Capitalized terms not defined below but used herein will have the same meaning as in the ALS/BLS Software Solutions Master Software, SaaS and Services Agreement (“Agreement”). For the purposes of this DPA:
A. “Applicable Privacy Laws” means all applicable laws and regulations relating to privacy, data protection, or the collection, use, disclosure, protection, or other processing of information about identifiable individuals.
B. “Personal Information” means the information included in the Customer Content that is about an identifiable individual, including any such information that constitutes “personal information”, “personal health information” or “health information” within the meaning of Applicable Privacy Laws.
C. “ZOLL Offerings” means the Software, SaaS and Services provided under the Agreement.
Prior to disclosing or otherwise providing ZOLL with access to Personal Information, Customer represents and warrants that it has made, obtained and maintained, in accordance with Applicable Privacy Laws, any and all required notices and consents from each of the data subjects of Personal Information or each of the authorized representatives of such data subjects to allow ZOLL to process such Personal Information for the purposes of providing the ZOLL Offerings and as otherwise contemplated by the Agreement and this DPA.
The objective of this DPA is to set out the Customer’s and ZOLL’s obligations with respect to the processing of Personal Information in providing the ZOLL Offerings. The guiding principles of this DPA are those found in Applicable Privacy Laws including the collection, use and disclosure of the least amount of Personal Information necessary to achieve the intended purposes.
A. The Customer hereby appoints ZOLL as its information manager for the purposes of providing the Customer with the ZOLL Offerings in accordance with the Agreement and this DPA, and ZOLL hereby accepts such appointment.
B. ZOLL may collect Personal Information automatically through the ZOLL Offerings, and from Customer and Customer’s end users, employees and independent contractors.
C. ZOLL acknowledges and agrees that Personal Information shall at all times remain in the control of Customer and that ZOLL acquires no independent right to the Personal Information except with respect to Personal Information that has been anonymized or de-identified in accordance with section 5.A.
D. Subject to any service levels set out in the Agreement, ZOLL agrees to provide Customer with unfettered access to Personal Information.
ZOLL shall:
A. not use Personal Information for any purpose other than as necessary to provide the ZOLL Offerings except that ZOLL may anonymize or de-identify the Personal Information in accordance with requirements of Applicable Privacy Laws and may use the anonymized or de-identified information for any purpose consistent with applicable law;
B. not disclose Personal Information to any person except:
(i) as expressly permitted or instructed by Customer, including as permitted by the Agreement or this DPA; or
(ii) as required to comply with applicable laws or regulations or a valid court order or other binding requirement of a competent governmental authority, provided that in any such case:
1. ZOLL notifies Customer in writing of any such requirement without undue delay (and in any event prior to disclosure of the Personal Information); and
2. ZOLL provides all reasonable assistance to Customer in any attempt by Customer to limit or prevent the disclosure of the Personal Information;
C. use reasonable physical, organizational and technological security measures that are appropriate having regard to the sensitivity of the information to protect the Personal Information against loss, theft and unauthorized access, disclosure, copying, use, modification or disposal; and, without limiting the foregoing:
(i) to the extent reasonably practical, maintain and make available to Customer upon Customer’s request an electronic record of:
1. all access to Personal Information held in equipment controlled by ZOLL, which record shall identify the person who accessed the information and the date and time of the access; and
2. all transfers of Personal Information by means of equipment controlled by ZOLL, which record shall identify the person who transferred the information and the person or address to whom it was sent, and the date and time it was sent; and
(ii) not move, remove, relocate or transmit any Personal Information without using appropriately secure encryption technology to protect such information while in transit;
D. restrict access to Personal Information to authorized personnel who require access to such information to fulfil their job requirements and who are subject to binding obligations of confidentiality in respect of such Personal Information;
E. return and destroy the Personal Information in accordance with the terms of the Agreement; and
F. inform Customer at the first reasonable opportunity of any breach of ZOLL’s obligations in this Section 5, or any loss or theft of, or unauthorized access, use, or disclosure of Personal Information.
ZOLL shall refer to Customer any individual who contacts ZOLL requesting access to, correction of, or with any express wishes, inquiries or complaints about their Personal Information in connection with or otherwise relating to the ZOLL Offerings.
ZOLL shall provide necessary and reasonable information and co-operation to Customer and to any regulatory or other governmental bodies or authorities with jurisdiction or oversight over Applicable Privacy Laws in connection with any investigations, audits or inquiries relating to the processing of Personal Information in connection with the ZOLL Offerings.
ZOLL shall designate and identify to Customer an individual to be accountable for ZOLL’s compliance with this DPA.
ZOLL shall not subcontract, assign or delegate to any third party its obligations with respect to the collection, use, disclosure, storage, or other processing of Personal Information in connection with the Services without: (i) providing prior notice to [obtaining written consent from] the Customer where required by Applicable Privacy Laws; and (ii) obtaining written contractual commitments of such third party substantially the same as those of this DPA.
ZOLL shall comply with Applicable Privacy Laws in providing the ZOLL Offerings. ZOLL shall make available reasonable and necessary information and documentation to Customer to allow Customer to verify ZOLL’s compliance with this DPA.
Customer acknowledges and agrees that ZOLL and its subcontractors may process and store Personal Information outside of Canada, including in the United States.
To the extent of any inconsistency between the terms in this DPA and those of the Agreement as such terms may relate to Personal Information, the terms of this DPA shall prevail. Customer may terminate the Agreement if Customer determines that ZOLL has breached a material term of this DPA. This DPA shall terminate upon termination of the Agreement and once all Personal Information has been returned and destroyed in accordance with section 5.F.