The present Unilateral Commitment (hereafter referred to as the "Commitment") is made by:
[Organisation/Company Name]
(hereafter referred to as the "Party" with capital P)
established at [complete address]
under company number [company number],
legally represented by [representative name].
This Commitment is applicable to:
- all Personal Data processed by the Party.
- only Personal Data processed in relation with the following research project, service or data processing activity: [complete project/service name and details]
WHEREAS
the Party is processing Personal Data and may act as a single Data Controller and/or as Joint Data Controller and/or as Data Processor;
AND
the Party is willing to commit to protect the above-mentioned processed personal data and to respect the applicable provisions of the Regulation (EU) 2016/679 - General Data Protection Regulation (hereafter referred to as “GDPR”) regardless of the location of its data processing activity;
THEREFORE, in consideration of the above premises, the Party agrees with and commits to respect the following clauses:
Definitions
1. For the purposes of this Commitment, definitions not otherwise provided in the text of this Commitment shall have the following meanings:
- “Personal Data” refers to any data linked to an identified or identifiable individual, as defined by the GDPR, including identifiers like IP addresses.
- “Data Controller” refers to the entity that determines the purposes and means of processing personal data.
- “Data Joint Controller” refers to two or more controllers jointly controlling data processing.
- “Data Processor” refers to an entity processing personal data on behalf of a data controller.
- “Data Exporter” refers to an entity transferring personal data to a data importer in a third country.
- “Data Importer” refers to one or more Entities in a third country receiving the Personal Data from the Data Exporter, directly or indirectly via an intermediary entity.
- “Data Provider” refers to an entity that is sharing data with one or several Data Recipients, which are not necessarily acting as data processors.
- “Data Recipient” refers to an Entity that is receiving data from one or several Data Providers.
- “Data Subject” refers to any identified or identifiable natural person whose data are being processed.
- “Personal Data Breach” means a breach of security as specifically defined by the GDPR leading to the unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, transfer, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
- “Service Provider” refers to the organisation that manages and makes available the Privacy Pact online service.
- “Special Categories of Personal Data” refers to Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- “Supervisory Authority” refers to the competent national Authorities of the Member State of the European Union that oversee and monitor the application of the GDPR.
- “Technical and Organisational Measures” refers to those technical and organisational measures implemented with the aim of ensuring an appropriate level of security and protection of processed data, including against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
- “Primary Use of Data” encompasses the processing of personal data for the initial purpose for which they have been collected.
- “Secondary Use of Data” refers to the processing of personal data for purposes beyond those for which they were originally collected and processed.
- “Data Holder” refers to an Entity or body active in the health or care sector, or performing research in relation to those sectors, that has the right, the obligation or the framework to make personal electronic health data available, including to register, provide and restrict access to them, as well as to exchange them.
The Clauses of this Commitment shall be read and interpreted in the light of the provisions of the GDPR, and shall not be interpreted in a way that conflicts with the rights and obligations provided for in the GDPR.
Purpose
2. Purpose of the Commitment
This Commitment aims to clarify the rights and obligations regarding the processing of personal data.
3. Territorial Scope
This Commitment applies to the processing of personal data collected from or within European territory, including EU, EEA, EFTA Member States, and the United Kingdom. It applies to the Party acting as Data Controller and/or Data Processor, within the limits of applicable national laws.
General Obligation
4. General Commitment
The Party commits to ensuring compliance with the legal provisions of the GDPR and will:
- Apply data protection by design and by default, including by leveraging pseudonymisation techniques where relevant and applicable;
- Apply purpose and data minimisation by limiting data collection, processing, and retention to what is necessary;
- Maintain transparency, fairness, and lawfulness in personal data processing activities;
- Adequately protect and secure the processing, transmission, and storage of personal data, ensuring confidentiality, integrity, and availability;
- Limit the access to the processed and stored Personal Data to what is needed and to who needs it for achieving the consented or legitimate purpose for which they are processed (role-based access to data);
- Ensure that all personnel and/or affiliated parties involved in the data collection/processing/sharing are bound by the obligations prescribed in the present in a demonstrable manner;
- Monitor the effectiveness of the Technical and Organisational Measures in place for ensuring the security of the processing;
- Store electronic Personal Data in a structured, commonly used, and machine-readable format no longer than what is required for the purposes of the Processing;
- Where required, perform Data Protection Impact and Risk Assessments prior to transferring or processing of the personal data;
- Cooperate with the competent Supervisory Authority/Authorities.
5. Rights of the Data Subjects
The Party commits to respect and protect the rights and freedoms of the Data Subjects, as recognised by the GDPR, in particular, the rights:
- To be informed on the purpose and nature of processing of their Personal Data;
- To be informed on their rights as data subjects, including the right to lodge a complaint with a Supervisory Authority;
- To access, rectify, obtain a copy, transfer, and erase their Personal Data;
- To restrict or object to the processing of their Personal Data;
- To easily contact the Party for obtaining complementary information on the processing of their Personal Data and for exercising their rights without unjustified costs;
- To not be subject to a decision based solely on automated Processing, including profiling;
- To transfer their Personal Data to another Entity without hindrance from the Party;
- To withdraw consent at any time, without affecting the lawfulness of Processing based on consent prior to its withdrawal;
- To be informed without delay in case of a Personal Data Breach impacting their rights and freedoms, unless a relevant legal exception applies;
- To receive information on actions taken to address data subject requests within one month of their receipt;
- To receive information free of charge on the processing of their Personal Data.
6. Duty to Record and Document Complaints
The Party commits to having a process in place to record, document and manage Personal Data breaches and received complaints. This shall include:
- A clearly identified point of contact for internal as well as third-party complaints;
- A record of all such complaints received, the nature of the investigation undertaken, and the outcome of the investigation.
Complementary Obligations where the Party Acts as Controller
7. Lawfulness of the Data Processing
The Party commits to ensuring that Personal Data is lawfully processed on the basis of an adequate legal basis such as:
- Data Subject’s consent (in line with GDPR Art 6(1)(a)), where prior informed consent has been explicitly provided by the Data Subject;
- Legitimate interest (such as client-and-employee management, marketing, fraud prevention, intra-group transfers, IT security, etc.) in line with GDPR Art 6(1)(f)), where processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child;
- The performance of a contract (in line with GDPR Art 6(1)(b)), where Processing is necessary for the performance of a specific contract to which the data subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- Complementary lawfulness bases recognised by the GDPR.
8. Purpose Limitation
The Party commits to Processing the Personal Data exclusively for the purpose for which it was collected and/or transferred. It may process the data for additional purposes only where such processing is lawful, as described above and in accordance with the GDPR.
9. General Obligations as Data Controller
Where the Party acts as a Data Controller, it commits:
- To not use a Data Processor without a written agreement with the Data Processor(s) describing in detail the rights and obligations of each party;
- To require proof of compliance of Data Processors with legal provisions, in particular related to privacy, data protection, and cybersecurity;
- To facilitate the exercise of Data Subjects’ rights.
10. Obligations as Joint Data Controller
Where the Party acts as a Joint Data Controller, it commits:
- To have a written agreement with the other Joint Data Controller(s) clarifying in writing their respective roles and responsibilities;
- To serve as a contact point for Data Subjects willing to exercise their rights;
- To mention the Joint Controller(s) in the data protection policy made available to the Data Subjects for the related service;
- To make the high-level principles of joint controllership available to the data subjects upon demand.
Complementary Obligations where the Party Acts as Data Processor
11. Obligations as Data Processors
Where the Party acts as a Data Processor, it commits:
- To process Personal Data only on documented instructions from the Controller;
- To ensure that all those authorised to process Personal Data are bound by confidentiality obligations;
- To implement all measures required by the Data Controller to secure the Processing;
- To not engage other Data Processors without the explicit agreement of the Data Controller;
- To respond to requests of Data Subjects;
- To assist the Data Controller with appropriate Technical and Organisational Measures, insofar as it is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the Data Subject's rights;
- To assist the Data Controller in ensuring compliance with the obligations for the security of Data Processing (pursuant to Articles 32 to 36 of the GDPR), such as risk assessment, personal data breach management and notification, data protection impact assessment, and prior consultation with the Supervisory Authority;
- At the choice of the Data Controller, to delete or return all the Personal Data to the Data Controller after the end of the provision of services relating to processing, and to delete existing copies unless otherwise required by law;
- To make all information necessary to demonstrate compliance with the GDPR available to the Data Controller;
- To authorise inspections and audits conducted by the Data Controller or another auditor mandated by the Data Controller, or by the national Supervisory Authority of the Data Controller;
- To require that the same obligations assumed by the Data Processor(s) be respected by sub-Processors that may be contracted for conducting specific processing activities on behalf of the Data Controller.
Complementary Obligations where the Party Shares and/or Receives Data for Research Purposes
12. Obligations as Data Holder or Data Provider for Research Purpose
Where the Party acts as a Data Holder and/or Data Provider for research purpose, before giving access to the data, it commits:
- To check that the Data Recipient is subject to the GDPR and/or contractually bound to respect the obligations and principles mentioned in this Commitment;
- To anonymise, or at least pseudonymise, all Personal Data before their transfer, in accordance with the specific character of each case and research requirements;
- To assess the risks and potential impact of such transfer on the Data Subjects and on their rights and freedoms;
- To assess the lawfulness of the transfer, including with regard to the national regulations applicable to the Party that may provide additional requirements.
13. Documented Requests for Secondary Use of Data
Where the Party wants to access Personal Data as Data Recipient for a Secondary Use of Personal Data, it shall document in writing its request with at least the following information:
- A detailed explanation of the intended use of the requested data, in alignment with a legal purpose;
- A description of the requested data, their format and data sources, where possible, including geographical coverage where data is requested from several Member States;
- An indication whether data should be made available in an anonymised format;
- Where applicable, an explanation of the reasons for seeking access to data in a pseudonymised format;
- A description of the safeguards planned to prevent any other use of the requested data;
- A description of the safeguards planned to protect the rights and interests of the Data Holder and of the natural persons concerned by the request;
- An estimation of the period during which the requested data is needed for processing;
- A description of the tools and computing resources needed for a secure environment.
14. Obligations as Data Recipient for Research Purpose
Where the Party acts as Data Recipient, with regard to the received data, it commits:
- To process the data solely and exclusively for the research purpose declared to the Data Provider and/or Data Holder;
- To not disclose any received Personal Data (as defined by the GDPR) to third parties or to the public;
- To address and reply without undue delay to the requests for information of Data Subjects whose Personal Data are processed by the Party;
- To process the data in accordance with the requirements that may be specified by the Data Provider and /or Data Holder;
- On request, to provide additional information on the ethical and legal assessment of the related data processing;
- Where data are health-related, to inform the Data Provider of any clinically significant findings that may impact the person’s health status;
- To provide information on the results or outputs of the secondary use of the requested data in a fully anonymised and public manner within 18 months after their access.
Complementary Obligations where Personal Data are Transferred to a Third Country that does not Benefit from an Adequacy Decision
15. Obligations as Data Exporter
Where the Party acts as a Data Exporter to a third country, before transferring the data it commits:
- To collect information on the third country (or international organisation) data protection regulation and practice, including if:
  - The access and processing by the authorities of the third country is based on clear, precise and accessible rules;
  - There are mechanisms in place to respect and comply with the principles of necessity and proportionality of the data processing;
  - The authority of the country (and/or the international organisation) has established oversight mechanisms;
  - There are effective remedies made available to the individuals;
  - The legislation on data protection is effectively implemented.
- To ensure the effective implementation of data protection regulations;
- To assess the risks for the rights and freedoms of the Data Subjects whose data are transferred;
- To adopt measures for addressing the identified risks and for bringing the level of protection of the personal data transferred up to the required level of essential data protection equivalence;
- To document the measures in place to preserve the rights and freedoms of the Data Subjects;
- To have a procedure in place for re-assessing the risks related to the transfer of personal data to third countries and to international organisations (as applicable) on a regular basis.
- The Party commits to ensure that any data transfer is lawful with regard to the GDPR (in particular Art. 46 and 47 GDPR), by using adequate mechanisms such as:
  - A legally binding and enforceable instrument between the Data Importer and Data Exporter;
  - Approved Binding Corporate Rules (BCR);
  - Standard Contractual Clauses (SCC) adopted or approved by the Commission;
  - An approved Code of Conduct;
  - An approved Certification mechanism.
16. Obligations as Data Importer
Where the Party acts as a Data Importer, it commits:
- To appoint a Representative located in the EEA and to make the Representative's contact information public;
- To not transfer the data received to any other parties without the Data Exporter’s prior explicit and written authorisation;
- To provide the Data Subjects whose data are processed with effective remediation mechanisms;
- To inform the Data Exporter of any local legislation that may affect the safety and privacy of the data, as well as to inform them in case of an access request or similar by local authorities to the data, unless otherwise prescribed by law;
- To inform the Data Provider/Exporter of any circumstances that may prevent it from complying with the legal requirements;
- To cooperate with the supervisory authorities competent for the data exporters, including by accepting their audits and inspections, by taking into account their advice, and by abiding by their decisions;
- To notify the Data Exporter (and where applicable the certification body) in case of regulatory changes that may compromise the protection of the transferred data and/or the data subjects' rights and freedoms;
- To not disclose the cryptographic keys, nor modify the equipment, used for securing personal data in transit in a way that would undermine its security;
- In case of requests for information from third country authorities, the Party commits:
  - To review the legality of the request;
  - To promptly inform the Data Exporter;
  - To minimise the information disclosed;
  - To protect data against massive and indiscriminate transfers.
- Where certification has been used to allow the transfer of personal data to the Party, it commits:
  - To comply with the rules specified in the certification;
  - To notify the Data Exporter and take appropriate additional measures in case it becomes aware of legislation that would prevent compliance with its obligations under the certification;
  - To notify the Data Exporter and its Supervisory Authority of any measures taken by the certification body in response to a detected violation of the certification.
- The Party hereby warrants it has no reason to believe that the laws and practices of its country prevent it from fulfilling its commitments under this Commitment.
Termination and Transfer
17. Duration and Termination
- This Commitment enters into force on the date of signature and is not limited in time.
- The Party wishing to withdraw from the Commitment shall announce its withdrawal online through the Privacy Pact website and/or the relevant communication forms with prior notice of at least 90 days.
- In case of withdrawal from the Commitment, the Party commits to inform the Data Providers, Data Controllers, and Data Exporters that have shared personal data with the Party during the time of the Commitment about the withdrawal with a written prior notice of at least 90 days.
18. Transfer
In case of merger, acquisition, transfer of activities or similar, the Party commits to not transfer any personal data to the successor and/or assignee entity without ensuring that:
- Equivalent obligations to the ones included in the present Unilateral Commitment are binding on the successor and/or assignee entity;
- The transfer is in full compliance with the applicable data protection regulations, including the GDPR;
- The data subjects are informed about this transfer and have the possibility to object.
Applicable Law, Waiver, Dispute Resolution & Remainder Clause
19. Force Majeure
- The Party shall not be liable for delays in performing any obligation due under this Commitment if the delay is due to any cause beyond its reasonable control, such as an act of God, an act of civil or military authority, fire, riot, civil commotion, sabotage, war, embargo, blockade, flood, epidemic, power shortage, or governmental restrictions.
- In any case, the prevented Party shall do everything in its power to limit the duration and effects of the fortuitous event or force majeure.
20. Disclaimer and Liability
- The present Commitment is intended to enable the Party to commit to respecting the rights and freedoms of the Data Subjects. It constitutes a unilateral commitment that binds the Party.
- The Service Provider is not party to this Commitment and provides the Privacy Pact service on an as-is and as-available basis. As such, the Party and any third parties shall acknowledge and agree that:
  - The Commitment does not assess the Party’s compliance with the GDPR, nor is it intended to guarantee the Party’s conformity with the assumed commitments;
  - The Party maintains the sole and exclusive responsibility for complying with the GDPR and other legal provisions related to the processing of Personal Data;
  - The Service Provider is not responsible for any litigation costs (or litigation settlement costs) between any third parties and the signatory Party. The Party bears the exclusive responsibility and liability for its Commitment and for any loss, damage or sanction related to any effective or potential breach of any of the obligations contained in the Commitment or related to the GDPR, and commits to holding the Service Provider harmless.
21. Remainder Clause
If any provision of this Commitment shall be held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of this Commitment and such provision as applied to other persons, places, and circumstances shall remain in full force and effect.
22. Applicable Law and Dispute Resolution
This Commitment shall be governed by, and construed in accordance with, the laws of:
- Luxembourg.
- Another EU jurisdiction: [Indicate the Applicable EU Jurisdiction]
Any dispute related to this Commitment shall be settled exclusively before the appropriate court of law of the above-mentioned jurisdiction.
Miscellanea
23. Written Form
This Commitment may not be amended or modified except in a written instrument executed by the Party.
Signatories
IN WITNESS HEREOF, this Commitment has been executed on the date first above written by a duly authorised representative of the Party.
Full Name: | Full Name: |
Title: | Title: |
Place: | Place: |
Date: | Date: |
Signature: _________________________ | Signature: _________________________ |