DATA SHARING ANNEX

(A) SelectScience and the Client are each Controllers of Personal Data of Users and have agreed to share such Personal Data on the terms set out herein.

(B) The Data Discloser agrees to share the Personal Data with the Data Receiver on terms set out in this Annex.

(C) The Data Receiver agrees to use the Personal Data on the terms set out in this Annex.

AGREED TERMS

1. Interpretation

The following definitions and rules of interpretation apply in this Annex.

1.1 Definitions:

Agreed Purpose: has the meaning given to it in clause 2.3 of this Annex.

Annex: this data sharing annex.

Criminal Offence Data: means Personal Data relating to criminal convictions and offences or related security measures to be read in accordance with section 11(2) of the DPA 2018 (or other applicable Data Protection Legislation).

Data Sharing Code: the Information Commissioner's statutory data sharing code of practice which came into force on 5 October 2021, as updated or amended from time to time.

Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time anywhere in the world, including, without limitation, the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder); and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data, including EU GDPR (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by any data protection or supervisory authority and applicable to a party.

EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.

Shared Personal Data: the Personal Data to be shared between the parties under clause 4 of this Annex.

Special Categories of Personal Data: the categories of Personal Data set out in the Data Protection Legislation.

Subject Rights Request: the exercise by a data subject of their rights under the Data Protection Legislation.

Supervisory Authority: the relevant supervisory authority in the territories where the parties to this Annex are established (including the Information Commissioner).

Controller, Processor, Information Commissioner, Data Subject and Personal Data, Processing and appropriate technical and organisational measures shall have the meanings given to them in the Data Protection Legislation.

2. Purpose

2.1 This Annex sets out the framework for the sharing of Personal Data when one Controller (the Data Discloser) discloses Personal Data to another Controller (the Data Receiver). It defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other.

2.2 SelectScience will market/promote the Client’s products and services on its platforms. Personal Information will be collected where SelectScience has a lawful basis for doing so or where a Data Subject has shown an interest in the Client marketing content via completion of a data intake form hosted on the SelectScience website. SelectScience may also promote the Client’s products and services via their own contacts database. The parties consider this data sharing initiative necessary and proportionate as it will benefit the parties and not unduly infringe the Data Subjects' fundamental rights and freedoms and interests.

2.3 The parties agree to only Process Shared Personal Data, as described in clause 4.1, for the following purposes:

a) marketing and advertising

b) pursuing customer and business relations

The parties shall not Process Shared Personal Data in a way that is incompatible with the purposes described in this clause.

2.4 Each party shall appoint a single point of contact (SPoC) who will work together to reach an agreement with regards to any issues arising from the data sharing and to improve actively the effectiveness of the data sharing initiative.

3. Compliance with relevant data protection laws

3.1 Each party must ensure compliance with applicable Data Protection Legislation at all times during the Term of this Annex.

3.2 Each party has such valid registrations as are required by the Supervisory Authority which, by the time that the data sharing is expected to commence, covers the intended data sharing pursuant to this Annex, unless an exemption applies.

4. Shared Personal Data

4.1 The types of Personal Data to be shared between the parties during the Term of this Annex are:

First name, last name, business name, business location, business email address, job title, job function, primary scientific discipline, areas of professional interest

4.2 No Special Categories of Personal Data or Criminal Offence Data will or may be shared between the parties.

4.3 The Shared Personal Data must not be irrelevant or excessive with regard to the Agreed Purposes.

5. Lawful, fair and transparent processing

5.1 Each party shall ensure that it Processes the Shared Personal Data fairly and lawfully in accordance with clause 5.2 during the Term of this Annex.

5.2 Each party shall ensure that it has lawful grounds under the Data Protection Legislation for the Processing of Shared Personal Data and where the lawful ground relied on is consent, proof of the giving of such consent.

5.3 The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Subject Rights Requests within the time limits imposed by the Data Protection Legislation.

5.4 The Data Discloser shall, in respect of Shared Personal Data, ensure that it provides clear and sufficient information to the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will process their Personal Data, the legal basis for such purposes and such other information as is required by the Data Protection Legislation including:

(a) if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer; and

(b) if Shared Personal Data will be transferred outside the UK pursuant to clause 8.3 of this Annex, that fact and sufficient information about such transfer, the purpose of such transfer and the safeguards put in place by the Controller to enable the Data Subject to understand the purpose and risks of such transfer.

5.5 The Data Receiver undertakes to inform the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will process their Personal Data, the legal basis for such purposes and such other information as is required by the Data Protection Legislation including:

(a) if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer; and

(b) if Shared Personal Data will be transferred outside the UK pursuant to clause 8.3 of this Annex, that fact and sufficient information about such transfer, the purpose of such transfer and the safeguards put in place by the Controller to enable the Data Subject to understand the purpose and risks of such transfer.

6. Data subjects' rights

6.1 The SPoC for each party is responsible for maintaining a record of Subject Rights Requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.

7. Data retention and deletion

7.1 The Data Receiver shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purpose.

7.2 Notwithstanding clauses 7.1 and 7.3, the parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and / or industry or as set out in its data retention policies.

7.3 The Data Receiver shall ensure that any Shared Personal Data is returned to the Data Discloser or destroyed in the following circumstances:

(a) on termination or expiry of the Terms; or

(b) once Processing of the Shared Personal Data is no longer necessary for the purposes it was originally shared for, as set out in clause 2.3.

7.4 Following the deletion of Shared Personal Data in accordance with clause 7.3, the Data Receiver shall notify the Data Discloser that the Shared Personal Data in question has been deleted.

8. Transfers

8.1 For the purposes of this clause, transfers of Personal Data shall mean any sharing of Personal Data by the Data Receiver with a third party, and shall include the following:

(a) subcontracting the processing of Shared Personal Data;

(b) granting a third party Controller access to the Shared Personal Data.

8.2 If the Data Receiver appoints a third party Processor to Process the Shared Personal Data it shall comply with the relevant provisions of the Data Protection Legislation and shall remain liable to the Data Discloser for the acts and/or omissions of the Processor.

8.3 The Data Receiver may not transfer Shared Personal Data to a third party located outside the UK unless it:

(a) complies with the provisions of the Data Protection Legislation; and

(b) ensures that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferee otherwise complies with the Data Receiver's obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any Shared Personal Data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer.

9. Security and training

9.1 The parties undertake to have in place throughout the Term of this Annex appropriate technical and organisational security measures to:

(a) prevent:

(i) unauthorised or unlawful processing of the Shared Personal Data; and

(ii) the accidental loss or destruction of, or damage to, the Shared Personal Data; and

(b) ensure a level of security appropriate to:

(i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and

(ii) the nature of the Shared Personal Data to be protected.

9.2 The level of technical and organisational measures agreed by the parties as appropriate as at the Commencement Date having regard to the state of technological development is set out in Schedule 1. The parties shall keep such security measures under review and shall carry out such updates as they agree are appropriate throughout the Term of this Annex.

9.3 It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organisational security measures set out in Schedule 1 together with any other applicable Data Protection Legislation and guidance and have entered into confidentiality agreements relating to the Processing of Personal Data.

9.4 The level, content and regularity of training referred to in clause 9.3 shall be proportionate to the staff members' role, responsibility and frequency with respect to their handling and Processing of the Shared Personal Data.

10. Personal data breaches and reporting procedures

10.1 The parties shall each comply with its obligation to report a Personal Data Breach to the Information Commissioner or appropriate Supervisory Authority and (where applicable) Data Subjects under the Data Protection Legislation and shall each inform the other party of any Personal Data Breach irrespective of whether there is a requirement to notify the Information Commissioner or any Supervisory Authority or Data Subject(s).

10.2 The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.

11. Resolution of disputes with data subjects or the Supervisory Authority

11.1 In the event of a dispute, complaint or claim brought by a Data Subject or the Supervisory Authority concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes, complaints or claims, and will cooperate with a view to settling them amicably in a timely fashion.

11.2 The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Supervisory Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.

11.3 Each party shall abide by a decision of a competent court of the Data Discloser's country of establishment or of the Supervisory Authority.

12. Warranties

12.1 Each party warrants and undertakes that it will:

(a) Process the Shared Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its Personal Data processing operations.

(b) Make available on request to the Data Subjects who are third party beneficiaries a copy of this Annex, unless it contains confidential information in which case an extract can be provided.

(c) Respond within a reasonable time and as far as reasonably possible to enquiries from the relevant Supervisory Authority in relation to the Shared Personal Data.

(d) Respond to Subject Rights Requests in accordance with the Data Protection Legislation, including where necessary (i) advising the other party of any step(s) it should reasonably take in this regard; and (ii) where the legitimate ground relied upon is a Data Subject's consent, the timely operation of an effective procedure if such consent is withdrawn.

(e) Where applicable, maintain registration with the relevant Supervisory Authorities to process all Shared Personal Data for the Agreed Purpose.

(f) Take all appropriate steps to ensure compliance with the security measures set out in clause 10 above.

12.2 The Data Receiver warrants and undertakes that it will not disclose or transfer Shared Personal Data outside the UK unless it complies with the obligations set out in clause 8.3 above.

12.3 Except as expressly stated in this Annex, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the greatest extent permitted by law.

Schedule 1

Appropriate technical and organisational security measures

Each party shall, as a minimum, protect the security of the Personal Data Information processed hereunder and ensure the ongoing confidentiality, integrity, availability and resilience of processing systems. Each party shall, on request, provide records of the implemented technical and organisational security measures set out below to facilitate audits and to prove compliance with each party’s obligations.

1. All contractors and subcontractors and consultants of a party shall demonstrate compliance with appropriate standards of information security.

2. Access rights of all employees or agents, contractors, subcontractors and consultants of each party shall be appropriate to the role.

3. Save as permitted for the purpose of carrying out this Agreement, no employee, agent, contractor, subcontractor, consultant or other third party shall access, copy, store or disclose any Personal Data or any part thereof.

4. Appropriate measures to guarantee that there will be no corruption or loss of Personal Data will be implemented by each party.