Data Protection Annex

In accordance with Section 15 (Data Protection) of the Agreement, this Data Protection Annex (“Annex”) applies to and is incorporated into the Agreement to the extent that Wolters Kluwer Clinical Drug Information, Inc. (“CDI”) Processes any Personal Data about Data Subjects located in the European Economic Area ("EEA") or the United Kingdom when performing its obligations under the Agreement.

1. Definitions. Capitalized terms used but not defined in this Annex will have the same meanings as set forth in the Agreement. In this Annex, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

"Your Personal Data"

means any Personal Data about Data Subjects located in the EEA or the United Kingdom that is Processed by CDI as part of the use of the Licensed Materials under the Agreement and is provided to CDI by you when you use the Licensed Materials;

"CDI Personal Data"

means any Personal Data about you and Data Subjects working for you that is obtained by CDI as part of the administration and performance of its obligations under the Agreement;

"Data Protection Laws"

means the GDPR, as implemented into domestic legislation of each Member State and as amended, replaced, supplemented or superseded from time to time, including by the UK Data Protection Act 2018;

"EEA"

means the European Economic Area;

"GDPR"

means EEA General Data Protection Regulation 2016/679;

"Agreement"

means the Subscription and License Agreement (or like agreement) entered into between Wolters Kluwer Clinical Drug Information, Inc. (or a predecessor in interest) and you;

"Standard Contractual Clauses"

means the contractual clauses set out in https://www.wolterskluwercdi.com/standard-contractual-clauses;

"Subprocessor"

means any person (including any third party but excluding an employee of CDI or any of its subcontractors) appointed by or on behalf of CDI to Process Personal Data on your behalf in connection with the Agreement.

The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", "Processor" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. ROLES AND SCOPE.

2.1 Your Personal Data. For the purposes of this Annex, to the extent the Licensed Materials are used to Process Your Personal Data, CDI is a separate Controller of Your Personal Data Processed by it.

2.2 CDI Personal Data. For the purposes of this Annex, CDI is a separate Controller of CDI Personal Data Processed by it.

2.3 International Transfers. You acknowledge that CDI is located in the United States of America and that CDI may process CDI Personal Data and Your Personal Data at a destination outside the EEA or the United Kingdom and that such CDI Personal Data and Your Personal Data may be processed by CDI personnel or a Processor of CDI operating outside the EEA or the United Kingdom in countries that the European Commission has not yet decided offer adequate data protection in accordance with European Union data protection law ("Third Countries"). Where you are located in the EEA or the United Kingdom, you (as "data exporter") and CDI (as "data importer") hereby enter into the Controller to Controller Standard Contractual Clauses, which are incorporated into, and made part of, the Agreement. To the extent a country’s Data Protection Laws require adequate contractual assurances for the transfer of Your Personal Data and CDI Personal Data to CDI, the terms set forth in the Standard Contractual Clauses shall apply to any such transfer of such Personal Data to CDI.

2.4 Assistance. You agree that you shall provide all information and documents reasonably requested of you by CDI or CDI's representative(s) to allow CDI to satisfy its obligations under this Annex and Data Protection Laws relating to Your Personal Data and CDI Personal Data.

3. PROCESSING OF YOUR PERSONAL DATA

3.1 CDI's responsibilities. CDI shall:

a. in determining the extent to which Your Personal Data is required in relation to the purposes for which Your Personal Data is to be Processed by CDI, only request Your Personal Data that is relevant, adequate and not excessive in accordance with Data Protection Laws. CDI shall have sole responsibility for using reasonable efforts to ensure that Your Personal Data, at the time it is first made available to You through the Licensed Materials, accurately reflects the data that You provided to CDI. At all times thereafter, You shall be solely responsible for ensuring that Your Personal Data remains accurate and up-to-date in accordance with Data Protection Laws.

b. ensure that Your Personal Data that is in its possession or control is kept for no longer than is necessary for the purposes for which Your Personal Data are processed in accordance with Data Protection Laws.

c. in relation to Your Personal Data, inform you without undue delay after it becomes aware of any Personal Data Breach in relation to Your Personal Data that was in its possession or control, providing a clear description of the nature of the breach and the information referred to in Article 33(b)-(d) of the GDPR as soon as it becomes available. In addition, CDI shall consult in good faith with you and provide you with assistance, information and cooperation in the investigation, notification, mitigation and remediation of each such Personal Data Breach. Whilst CDI may take any information provided by you into account, only CDI shall determine the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant Supervisory Authorities in connection with a Personal Data Breach in relation to Your Personal Data.

3.2 Each party's responsibilities. Each party shall, in relation to Your Personal Data that is in its possession or control, be responsible for ensuring that Your Personal Data is Processed in a manner that ensures appropriate security of Your Personal Data including protection against Personal Data Breaches as required by Data Protection Laws. Except to the extent that this Section 3 (Processing of Your Personal Data) allocates responsibility for compliance with particular provisions of Data Protection Laws to a particular party, each party shall comply with its respective obligations under Data Protection Laws in relation to Your Personal Data.

4. PROCESSING OF CDI PERSONAL DATA

4.1 Use of CDI Personal Data. CDI may process such CDI Personal Data for the following purposes:

a. managing and making decisions about this Agreement and any matters (such as invoicing and fee arrangements) arising in connection with this Agreement;

b. communicating with you and the Data Subjects that work for you in relation to matters arising under or in connection with the Agreement and in connection with services that CDI may offer from time to time;

c. complying with regulatory and legal obligations to which CDI is subject;

d. establishing, exercising and defending legal rights and claims;

e. client relationship management purposes;

f. risk management and quality reviews;

g. improving the content of its database, marketing, advertising, sending reports to You, or conducting research; and

h. CDI's internal financial accounting, information technology and other administrative support services

(collectively, "Processing Purposes"). You will ensure that there is no prohibition or restriction in relation to CDI's use thereof that would prevent or restrict CDI from Processing the CDI Personal Data for the Processing Purposes.

5. GENERAL TERMS.

5.1 Governing law and Jurisdiction. The parties to this Annex hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Annex, including disputes regarding its existence, validity or termination or the consequences of its nullity and this Annex and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.

5.2 Severance; Order of Precedence. Should any provision of this Annex be invalid or unenforceable, then the remainder of this Annex shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. In the event of a conflict or discrepancy between this Data Protection Annex and any term of the Agreement, this Data Protection Annex shall take precedence.