1.1. This Data Sharing Agreement ("DSA") and any other written agreement between the Customer and Moodbeam (collectively, the "Agreements") reflect the Parties’ agreement with regard to the Processing of Personal Data pursuant to the Customer’s distribution and use of devices, data and reporting provided by Moodbeam (collectively, the "Service").
1.2. "Applicable Data Protection Law" means all laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom applicable to the Processing of Personal Data under the Agreements as amended, replaced or updated from time to time, including but not limited to:
1.3. "Processing", "Personal Data", "Data Controller", "Data Processor", "Sub-Processor", "Personal Data Breach", "Data Protection Impact Assessment", "Data Subject", "Data Subject Rights", "Third Countries" and "Supervisory Authority" have the meaning ascribed to them in Applicable Data Protection Law.
2.1. This DSA applies to the sharing of Personal Data by Moodbeam with the Customer ("Data Sharing") as set out in Agreements executed by the parties insofar as the Processing (including sharing) of that Personal Data is subject to Applicable Data Protection Law.
2.2. The subject matter, nature and purpose of the Data Sharing, the categories of Personal Data, and the types of Data Subjects are those set out in Schedule 2.
2.3. The Personal Data shall not be shared or re-used by the Customer for any purpose incompatible with the purpose for which it has been shared with the Customer by Moodbeam.
3.1. The Parties hereby agree that they are separate Data Controllers of the Personal Data obtained and shared pursuant to this DSA.
3.2. Each party will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed for their own purposes.
3.3. The Parties are separately responsible for the lawful processing of Personal Data, informing Data Subjects about the use, including sharing, of their Personal Data, the security of Personal Data, ensuring Data Subjects can exercise their rights and applying any other relevant provisions of Applicable Data Protection Law.
3.4. The Parties must ensure that appropriate agreements are in place with any Data Processor that Processes Personal Data on their behalf in connection with the means by which Personal Data is shared.
3.5. Each party must immediately inform the other if, in its opinion, a request for Personal Data to be shared infringes Applicable Data Protection Law or other Union or Member State data protection provisions.
3.6. The Customer warrants that it has all necessary rights, including consents, to request that the Personal Data are shared with it by Moodbeam.
4.1. To the extent required by Applicable Data Protection Law, the Customer is responsible for ensuring that any necessary Data Subject consents to the Data Sharing are obtained, and for ensuring that a record of such consents is maintained.
4.2. The Parties agree that the Customer:
4.3. Should consent to the Data Sharing be revoked by the Data Subject in any communication with Moodbeam, Moodbeam will immediately stop sharing that Data Subject’s Personal Data with the Customer.
4.4. Should consent to the Data Sharing be revoked by the Data Subject in any communication with the Customer, the Customer is responsible for promptly communicating the fact of such revocation to Moodbeam.
4.5. Except for the Personal Data the Customer has a lawful purpose under Applicable Data Protection Law to retain after consent to the Data Sharing has been revoked by the Data Subject:
4.6. For all Personal Data it has a lawful purpose to retain under Applicable Data Protection Law, the Customer will notify Moodbeam and the Data Subject in writing of:
5.1. At least once a year the Parties shall consider whether this DSA requires review.
5.2. The Parties agree to each nominate a representative to liaise with the other party. Both representatives are authorised to act on behalf of the Parties on all matters relating to the management of this DSA. The names and contact details of the representatives are given in Schedule 1.
5.3. In the event of any named individuals being replaced, their successor will assume responsibility under this Agreement.
5.4. Each party’s representative shall have the following responsibilities, as a minimum, under this Data Sharing Agreement:
6.1. Without prejudice to any existing contractual arrangements between the Parties, each party must treat all Personal Data obtained and shared pursuant to this DSA as strictly confidential.
6.2. The obligations of confidentiality will apply during the term of this DSA and will survive indefinitely upon termination of this DSA.
7.1. The Customer must make the Personal Data shared with it by Moodbeam available only to those personnel performing services in connection with the research project(s) in which Moodbeam devices are in use.
7.2. The Customer must take commercially reasonable steps to ensure the reliability of any personnel engaged in the processing of the Personal Data shared with it by Moodbeam.
7.3. The Customer must ensure that all personnel engaged in the processing of the Personal Data shared with it by Moodbeam have:
8.1. Each Party must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the Personal Data shared with it. These measures will include as appropriate:
8.2. Each Party will, at all times, have in place an appropriate written security policy with respect to the processing of Personal Data.
9.1. Each party will maintain records of Processing activities documenting the Data Sharing. The Parties shall cooperate to fulfil the obligation to maintain such records. Any material change made by a party shall be notified to the other party without undue delay. Each party shall bear its own costs for its own records of Processing Activities.
9.2. At the request of the other, each Party must make available all relevant information necessary to demonstrate compliance with Applicable Data Protection Law and shall allow for and contribute to audits, including inspections, by the other (or an independent, third-party auditor appointed by them) in relation to the Processing of Personal Data shared pursuant to the provision of the Service.
9.3. Any audit shall be carried out on reasonable prior written notice of no less than 30 days and shall not be carried out more than once a year.
9.4. Third-party auditors appointed by the Customer must be independent and must not be competitors of Moodbeam.
10.1. The Customer must immediately notify Moodbeam of any permanent or temporary transfers of Personal Data shared with it by Moodbeam to a country outside of the European Economic Area without an adequate level of protection within the meaning of Applicable Data Protection Laws.
10.2. To the extent that the Parties are relying on a specific statutory mechanism to normalise international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Parties agree to co-operate in good faith to promptly terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
11.1. Each Party must notify the other without undue delay after becoming aware of any breach of security and/or confidentiality leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place.
11.2. Any notifications made under this clause 11 shall contain:
11.3. Each Party must make reasonable efforts to identify the causes of such a breach and must take necessary and reasonable steps in order to remediate the cause of the breach.
11.4. Upon request, each Party shall provide the other with reasonable co-operation and assistance to fulfil the Parties’ obligations under GDPR to notify a Personal Data Breach to the Supervisory Authority and to communicate a Personal Data Breach to the Data Subject. Provided the Personal Data Breach is not due to Moodbeam’s breach of its obligations under this Data Sharing Agreement, the Customer will be responsible for any cost arising from Moodbeam’s provision of such assistance.
12.1. Each party must, to the extent legally permitted, promptly notify the other if it receives a request from a Data Subject to exercise any of the Data Subject’s rights under Applicable Data Protection Law.
12.2. To the extent the Customer, in its use of the Service, does not have the ability to address a Data Subject request, Moodbeam shall, upon the Customer’s request, provide commercially reasonable efforts to assist the Customer in responding to such requests, to the extent Moodbeam is legally permitted to do so and the response to such Data Subject request is required under Applicable Data Protection Law. The Customer will be responsible for any cost arising from Moodbeam’s provision of such assistance.
13.1. Upon the Customer’s request, Moodbeam shall provide the Customer with reasonable cooperation and assistance needed to fulfil the Customer’s obligations under the Applicable Data Protection Law to carry out a Data Protection Impact Assessment related to the Service and the Data Sharing to the extent the Customer does not otherwise have access to the relevant information, and to the extent such information is available to Moodbeam. The Customer will be responsible for any cost arising from Moodbeam’s provision of such assistance.
13.2. Upon the Customer’s request, Moodbeam shall provide the Customer with reasonable cooperation and assistance needed to fulfil the Customer’s obligations under Applicable Data Protection Law to implement and maintain appropriate organisational and technical measures insofar as this relates to Moodbeam’s services in scope of this Data Sharing Agreement. The Customer will be responsible for any cost arising from Moodbeam’s provision of such assistance.
14.1. Moodbeam shall assist the Customer in ensuring compliance with the obligations pursuant to prior consultations with supervisory authorities required under Article 36 of the GDPR taking into account the nature of Personal Data being shared and the information available to Moodbeam. The Customer will be responsible for any cost arising from Moodbeam's provision of such assistance.
14.2. The Parties will cooperate with competent Supervisory Authorities as required by the GDPR.
14.3. If a party is subject to investigative or corrective powers of a Supervisory Authority, it must inform the other without undue delay, insofar as it relates to the Processing of Personal Data covered by this Data Sharing Agreement.
14.4. Parties shall provide reasonable assistance to each other to fulfil the obligation to cooperate with Supervisory Authorities. Each party is responsible for its own costs arising from the provision of such assistance.
15.1. Moodbeam indemnifies the Customer and holds the Customer harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Customer and arising directly or indirectly out of or in connection with a breach of this Data Sharing Agreement and/or the Applicable Data Protection Law by Moodbeam.
15.2. The Customer indemnifies Moodbeam and holds Moodbeam harmless against all claims, actions, third party claims, losses, damages and expenses incurred by Moodbeam and arising directly or indirectly out of or in connection with a breach of this Data Sharing Agreement and/or the Applicable Data Protection Law by the Customer.
16.1. Except for the Personal Data the Customer has a lawful purpose under Applicable Data Protection Law to retain after the effective date of termination of the Main Service Agreement:
16.1.1. the Customer shall, at the discretion of Moodbeam, either delete, destroy or return all Personal Data to Moodbeam and destroy or return any existing copies.
16.2. For all Personal Data it has a lawful purpose to retain under Applicable Data Protection Law, the Customer will notify Moodbeam in writing of:
17.1. In the event of any inconsistency between the provisions of this DSA and the provisions of any other agreement, the provisions of this DSA shall prevail.
17.2. In this DSA the singular includes the plural and vice versa, as the context admits or requires.
17.3. If any provision or part-provision of this DSA is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of the DSA.
17.4. This DSA is governed by the laws of England. Any disputes arising from or in connection with this DSA shall be brought exclusively before a competent court of the Jurisdiction.