use reasonable commercial endeavours to restore the Patient Data from the latest back-up. LumiraDx shall not be responsible for any loss, destruction, alteration or disclosure of Patient Data caused by any third party except for a third party processor engaged by LumiraDx for the processing of Patient Data in accordance with clause 4.6.

4.    DATA PROTECTION

4.1    Each party shall duly observe all their obligations under the Data Protection Legislation, which arise in connection with this Licence. This clause 4.1 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.

4.2    The Organization shall have sole responsibility for the Patient Data. Subject to this clause 4, LumiraDx shall have no rights in the Patient Data.

4.3    LumiraDx shall process Personal Data relating to the Organization’s employees, agents and independent contractors in accordance with its privacy policy as displayed on its website from time to time. For the purposes of this clause 4.3, LumiraDx is the Data Controller of such Personal Data.

4.4    The parties acknowledge that for the purposes of the Data Protection Legislation, the Organization is the Data Controller and LumiraDx is the Data Processor of the Patient Data and other related Personal Data provided by the Organization to LumiraDx for processing in accordance with clauses 4.5 and 4.6. Schedule 1 sets out the scope, nature and purpose of processing by LumiraDx, the duration of the processing and the types of Personal Data and categories of Data Subject (as defined in the Data Protection Legislation).

4.5    Notwithstanding the general obligation in clause 4.1, when processing Patient Data:

(a)    the Organization shall ensure that the relevant third parties, including, but not limited to Patients, have been informed of, and have given their specific consent to, such use (including the use set out at Schedule 1), processing, and transfer as required by Data Protection Legislation;

(b)    LumiraDx shall:

(i)    only process that Patient Data on the written instructions of the Organization, which are set out in Schedule 1, unless LumiraDx is required by the laws of any member of the European Union or by the laws of the European Union applicable to LumiraDx to process Patient Data (“Applicable Laws”). Where LumiraDx is relying on Applicable Laws as the basis for processing Patient Data, LumiraDx shall promptly notify the Organization of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit LumiraDx from so notifying the Organization;

(ii)    ensure that it has in place appropriate technical, contractual and organisational measures to protect against unauthorised or unlawful processing of the Patient Data and against accidental loss or destruction of, or damage to, the Patient Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;

(iii)    ensure that all personnel who have access to and/or process Patient Data are obliged to keep the Patient Data confidential;

(iv)    assist the Organization, at the Organization's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

(v)    notify the Organization without undue delay on becoming aware of a breach of Patient Data;

(vi)    ensure it does not knowingly or negligently do or omit to do anything which places the Organization in breach of the Organization’s obligations under the Data Protection Legislation;

(vii)    maintain complete and accurate written records and information of its Patient Data processing activities to demonstrate compliance with this clause 4; and

(viii)    not transfer any Patient Data outside the EEA unless appropriate safeguards have been put in place. The Organization agrees that Personal Data relating to the Organization’s employees, agents or independent contractors may be transferred outside the EEA provided that appropriate safeguards in relation to the transfer are in place and LumiraDx ensures that an adequate level of protection is provided to all Patient Data transferred.

4.6    The Organization consents to LumiraDx appointing third party data repository providers (which includes any member of the LumiraDx Group) and third party delivery providers, third party suppliers of devices (including the Diagnostic Instrument), third party services providers (who may provide telephone support services and technical support services) as a third party processor of Personal Data under this Licence. LumiraDx confirms that it has entered or (as the case may be) will enter with the third party processor into a written agreement substantially on that third party's standard terms of business. As between the Organization and LumiraDx, LumiraDx shall remain fully liable for all acts or omissions of any third party processor appointed by it pursuant to this clause 4.6.

4.7    The Organization agrees that LumiraDx may create anonymised data from the Patient Data inputted into the LumiraDx Platform Software by the Organization provided that ISB1523 Anonymisation Standards for Publishing Health Care Data are observed.

5.    CONDITIONALITY CLAUSE

5.1    If the UK leaves the European Union without a withdrawal agreement on the day of exit (or the transitional period under a withdrawal agreement expires before the European Commission has adopted an adequacy decision for the UK) then:

(a)    the parties hereby enter into the standard contractual clauses (“SCCs”) in the EU Commission's decision 2010/87/EC annexed at Schedule 2 and agree, where no other appropriate safeguard or exemption applies, that the Patient Data subject to this Licence (and to which Chapter V of GDPR) applies) will be transferred in accordance with the SCCs exclusive of any optional clauses as of that date. The parties agree to use best endeavours to complete the annexes to the SCCs promptly and in any event within 30 days for the purpose of giving full effect to the clauses. If there is any conflict between this Licence and the SCCs the terms of the SCCs shall apply.

6.    FREEDOM OF INFORMATION

6.1    LumiraDx acknowledges that the Organization may be subject to the requirements of the FOIA and shall assist and co-operate with the Organization (at the Organization’s expense) to enable the Organization to comply with these information disclosure requirements.

6.2    LumiraDx shall:

(a)    transfer any Request for Information to the Organization as soon as practicable after receipt of a Request for Information;

(b)    provide the Organization with a copy of all Information in its possession or power in the form that the Organization requires as soon as practicable (or such other longer period as the Organization may specify) of the Organization requesting that Information; and

(c)    provide all necessary assistance as reasonably requested by the Organization to enable the Organization to respond to a Request for Information within the time for compliance set out in section 10 of the FOIA.

6.3    In no event shall LumiraDx respond directly to a Request for Information.

7.    ORGANISATION'S OBLIGATIONS

7.1    The Organization shall:

(a)    obtain permission from the owners of the Mobile Devices, on which it has downloaded or used a copy of Connect Manager which are controlled, but not owned, by it;

(b)    treat passwords, or any other information provided as part of LumiraDx’s security procedures, as confidential. The Organization shall not disclose it to any third party;

(c)    ensure that all its Users of the LumiraDx Platform Software act in accordance with this Licence and only use it for the purposes set out in clause 3;

(d)    ensure that all its Users of the LumiraDx Platform Software comply with the procedures and guidelines set out in the Documentation (including the user manual) relating to the use of the LumiraDx Platform Software;

(e)    at all times co-operate with LumiraDx and provide information reasonably required by LumiraDx;

(f)    supervise and control the use of the LumiraDx Platform Software in accordance with the terms of this Licence and ensure that the LumiraDx Platform Software is only used by suitably qualified and trained healthcare professionals;

(g)    immediately notify LumiraDx of any adverse event where the LumiraDx Platform Software may have been a contributory factor. The Organization further agrees to provide written details of the event and co-operate with LumiraDx in its investigation of the event. The Organization acknowledges and agrees that the all communications relating to any adverse event shall be deemed to be Confidential Information and shall be subject to the confidentiality obligations at clause 9;

(h)    report all failures, issues or defects in the LumiraDx Platform Software to LumiraDx. The Organization acknowledges and agrees that the all communications relating to failures, issues or defects in the LumiraDx Platform Software shall be considered to be Confidential Information and shall be subject to the confidentiality obligations at clause 8; and

(i)    not permit any third party to provide technical support in respect of the LumiraDx Platform Software, the Services or the Documentation.

8.    PROPRIETARY RIGHTS

8.1    The Organization acknowledges that LumiraDx, and/or its licensors (who are third party owners of intellectual property rights used in the LumiraDx Platform Software), own all Intellectual Property Rights in the LumiraDx Platform Software, the Services and the Documentation. This Licence does not grant the Organization any rights to, or in, patents, copyrights, database rights, trade secrets, trade names, trade marks (whether registered or unregistered), or any other rights or licences in respect of the LumiraDx Platform Software, the Services or any related Documentation, other than the right to use them in accordance with this Licence.

8.2    The Organization acknowledges that it has no right to have access to the LumiraDx Platform Software in source-code form.

9.    CONFIDENTIALITY

9.1    LumiraDx acknowledges that the Patient Data is the Confidential Information of the Organization.

9.2    Subject to clause 9.3, the parties shall keep confidential the Confidential Information of the other party and shall use all reasonable endeavours to prevent their employees, agents and independent contractors from making any disclosure to any person of the Confidential Information.

9.3    Clause 9.2 shall not apply to any disclosure of information:

(a)    required by any applicable law, provided that clause 5 shall apply to any disclosures required under the FOIA;

(b)    that is reasonably required by persons engaged by a party in the performance of that party's obligations under this Licence;

(c)    where a party can demonstrate that such information is already generally available and in the public domain otherwise than as a result of a breach of clause 9.2;

(d)    which is already lawfully in the possession of the receiving party, prior to its disclosure by the disclosing party, and the disclosing party is not under any obligation of confidence in respect of that information;

(e)    by a party when the other party has given its prior written consent to disclosure.

10.    TRAINING

10.1    The Documentation includes a user manual which provides basic training information for the Organization and the Users. The Organization shall ensure that all Users have read and understood the basic training information, set out in the Documentation, before using the LumiraDx Platform Software.

10.2    The Organization agrees to undertake, and shall procure that all Users undertake, any additional training requirements set out in the LumiraDx Platform Software from time to time.

11.    LIMITATION OF LIABILITY

11.1    The Organization agrees that it assumes sole responsibility for results obtained from the use of the LumiraDx Platform Software and the Services and for conclusions drawn from such use. LumiraDx shall have no liability for any damage caused by errors or omissions in any information provided by the Organization, or any actions taken by LumiraDx at the Organization's direction. The Organization acknowledges that the LumiraDx Platform Software was not designed to the Organization’s individual requirements and that it is therefore the Organization’s responsibility to ensure that the facilities and functions of the LumiraDx Platform Software as described in the Documents meet its requirements.

11.2    The LumiraDx Platform Software and the Services are intended only as a diagnostic aid and are not a substitute for the expertise and judgement of physicians, pharmacists or other healthcare professionals. All information is provided on the basis that the healthcare practitioners responsible for patient care will retain full and sole responsibility for deciding any treatment to prescribe or dispense for all patients and in particular whether the use of information provided by the LumiraDx Platform Software is safe, appropriate or effective for any particular patient or in any particular circumstances.

11.3    LumiraDx shall not be liable:

(a)    whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of income, loss of profits or contracts, loss of business, business interruption, loss of money or anticipated savings, loss of or depletion of opportunity, goodwill, reputation and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Licence; or

(b)    for any loss arising as a result of the Organization exporting information or data (including Patient Data) from the display functions in Connect Manager.

11.4    Other than the losses set out in clause 11.3 (for which LumiraDx is not liable), LumiraDx's total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this Licence shall be limited to the total fees paid to LumiraDx for the Diagnostic Instrument(s) during the 12 months preceding the date on which the claim arose.

11.5    Nothing in this Licence excludes the liability for death or personal injury caused by negligence or for fraud or fraudulent misrepresentation.

11.6    The Customer acknowledges that any Open-Source Software provided by the Supplier is provided "as is" and expressly subject to the disclaimer in clause 11.7. The terms of an Open-Source Software licence may override some of the terms of this Licence.

11.7    This Licence sets out the full extent of LumiraDx’s liabilities in respect of the LumiraDx Platform Software, the Services and the Documentation. Except as expressly stated in this Licence, there are no conditions, warranties, representations or other terms, express or implied, that are binding on LumiraDx. Any condition, warranty, representation or other term concerning the supply of the LumiraDx Platform Software, the Services or the Documentation which might otherwise be implied into, or incorporated in, this Licence whether by statute, common law or otherwise, is excluded to the fullest extent permitted by law.

12.    TERM AND TERMINATION

12.1    Without affecting any other right or remedy available to it, LumiraDx may terminate the Licence with immediate effect by giving written notice to the Organization if:

(a)    the Organization, or its Users, commits a material breach of any term of this Licence which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 14 days after being notified in writing to do so;

(b)    the Organization, or its Users, breach any of the Licence Restrictions or the Acceptable Use Restrictions;

(c)    the Organization suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986;

(d)    a petition is filed, a notice is given, a resolution is passed, or an order is made, for or in connection with the winding up of the Organization other than for the sole purpose of a scheme for a solvent amalgamation of the Organization with one or more other companies or the solvent reconstruction of the Organization;

(e)    an application is made to court, or an order is made, for the appointment of an administrator, or if a notice of intention to appoint an administrator is given or if an administrator is appointed, over the Organization;

(f)    a person becomes entitled to appoint a receiver over the assets of the Organization or a receiver is appointed over the assets of the Organization;

(g)    the Organization suspends or ceases, or threatens to suspend or cease, carrying on all or a substantial part of its business; or

(h)    the Organizations transfers, or allows any third party access to, any Diagnostic Instrument, on which the Instrument Software is installed or which is used in Manager Mode to access Connect Manager, outside of the Organization or to any third party, without the prior written consent of LumiraDx.

12.2    On termination of this Licence for any reason:

(a)    all the rights granted to the Organization under this Licence shall cease;

(b)    the Organization shall immediately cease all activities authorised by this Licence (including its use of the LumiraDx Platform Software, the Services and the Documentation) and shall delete Connect Manager from all Mobile Devices and immediately destroy all copies in its control;

(c)    the Organization shall return and make no further use of the Documentation (and all copies of it) belonging to LumiraDx;

(d)    the Organization shall delete or extract (using the export functionality in Connect Manager) any Patient Data stored in Connect Manager within 10 days of the date of termination of this Licence. If requested by the Organization, LumiraDx may provide reasonable assistance to enable the extraction of any Patient Data stored in Connection Manager and the costs of such assistance shall be charged to the Organization at the rates agreed with LumiraDx; and

(e)    the Organization shall delete or remove all Patient Data, or other Personal Data, from the Instrument Software within 10 days of the date of termination of this Licence.

12.3 On termination or expiry of this Licence, the following clauses shall continue in force: clause 1 (Interpretation), clause 9 (Confidentiality), clause 11 (Limitation of Liability) and this clause 12 (Termination).

13.    VARIATION

No variation of this Licence shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

14.    WAIVER

No failure or delay by a party to exercise any right or remedy provided under this Licence or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

15.    SEVERANCE

15.1    If any provision (or part of a provision) of this Licence is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.

15.2    If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.

16.    ASSIGNMENT

16.1    The Organization shall not, without the prior written consent of LumiraDx, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Licence.

16.2    LumiraDx may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Licence.

17.    THIRD PARTY RIGHTS

This Licence does not confer any rights on any person or party (other than the parties to this Licence and, where applicable, their successors and permitted assigns and any LumiraDx Group Company) pursuant to the Contracts (Rights of Third Parties) Act 1999.

18.    NOTICES

18.1    Any notice required to be given under this Licence shall be in writing and shall be delivered by hand or sent by pre-paid first-class post or recorded delivery post to the other party at its main trading address or such other address as may have been notified by that party for such purposes.

18.2    A correctly addressed notice sent by pre-paid first-class post or recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post.

19.    GOVERNING LAW AND JURISDICTION

19.1    This Licence and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.

19.2    Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Licence or its subject matter or formation (including non-contractual disputes or claims).

SCHEDULE 1

Processing, Personal Data and Data Subjects

1.   Processing by LumiraDx

1.1 Nature and Purpose of processing

      LumiraDx, and any member of the LumiraDx Group, may process Personal Data: 

  • to record which tests were performed on which Patients and the results; 
  • to provide services to the Organization and maintain its account; 
  • to ensure Users have access to information relevant to their role and only to their role; 
  • to ensure regulatory compliance; 
  • to ensure Patients can be identified and the correct test results associated with the Patient appear in the electronic health record; 
  • for data analytics and statistical research to help LumiraDx better understand how its products are used; 
  • to investigate misuse of the Organization’s account, fraud and debt collection.
  • for support, maintenance and patient safety (including the investigation of faults); 
  • to improve the performance or features of the LumiraDx Platform Software, the Services or the Documentation;
  • to provide feedback to the Organization and/or Patient and improve the performance of the service that the Organization provide; 
  • to improve or develop the Diagnostic Instrument or LumiraDx Platform Software;
  • to improve the understanding, treatment, outcomes and choice for Patients and healthcare professionals; and 
  • to comply with any relevant statutory or regulatory requirement imposed on LumiraDx from time to time.

1.2 Subject matter and duration of the processing

The subject matter and duration of the processing are set out in the Licence.  

2.  Types of personal data

  • Personal data including patient identification, first name, surname, date of birth and gender; 
  • data concerning health, including healthcare conditions affecting Patients and test result information. 

3.  Categories of data subject

  • Patient(s)  

SCHEDULE 2

Standard Contractual Clauses for the Transfer of Personal Data from the European Union to Processors established in Third Countries (Controller-to-Processor Transfers)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation: ...............................................................

address: ...............................................................

tel: ...............................................................

fax: ...............................................................

e-mail: ...............................................................

Other information needed to identify the organisation ..............................................................

(the “data exporter”)

Name of the data importing organisation: ...............................................................

address: ...............................................................

tel: ...............................................................

fax: ...............................................................

e-mail: ...............................................................

Other information needed to identify the organisation ..............................................................

(the “data importer”)

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in ANNEX A.

1.    Definitions
For the purposes of the Clauses:

(a)    personal data, special categories of data, process/processing, controller, processor, data subject and supervisory authority shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1);

(b)    the data exporter means the controller who transfers the personal data;

(c)    the data importer means the processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer in accordance with its instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d)    the sub-processor means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its instructions, the terms of the Clauses and the terms of the written subcontract;

(e)    the applicable data protection law means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f)    technical and organisational security measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

2.    Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in ANNEX A which forms an integral part of the Clauses.

3.    Third-party beneficiary clause

3.1    The data subject can enforce against the data exporter this clause 3, clause 4(b) to clause 4(i), clause 5(a) to clause 5(e) and clause 5(g) to clause 5(j), clause 6.1 and clause 6.2, clause 7, clause 8.2 and clause 9 to clause 12 as third-party beneficiary.

3.2    The data subject can enforce against the data importer this clause 3, clause 5(a) to clause 5(e) and clause 5(g), clause 6, clause 7, clause 8.2 and clause 9 to clause 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3.3    The data subject can enforce against the sub-processor this clause 3, clause 5(a) to clause 5(e) and clause 5(g), clause 6, clause 7, clause 8.2, and clause 9 to clause 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

3.4    The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

4.    Obligations of the data exporter

The data exporter agrees and warrants:

(a)    that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b)    that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c)    that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in ANNEX B to this contract;

(d)    that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e)    that it will ensure compliance with the security measures;

(f)    that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g)    to forward any notification received from the data importer or any sub-processor pursuant to clause 5(b) and clause 8.3 to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h)    to make available to the data subjects upon request a copy of the Clauses, with the exception of ANNEX B and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i)    that, in the event of sub-processing, the processing activity is carried out in accordance with clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subjects as the data importer under the Clauses; and

(j)    that it will ensure compliance with clause 4(a) to clause 4(i).

5.    Obligations of the data importer

The data importer agrees and warrants:

(a)    to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b)    that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c)    that it has implemented the technical and organisational security measures specified in ANNEX B before processing the personal data transferred;

(d)    that it will promptly notify the data exporter about:

(i)    any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii)    any accidental or unauthorised access; and

(iii)    any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e)    to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f)    at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g)    to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of ANNEX B which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h)    that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i)    that the processing services by the sub-processor will be carried out in accordance with clause 11; and

(j)    to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

6.    Liability

6.1    The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in clause 3 or in clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

6.2    If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or its sub-processor of any of their obligations referred to in clause 3 or in clause 11 because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

6.3    If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in clause 3 or in clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

7.    Mediation and jurisdiction

7.1    The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a)    to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b)    to refer the dispute to the courts in the Member State in which the data exporter is established.

7.2    The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

8.    Cooperation with supervisory authorities

8.1    The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

8.2    The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

8.3    The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in clause 5(b).

9.    Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

10.    Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.

11.    Sub-processing

11.1    The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor's obligations under such agreement.

11.2    The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

11.3    The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

11.4    The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

12.    Obligation after the termination of personal data processing services

12.1    The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
12.2    The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Name (written out in full): ...............................................................

Position: ...............................................................

Address: ...............................................................

Other information necessary in order for 

the contract to be binding (if any): ...............................................................

Signature ...............................................................

 (Stamp of organisation)

On behalf of the data importer:

Name (written out in full): ...............................................................

Position: ...............................................................

Address: ...............................................................

Other information necessary in order for 

the contract to be binding (if any): ...............................................................

Signature ...............................................................

 (Stamp of organisation)

ANNEX A to the Standard Contractual Clauses

This ANNEX A forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this ANNEX A.

Data exporter

 

The data exporter is (please specify briefly your activities relevant to the transfer):

....................................................

Data importer

 

The data importer is (please specify briefly your activities relevant to the transfer):

....................................................

Data subjects

 

The personal data transferred concern the following categories of data subjects (please specify)

....................................................

Categories of data

 

The personal data transferred concern the following categories of data (please specify)

....................................................

Special categories of data (if appropriate)

 

The personal data transferred concern the following special categories of data (please specify)

....................................................

Processing operations

 

The personal data transferred will be subject to the following basic processing activities (please specify)

....................................................

DATA EXPORTER

DATA IMPORTER

Name:..................................................

Authorised signature:...........................

Name:..................................................

Authorised signature:...........................

ANNEX B to the Standard Contractual Clauses

This ANNEX B forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with clause 4(d) and clause 5(c) (or documents/legislation attached):

..........................................................................................................

..........................................................................................................

..........................................................................................................

.......................................................................................

  1. Interpretation

    1. The definitions and rules of interpretation in this clause apply in the background and in this Licence:

Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.

Confidential Information: any information which has been designated as confidential by either party in writing or that ought to be considered as confidential (however it is conveyed or on whatever media it is stored) including information which would or would be likely to prejudice the commercial interests of any person, trade secrets, Intellectual Property Rights, know-how of either party and all Personal Data and sensitive data within the meaning of the Data Protection Legislation.

Connect Manager: the online software component known as Connect Manager (and any updates or supplements to it) which is owned and licensed by LumiraDx and may be used in connection with the Diagnostic Instrument when operating in a Managed Mode.    

Data Protection Legislation: the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and any national implementing laws, regulations and secondary legislation, the Data Protection Act 2018, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner.

Data Controller: has the meaning given to it in the GDPR.  

Data Processor: has the meaning given to it in the GDPR. 

Diagnostic Instrument: the diagnostic instrument supplied by LumiraDx to the Organization.    

Documentation: physical and electronic documentation provided by LumiraDx which relates to the LumiraDx Platform Software.  

FOIA: the Freedom of Information Act 2000 and any subordinate legislation made under that Act from time to time together with any guidance and/or codes of practice issued by the Information Commissioner or relevant government department in relation to such legislation.

Instrument Software: any software component installed on the Diagnostic Instrument (and any updates or supplements to it) which is owned and licensed by LumiraDx.  

Intellectual Property Rights: patents, utility models, rights to inventions, copyright and neighbouring and related rights, trade marks and service marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets), and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.

Open-Source Software: open-source software as defined by the Open Source Initiative (http://opensource.org) or the Free Software Foundation (http://www.fsf.org).

Organization: the legal entity who requests a licence to use the  LumiraDx Platform Software from LumiraDx, who is acting as Data Controller.  

LumiraDx Group: means LumiraDx, any subsidiary or any holding company from time to time of LumiraDx, and any subsidiary from time to time of a holding company of that company. Each company in the LumiraDx Group is a member of the LumiraDx Group and the term “LumiraDx Group Company” shall be construed accordingly.  

LumiraDx Platform Software: the Instrument Software and Connect Manager. 

Managed Mode: the use of the Diagnostic Instrument and the Instrument Software with Connect Manager which allows the Organization to transfer Patient Data to Connect Manager.  

Mobile Device: the Organization’s mobile telephone or handheld device.  

Normal Business Hours: 9.00 am to 5.00 pm local UK time, each Business Day.

Patient(s): an individual or individuals accessing care/medical services from a relevant Organization.

Patient Data: the clinical information (including, but not limited to, Personal Data) collected by the Organization in the course of treating Patients which is inputted by its Users onto the LumiraDx Platform Software.  

Personal Data: has the meaning given to it in the GDPR.

Requests for Information: means a request for information or an apparent request under the FOIA.  

Services: any services accessible through Connect Manager and the content LumiraDx provides to the Organization through it.  

Users: anyone authorised by the Organization to use the LumiraDx Platform Software which includes its employees, agents and independent contractors (namely clinicians).

    1. Clause, Schedule and paragraph headings shall not affect the interpretation of this Licence.

    2. The Schedules form part of this Licence and shall have effect as if set out in full in the body of this Licence. Any reference to this Licence includes the Schedules.  

    3. Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

  1. Installation

LumiraDx shall ensure that one copy of the Instrument Software is pre-installed on each Diagnostic Instrument.  

  1. Grant of Licence 

    1. In consideration of the Organization agreeing to abide by the terms of this Licence, LumiraDx hereby grants to the Organization, and the Users, a non-exclusive, non-transferable right to use the LumiraDx Platform Software, the Services and the Documentation within their Organization in the territory where authorized to use the Diagnostics Instrument for the treatment of Patients, for the period during which the Organization uses the Diagnostic Instrument, unless terminated in accordance with this Licence.     

    2. LumiraDx has the right to disable any password, whether chosen by the Organization or allocated by LumiraDx, at any time, if in its reasonable opinion the Organization, or the Users, have failed to comply with any of the terms of this Licence.

    3. The Organization may be provided with updates of the LumiraDx Platform Software which includes the incorporation of “patches” and corrections of errors from time to time.  

    4. The Organization shall only: 

      1. allow Users to use the LumiraDx Platform Software, the Services and the Documentation if over 18 years of age; 

      2. use the LumiraDx Platform Software and the Services in connection with a Diagnostic Instrument supplied by LumiraDx; and 

      3. use the Documentation to support its use of the LumiraDx Platform Software and the Services as provided in clauses 3.5(a) and 3.5(b).  

    5. The Organization shall not, except as expressly set out in this Licence or as permitted by law:

      1. copy the LumiraDx Platform Software, the Services or the Documentation;

      2. make available or grant access to the LumiraDx Platform Software, the Services or the Documentation to anyone outside of the Organization;

      3. rent, lease, sub-license, distribute, loan, translate, merge, adapt, vary or modify the LumiraDx Platform Software, the Services or the Documentation;

      4. make alterations to, or modifications of, the whole or any part of the LumiraDx Platform Software, the Services or the Documentation; 

      5. permit the LumiraDx Platform Software, the Services or the Documentation or any part to be combined with, or become incorporated in, any other programs or documentation without obtaining the prior written consent of LumiraDx;

      6. disassemble, decompile, reverse-engineer or create derivative works based on the whole or any part of the LumiraDx Platform Software or the Services; 

      7. access all or any part of the LumiraDx Platform Software, the Services or the Documentation in order to build a product which competes with the LumiraDx Platform Software or the Services; 

      8. provide or otherwise make available the LumiraDx Platform Software, the Services or the Documentation in whole or in part (including object and source code), in any form to any person other than provided for in clause 3 without prior written consent from LumiraDx; and 

      9. transfer or sell any Diagnostics Instrument on which the Instrument Software is installed, to any third party, without the prior written consent of LumiraDx.  

(together, the “Licence Restrictions”).

    1. The Organization shall not:  

      1. use the LumiraDx Platform Software, the Services or the Documentation in any unlawful manner, for any unlawful purpose, or in any manner inconsistent with this Licence, or act fraudulently or maliciously, for example, by hacking into or inserting malicious code, including viruses, or harmful data into Connect Manager, the Services or the Documentation or any operating system;

      2. use the LumiraDx Platform Software for any purpose other than testing performed in connection with use of the Diagnostic Instrument in a professional setting; 

      3. infringe LumiraDx’s intellectual property rights or those of any third party in relation to its use of the LumiraDx Platform Software, the Services or the Documentation (to the extent that such use is not permitted by this Licence);

      4. transmit any material that is defamatory, offensive or otherwise objectionable in relation to its use of the LumiraDx Platform Software, the Services or the Documentation;

      5. use the LumiraDx Platform Software, the Services or the Documentation in a way that could damage, disable, overburden, impair or compromise LumiraDx’s systems or security or interfere with other users; and

      6. subject to clause 12.2(d), not collect or harvest any information or data from Connect Manager, the Services or the Documentation, 

(together, the “Acceptable Use Restrictions”).

    1. LumiraDx shall follow its archiving procedures for Patient Data processed by Connect Manager (as set out in its back-up policy, a copy of which is available on request).  In the event of any accidental or unlawful loss, damage, alteration, unauthorised disclosure or access to Patient Data, LumiraDx will notify the Organization without undue delay on becoming aware of the event. The Organization’s sole and exclusive remedy shall be for LumiraDx to use reasonable commercial endeavours to restore the Patient Data from the latest back-up.  LumiraDx shall not be responsible for any loss, destruction, alteration or disclosure of Patient Data caused by any third party except for a third party processor engaged by LumiraDx for the processing of Patient Data in accordance with clause 4.6.  

  1. Data Protection 

    1. Each party shall duly observe all their obligations under the Data Protection Legislation, which arise in connection with this Licence.  This clause 4.1 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.  

    2. The Organization shall have sole responsibility for the Patient Data.  Subject to this clause 4, LumiraDx shall have no rights in the Patient Data.  

    3. LumiraDx shall process Personal Data relating to the Organization’s employees, agents and independent contractors in accordance with its privacy policy as displayed on its website from time to time.  For the purposes of this clause 4.3, LumiraDx is the Data Controller of such Personal Data.    

    4. The parties acknowledge that for the purposes of the Data Protection Legislation, the Organization is the Data Controller and LumiraDx is the Data Processor of the Patient Data and other related Personal Data provided by the Organization to LumiraDx for processing in accordance with clauses 4.5 and 4.6. Schedule 1 sets out the scope, nature and purpose of processing by LumiraDx, the duration of the processing and the types of Personal Data and categories of Data Subject (as defined in the Data Protection Legislation).

    5. Notwithstanding the general obligation in clause 4.1, when processing Patient Data:

      1. the Organization shall ensure that the relevant third parties, including, but not limited to Patients, have been informed of, and have given their specific consent to, such use (including the use set out at Schedule 1), processing, and transfer as required by Data Protection Legislation;

      2. LumiraDx shall:

        1. only process that Patient Data on the written instructions of the Organization, which are set out in Schedule 1, unless LumiraDx is required by the laws of any member of the European Union or by the laws of the European Union applicable to LumiraDx to process Patient Data (“Applicable Laws”). Where LumiraDx is relying on Applicable Laws as the basis for processing Patient Data, LumiraDx shall promptly notify the Organization of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit LumiraDx from so notifying the Organization;

        2. ensure that it has in place appropriate technical, contractual and organisational measures to protect against unauthorised or unlawful processing of the Patient Data and against accidental loss or destruction of, or damage to, the Patient Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;

        3. ensure that all personnel who have access to and/or process Patient Data are obliged to keep the Patient Data confidential;

        4. assist the Organization, at the Organization's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

        5. notify the Organization without undue delay on becoming aware of a breach of Patient Data; 

        6. ensure it does not knowingly or negligently do or omit to do anything which places the Organization in breach of the Organization’s obligations under the Data Protection Legislation; 

        7. maintain complete and accurate written records and information of its Patient Data processing activities to demonstrate compliance with this clause 4; and  

        8. not transfer any Patient Data outside the EEA unless appropriate safeguards have been put in place.  The Organization agrees that Personal Data relating to the Organization’s employees, agents or independent contractors may be transferred outside the EEA provided that appropriate safeguards in relation to the transfer are in place and LumiraDx ensures that an adequate level of protection is provided to all Patient Data transferred.  

    6. The Organization consents to LumiraDx appointing third party data repository providers (which includes any member of the LumiraDx Group) and third party delivery providers, third party suppliers of devices (including the Diagnostic Instrument), third party services providers (who may provide telephone support services and technical support services) as a third party processor of Personal Data under this Licence. LumiraDx confirms that it has entered or (as the case may be) will enter with the third party processor into a written agreement substantially on that third party's standard terms of business. As between the Organization and LumiraDx, LumiraDx shall remain fully liable for all acts or omissions of any third party processor appointed by it pursuant to this clause 4.6.

    7. The Organization agrees that LumiraDx may create anonymised data from the Patient Data inputted into the LumiraDx Platform Software by the Organization provided that ISB1523 Anonymisation Standards for Publishing Health Care Data are observed.

  2. Conditionality clause 

    1. If the UK leaves the European Union without a withdrawal agreement on the day of exit (or the transitional period under a withdrawal agreement expires before the European Commission has adopted an adequacy decision for the UK) then:

      1. the parties hereby enter into the standard contractual clauses (“SCCs”) in the EU Commission's decision 2010/87/EC annexed at Schedule 2 and agree, where no other appropriate safeguard or exemption applies, that the Patient Data subject to this Licence (and to which Chapter V of GDPR) applies) will be transferred in accordance with the SCCs exclusive of any optional clauses as of that date. The parties agree to use best endeavours to complete the annexes to the SCCs promptly and in any event within 30 days for the purpose of giving full effect to the clauses. If there is any conflict between this Licence and the SCCs the terms of the SCCs shall apply.

  3. Freedom of information 

    1. LumiraDx acknowledges that the Organization may be subject to the requirements of the FOIA and shall assist and co-operate with the Organization (at the Organization’s expense) to enable the Organization to comply with these information disclosure requirements.

    2. LumiraDx shall:

      1. transfer any Request for Information to the Organization as soon as practicable after receipt of a Request for Information;

      2. provide the Organization with a copy of all Information in its possession or power in the form that the Organization requires as soon as practicable (or such other longer period as the Organization may specify) of the Organization requesting that Information; and

      3. provide all necessary assistance as reasonably requested by the Organization to enable the Organization to respond to a Request for Information within the time for compliance set out in section 10 of the FOIA.

    3. In no event shall LumiraDx respond directly to a Request for Information. 

  4. Organization's obligations

    1. The Organization shall:

      1. obtain permission from the owners of the Mobile Devices, on which it has downloaded or used a copy of Connect Manager which are controlled, but not owned, by it; 

      2. treat passwords, or any other information provided as part of LumiraDx’s security procedures, as confidential. The Organization shall not disclose it to any third party; 

      3. ensure that all its Users of the LumiraDx Platform Software act in accordance with this Licence and only use it for the purposes set out in clause 3;  

      4. ensure that all its Users of the LumiraDx Platform Software comply with the procedures and guidelines set out in the Documentation (including the user manual) relating to the use of the LumiraDx Platform Software; 

      5. at all times co-operate with LumiraDx and provide information reasonably required by LumiraDx; 

      6. supervise and control the use of the LumiraDx Platform Software in accordance with the terms of this Licence and ensure that the LumiraDx Platform Software is only used by suitably qualified and trained healthcare professionals; 

      7. immediately notify LumiraDx of any adverse event where the  LumiraDx Platform Software may have been a contributory factor.  The Organization further agrees to provide written details of the event and co-operate with LumiraDx in its investigation of the event.  The Organization acknowledges and agrees that the all communications relating to any adverse event shall be deemed to be Confidential Information and shall be subject to the confidentiality obligations at clause 9; 

      8. report all failures, issues or defects in the LumiraDx Platform Software to LumiraDx.  The Organization acknowledges and agrees that the all communications relating to failures, issues or defects in the LumiraDx Platform Software shall be considered to be Confidential Information and shall be subject to the confidentiality obligations at clause 8; and 

      9. not permit any third party to provide technical support in respect of the LumiraDx Platform Software, the Services or the Documentation. 

  5. Proprietary rights

    1. The Organization acknowledges that LumiraDx, and/or its licensors (who are third party owners of intellectual property rights used in the LumiraDx Platform Software), own all Intellectual Property Rights in the LumiraDx Platform Software, the Services and the Documentation.  This Licence does not grant the Organization any rights to, or in, patents, copyrights, database rights, trade secrets, trade names, trade marks (whether registered or unregistered), or any other rights or licences in respect of the LumiraDx Platform Software, the Services or any related Documentation, other than the right to use them in accordance with this Licence.  

    2. The Organization acknowledges that it has no right to have access to the LumiraDx Platform Software in source-code form.

  6. Confidentiality

    1. LumiraDx acknowledges that the Patient Data is the Confidential Information of the Organization.

    2. Subject to clause 9.3, the parties shall keep confidential the Confidential Information of the other party and shall use all reasonable endeavours to prevent their employees, agents and independent contractors from making any disclosure to any person of the Confidential Information.  

    3. Clause 9.2 shall not apply to any disclosure of information:

      1. required by any applicable law, provided that clause 5 shall apply to any disclosures required under the FOIA;

      2. that is reasonably required by persons engaged by a party in the performance of that party's obligations under this Licence;

      3. where a party can demonstrate that such information is already generally available and in the public domain otherwise than as a result of a breach of clause 9.2;

      4. which is already lawfully in the possession of the receiving party, prior to its disclosure by the disclosing party, and the disclosing party is not under any obligation of confidence in respect of that information;

      5. by a party when the other party has given its prior written consent to disclosure.

  7. Training 

    1. The Documentation includes a user manual which provides basic training information for the Organization and the Users.  The Organization shall ensure that all Users have read and understood the basic training information, set out in the Documentation, before using the LumiraDx Platform Software.  

    2. The Organization agrees to undertake, and shall procure that all Users undertake, any additional training requirements set out in the LumiraDx Platform Software from time to time.  

  8. Limitation of liability

    1. The Organization agrees that it assumes sole responsibility for results obtained from the use of the LumiraDx Platform Software and the Services and for conclusions drawn from such use. LumiraDx shall have no liability for any damage caused by errors or omissions in any information provided by the Organization, or any actions taken by LumiraDx at the Organization's direction.  The Organization acknowledges that the LumiraDx Platform Software was not designed to the Organization’s individual requirements and that it is therefore the Organization’s responsibility to ensure that the facilities and functions of the LumiraDx Platform Software as described in the Documents meet its requirements.  

    2. The LumiraDx Platform Software and the Services are intended only as a diagnostic aid and are not a substitute for the expertise and judgement of physicians, pharmacists or other healthcare professionals.  All information is provided on the basis that the healthcare practitioners responsible for patient care will retain full and sole responsibility for deciding any treatment to prescribe or dispense for all patients and in particular whether the use of information provided by the LumiraDx Platform Software is safe, appropriate or effective for any particular patient or in any particular circumstances.

    3. LumiraDx shall not be liable: 

      1. whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of income, loss of profits or contracts, loss of business, business interruption, loss of money or anticipated savings, loss of or depletion of opportunity, goodwill, reputation and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Licence; or

      2. for any loss arising as a result of the Organization exporting information or data (including Patient Data) from the display functions in Connect Manager.    

    4. Other than the losses set out in clause 11.3 (for which LumiraDx is not liable), LumiraDx's total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this Licence shall be limited to the total fees paid to  LumiraDx for the Diagnostic Instrument(s) during the 12 months preceding the date on which the claim arose.   

    5. Nothing in this Licence excludes the liability for death or personal injury caused by negligence or for fraud or fraudulent misrepresentation. 

    6. The Customer acknowledges that any Open-Source Software provided by the Supplier is provided "as is" and expressly subject to the disclaimer in clause 11.7.  The terms of an Open-Source Software licence may override some of the terms of this Licence.    

    7. This Licence sets out the full extent of LumiraDx’s liabilities in respect of the LumiraDx Platform Software, the Services and the Documentation.  Except as expressly stated in this Licence, there are no conditions, warranties, representations or other terms, express or implied, that are binding on LumiraDx.  Any condition, warranty, representation or other term concerning the supply of the LumiraDx Platform Software, the Services or the Documentation which might otherwise be implied into, or incorporated in, this Licence whether by statute, common law or otherwise, is excluded to the fullest extent permitted by law.

  9. Term and termination

    1. Without affecting any other right or remedy available to it, LumiraDx may terminate the Licence with immediate effect by giving written notice to the Organization if:

      1. the Organization, or its Users, commits a material breach of any term of this Licence which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 14 days after being notified in writing to do so;

      2. the Organization, or its Users, breach any of the Licence Restrictions or the Acceptable Use Restrictions; 

      3. the Organization suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986;

      4. a petition is filed, a notice is given, a resolution is passed, or an order is made, for or in connection with the winding up of the Organization other than for the sole purpose of a scheme for a solvent amalgamation of the Organization with one or more other companies or the solvent reconstruction of the Organization;

      5. an application is made to court, or an order is made, for the appointment of an administrator, or if a notice of intention to appoint an administrator is given or if an administrator is appointed, over the Organization;

      6. a person becomes entitled to appoint a receiver over the assets of the Organization or a receiver is appointed over the assets of the Organization; 

      7. the Organization suspends or ceases, or threatens to suspend or cease, carrying on all or a substantial part of its business; or 

      8. the Organizations transfers, or allows any third party access to, any Diagnostic Instrument, on which the Instrument Software is installed or which is used in Manager Mode to access Connect Manager, outside of the Organization or to any third party, without the prior written consent of LumiraDx.  

    2. On termination of this Licence for any reason:

      1. all the rights granted to the Organization under this Licence shall cease; 

      2. the Organization shall immediately cease all activities authorised by this Licence (including its use of the LumiraDx Platform Software, the Services and the Documentation) and shall delete Connect Manager from all Mobile Devices and immediately destroy all copies in its control; 

      3. the Organization shall return and make no further use of the Documentation (and all copies of it) belonging to LumiraDx; 

      4. the Organization shall delete or extract (using the export functionality in Connect Manager) any Patient Data stored in Connect Manager within 10 days of the date of termination of this Licence.  If requested by the Organization, LumiraDx may provide reasonable assistance to enable the extraction of any Patient Data stored in Connection Manager and the costs of such assistance shall be charged to the Organization at the rates agreed with LumiraDx; and 

      5. the Organization shall delete or remove all Patient Data, or other Personal Data, from the Instrument Software within 10 days of the date of termination of this Licence.  

    3. On termination or expiry of this Licence, the following clauses shall continue in force: clause 1 (Interpretation), clause 9 (Confidentiality), clause 11 (Limitation of Liability) and this clause 12 (Termination).  

  10. Variation

No variation of this Licence shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

  1. Waiver

No failure or delay by a party to exercise any right or remedy provided under this Licence or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

  1. Severance

    1. If any provision (or part of a provision) of this Licence is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.

    2. If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.

  2. Assignment

    1. The Organization shall not, without the prior written consent of LumiraDx, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Licence.

    2. LumiraDx may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Licence.

  3. Third party rights

This Licence does not confer any rights on any person or party (other than the parties to this Licence and, where applicable, their successors and permitted assigns and any LumiraDx Group Company) pursuant to the Contracts (Rights of Third Parties) Act 1999.

  1. Notices

    1. Any notice required to be given under this Licence shall be in writing and shall be delivered by hand or sent by pre-paid first-class post or recorded delivery post to the other party at its main trading address or such other address as may have been notified by that party for such purposes.  

    2. A correctly addressed notice sent by pre-paid first-class post or recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post. 

  2. Governing law and Jurisdiction 

    1. This Licence and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.

    2. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Licence or its subject matter or formation (including non-contractual disputes or claims).

SCHEDULE 1


Processing, Personal Data and Data Subjects


1.   Processing by LumiraDx

1.1 Nature and Purpose of processing

      LumiraDx, and any member of the LumiraDx Group, may process Personal Data: 

  • to record which tests were performed on which Patients and the results; 

  • to provide services to the Organization and maintain its account; 

  • to ensure Users have access to information relevant to their role and only to their role; 

  • to ensure regulatory compliance; 

  • to ensure Patients can be identified and the correct test results associated with the Patient appear in the electronic health record; 

  • for data analytics and statistical research to help LumiraDx better understand how its products are used; 

  • to investigate misuse of the Organization’s account, fraud and debt collection.

  • for support, maintenance and patient safety (including the investigation of faults); 

  • to improve the performance or features of the LumiraDx Platform Software, the Services or the Documentation;

  • to provide feedback to the Organization and/or Patient and improve the performance of the service that the Organization provide; 

  • to improve or develop the Diagnostic Instrument or LumiraDx Platform Software;

  • to improve the understanding, treatment, outcomes and choice for Patients and healthcare professionals; and 

  • to comply with any relevant statutory or regulatory requirement imposed on LumiraDx from time to time.

1.2 Subject matter and duration of the processing

The subject matter and duration of the processing are set out in the Licence.  

2.  Types of personal data

  • Personal data including patient identification, first name, surname, date of birth and gender; 

  • data concerning health, including healthcare conditions affecting Patients and test result information. 

3.  Categories of data subject

  • Patient(s).   

SCHEDULE 2

Standard Contractual Clauses for the Transfer of Personal Data from the European Union to Processors established in Third Countries (Controller-to-Processor Transfers) 


For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation: ...............................................................

address: ...............................................................

tel: ...............................................................

fax: ...............................................................

e-mail: ...............................................................

Other information needed to identify the organisation ..............................................................

(the “data exporter”)

Name of the data importing organisation: ...............................................................

address: ...............................................................

tel: ...............................................................

fax: ...............................................................

e-mail: ...............................................................

Other information needed to identify the organisation ..............................................................

(the “data importer”)

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in ANNEX A.

  1. Definitions

For the purposes of the Clauses:

    1. personal data, special categories of data, process/processing, controller, processor, data subject and supervisory authority shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1);

    2. the data exporter means the controller who transfers the personal data;

    3. the data importer means the processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer in accordance with its instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

    4. the sub-processor means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its instructions, the terms of the Clauses and the terms of the written subcontract;

    5. the applicable data protection law means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

    6. technical and organisational security measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

  1. Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in ANNEX A which forms an integral part of the Clauses.

  1. Third-party beneficiary clause

    1. The data subject can enforce against the data exporter this clause 3, clause 4(b) to clause 4(i), clause 5(a) to clause 5(e) and clause 5(g) to clause 5(j), clause 6.1 and clause 6.2, clause 7, clause 8.2 and clause 9 to clause 12 as third-party beneficiary.

    2. The data subject can enforce against the data importer this clause 3, clause 5(a) to clause 5(e) and clause 5(g), clause 6, clause 7, clause 8.2 and clause 9 to clause 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

    3. The data subject can enforce against the sub-processor this clause 3, clause 5(a) to clause 5(e) and clause 5(g), clause 6, clause 7, clause 8.2, and clause 9 to clause 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

    4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

  2. Obligations of the data exporter

The data exporter agrees and warrants:

    1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

    2. that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

    3. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in ANNEX B to this contract;

    4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

    5. that it will ensure compliance with the security measures;

    6. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC; 

    7. to forward any notification received from the data importer or any sub-processor pursuant to clause 5(b) and clause 8.3 to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

    8. to make available to the data subjects upon request a copy of the Clauses, with the exception of ANNEX B and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

    9. that, in the event of sub-processing, the processing activity is carried out in accordance with clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subjects as the data importer under the Clauses; and 

    10. that it will ensure compliance with clause 4(a) to clause 4(i). 

  1. Obligations of the data importer

The data importer agrees and warrants:

    1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

    2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

    3. that it has implemented the technical and organisational security measures specified in ANNEX B before processing the personal data transferred; 

    4. that it will promptly notify the data exporter about:

      1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

      2. any accidental or unauthorised access; and

      3. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

    5. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

    6. at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

    7. to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of ANNEX B which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

    8. that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

    9. that the processing services by the sub-processor will be carried out in accordance with clause 11; and

    10. to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

  1. Liability

    1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in clause 3 or in clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

    2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or its sub-processor of any of their obligations referred to in clause 3 or in clause 11 because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. 

The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

    1. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in clause 3 or in clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses. 

  1. Mediation and jurisdiction 

    1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

      1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

      2. to refer the dispute to the courts in the Member State in which the data exporter is established.

    2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

  2. Cooperation with supervisory authorities

    1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

    2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

    3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in clause 5(b).

  3. Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

  1. Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses. 

  1. Sub-processing

    1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor's obligations under such agreement.

    2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

    3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

    4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority. 

  2. Obligation after the termination of personal data processing services

    1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

    2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Name (written out in full): ...............................................................

Position: ...............................................................

Address: ...............................................................

Other information necessary in order for 

the contract to be binding (if any): ...............................................................

Signature ...............................................................

 (Stamp of organisation)

On behalf of the data importer:

Name (written out in full): ...............................................................

Position: ...............................................................

Address: ...............................................................

Other information necessary in order for 

the contract to be binding (if any): ...............................................................

Signature ...............................................................

 (Stamp of organisation)

  1. to the Standard Contractual Clauses

This ANNEX A forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this ANNEX A.

Data exporter

 

The data exporter is (please specify briefly your activities relevant to the transfer):

....................................................

Data importer

 

The data importer is (please specify briefly your activities relevant to the transfer):

....................................................

Data subjects

 

The personal data transferred concern the following categories of data subjects (please specify)

....................................................

Categories of data

 

The personal data transferred concern the following categories of data (please specify)

....................................................

Special categories of data (if appropriate)

 

The personal data transferred concern the following special categories of data (please specify)

....................................................

Processing operations

 

The personal data transferred will be subject to the following basic processing activities (please specify)

....................................................

DATA EXPORTER

DATA IMPORTER

Name:..................................................

Authorised signature:...........................

Name:..................................................

Authorised signature:...........................

  1. to the Standard Contractual Clauses

This ANNEX B forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with clause 4(d) and clause 5(c) (or documents/legislation attached):

.....................................................................................................................................................................................................................................................................................................................................................................................................................

 

(iv)