Covetrus Ascend Data Protection Addendum (UK)
This Data Protection Addendum (“Addendum”, “DPA”) forms part of the Covetrus Ascend Subscription Agreement (“Master Agreement”) between: (i) Veterinary Solutions Ltd, an English company, registered with company number 04207571 (“Covetrus”) and (ii) the customer (“Customer”).
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Master Agreement. Except as specifically modified below, the terms of the Master Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Master Agreement. Except where the context requires otherwise, references in this Addendum to the Master Agreement are to the Master Agreement as amended by, and including, this Addendum.
Definitions.
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- “Applicable Law” means all applicable laws in (i) the EEA or any EEA Member State and Switzerland, (ii) the UK, (iii) Australia and (iv) New Zealand, and such other laws, rules and regulations to which Covetrus or any of the Subprocessors is subject from time to time;
- “Approved Addendum” means the template Addendum issued by the UK Information Commissioner and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of the Mandatory Clauses;
- “Australian Privacy Laws” means (i) the Privacy Act 1988 (Cth), including the ‘Australian Privacy Principles’ that form part of that Act; and (ii) all other laws applicable in respect of the processing of Personal Data.
- “Customer Group Member” means Customer or any Customer affiliate, being an entity that directly or indirectly controls, is controlled by, or is under common control with, Customer. For purposes of the foregoing, “control” means the ownership of (i) greater than fifty percent (50%) of the voting power to elect directors, or (ii) greater than fifty percent (50%) of the ownership interests;
- “Covetrus Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, Covetrus. For purposes of the foregoing, “control” means the ownership of (i) greater than fifty percent (50%) of the voting power to elect directors, or (ii) greater than fifty percent (50%) of the ownership interest.
- “Customer Personal Data” means any Personal Data Processed by Covetrus on behalf of Customer or a Customer Group Member pursuant to or in connection with the Master Agreement;
- “Data Protection Laws” includes (but is not limited to), EU Data Protection Laws, Swiss Data Protection Laws, UK Data Protection Laws, Australian Privacy Laws, NZ Data Protection Laws or such other applicable privacy laws as may apply from time to time;
- “EEA” means the European Economic Area;
- “EU Data Protection Laws” means the laws implementing or supplementing the GDPR in the EEA, including in the United Kingdom, Switzerland or any other jurisdiction;
- “GDPR” means EU General Data Protection Regulation 2016/679 or where applicable the “UK GDPR”;
- “Mandatory Clauses” means Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses;
- “NZ Data Protection Laws” means the Privacy Act 2020 and any other New Zealand laws and regulations applicable to Personal Data;
- “Services” means the services and other activities to be supplied to or carried out by or on behalf of Covetrus for Customer Group Members pursuant to the Master Agreement;
- “Standard Contractual Clauses” means the clauses adopted by the EU Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance) C/2021/3972;
- “Subprocessor” means any person (including any third party and any Covetrus Affiliate, but excluding an employee of Covetrus or any of its sub-contractors) appointed by or on behalf of Covetrus to Process Personal Data on behalf of any Customer Group Member in connection with the Master Agreement;
- “Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.
- “UK Data Protection Laws” means the UK Data Protection Act 2018 and the UK GDPR, and any new or revised version of these laws that may enter into force from time to time.
- “UK GDPR” has the meaning given in Section 3 of the Data Protection Act 2018.
- The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the Data Protection Laws (or the equivalent terms under the Data Protection Laws) and their cognate terms shall be construed accordingly. Where these terms do not have application under Data Protection Laws (e.g. Australian Privacy Laws), the parties’ obligations will be interpreted to align as closely as possible with the scope of those roles and concepts under the GDPR while still fully complying with the applicable Data Protection Laws.
- In the context of the NZ Data Protection Laws, each of the following terms shall have the same meaning as the following equivalent term that is used and defined in the NZ Data Protection Laws: “Controller” shall have the same meaning as “agency”; “Data Subject” shall have the same meaning as “individual” or “affected individual” (as the context requires); “Personal Data” shall have the same meaning as “personal information”; “Personal Data Breach” shall have the same meaning as a “privacy breach”. In addition, “Processing” means any operation performed on Personal Data, including transfer, storage, disclosure, erasure or destruction and “Processor” means the legal person who holds personal information on behalf of a Controller.
- The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
Authority
- To the extent that Covetrus processes Personal Data pursuant to the Master Agreement and this Addendum, each party acknowledges that, for the purpose of Data Protection Laws, Customer is the Processor when processing Customer Personal Data on behalf of its customers and Covetrus is the Processor.
Processing of Customer Personal Data
Covetrus shall:
- comply with all applicable Data Protection Laws in the Processing of Customer Personal Data applicable to Covetrus’ provision of Services under the Master Agreement; and
- not Process Customer Personal Data other than pursuant to the Master Agreement, or on the relevant Customer Group Member’s documented instructions unless Processing is required by Applicable Laws to which Covetrus or the relevant Subprocessor is subject, in which case Covetrus shall to the extent permitted by Applicable Laws inform the relevant Customer Group Member of that legal requirement before the relevant Processing of that Personal Data.
Each Customer Group Member:
- Instructs Covetrus (and authorises Covetrus to instruct each Subprocessor) to:
- Process Customer Personal Data; and
- In particular, transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Master Agreement; and
- Warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 3.2.1 on behalf of each relevant Customer Group Member.
- Exhibit 1 to this Addendum sets out information regarding the Duration, Nature and Purpose of the Processing, the Categories of Data Subjects and processed Data as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws).
Covetrus shall:
- Covetrus shall take reasonable steps designed to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to the Customer Personal Data, in each case limiting access to those individuals who need to know or access the relevant Customer Personal Data, as necessary for the purposes of the Master Agreement, and to comply with Applicable Laws in the context of that individual’s duties to Covetrus or the Subprocessor, and subjecting all such individuals to confidentiality undertakings or professional or statutory obligations of confidentiality.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Covetrus shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, as set out in Exhibit 2 to this Addendum.
- In assessing the appropriate level of security, Covetrus shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
- Each Customer Group Member authorises Covetrus to appoint (and permit each Subprocessor appointed in accordance with this Section 6 to appoint) Subprocessors in accordance with this Section 6 and any restrictions in the Master Agreement.
- Covetrus may continue to use those Subprocessors already engaged by Covetrus as at the date of this Addendum, subject to Covetrus in each case meeting the obligations set out in Section 6.5. These Subprocessors are listed in Exhibit 3 to this Addendum.
Covetrus shall give Customer at least fourteen (14) days’ prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If Customer does not object to the engagement within the objection period, consent regarding the engagement shall be assumed. If, within 7 days of receipt of that notice, Customer notifies Covetrus in writing of any objections (on reasonable grounds) to the proposed appointment:
- Covetrus shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
- Where such a change cannot be made within 45 days from Covetrus’ receipt of Customer’s notice, notwithstanding anything in the Master Agreement, Customer may by written notice to Covetrus with immediate effect terminate the impacted services to the extent that it relates to the Services which require the use of the proposed Subprocessor.
- On termination of the impacted services pursuant to Section 6.3.2, Customer shall be liable for any contracted fees or charges for the remainder of the term of the Master Agreement and any Order Forms thereunder, except where Customer can prove that the objection to the Subprocessor was due to non-compliance with relevant data protection regulation.
With respect to each Subprocessor, Covetrus shall:
- Before the Subprocessor first Processes Customer Personal Data (or, where relevant, in accordance with section 6.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by the Master Agreement;
- Ensure that the arrangement between, on the one hand, (a) Covetrus or (b) the relevant intermediate Subprocessor and, on the other hand, the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR; and
- Provide to Customer for review such copies of the Customer’s agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Customer may request from time to time.
- Covetrus shall ensure that each Subprocessor performs the obligations under Sections 3.1, 4, 5, 7.1, 8.2, 9 and 11.1, as they apply to Processing of Customer Personal Data carried out by the Subprocessor, as if it were party to this Addendum in place of Covetrus.
- Taking into account the nature of the Processing, Covetrus shall assist each Customer Group Member by implementing appropriate technical and organisational measures, insofar as this is possible, to assist the Customer Group Members’ obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws. Covetrus may apply an additional charge or charges, distinct from any charges or fees payable by Customer under the Master Agreement, for the provision of assistance to Customer in responding to any Data Subject requests. The charge or charges associated with any assistance shall be at Covetrus’ discretion, however they shall be proportionate to any level of assistance and effort expended by Covetrus.
Covetrus shall:
- Promptly notify Customer upon becoming aware of any Subprocessor having received a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
- Ensure that the Subprocessor does not respond to that request except on the documented instructions of Customer or the relevant Customer Group Member or as required by Applicable Laws to which the Subprocessor is subject, in which case Covetrus shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Subprocessor responds to the request.
- Covetrus shall notify Customer without undue delay upon Covetrus or any Subprocessor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow each Customer Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
- Covetrus shall co-operate with Customer and each Customer Group Member and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- Covetrus shall provide reasonable assistance to each Customer Group Member with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of any Customer Group Member by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Subprocessors.
- Subject to compliance with Data Protection Laws relating to Personal Data retention, the deletion, return or other treatment of Customer Personal Data on termination of the Master Agreement shall be managed in accordance with the terms of the Master Agreement.
- Each Subprocessor may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Covetrus shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws or the Master Agreement requiring its storage and for no other purpose.
- Subject to sections 11.2 to 11.3, Covetrus shall make available to each Customer Group Member on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by any Customer Group Member or an auditor mandated by any Customer Group Member in relation to the Processing of the Customer Personal Data by Covetrus.
- Information and audit rights of the Customer Group Members only arise under section 11.1 to the extent that the Master Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Laws (including, where applicable, Article 28(3)(h) of the GDPR).
Customer or the relevant Customer Group Member undertaking an audit shall give Covetrus reasonable notice of any audit or inspection to be conducted under section 11.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to Covetrus’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Covetrus need not give access to its premises for the purposes of such an audit or inspection, unless:
- Customer or the relevant Customer Group Member undertaking an audit reasonably considers it necessary because of genuine concerns as to Covetrus’ compliance with this Addendum;
- A Customer Group Member is required or requested to carry it out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory.
- Save for any disclosures required for compliance with Data Protection Laws, Customer undertakes to keep, and to ensure that its auditors and the relevant Customer Group Members keep, all results or findings from any audit confidential and shall indemnify Covetrus against any and all losses incurred by Covetrus as a result of any breach of this section 11.4.
- The parties acknowledge that Covetrus processes the Customer Personal Data in Australia and other locations inside and outside the EU / EEA. Unless an adequacy decision exists for the respective locations, the Parties herewith agree to the EU Standard Contractual Clauses, which shall become part of this Agreement.
- Covetrus and Customer and all relevant Customer Group Members agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor), as further specified in Exhibit 4 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Customer Personal Data falling within the scope of the GDPR from Customer or the relevant Customer Group Member (as data exporter) to Covetrus (as data importer).
- To the extent that any transfers of Customer Personal Data fall within the scope of the UK GDPR, from the Customer (as data exporter) to Covetrus (as data importer), the Mandatory Clauses shall apply in accordance with Exhibit 6.
- To the extent that any transfers of Customer Personal Data fall within the scope of Swiss Data Protection Law, from the Customer (as data exporter) to Covetrus (as data importer) the Swiss Addendum set out in Exhibit 7 shall apply.
- Covetrus will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on the transfer of personal data to third countries with respect to data subjects located in the EEA, Switzerland, and UK. Covetrus will, upon Customer’s request, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment (“TIA”). Covetrus further agrees to implement the supplementary measures agreed upon and set forth in Exhibit 5 of this DPA in order to enable Customer’s compliance with requirements imposed on the transfer of personal data to third countries under the GDPR. Covetrus may charge Customer, and Customer shall reimburse Covetrus, for any assistance provided by Covetrus with respect to any TIAs, data protection impact assessments or consultation with any supervisory authority of Covetrus.
- Any provision of this agreement that expressly or by implication is intended to come into or continue in force on or after termination or expiry of this agreement shall remain in full force and effect.
The parties to this Addendum hereby submit to the governing law and choice of jurisdiction stipulated in the corresponding exhibit, which for the avoidance of doubt refers to (a) Exhibit 6 where the Customer is established in the UK, (b) Exhibit 7 where the Customer is established in Switzerland and (c) for all other Customers, Exhibit 4 to this Addendum, with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity, termination or the consequences of its nullity and all non-contractual or other obligations arising out of or in connection with it.
- Nothing in this Addendum reduces Covetrus’ obligations under the Master Agreement in relation to the protection of Personal Data or permits Covetrus to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Master Agreement.
Subject to section 13.1, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Master Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the following order of precedence shall apply:
(i) The Standard Contractual Clauses, including, where applicable, any addendum hereto
(ii) This Data Processing Addendum
(iii) The Master Agreement
(iv) Any other Agreement entered into between the parties
Severance - Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained herein.
Customer
Signature__________________________________
Name_____________________________________
Title______________________________________
Date Signed________________________________
Veterinary Solutions Ltd
Signature__________________________________
Name_____________________________________
Title______________________________________
Date Signed________________________________
Exhibit 1:
Details of Processing
List of Parties | |
---|---|
Data Exporter (Customer and Customer Group Member) | Customer as specified in the Master Agreement |
Data Importer | Veterinary Solutions Ltd |
Description of processing | |
Duration of processing | Customer Personal Data shall be processed for the duration of the term, as specified in the Master Agreement. |
Nature of processing | The provision of services, as specified in the Master Agreement, may result in processing of data in at least the following manner: |
Purpose of processing | Provision of the Services described in the SOW to the Master Agreement |
Frequency of transfer | Continuously |
Customer Personal Data | |
Data subjects | |
Data categories | |
Competent Supervisory Authority | Where the data exporter is established in an EU Member State: the supervisory authority of the country in which the data exporter is established is the competent authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: the competent supervisory authority is the one of the Member State in which the representative is established. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: the competent supervisory authority is the supervisory authority of Ireland. |
Exhibit 2:
Technical and Organizational Measures
- Pseudonymisation and Encryption, Art. 32 para 1 point a GDPR
- Stored data is encrypted where appropriate, including any backup copies of the data.
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, Art. 32 para 1 point b GDPR
Confidentiality and integrity are ensured by the secure processing of personal data, including protection against unauthorized or unlawful processing; integrity and availability are ensured by measures to protect against accidental loss, destruction or damage.
Confidentiality
Physical access control
Measures that prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used.
- Physical access control systems
- Definition of authorized persons; management and documentation of individual authorizations
- Regulation of Visitors and external staff
- Monitoring of all facilities housing IT systems
- Logging of physical access
System/Electronic access control
Measures that prevent data processing systems from being used without authorization.
- User Authentication by simple authentication methods (using username/password), including two-factor authentication where adequate
- Secure transmission of credentials (using TLS)
- Automatic account locking
- Suspending inactive sessions
- Guidelines for handling passwords and certificates
- Definition of authorized persons
- Managing means of authentication
- Access control to infrastructure that is hosted by a cloud service provider
- Timely revocation of access for people who no longer need access or leave the company
- Automated alerting on unauthorized login attempts to systems directly or indirectly connected to personal data
- Unique credentials per user
Internal Access Control
Measures that ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage.
- Automatic and manual locking
- Access right management
- Access right management including authorization concept, implementation of access restrictions, implementation of the “need-to-know” principle, managing of individual access rights.
Isolation/Separation Control
Measures to ensure that data collected for different purposes can be processed (storage, amendment, deletion, transmission) separately.
- Network separation
- Segregation of responsibilities and duties
- Documented procedures and applications for the separation
Job Control
Measures that ensure that, in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the principal.
- Training and confidentiality agreements for internal staff and external staff
- Information security assessment for vendors/partners
Integrity
Data transmission control
Measures that ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged.
- Secure transmission between Customer and server and to external systems by using industry-standard encryption
- Secure network interconnections ensured by Firewalls, anti-virus programs, routinely patching software etc.
- Logging of transmissions of data from IT system that stores or processes personal data
Data input control
Measures that ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems, modified or removed.
- Logging authentication and monitored logical system access
- Logging of data access including, but not limited to access, modification, entry and deletion of data
- Documentation of data entry rights and partial logging of security-related entries.
Availability and Resilience of Processing Systems and Services
Availability includes measures that ensure that personal data is protected from accidental destruction or loss due to internal or external influences. Resilience of processing systems and services includes measures that ensure the ability to withstand attacks or to quickly restore systems to working order after an attack.
- Implementation of transport policies
- Backup Concept
- Protection of stored backup media
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, Art. 32 para 1 point c GDPR
Organizational measures that ensure the possibility to quickly restore the system or data in the event of a physical or technical incident.
- We have implemented continuity planning with appropriate recovery objectives.
A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, Art. 32 para 1 point d GDPR
Organizational measures that ensure the regular review and assessment of technical and organizational measures.
- Testing of emergency equipment
- Documentation of interfaces and personal data fields
- Internal assessments
Pseudonymisation comprises measures that enable one to process personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures. Encryption comprises measures that enable one to convert clearly legible information into an illegible string by means of a cryptographic process.
Exhibit 3:
List of Subprocessors
Name and address of Subprocessor | Subject matter of processing | Nature of processing | Duration of processing |
---|---|---|---|
Veterinary Solutions Ltd | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
Covetrus Software Services Pty Ltd | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
IDEXX Laboratories Inc, One IDEXX Drive, Westbrook, Maine, US | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
National Veterinary Services Limited, Unit 4 Jamage Industrial Estate, Talke Pits, Stoke-on-Trent, ST7 1XW | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
MWI Animal Health, Centaur House, Torbay Road, Castle Cary, BA7 7EU, UK | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
GB Group Plc, The Foundation, Herons Way, Chester Business Park, Chester, CH4 9GB, UK | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
Message4u Pty Ltd & Message Media Europe Ltd T/A MessageMedia of White Collar Factory, 1 Old Street Yard, London, EC1Y 8AF, UK | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
VetCheck Technologies Pty Ltd | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
Vetstoria Limited, Matrix House, 12-16 Lionel Road, Canvey Island, Essex, England, SS8 9DE | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
Allianz Insurance Plc, 57 Ladymead, Guildford, Surrey, GU1 1DB | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
Exhibit 4:
Standard Contractual Clauses
- Module Two shall apply in the case of the processing under section 3.1 of the DPA.
- Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
- Clause 9(a) option 2 (General written authorization) is selected, and the time period to be specified is determined in clause 6.3 of the DPA.
- The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
- With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 shall apply and the governing law shall be the law of the Republic of Ireland.
- In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the Republic of Ireland.
- For the purpose of Annex I of the Standard Contractual Clauses, Schedule 1 of the DPA contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
- For the purpose of Annex II of the Standard Contractual Clauses, Exhibit 2 of the DPA contains the technical and organizational measures.
- The specifications for Annex III of the Standard Contractual Clauses are determined by Exhibit 3 of the DPA. The Sub-processor’s contact person’s name, position and contact details will be provided by Covetrus upon request.
Exhibit 5:
Additional Supplementary Measures
Covetrus further commits to implementing supplementary measures based on guidance provided by EU supervisory authorities in order to enhance the protection of Customer Personal Data in relation to the processing in a third country, as described in this Exhibit 5:
- Additional Technical Measures
-
Encryption
The personal data is transmitted (between the parties and by Covetrus between data centers as well as to a sub-processor and back) using strong encryption.
Hereby, it is ensured that:
- the encryption protocols employed are state-of-the-art and provide effective protection against active and passive attacks with resources known to be available to the public authorities of this third country;
- the parties involved in the communication agree on a trustworthy public-key certification authority or infrastructure;
- specific protective and state-of-the-art measures are used against active and passive attacks on the sending and receiving systems providing transport encryption, including tests for software vulnerabilities and possible backdoors;
- in case the transport encryption does not provide appropriate security by itself due to experience with vulnerabilities of the infrastructure or the software used, personal data is also encrypted end-to-end on the application layer using state-of-the-art encryption methods;
- the encryption algorithm and its parameterization (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and can be considered robust against cryptanalysis performed by the public authorities when data is transiting to this third country, taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them [1];
- the strength of the encryption takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved;
- the encryption algorithm is implemented correctly and by properly maintained software without known vulnerabilities, the conformity of which to the specification of the algorithm chosen has been verified, e.g., by certification;
- the keys are reliably managed (generated, administered, stored, if relevant, linked to the identity of the intended recipient, and revoked), by Customer or by an entity trusted by Customer under a jurisdiction offering an essentially equivalent level of protection.
In accordance with the requirements outlined in the previous paragraph, the parties agree to implement strong end-to-end content encryption (between the parties and by Covetrus between data centers as well as to a sub-processor and back).
The personal data at rest is stored by Covetrus using strong encryption.
The encryption algorithm and its parameterization (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and can be considered robust against cryptanalysis performed by the public authorities in the recipient country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them [3]. The strength of the encryption and key length takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved. The encryption algorithm is implemented correctly and by properly maintained software without known vulnerabilities the conformity of which to the specification of the algorithm chosen has been verified, e.g., by certification. The keys are reliably managed (generated, administered, stored, if relevant, linked to the identity of an intended recipient, and revoked).
[1] For the assessment of the strength of encryption algorithms, their conformity with the state-of-the-art, and their robustness against cryptanalysis over time, Customer can rely on technical guidance published by official cybersecurity authorities of the EU and its member states. See e.g. ENISA Report “What is ‘state of the art’ in IT security?”, 2019, https://www.enisa.europa.eu/news/enisa-news/what-is-state-of-the-art-in-it-security; guidance given by the German Federal Office for Information Security in its Technical Guidelines of the TR-02102 series; and “Algorithms, Key Size and Protocols Report (2018), H2020-ICT-2014 – Project 645421, D5.4, ECRYPT-CSA, 02/2018” at https://www.ecrypt.eu.org/csa/documents/D5.4-FinalAlgKeySizeProt.pdf
-
Additional Organizational Measures
- Internal policies for governance of transfers especially with groups of enterprises
- Transparency and accountability measures
- Organizational methods and data minimization measures
- Others
Adoption of adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of formal or informal requests from public authorities to access the data.
Especially in case of transfers among groups of enterprises, these policies may include, among others, the appointment of a specific team, composed of experts on IT, data protection and privacy laws, to deal with requests that involve personal data transferred from the EEA; the notification to the senior legal and corporate management and to Customer upon receipt of such requests; the procedural steps to challenge disproportionate or unlawful requests and the provision of transparent information to data subjects.
Development of specific training procedures for personnel in charge of managing requests for access to personal data from public authorities, which should be periodically updated to reflect new legislative and jurisprudential developments in the third country and in the EEA.
The training procedures should include the requirements of EU law as to access by public authorities to personal data, in particular as following from Article 52(1) of the Charter of Fundamental Rights. Awareness of personnel should be raised in particular by means of assessment of practical examples of public authorities’ data access requests and by applying the standard following from Article 52(1) of the Charter of Fundamental Rights to such practical examples. Such training should take into account the particular situation of Covetrus, e.g. legislation and regulations of the third country to which Covetrus is subject to, and should be developed where possible in cooperation with Customer.
Regular publication of transparency reports or summaries regarding governmental requests for access to data and the kind of reply provided, insofar as publication is allowed by local law.
Already existing organizational requirements under the accountability principle, such as the adoption of strict and granular data access and confidentiality policies and best practices, based on a strict need-to-know principle, monitored with regular audits and enforced through disciplinary measures. Data minimization should be considered in this regard, in order to limit the exposure of personal data to unauthorized access. For example, in some cases it might not be necessary to transfer certain data (e.g. in case of remote access to EEA data, such as in support cases, when restricted access is granted instead of full access; or when the provision of a service only requires the transfer of a limited set of data, and not an entire database).
Development and implementation of best practices by both parties to appropriately and timely involve and provide access to information to their respective data protection officers, if existent, and to their legal and internal auditing services on matters related to international transfers of personal data.
Adoption and regular review by Covetrus of internal policies to assess the suitability of the implemented complementary measures and identify and implement additional or alternative solutions when necessary, to ensure that an essentially equivalent level of protection to that guaranteed within the EEA of the personal data transferred is maintained.
-
Additional Contractual Measures
- Transparency obligations
- Obligations to take specific actions
- Empowering data subjects to exercise their rights
Covetrus declares that (1) it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data, (2) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, and (3) that national law or government policy does not require Processor to create or maintain back doors or to facilitate access to personal data or systems or for Covetrus to be in possession or to hand over the encryption key.
Covetrus will verify the validity of the information provided for the TIA questionnaire on a regular basis and provide notice to Customer in case of any changes without delay. Clause 14(e) SCC shall remain unaffected. Covetrus commits to providing for a “Warrant Canary” method, whereby it will regularly publish (e.g., at least every 24 hours) a cryptographically signed message informing Customer that as of a certain date and time it has received no order to disclose or grant access to personal data. The absence of an update of this notification will indicate to Customer that Covetrus may have received an order.
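As an added illustration (not code from the DPA or from Covetrus's systems) of the customer-side check that such a warrant canary commitment implies: the publisher signs a dated statement with Ed25519, and the verifier rejects a canary whose signature fails, whose wording differs, or whose timestamp is older than the 24-hour publication interval. The statement wording, key handling and timestamps are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// CanaryStatement is the agreed wording the publisher signs (constructed for this example).
const CanaryStatement = "As of the date and time stated above, Covetrus has received no order to disclose or grant access to personal data."

// MaxCanaryAge is the publication interval the commitment names (at least every 24 hours).
const MaxCanaryAge = 24 * time.Hour

// MaxClockSkew tolerates small clock differences between publisher and verifier (assumption).
const MaxClockSkew = 5 * time.Minute

// Canary is one published notice: issue time, statement, and an Ed25519 signature over both.
type Canary struct {
	IssuedAt  time.Time
	Statement string
	Signature []byte
}

// canonical returns the exact bytes that are signed, so neither the time nor the text
// can be altered afterwards without invalidating the signature.
func canonical(issuedAt time.Time, statement string) []byte {
	return []byte(issuedAt.UTC().Format(time.RFC3339) + "\n" + statement)
}

// NewCanaryKey creates the publisher's signing key pair; the public key is what the customer pins.
func NewCanaryKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Publish signs a fresh canary at the given time (publisher side).
func Publish(priv ed25519.PrivateKey, now time.Time) Canary {
	issued := now.UTC().Truncate(time.Second) // RFC3339 has second resolution
	return Canary{
		IssuedAt:  issued,
		Statement: CanaryStatement,
		Signature: ed25519.Sign(priv, canonical(issued, CanaryStatement)),
	}
}

var (
	ErrBadSignature   = errors.New("canary signature does not verify under the pinned key")
	ErrWrongStatement = errors.New("canary does not carry the agreed statement")
	ErrFromFuture     = errors.New("canary timestamp is ahead of the local clock beyond tolerated skew")
	ErrStale          = errors.New("canary is older than the agreed interval: treat as a possible disclosure order")
)

// Verify checks a canary as the customer would: signature first, then wording, then freshness.
// A stale canary is the signal the commitment describes (absence of an update), so it is reported as an error.
func Verify(pub ed25519.PublicKey, c Canary, now time.Time) error {
	if !ed25519.Verify(pub, canonical(c.IssuedAt, c.Statement), c.Signature) {
		return ErrBadSignature
	}
	if c.Statement != CanaryStatement {
		return ErrWrongStatement
	}
	if c.IssuedAt.After(now.Add(MaxClockSkew)) {
		return ErrFromFuture
	}
	if now.Sub(c.IssuedAt) > MaxCanaryAge {
		return ErrStale
	}
	return nil
}

func main() {
	pub, priv, err := NewCanaryKey()
	if err != nil {
		panic(err)
	}
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed publication time
	c := Publish(priv, t0)
	fmt.Println("one hour later:", Verify(pub, c, t0.Add(time.Hour)))    // <nil>
	fmt.Println("25 hours later:", Verify(pub, c, t0.Add(25*time.Hour))) // stale
}
```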
In case of any order to disclose or to grant access to the personal data, Covetrus commits to inform the requesting public authority of the incompatibility of the order with the safeguards contained in the Article 46 GDPR transfer tool and the resulting conflict of obligations for Covetrus.
The parties commit to reasonably assist the data subject in exercising his/her rights in the third country jurisdiction through ad hoc redress mechanisms and legal counselling. The parties commit to reasonably assist the data subject to seek information and an effective redress in the EU (e.g. by lodging a claim with a competent supervisory authority and/or judicial authority in the EU). Covetrus commits to fairly compensate the data subject for any material and non-material damage suffered because of the disclosure of his/her personal data transferred under the chosen transfer tool in violation of the commitments it contains.
Notwithstanding the foregoing, Covetrus shall have no obligation to indemnify the data subject to the extent the data subject has already received compensation for the same damage.
Compensation is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from Covetrus’s infringement of the GDPR.
Exhibit 6
UK Addendum
With respect to any transfers of Customer Personal Data falling within the scope of the UK GDPR from Customer (including Customer Group Members) (as data exporter) to Covetrus (as data importer):
- The Approved Addendum as further specified in this Exhibit 6 shall form part of this DPA, and the Standard Contractual Clauses shall be read and interpreted in light of the provisions of the Approved Addendum, to the extent necessary according to Clause 12 lit. 1 of the Mandatory Clauses.
- The Standard Contractual Clauses are deemed to be amended to the extent necessary, so they operate for transfers made by Controller to Processor, to the extent that UK Data Protection Laws apply to the Controller’s processing when making that transfer and to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR.
- The selected Modules and Clauses to be determined according to Table 2 of the Approved Addendum are further specified in Exhibit 4 of this DPA as amended by the Mandatory Clauses.
- Annex 1 A and B of Table 3 to the Approved Addendum are specified by Exhibit 1 of this DPA, Annex II of the Approved Addendum is further specified by Exhibit 2 of this DPA, and Annex III of the Approved Addendum is further specified by Exhibit 3 of this DPA.
- Covetrus (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with clause 19 of the Mandatory Clauses.
- Clause 16 of the Mandatory Clauses shall not apply.
- Neither the Standard Contractual Clauses nor the DPA shall be interpreted in a way that conflicts with UK Data Protection Laws.
- To the extent that the UK GDPR applies, the DPA shall be governed by the laws of England and Wales and the parties submit themselves to the jurisdiction of the courts of England and Wales.
Exhibit 7
Swiss Addendum
As stipulated in clause 13 of the DPA, this Swiss Addendum shall apply to any processing of Customer Personal Data subject to Swiss data protection law or to both Swiss data protection law and the GDPR.
-
Interpretation of this Addendum
-
Where this Addendum uses terms that are defined in the Standard Contractual Clauses as further specified in Exhibit 4 of this DPA, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
Term | Meaning |
---|---|
This Addendum | This Addendum to the Clauses |
Clauses | The Standard Contractual Clauses as further specified in Exhibit 4 of this DPA |
Swiss Data Protection Laws | The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time. |

- This Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
- This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
-
Hierarchy
In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.
-
Incorporation of the Clauses
-
In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA including as further specified in Schedule 3 of this DPA to the extent necessary so they operate:
- for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
-
To the extent that any processing of personal data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in Schedule 3 of this DPA and as required by clause 2.1 of this Swiss Addendum, include (without limitation):
- References to the “Clauses” or the “SCCs” means this Swiss Addendum as it amends the SCCs.
-
Clause 6 Description of the transfer(s) is replaced with:
“The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer.”
- References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.
- References to Regulation (EU) 2018/1725 are removed.
- References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.
- Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Federal Data Protection and Information Commissioner (the “FDPIC”) insofar as the transfers are governed by Swiss Data Protection Laws;
-
Clause 17 is replaced to state:
“These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws”.
-
Clause 18 is replaced to state:
“Any dispute arising from these Clauses relating to Swiss Data Protection Laws shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”
Until the entry into force of the revised Swiss Data Protection Laws, the Clauses shall also protect personal data of legal entities and legal entities shall receive the same protection under the Clauses as natural persons.
-
- To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the Clauses as further specified in Schedule 3 of this DPA will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 2.1 and 2.3 of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs shall not be replaced as stipulated under clause 2.3(b)(vii) of this Swiss Addendum.
- Customer warrants that it and/or Customer Group Members have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.