16.1 Each party shall comply with all laws, rules, and regulations applicable to the party in connection with these Conditions of Sale, including, but not limited to, privacy, health and safety, anti-bribery, and corruption laws.
16.2 Processing of personal data: In relation to the provision of services, Philips may process information, in any form, that can relate to identified or identifiable individuals, which may qualify as personal data. Philips and/or its Affiliates will: a) process personal data on behalf and by instruction of the Customer, the terms, rights and responsibilities of the Parties for such processing of personal data are set forth in this clause 16; and b) process information such as log files or device parameters (which may contain personal data), to provide the services and to enable its compliance with and performance of its task as manufacturer of (medical) devices under the applicable regulations and standards (including but not limited to the performance of vigilance, post market surveillance and clinical evaluation related activities).
16.3 Use of Non-Personal Data: Customer agrees that Philips and/or its affiliates may use any data, other than personal data, generated by a Product and/or otherwise provided by Customer to Philips for Philips’ own legitimate business purposes including, but not limited to, for data analytics activities to determine trends of usage and advise on the use of products and services, for research, product and service development and improvement (including the development of new offerings), substantiation of marketing claims and for benchmarking purposes.
16.4 Scope, roles of the parties and definition
16.4.1 This data privacy clause applies when Personal Data are provided to Philips and Processed by Philips on behalf and by instruction of Customer for the provision of the services (“Customer Data”).
16.4.2 Parties acknowledge and agree that regarding the Processing of Customer Data, Philips will act as Processor for Customer, who acts as Controller (or Processor). If Customer is a Processor, Customer warrants that its instructions and actions with respect to the Customer Data have been authorized by the relevant Controller.
16.4.3 The definitions used in this clause have the same meaning as in the EU General Data Protection Regulation 2016/67 (“GDPR”).
16.5 Processing of Customer Data and termination
16.5.1 The subject matter of the Processing of Customer Data is the provision of the services, as described in the quotation. The nature of the Processing of Customer Data may include: hosting and storage; computing; service change management; technical support/issue resolution and such other services set forth in the relevant documentation made available by Philips or otherwise agreed between the parties. The categories of Individuals whose Personal Data will be subject to Processing by Philips include: any individuals whose Personal Data is provided to Philips via the services, such as patients or Customer’s personnel, suppliers, and end-users. The categories of Customer Data may include: any Personal Data provided to Philips such as health-related data.
16.5.2 This data privacy clause remains in effect during the term of the (warranty) (service) being rendered by Philips and, if applicable, a period of three (3) months after the term, during which Philips may keep Processing Customer Data to enable business continuity (“Run-Out Period”) after which it will terminate by operation of law.
16.6 Obligations of Customer
Customer shall Process Customer Data in compliance with the applicable laws, including when acquiring Customer Data and when instructing Philips to Process Customer Data.
16.7 Obligations of Philips
16.7.1 Philips shall Process Customer Data only: (a) on behalf and for the benefit of Customer; (b) in accordance with the instructions of Customer as documented in this privacy clause; (c) for the provision of the services; and (d) to the extent required by the applicable laws that Philips is subject to.
16.7.2 Philips shall not disclose Customer Data to any third party without the prior written approval of Customer, except where such disclosure is required to: (a) perform the services; (b) comply with a legal obligation; or (c) comply with a valid and binding order of a governmental body or court.
16.7.3 Philips shall ensure that its employees and any other person authorized to Process Customer Data: (a) are informed of the confidential nature of the Customer Data; (b) will have access to Customer Data only to the extent necessary to perform the services; and (c) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
16.7.4 Philips shall maintain appropriate technical and organizational measures to safeguard security (including protection against unauthorized or unlawful Processing and Personal Data Breaches, confidentiality and integrity of Customer Data), as set forth in the relevant security documentation provided by Philips or as otherwise agreed between the parties.
16.7.5 Philips shall notify Customer, without undue delay, if Philips becomes aware of a Personal Data Breach. Such notification may be delivered to one or more of Customer’s representatives by any means Philips selects, including via email. Philips shall undertake reasonable efforts to identify the cause of a Personal Data Breach and take those steps, as Philips deems necessary and reasonable to remediate the cause of such Personal Data Breach to the extent the remediation is within Philips’ reasonable control.
16.7.6 Taking into account the nature of the services, Philips shall take reasonable steps to assist Customer, at Customer’s expense, with appropriate technical and organizational measures, insofar as reasonably possible, in the fulfilment of Customer’s obligation to respond to requests from an Individual to exercise its rights as set forth by the applicable laws.
16.7.7 Upon the termination of the relevant services, Customer instructs Philips to delete Customer Data that are no longer required for the performance of the services or alternatively to anonymize such Customer Data in such a way that the Individual cannot be identified, unless Philips is required or permitted to retain certain Personal Data in accordance with the applicable laws. Once such Customer Data are anonymized, Customer authorizes Philips to process the anonymized data for its own purposes.
16.7.8 Philips shall make available to Customer all information necessary to demonstrate compliance with its obligations under Article 28 GDPR. Philips shall take reasonable steps to cooperate with and assist Customer, at Customer’s expense, to comply with Customer’s obligations under GDPR. Philips will, at its discretion: a) provide to Customer a certification issued by a qualified independent third party assessor that Philips’ business processes and procedures involving the Processing of Customer Data comply with this data privacy clause; or b) make available the facilities it uses for the Processing of Customer Data for an audit by a qualified independent third party assessor at Philips’ selection and at Customer’s cost, provided such auditor has executed a written confidentiality agreement acceptable to Philips. Audits will be conducted no more than once per year, during regular business hours and with minimal disruption to Philips’ business, and will be subject to 6 weeks prior notice to Philips and to a detailed written audit plan approved by Philips and Philips’ policies, including those on health and safety, security and confidentiality.
16.8.1 Customer hereby grants to Philips a specific authorization for the following Processors, engaged by Philips and its Affiliates to Process Customer Data (“Sub-Processors”): (a) Philips’ Affiliates; and (b) those entities listed on https://www.philips.com/a-w/privacy.html. Customer hereby grants to Philips a general authorization to engage third party Sub-Processors. This authorization constitutes Customer’s prior written consent to the subcontracting by Philips of the Processing of Customer Data.
16.8.2 Philips shall inform Customer of any changes to the Sub-Processors on the URL specified above. Customer may object to Philips’ use of a new Sub-Processor in case of reasonable and substantiated concerns regarding the protection of Personal Data, by notifying Philips in writing within ten (10) business days after Philips’ notification to Customer. If Customer does not inform Philips of any objections within the stipulated period, the new Sub-Processor will be deemed accepted by Customer. In the event Customer objects to a new Sub-Processor, Philips will undertake reasonable efforts to find a mutually acceptable solution and if not found within sixty (60) days, Customer may terminate those services that cannot be provided without the use of the objected-to new Sub-Processor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any Sub-Processor.
16.8.3 When Philips engages a new Sub-Processor, Philips: (a) shall enter into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this clause 17; and (b) subject to the terms set forth in this Conditions of Sale, shall be liable for the acts and omissions of its Sub-Processors regarding the Processing of Customer Data to the same extent Philips would be liable when performing the services of each Sub-Processor itself under the terms of this clause.
16.8.4 Transfers of Customer Data
Without prejudice to any applicable data restrictions specified in the Conditions of Sale, Philips may Process Customer Data globally as necessary to perform the services. To the extent Customer transfers Customer Data to Philips or Philips’ Affiliates that will Process such Customer Data outside the European Economic Area, the Philips Processor BCRs (which are incorporated by reference and form an integral part of this Conditions of Sale; and are accessible on https://www.philips.com/privacy) shall apply to such transfer. To the extent a Philips entity in the European Economic Area will make use of a third party Sub-Processor which will Process Customer Data outside the European Economic Area, Philips shall enter into the applicable EC Standard Contractual Clauses with such Sub-Processor, unless the European Commission has issued an adequacy decision for the country in which the Sub-Processor Processes Customer Data.