Terms and Conditions
Last updated: November 2024
Applicability of these Terms
1.1 These Terms and Conditions (“T&Cs” or “Terms”) govern the access to, and use of (in the broadest sense of the word) our Website, NU Pro Platform, Services and/or App. These Terms, are an integral part of a legally binding agreement between you and NU.
1.2 By using our Website and Services, you acknowledge to have read, understood, and agree to be bound by, the Agreement.
Who are we?
2.1 This Website and the Services are offered to Partners by NU, and any agreements concluded in this regard will be concluded with THE NU B.V. (“NU,” “we,” or “us” or “our”) and related to the provision of Services that helps Partners (“you” or “your”) to offer certain biological testing and health span optimization services to their) Clients.
2.2 Our registered (and visiting) address is J.H. Oortweg 21 (2333 CH) in Leiden, the Netherlands.
2.3 You can contact us via e-mail at support@thenu.com. We do not offer first-line customer support to Clients concerning any use of the Services. You remain at all-time responsible to offer first-line customer support services to your Clients. The Terms of Service to which Clients are bound for their use of the Services as applicable, can be found using this link.
2.4 Our VAT identification number is NL861513691B01.
Definitions / Terminology
3.1 For the purpose of the Agreement, the following terms shall have a special meaning.
(a) Active Client Account: A Client Account with an ongoing Client Subscription Plan with a subscription period which is still in effect and has not yet expired.
(b) Admin: Any person assigned by the Partner to have an administrator role and access rights to the Partner’s NU Pro Platform.
(c) Agreement: the purchase agreement concluded between Partner and NU for the provision of the Services and/or use of the NU Pro Platform which consists of these Terms, and any order(s) placed with us by the Partner for the provision of further Services (e.g. directly though the Website or otherwise, if applicable).
(d) Authorised User: any person (i.e. Client, Operator, Admin or Practitioner) granted access to the NU Pro platform and/or Services by you (or by NU acting on your instructions, if applicable) in accordance with these Terms.
(e) Client Account: A registered account created by an Admin or Practitioner to register a Client in the NU Pro Platform.
(f) Client(s): any natural person who is a client of Partner or of a Partner’s Corporate Client, and for who Partner or Partner’s Corporate Client has purchased the Services as described in the Agreement.
(g) Direct Damages: all costs, losses or damages, whatever the legal basis thereof (i.e. tort, contract or otherwise), directly attributable to a Party’s material breach of the Agreement.
(h) Indirect Damages: all costs, losses or damages which do not qualify as Direct Damages. Regardless of its qualification under the previous sentence, Indirect Damages shall always include: indirect damages, punitive damages, consequential damages, loss of profits, loss of data, loss of savings, immaterial damages, and damage due to business interruption or delays.
(i) NU: THE NU B.V. or the company registered with the Chamber of Commerce in the Netherlands (Kamer van Koophandel) as 78739152; also referred to as “we”, “us” or “our”.
(j) NU App: the mobile and web-based application version of the NU Pro Platform which is accessible through Active Client Accounts or Operator Accounts.
(k) NU Output: results of NU data processing available via the NU Pro Platform and NU App.
(l) NU Pro Platform: NU’s self-serve platform accessible at the Website through which Partner can access Services provided by NU.
(m) Operator Account: A registered account to access Partner’s NU Pro Platform, with either the administrator or the practitioner role and access rights (as assigned by the Partner).
(n) Parties: NU and the Partner, together.
(o) Partner: the legal entity that has entered into the Agreement with NU for the provision of the Services.
(p) Partner’s Corporate Client: any legal entity for who Partner has purchased the Services as described in the Agreement and who will provide the Services to its Client(s). (q) Party: either NU or the Partner, depending on the context.
(r) Practitioner: Any person assigned by the Partner to have a practitioner role and access rights to the Partner’s NU Pro Platform .
(s) Samples: Client’s saliva, stool, blood, and/or other biological samples acquired in the context of our Services.
(t) Self-reported Health Information: Information volunteered by Clients about their health or lifestyle in response to the questionnaires (“Health Questionnaire(s)”) which are mandatory to help tailor the Services to the Clients’ specific needs.
(u) Services: the collection of services and offerings offered by NU via the NU Pro Platform, Website and NU App.
(v) Subscriptions: the Services ordered by Partner for which the Partner is obliged to pay a recurring annual fee.
(w) Supported Format: the format indicated by NU as supported (for example, but not limited, to i) blood tests: pdf or csv file; ii) genome tests: SNP raw data txt file; iii) for gut microbiome: .idat; and iv) for epigenome: FASTQ).
(x) Terms: an abbreviation used to refer to these terms of service (i.e. this document you are currently reviewing).
(y) Test Result: A test result file of a single blood, genome, epigenome, gut microbiome, or other test in a Supported Format.
(z) Testing Kits: Boxes containing saliva testing kits, stool testing kits, and other testing kits including corresponding user instructions manuals and activation codes available for purchase via the NU store in the NU Pro Platform. Testing Kits may be NU branded or co-branded.
(aa) Trial Period: the period of 14 calendar days or such other period as determined by NU, which may be offered to the Partner to test the use of the Website, NU Pro Platform and/or Services without any payment obligation, and during which NU will set up one (1) Operator Account for the Partner and allow or revoke the access to the NU Pro Platform in the scope as determined by NU in its sole discretion.
(bb) Website: the website(s) through which we offer our Services and the NU Pro Platform, available at the following URL(s): https://pro.thenu.com, regardless of how you view them (e.g. via the NU App or browser).
Services offered via the Website and NU Pro Platform
4.1 Our Services are solely offered to Partner and shall not be used by other group entities of Partner or any affiliated entities.
4.2 A minimum of one active Operator Subscription shall be maintained by the Partner to be able to use the Services. The purchase of Services for Clients is only possible for Active Client Accounts.
4.3 Our Services may also entail providing you with support during the ordering process, onboarding support and ongoing support on the use of NU Pro Platform, providing you with general instructions on how to use the Testing Kits, and providing you with reasonable assistance if the Testing Kits appear to be faulty.
4.4 In the performance of our Services, we may procure goods and services from third parties at our own discretion. For example, we do not manufacture the testing kits ourselves. To the extent that blood samples are required, those are collected by our local providers. Testing and analysis of the saliva and stool samples is performed via NU partner laboratories. These third-party services may result in the processing of Client personal data. In such cases, NU will have in place or enter into data processing agreements with each sub-processor that processes Client personal data on its behalf.
4.5 All requests for Services or purchased Services are subject to availability and acceptance of the order by NU and we reserve the right to refuse Services to any partner if we suspect that it does not meet the relevant criteria or if you have otherwise violated this Agreement.
4.6 Despite our best efforts, we may not be able to fulfill your order. As such – and in addition to any other rights to refuse or cancel any order - we reserve the right to refuse or cancel your order for any of the following reasons:
(a) the Services (or part of it) ordered are no longer available;
(b) the pricing was an obvious mistake, and we cannot reasonably be asked to accept such a pricing error;
(c) your payment was not received or could otherwise not be properly processed;
(d) we reasonably suspect your order to not be in compliance with the Agreement;
(e) you and/or your Client did not use a Testing Kit in accordance with the instructions provided with it;
(f) the address, e-mail address and/or other information that you provided to us is invalid or we are otherwise unable to deliver Services to you; or
(g) we cannot make the Services available to you due to a situation of force majeure (overmacht).
Parties’ Responsibilities
5.1 Depending on the Services and Subscriptions purchased by Partner, NU will create the applicable amount of Operator account(s) within 48 hours (work days only) of the purchase date. You will have access to a dedicated NU Pro Platform dashboard, through which you will be able to purchase and/or manage (additional) Client and/or Operator Accounts assign Admin and/or Practitioner rights to Operator Accounts purchase additional Subscriptions and Testing Services, and have access to other the NU Pro Platform features as referenced in your purchase order. If explicitly agreed upon by Parties, NU will support you with the bulk creation of Client Accounts and the upload of relevant Client data. All Services offered by NU are explicitly offered and provided on a best-effort basis (inspanningsverplichting).
5.2 If applicable, Partner is solely responsible for:
(a) Providing NU with the full name(s) and email address of each Operator in time in order to enable NU to set up Operator accounts;
(b) Assigning admin and/or practitioner role and access rights to Operator Accounts;
(c) Creating and managing Client Accounts, which are fully and solely managed by you;
(d) Assigning the relevant Client Accounts to the relevant Practitioner;
(e) Selecting, purchasing and managing the Subscription for each Client;
(f) Granting and/or revoking access to the NU App for each Active Client Account;
(g) Purchasing Testing Services (which come with respective Testing Kits);
(h) Providing Clients with Testing Kits where needed, instructing them on sample collection and the use of NU-provided prepaid return envelopes, or alternatively, returning the Samples to NU on the Clients' behalf;
(i) Selecting and Purchasing additional Operator Subscriptions;
(j) Uploading Test Result(s) in a Supported Format(s) to each Active Client Account, if applicable, and submitting these to be processed by NU. NU has the right to reject Test Results if they are not uploaded in the right Support Format(s) or miss other relevant necessary information;
(k) Managing and upgrading or downgrading to a lower or higher tier Subscription plan and/or other type of Service, if applicable, depending on the needs of you and/or Client;
(l) Completing the Health Questionnaire for every Client or invite the Client to complete the Questionnaire via the NU Pro Platform where supported, and providing NU with Self-reported Health Information by uploading it to each corresponding Client Account, if necessary;
(m) Informing Clients about their rights and obligations in relation to their use of the Services, Website, NU Pro Platform and NU App;
(n) Providing and maintaining valid payment method information and billing details on the Website;
(o) Managing and maintaining the relevant company setting in the admin section provided in the Website; and
(p) Deleting inactive Client Accounts upon expiry of the relevant Client Subscription Plan and saving all relevant data from that Client Accounts.
DISCLAIMER OF MEDICAL ADVICE AND TREATMENT
6.1 The information and Services provided or made available to you and your Client by us and/or via the Website, NU Pro Platform and/or NU App, do not constitute medical advice or treatment, nor are they suitable for independently diagnosing, treating, or preventing diseases or health conditions. The information and Services are only meant for educational, recreational and enjoyment purposes and they are not a substitute for medical advice, clinical diagnosis, or treatment by an appropriate qualified medical professional.
6.2 You hereby acknowledges that you are aware of the limitations of our Services and the limitations of the information provided via the Website, NU Pro Platform and/or NU App. Moreover, by using our Services, you assume full liability for your reliance and your Clients’ reliance on the Services and the information provided to you in the course of that. In addition, you warrant that you will warn Clients of the nature of this Service that it is no substitute to medical advice prior to providing them access to the Services.
Delays
7.1 Despite our best efforts, the provision of the Services order may be delayed. For example, the delivery of NU Output may be delayed if you or the Client fail to provide Samples or Self- Reported Health Information in full or on-time. Sometimes, NU may not be able to process a Sample, or our testing process may result in errors due to several reasons which may include Samples containing insufficient volume or the testing results not meeting standards for accuracy (we call these ‘Sample Failures’). This may lead to unexpected delays in processing the Sample. In such cases, we will notify you of the Sample Failure and details applicable to processing a new Sample in place of the failed Sample.
7.2 Other reasons for delays may arise from situations of force majeure (incl. severe backlogs, strikes, employee sickness, pandemics, IT- failures, etc.) on our part or on the part of our partners.
7.3 While we endeavor to take commercially reasonable steps to minimize such delays, we shall not be liable to you or to any third party for any such delays associated with the Services.
Use of Testing Kits
8.1 Testing Kits received from NU must only be used for the purposes for which they were advertised and must be used before the expiry dates indicated on each item.
8.2 Testing Kits are personal and must only be used by the Client for whom they are intended. You explicitly agree to not share them with or make them available to any third parties other than the ones they are intended for.
8.3 We retain all title and interest (eigendom) to the Testing Kits supplied to you until you have paid us for the related order in full and compensated us for any damages suffered by us as a result of your breaching the Agreement.
Third party services and content
9.1 Please be aware that your use of third-party goods and services may be subject to additional terms and conditions (e.g. end-user license agreements or EULA’s, instruction manuals). You warrant that you and your Authorised Users will comply with all such referenced additional terms and conditions.
9.2 Moreover, in order to provide you with a better user experience of the Website, we may require the use of third-party technology components which may be subject to your agreement to terms and conditions supplied by these third parties. We strive to indicate the applicability of such additional terms and conditions where possible in a clear manner and will provide these terms and conditions upon your request.
9.3 We may also display, link or provide you with third party content via the Website, App and/or NU Pro Platform (e.g. via frames or hyperlinks). That content is the sole responsibility and liability of the third party making it available to you. We have no control over such third-party content. We do not make any warranties, representations, or guarantees with respect to the accuracy, veracity or legal status of such third-party content and disclaim any liability in this regard. We encourage you to read the terms and conditions and privacy notices provided by such third parties on their own website.
Prohibited use of the Services, NU Pro Platform and Website
10.1 When using our Website, NU Pro Platform or Services, you are responsible to ensure that you and your Authorised Users must:
(a) use best efforts to protect the confidentiality and security of your NU Pro Platform account, Operator Account and any Client Account, and login details for the NU Pro Platform and Website;
(b) not threaten or harass other users;
(c) not attempt to bypass geographical or other technical restrictions imposed by us on the Service, NU Pro Platform or Website;
(d) not remove, obscure, or alter any proprietary rights, marks, or notices that may be affixed to or contained in the Service, NU Pro Platform or Website;
(e) not use our Website, NU Pro Platform, Testing Kits, or Services for the processing of infringing or otherwise unlawful content;
(f) not infringe upon NU’s or a third parties’ intellectual property rights, and not commit any other wrongful acts towards NU or any other third party;
(g) not use our Website, Testing Kits, NU Pro Platform or Services for commercial purposes or any other purposes not expressly approved by us, without our prior written consent;
(h) not make available our Testing Kits, NU Pro Platform, or Services to third parties except the ones expressly permitted by us;
(i) not use automated means to access, copy, or otherwise engage with our Services, NU Pro Platform or Website, beyond using interfaces explicitly provided by us for use by our Users;
(j) not interfere with, limit or impede access to or use of the Website, NU Pro Platform or Services for other users;
(k) not acquire access to other users’ accounts, otherwise acquire access to any parts of our Website, NU Pro Platform or Services of which you are aware or should reasonably be aware that they were not supposed to be available or accessible to you;
(l) not adapt, modify or reverse engineer the Website, Testing Kits, NU Pro Platform, or Services, except insofar as such actions cannot be excluded under applicable law, without our explicit prior written consent;
(m) not intentionally test the security of our Website, NU Pro Platform or Services, without our explicit prior written consent;
(n) not resell or otherwise re-provide (access to) our Website, Services, Testing Kits or the NU Pro Platform, without our explicit prior written consent;
(o) not tarnish our reputation;
(p) comply with all our instructions (and those of our partners) regarding the use of Testing Kits, NU Pro Platform, Services and the Website, including the Agreement; and
(q) comply with all applicable laws and regulations regarding online conduct, non- discrimination, intellectual property rights and data protection.
Fees and invoicing
11.1 Rates and pricing are in Euros (EUR) or other appropriate local or international currencies. For Services and Subscriptions purchased online through the Website, the prices that apply are the prices indicated on the Website at the time of purchase and as confirmed in the order confirmation. Our pricing does not include any import taxes and or customs duties. When you order from us, you agree to be responsible for paying any and all such taxes or duties at the time of delivery, as applicable.
11.2 Services can be ordered using the 3rd party payment methods indicated during the ordering process, subject to their availability.
11.3 You shall pay all fees agreed upon to us on time and in full in accordance with the Agreement. You acknowledge and agree that your (and your Clients’) continued access to Website, NU Pro Platform and/or Services is conditional on your payment obligations being continuously completed. laws and regulations regarding online conduct, non- discrimination, intellectual property rights and data protection.
11.4 All fees for the first purchased Subscription and/or for any other type of Services must be paid upfront before use of such purchased Subscription and/or other type of Service. For any additional Subscription you purchase, we use monthly billing cycles, so that your annual Subscription fee will be charged and invoiced in full at the end of the next billing cycle. Billing cycles are set on a monthly basis from the first purchased Subscription. You agree that we may accumulate charges incurred during a billing cycle and submit them as one or more aggregate charges at the end of a billing cycle. To the extent that you upgrade or downgrade to a lower or higher tier Subscription plan throughout an already active term of Subscription, if applicable, the fees for these will be pro-rated on a monthly basis, and charged and invoiced at the end of the next billing cycle.
11.5 NU is entitled to change the fees due for its Subscription services periodically without your consent being required at the start of each new term of your Subscription(s). NU will inform you of any fee changes at least 60 days prior to the start of your new Subscription giving you time to terminate your Subscription prior to the fee changes taking effect.
11.6 You shall notify us in writing of any disputed invoices within ten calendar days after receipt of the invoice. You shall not be able to dispute invoices after expiration of this term. You are not entitled to set-off (verrekenen) or withhold (inhouden) against invoiced amounts, any debt or sum which may be owed to you by NU.
Term and Termination
12.1 The Agreement shall commence from the moment of first use of the Website, NU Pro Platform or Services by the Partner, either as part of a free trial offered by NU or as a result of Partner’s purchase of Services, and shall remain in force either until expiry of the Trial Period or as long as the Partner maintains at least one active Subscription, as applicable. Each Subscription (e.g. Operator Subscription, Client Subscription, Branding Plan) shall start on the date of purchase of the said Subscription on the Website, unless specified otherwise in the online store on the Website. Each such Subscription is a separate 12 month-term commitments and shall automatically renew for a period of twelve (12) months unless either Party provides the other Party with a written notice of termination at least 30 days prior the end of the then applicable Subscription term, unless specified otherwise in the online store on the Website.
12.2 NU will send auto-renewal notifications to you at least 60 days before the auto-renewal date 5for each Subscription. Partner is aware that as set out in Clause 0, Subscriptions may have deviating end dates. This Agreement shall automatically terminate upon expiration or termination of all Subscriptions.
12.3 This Agreement and Subscriptions governed by it may only be terminated to the extent that this is provided for within this Agreement.
12.4 You may terminate a Subscription for convenience (opzeggen) but you will be required to serve out all obligations pertaining to that Subscription until the end of the term for that Subscription with the termination thus preventing the auto-renewal of the Subscription and the termination thus taking effect only for that Subscription at the end of the then current term for that Subscription. Such termination does not entitle you to a (pro rata) refund of any kind.
12.5 You may terminate a Subscription with immediate effect for cause (ontbinding) in the event that we materially breach any of our obligations under the Agreement and do not cure such breach fully within thirty (30) calendar days after receipt of your written notice of default (ingebrekestelling) demanding to do so. If we are in default in accordance with the previous sentence, we will reimburse you within thirty (30) calendar days, on a pro-rated basis, for fees paid for Services receivable after the date of receipt of your notice of termination on a pro-rated basis.
12.6 A breach or default by us in relation to one Subscription shall not provide you with the right to terminate other Subscriptions unless we are in default under all those other Subscriptions as well.
12.7 Termination, for whatever reason and on whatever grounds, shall never relieve you of accrued payment obligations, nor shall payments that we have already received from you be subject to any obligations to undo (ongedaanmakingsverbintenissen), unless otherwise described in this Clause 12.
12.8 We may terminate one or more Subscription(s), or the Agreement as a whole, for cause (ontbinden) if you are in default of your related payment obligations towards us or if you are otherwise in default of this Agreement.
Suspension or termination of Services or access to the Website & indemnification
13.1 We are entitled to suspend or terminate for cause, with immediate and indefinite effect, and without prior notice, any Subscription if you (or your Authorised Users, where applicable), to be determined at our sole discretion, fail to comply with any of your responsibilities mentioned in Clause 0 or other parts of the Agreement. You will not be entitled to any compensation or refund for this.
13.2 Notwithstanding Clause 0, we will use reasonable efforts to notify you of any decision to suspend or terminate your Subscription prior to such a decision coming into effect.
13.3 If you (or your Authorised Users, where applicable) fail to comply with the Agreement and cause damages, our decision to suspend or terminate your Subscription will not affect our entitlement to also seek compensation for damages and we expressly reserve the right to seek compensation of damages and costs.
13.4 You hereby agree to indemnify us and hold us (and our business partners) harmless against any claims for damages arising out of any breach of the Agreement attributable to you or your Authorised Users.
User Generated Content
14.1 You and/or your Authorised Users may be able to store, upload, submit or otherwise cause content (including feedback, suggestions and recommendations) to be processed via our Website, NU Pro Platform or Services (“User Content”). For avoidance of doubt, personal health data, including Self-Reported Health Information that you or your Authorised Users may store, upload, or submit via our Website, NU Pro Platform, or Services is User Content. You warrant and represent that (i) you and your Authorised Users are entitled to provide us (and our partners) with such User Content without infringing any third-party rights, including intellectual property rights and privacy rights; and (ii) the User Content is accurate and not misleading.
14.2 You agree to indemnify and hold us and our partners, and our directors and employees, harmless from and against all third-party liabilities, claims, damages and expenses (including reasonable attorney fees) arising from or relating to any User Content stored, uploaded, submitted or otherwise processed via the Services, NU Pro Platform or Website by you or the Authorised Users.
14.3 We are entitled to remove any User Content stored, sent or otherwise processed via our Services, NU Pro Platform or Website if necessary to protect our rights or the rights of Clients and third parties. We are entitled to do so with immediate effect and without prior notice, but we will try to inform you in advance to give you reasonable time to mitigate the infringement yourself. To the extent permitted by law, we will inform you of any reports we receive from a third party alleging your or your Authorised Users’ infringement of their rights.
14.4 User Content and data generated based on this User Content for a specific Client shall belong to Partner.
14.5 You hereby grants us a worldwide, royalty- free, fully-paid, non-exclusive license to: (i) use the User Content for purposes of providing (and improving) the Services, NU Pro Platform, and Website to you or your Authorised Users, and (ii) use, in perpetuity, the User Content in pseudonymized, anonymized and/or aggregated form for internal business purposes, including the improvement of our Services, NU Pro Platform and the Website. You hereby waive any moral rights (morele rechten) that you may have to such User Content or agree to not enforce them in any way against us.
Changes to the Website, NU Pro Platform and Services
15.1 We are entitled to change, modify, revise and/or update the Services, NU Pro Platform and the Website, at any time and at our sole discretion. We aim to do so with minimally adverse impact on your or your Authorised Users’ access to or use of the Services, NU Pro Platform and Website and will use best efforts to inform you of any maintenance in advance.
Relationship between the Parties
16.1 The Parties consider each other independent contractors and nothing in this Agreement shall be construed to create a partnership, agency, joint venture or employment relationship between the Parties.
16.2 Neither Party is authorized to or will represent itself to be an employee or agent of the other or enter into any agreement with a third party on the other’s behalf of or in the other’s name.
16.3 Each Party will be solely responsible for the payment of all compensation to all its personnel, as well as for payment of all related withholding taxes, social security, workers’ compensation, unemployment and disability insurance or similar items required by any government agency. Neither Party’s personnel will be entitled to any benefits paid or made available by the other Party to its employees, including, without limitation, any vacation or illness payments, or to participate in any plans, arrangements or distributions made by the other Party pertaining to any bonus, stock option, profit sharing, insurance or similar benefits.
Processing of personal data
17.1 NU and you will comply with all applicable laws and regulations for the processing of personal data, including the General Data Protection Regulation (GDPR).
17.2 NU and you shall process personal data in accordance with the Data Processing Agreement (Annex 1 to this Terms). Should you be located outside of the with Economic Area (“EEA”), then Annex 2 of the Data Processing Agreement (Module 4 of the Standard Contractual Clauses of the European Commission) shall apply as well.
17.3 If the processing of Client personal data involves the processing of special personal data, you warrant and guarantee that you, in your capacity as Controller, have obtained an appropriate legal basis under Article 9 GDPR (e.g. explicit consent) for the processing of such special personal data and that NU may rely on this. NU shall never be liable for Direct Damages or Indirect Damages resulting from your failure to comply with this Clause 17.3.
17.4 You warrant and guarantee that you shall ensure, and for this purpose secure appropriate authorizations from Clients, that NU is entitled to use personal data relating to Clients and Authorized Users in pseudonymized, anonymized and/or aggregated form for internal business purposes, including the improvement of our Services and for development of new offerings by NU.
17.5 You warrant and guarantee that you shall ensure, and for this purpose secure appropriate authorizations from Clients, that:
(a) each Client consents to you and us processing their personal data, including data pertaining to their health, genes and biometry, the data of which may be provided directly by Clients or obtained indirectly from samples provided through agreed upon means, for the provision of our Services (incl. testing, reporting, progress monitoring, coaching, etc.);
(b) each Client is aware of, and consents to, the use of machine learning models and that their data may be used to improve our machine learning models;
(c) each Client is aware that they may withdraw such consent, but that their withdrawal will not affect past processing
(d) each Client consents to having its blood drawn by a phlebotomist to the extent necessary for the Services and as requested.
(e) each Client is aware that NU processes personal data in accordance with its Privacy Policy.
17.6 You hereby agree to indemnify us for claims by Clients resulting from your breach of the Clauses 17.3- 17.5 and acknowledge and agree that NU is not able to provide its Services if you have not fulfilled your obligations under this Clauses and secured appropriate authorizations. NU cannot be held liable for any resulting delays, nor will this entitle you to terminate or suspend your payment obligations.
Confidentiality
18.1 The Parties shall keep confidential any and all Confidential Information and shall not disclose Confidential Information to any third parties other than with explicit prior written consent by the Party by whom it was disclosed, except:
(a) by us to third parties as reasonably necessary to provide to you our Services;
(b) as may be necessary to comply with laws, statutes and regulations, provided that the Party obligated to provide the Confidential Information shall notify the other Party in advance to give that Party sufficient time to take all necessary steps to prevent disclosure, unless such notification is not allowed by mandatory law;
(c) to the extent the Confidential Information is known to the public otherwise than by a breach of the provisions of this Clause;
(d) to the extent the Confidential Information has been in the possession of the recipient Party prior to the disclosure thereof by the disclosing Party as must be demonstrated by the recipient Party via written evidence;
(e) to the extent information which in content is equal to the Confidential Information has been independently developed by the recipient Party without using any Confidential Information of the disclosing Party as demonstrated by the recipient Party by written evidence;
(f) to the extent such Confidential Information has been received from a third party without a duty of confidence to the disclosing Party; or
(g) to the professional advisers of the recipient Party in connection with the interpretation or operation of this Agreement or any regulatory burden or dispute arising from it, provided that the recipient Party has obtained a commitment in writing from these professional advisers to keep the Confidential Information strictly confidential.
18.2 The same duty of confidentiality as mentioned in this Agreement must be imposed on each Party’s staff members and personnel, as well as any third parties engaged by a Party, including its subcontractors and employees of such subcontractors with access to the Confidential Information.
18.3 Upon completion or termination of the Agreement a Party will return all documents or other materials in whatever form which contain Confidential Information of the other Party, or destroy all copies thereof and confirm in writing that all copies of such materials have been destroyed.
18.4 The confidentiality obligations in this Clause shall expire twenty-four (24) months after the Agreement has ended on the grounds of completion, termination or dissolution.
Intellectual property rights
19.1 All our intellectual property rights, including but not limited to any copyrights, trademarks, logos, domain names, design rights, database rights, data processing algorithms and know- how, in connection with the Services, Testing Kits, NU Pro Platform, and the Website, including the selection and arrangement of the user generated content referred to in Clause 14, are and shall remain the sole property of NU and, to the extent applicable, its third party licensors. All intellectual property rights created by NU in connection with performance of the Services will be the sole property of NU.
19.2 The Agreement does not grant you any license or other right to use our trademarks, logo’s, designs or other intellectual property, nor do we transfer any of our intellectual property to you.
19.3 NU shall have the right to use Partner’s name and logo on NU website and business materials. Partner acknowledges that NU will use Partner’s logo and/or design rights as provided by the Partner, for the purpose of providing the “white label” or “co-branding” branding features of the NU Pro Platform, Services or Website to the Partner, as applicable.
Warranties
20.1 We try to provide our Services using a commercially reasonable level of skill and care. Except as expressly described in the Agreement, we exclude to the fullest extent permitted by law all warranties, conditions, or representations with respect to the Testing Kits, NU Pro Platform, the Services and the Website. In particular, we do not make any guarantees or commitments about the reliability, availability, non-infringement or suitability for your needs of our Services and Website. The Services, NU Pro Platform and Website are provided “as is” and “as available”, unless Parties have agreed in writing on a service level agreement.
20.2 Please also be referred to our Medical Disclaimer in Clause 6.
Liability and indemnities
21.1 We are not liable for any damages suffered by you and your Client, directly or indirectly, related to the use of the Testing Kits, NU Pro Platform, Website or Services, regardless of the nature of the claim (i.e. tort, contract or otherwise). In particular, you acknowledge and accept that the Services may not yield the information that you had hoped for or may otherwise generate strong emotions.
21.2 Should the exclusion of liability as stipulated in Clause 0 not be enforceable against you and your Client, our liability shall be limited to the compensation of Direct Damages with a maximum of 100% of the fees paid by you for the relevant Subscription(s) in the last twelve-month period preceding the applicable claim. Notwithstanding the previous sentence, we are never liable for Indirect Damages.
21.3 None of the exclusions or limitations stated in the Agreement shall apply to damages caused by intent or gross negligence.
21.4 You agree to indemnify and hold NU, its partners, and each of their respective directors, employees and agents harmless from and against all liabilities, claims, damages, costs and expenses (including reasonable attorney fees) due to third party claims arising from or related to (a) your (or your Authorised Users’) access to or use of the Testing Kits, NU Pro Platform, Services or Website; (b) your (or your Authorised Users’) use of content of NU Output; and (c) your (or your Authorised Users’) violation of the Agreement.
21.5 We are not liable for any delays or failures in performance of any of our obligation towards you, in whole or in part, if such delay or non- performance is due to any cause beyond our (or any of our subcontractors’) reasonable control.
Applicable law and dispute resolution
22.1 The Agreement are exclusively governed by the laws of the Netherlands, without application of its conflict of laws-rules.
22.2 Parties will first attempt to settle any dispute that arises in the context of this Agreement amicably. All disputes arising in connection with the Agreement, or further agreements resulting therefrom, shall be exclusively settled in accordance with the Arbitration Rules of the Netherlands Arbitration Institute (NAI). The arbitral tribunal shall be composed of one arbitrator. The arbitral tribunal shall be appointed according to the list procedure. The place of arbitration shall be Amsterdam (the Netherlands). Arbitral sessions will be held in Amsterdam. The arbitration will be conducted in English. Any court proceedings in the Netherlands before, during or after the arbitration will - to the extent allowed by law - exclusively be dealt with by the Amsterdam District Court or the Amsterdam Court of Appeal, whichever has jurisdiction, following proceedings in English before the Chambers for International Commercial Matters (Netherlands Commercial Court, which consists of the NCC District Court, the NCC Court in Summary Proceedings and the NCC Court of Appeal). The NCC Rules of Procedure (see www.ncc.gov.nl) apply to these proceedings. This Clause is not intended to exclude Supreme Court appeal.
Miscellaneous
23.1 This Agreement governs the relationship between you and NU, and each agreement that is concluded with you. Together with any specific instructions disclosed to you by NU or its partners before, during or after the receipt of your order (e.g., instructions for the use of Testing Kits) it contains the entire agreement between the Parties with respect to the subject matter and supersede all prior proposals, agreements, understandings, terms, and contemporaneous discussions, whether oral or written, between the Parties concerning the same subject matter.
23.2 This Agreement may be executed in any number of counterparts, each of which, when executed, shall constitute an original, but all the counterparts shall together constitute the one agreement. This Agreement may be executed via a recognized electronic signature service (e.g., Docusign) or it may be signed, scanned and emailed to a Party, and any such signatures shall be treated as original signatures for all applicable purposes.
23.3 Amendments to the Agreement shall only be valid and supersede the original Agreement, if agreed upon in writing by both Parties.
23.4 The Agreement is primarily available in English and all agreements governed by it shall be considered concluded in English. Translations to other languages may be provided for the sake of convenience, but the English original shall always be leading with respect to the interpretation of the Agreement and all agreements governed by it.
23.5 You may not assign, delegate or transfer the Agreement or your rights or obligations hereunder, or any NU Pro Platform account, without NU’s prior written consent.
23.6 Should any provision of the Agreement be or become invalid or unenforceable in whole or in part, the remaining provisions shall continue to apply in full and NU and you agree to negotiate in good faith with respect to a valid and enforceable provision approaching as closely as possible the intent of the invalid or unenforceable provision, in order to replace it.
23.7 All delivery dates and timelines described by NU for delivery will be considered non-binding target dates (streeftermijnen), unless expressly agreed upon in writing by NU.
23.8 Any failure by NU to enforce any provision of the Agreement at any time shall not be deemed to be a waiver of its right under the Agreement, nor shall it prejudice any of its right to take subsequent action.
23.9 Expiry of the Agreement, cancellation or other forms of termination of the Agreement or the Services will not affect any existing obligations of you to NU, nor will it affect any rights or remedies of the Parties that have accrued up until the moment of expiry or termination. In particular, the provisions surrounding liability, and applicable law and dispute resolution shall survive expiry and termination.
23.10 All notices, requests, demands and other legally-relevant communications by you to NU under the Agreement must be in writing and in English language and shall be deemed to have been duly given (i) if sent by registered mail (aangetekende post) to NU with available proof of delivery; or (ii) if sent to NU’s e-mail address listed in Clause 0 with available proof of delivery.
ANNEX 1 – DATA PROCESSING AGREEMENT INCL. EU STANDARD CONTRACTUAL CLAUSES FOR PROCESSOR TO CONTROLLER TRANSFERS
Between NU (hereinafter also: “Processor”) and Partner (hereinafter also: “Controller”); each referred to as a “Party” and together the “Parties”.
- Subject matter of this Data Processing Agreement
1.1 This Data Processing Agreement (“DPA”) applies to the processing of all Personal Data of or provided by Controller or any of its affiliates by Processor in the scope of the Services that are provided by Processor to Controller. Processor processes Personal Data on behalf of Controller within the framework of the Agreement that exists between Controller and Processor, and to which this DPA forms an annex.
1.2 Terms such as “processing”, “personal data”, “controller” and “processor” shall have the meaning ascribed to them in the General Data Protection Regulation (“GDPR”). Definitions used in the Agreement shall apply accordingly to this DPA, unless this DPA expressly provides otherwise.
1.3 The specific personal data that may be processed under the Agreement is described in Annex 1 to this DPA (“Personal Data”). The description in Annex 1 to this DPA (“Annex 1 DPA”) additionally provides for example, but not limited to, the further relevant details of the processing, including the type and categories of personal data processed under the Agreement, as well as the nature and purpose of the processing.
- Processing of Personal Data
2.1 Processor shall only process the Personal Data to the extent that this is necessary for the execution of the Agreement, and only pursuant to documented instructions from Controller.
2.2 Processor shall comply with the GDPR or any other applicable data protection laws, and shall cooperate with Controller to enable compliance for Controller with the GDPR or any other applicable data protection laws. In particular, Processor shall cooperate with Controller to enable Controller to comply with the obligations under article 32 – 36 GDPR.
2.3 Controller hereby instructs Processor to process Personal Data in accordance with the limited purposes and specifications set out in Annex 1 DPA.. Processor shall immediately inform Controller if, in its opinion, an instruction infringes the GDPR or any other applicable data protection laws.
- Confidentiality
3.1 The Parties shall treat all Personal Data that is to be shared between Processor and Controller as strictly confidential.
3.2 Without prejudice to any existing contractual arrangements between the Parties, Processor shall treat all Personal Data as strictly confidential and that it shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of such information and of the Personal Data. Processor shall ensure that all such persons or parties have signed an adequate confidentiality agreement.
3.3 Processor shall ensure that the processing of Personal Data is limited to those employees who have a need to know to perform the Agreement..
- Security
4.1 Without prejudice to any other security standards agreed upon by the Parties, Processor shall take appropriate technical and organizational measures to ensure the security of the processing of Personal Data. These measures shall include, but are not limited to:
(a) measures to ensure that the Personal Data can be accessed only by authorized personnel for the purposes set forth in this DPA;
(b) measures to protect the Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized or unlawful storage, processing, access or disclosure; and
(c) measures to identify vulnerabilities with regard to the processing of personal data in systems used to provide the Services to Controller.
4.2 Processor shall at all times have in place a suitable security policy with respect to the processing of Personal Data, outlining in any case (i) the measures set forth in Clause 0 above and (ii) the requirements set forth in Section 32 GDPR.
- Audits
5.1 Controller has the right to perform an audit not more than once a year and only in order to determine to what extent Processor complies with the provisions of the DPA. Such audit will take place at a time agreed by both Parties. Processor shall cooperate with such audit and shall provide auditors access – on request of the auditor – to information that is reasonably necessary for the purpose of the audit. Controller shall at all times bear the external costs of such audit. The internal costs of making the information available will be borne by the party incurring such costs.
5.2 Processor shall at its own expense cooperate with any audit that is instigated by the relevant authorities, including the Dutch Data Protection Authority and shall provide auditors of such authorities access – on request of the auditor – to the information that is reasonably necessary for the purpose of the audit and to the extent it is statutorily required to do so. This shall include any data that is considered Confidential Information under the Agreement.
- Data breaches and Incident Management
6.1 Processor shall notify Controller of any incident with regard to the processing of the Personal Data and shall cooperate with Controller. Specifically, Processor shall provide Controller with all information necessary to fulfil its legal obligations, such as the obligation to notify incidents under Section 33 and 34 GDPR.
6.2 The term “incident” used in Clause 0 shall at least include the following: (a) a complaint or a request (for information) of a natural person with regard to the processing of the Personal Data by Processor; (b) an investigation into or seizure of the Personal Data by government officials; (c) any breach of the security and/or confidentiality as set out in Section 32 GDPR and/or in this DPA, leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data or any indication of such breach having taken place.
6.3 In case of an incident as referred to under Clause 6.2(c), Processor shall notify Controller of such an incident without undue delay. Such notification includes as much as reasonably possible amongst others, but not limited to, the following information: (i) the nature of the incident; (ii) the date and time upon which the incident took place and was discovered; (iii) the (amount of) data subjects affected by the incident; (iv) which categories of Personal Data were involved with the incident; and (v) which security measures – such as encryption – were taken to prevent unlawful processing of the Personal Data. Controller alone has the right to notify any public supervisory authority or data subject of such an incident.
6.4 Processor shall take all reasonable and necessary corrective actions to mitigate harmful effects and prevent recurrence of such incidents, to the extent the actions are within Processor’s reasonable control. These obligations shall not apply to incidents that are caused by Controller or data subjects.
- Contracting with Sub-Processors
7.1 Processor is permitted to subcontract any of its activities that (partly) consist of processing the Personal Data or require the processing of Personal Data to a sub-processor, and Controller hereby provides its general written authorization. Controller shall at all times have the right to object to the use of a sub-processor on reasonable grounds.
7.2 Processor shall ensure that all sub- processors are bound by the obligations of Processor under this DPA and shall supervise compliance thereof. Processor shall remain fully liable vis-à-vis Controller for any consequences of subcontracting with such third party.
- International Data Transfer
8.1 Processor may permanently or temporarily transfer the Personal Data to a country outside of the European Economic Area without an adequate level of protection without the prior written consent of Controller. This right includes the engagement of a sub-processor that permanently or temporarily transfers the Personal Data to a country outside of the European Economic Area without an adequate level of protection.
8.2 Notwithstanding Clause 0 above, Processor shall at all times comply with Chapter 5 of the GDPR when transferring Personal Data to a country outside of the European Economic Area.
8.3 If parties make use of the Standard Contractual Clauses (“SCCs”) as drafted by the European Commission for the international transfer of personal data to countries outside of the European Economic Area and that do not have an adequacy decision, then such SCCs shall be added to this DPA as Annex 2 (“Annex 2 DPA”).
- Duration and Termination
9.1 This DPA shall come into effect on the effective date of the Agreement and shall remain 12in effect throughout the term of the Agreement and throughout the term during which Processor processes personal data on Controller’s behalf. It shall end automatically when the Agreement is terminated or expires or when Processor no longer processes personal data on Controller’s behalf.
9.2 Termination or expiration of this DPA shall not discharge Parties from obligations meant to survive the termination or expiration of the DPA, including the obligations deriving from Clauses 3, 5, 9, 10 and 11 of this DPA.
- Returning or Destruction of Personal Data
10.1 Upon termination of this DPA, or upon Controller’s written request, Processor shall either destroy or return the Personal Data.
10.2 Processor shall notify all third parties involved with the processing of the Personal Data of the termination of the DPA and shall ensure that all such third parties shall either destroy the Personal Data the Personal Data to Controller.
- Choice of law and forum
11.1 This DPA is governed by the laws of the Netherlands. Clause 0 of the Terms applies mutatis mutandis to this DPA.
- Miscellaneous
12.1 In the event of a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.
ANNEX 1 DPA: DETAILS OF PROCESSING OF PERSONAL DATA
This Annex 1 DPA sets out certain details of the Processing of Personal Data as required by Section 28(3) of the GDPR:
Subject matter: the Services delivered pursuant to the Agreement by Processor. Duration of the Processing: the term of the Agreement, or the duration of the relevant Services pursuant to the Agreement, as applicable, or as otherwise agreed by the Parties in writing or obligatory by law.
2. The nature and purpose of the processing of Personal Data
The Personal Data will be collected and processed to provide the Services to data subjects. Controller collects and receives the Personal Data from the data subject. No further or public sources are used, unless explicitly stated otherwise. The purposes of processing of the Personal data are: - To allow Processor to provide the Services to Controller as described in the Agreement.
3. The types of Personal Data to be processed
The following categories of Personal Data of data subjects may be collected and processed: - Identity data, such as: (full) name(s), date of birth and gender;
- Contact data, such as: (corporate) e-mail address(es) and telephone number(s); - Biological data, such as: saliva, blood, physical characteristics, Test Results, etc.
- Other data, such as: IP addresses and information about end-user devices and visits to the Website.
4. The categories of individuals to whom the Personal Data relates
The categories of individuals to whom the Personal Data relates are the clients or customers of Controller (‘data subjects’) whose Personal Data has to be collected and processed by Processor pursuant to the Agreement that exists between the Parties.
5. The obligations and rights of the Parties
The obligations and rights of Controller and Processor are set out in the Agreement and the DPA.
ANNEX 2 DPA: STANDARD CONTRACTUAL CLAUSES OF THE EUROPEAN COMMISSION
Solely applicable to Controllers that are located outside of the European Economic Area
Clause 1
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Third-party beneficiaries
(e) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause6, Clause 7;
(ii) Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
(iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
(iv) Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
(f) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Interpretation
(g) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(h) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(i) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Docking clause
(j) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(k) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(l) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
(m) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.
(n) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.
(o) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub- processing or as regards cooperation with competent supervisory authorities.
(p) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.
8.2 Security of processing
(q) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
(r) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.
(s) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8.3 Documentation and compliance
(t) The Parties shall be able to demonstrate compliance with these Clauses.
(u) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.
Use of sub-processors NOT APPLICABLE
Data subject rights
MODULE FOUR: Transfer processor to controller
The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.
Redress
(v) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
Liability
MODULE FOUR: Transfer processor to controller
(w) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(x) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
(y) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(z) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
(aa) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
Supervision
NOT APPLICABLE
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Local laws and practices affecting compliance with the Clauses
MODULE FOUR: Transfer processor to controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)
(bb) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(cc) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(dd) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(ee) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(ff) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(gg) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Obligations of the data importer in case of access by public authorities
MODULE FOUR: Transfer processor to controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)
15.1 Notification
(hh) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(ii) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(jj) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(kk) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(ll) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(mm)The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(nn) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(oo) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
Non-compliance with the Clauses and termination
(pp) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(qq) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(rr) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority [for Module Three: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(ss) Personaldatacollectedbythedataexporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
Governing law
MODULE FOUR: Transfer processor to controller
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of the Netherlands.
Choice of forum and jurisdiction
MODULE FOUR: Transfer processor to controller
Any dispute arising from these Clauses shall be resolved by the courts of Amsterdam, the Netherlands.
A. LIST OF PARTIES
MODULE FOUR: Transfer processor to controller
Data exporter(s):
1. Name: NU or Processor as defined in the DPA Address: detailed in the Agreement and/or the DPA
Contact person’s name, position and contact details: the representative as detailed in the Agreement
Activities relevant to the data transferred under these Clauses: the provision of the Services to Partner and its (Partner Corporate) Clients
Signature and date: defined in the Agreement
Role (controller/processor): processor
Data importer(s):
1. Name: Partner or Controller as defined in the DPA
Address: detailed in the Agreement and/or the DPA
Contact person’s name, position and contact details: the representative as detailed in the Agreement
Activities relevant to the data transferred under these Clauses: use of the Services for its Clients
Signature and date: defined in the Agreement
Role (controller/processor): controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: detailed in the Agreement and/or the DPA (Annex 1 DPA)
Categories of personal data transferred:
detailed in the Agreement and/or the DPA (Annex 1 DPA)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
detailed in the Agreement and/or the DPA (Annex 1 DPA)
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): detailed in the Agreement and/or the DPA (Annex 1 DPA)
Nature of the processing:
detailed in the Agreement and/or the DPA (Annex 1 DPA)
Purpose(s) of the data transfer and further processing:
detailed in the Agreement and/or the DPA (Annex 1 DPA)
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
detailed in the Agreement and/or the DPA (Annex 1 DPA)
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
detailed in the Agreement and/or the DPA (Annex 1 DPA), if applicable