Data Processing Agreement
Stryker as Data Processor

(Revision May 2019)


Preamble

This Data Processing Agreement (“DPA”) hereby forms part of an agreement between Stryker (identified as “Stryker” or an affiliate thereof in the applicable agreement) (“Stryker”) and the Customer (identified as “Customer” or the party that receives services from Stryker in the applicable agreement) (“Customer/Controller/Exporter”) in connection with the services (identified either as “Services” or otherwise in the applicable agreement, and hereinafter defined as “Services”) (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data.

In the course of providing the Services to Customer pursuant to the Agreement, Stryker may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

This DPA consists of two parts: the main body of the DPA and Exhibit 1 (Standard Contractual Clauses) with Appendix 1 (Description of Data Transfers) and Appendix 2 (Security Measures).


1. Definitions

"Affiliate" - shall mean any of the entities that is part of the Stryker group of companies that is permitted to Process the Personal Data pursuant to this DPA between Stryker and Customer but has not signed its own SOW with Customer and is not a customer;

"Applicable Data Protection Law" - shall mean (i) the European Union’s General Data Protection Regulation, or Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, (hereafter indicated as: ‘GDPR’), and (ii) any other applicable data protection law in respect of which the parties are subject to, including, without limitation, laws relating to the protection of medical information or personal identifiers;

"Data Subject" - shall mean an identifiable person, which is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"EEA" - shall mean the European Economic Area;

"Personal Data" - shall mean any information relating to an identified or identifiable natural person (Data Subject); for clarity, Personal Data shall not include any anonymized data;

"Personal Data Breach" - shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;

"Process/Processing" - shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

"Special Categories of Data" - shall mean data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; genetic data, biometric data Processed for the purpose of uniquely identifying a natural person; data concerning health or data concerning a natural person's sex life or sexual orientation;

"Standard Contractual Clauses" - shall mean Standard Contractual Clauses for the Controller-to-Processor transfers approved by EC Commission Decision of 5 February 2010 and reproduced in Exhibit 1 to this DPA;

"Sub-processor" - shall mean any data processor engaged by the Processor who agrees to receive from the Processor Personal Data exclusively intended for Processing activities to be carried out on behalf of the Controller in accordance with its instructions, the terms of this DPA and the terms of a written subcontract;

"Supervisory Authority" - shall mean an independent public authority which is established by law as the authority in charge of enforcing data protection law in any particular jurisdiction;

"Technical and Organizational Security Measures" - shall mean those measures aimed at protecting Personal Data against accidental destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing; and

"Third Country" - shall mean a country that the European Commission, or other national legislative body, has determined does not provide an adequate level of protection for personal data.


2. Details of the Processing

The details of the Processing operations carried out by Stryker for Customer as its data processor (e.g., the subject-matter of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects) are specified in Appendix 1 to Exhibit 1 to this DPA.


3. Roles and Responsibilities

a. Parties’ Roles. To the extent that Stryker Processes Personal Data in the course of providing the Services to Customer, it will do so only as Processor acting on behalf of Customer (as Controller) and in accordance with the Agreement.

b. Purpose Limitation. Stryker will Process the Personal Data only for the purpose of providing the Services and in accordance with Customer’s lawful instructions.

c. Compliance. Customer, as Controller, shall be responsible for ensuring that it: (i) has complied, and will continue to comply, with Applicable Data Protection Law; and (ii) has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Stryker for processing in accordance with the terms of the Agreement and this DPA.


4. Obligations of the Processor

Stryker shall:

(a) process the Personal Data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement or as otherwise notified by Customer to Stryker). If Stryker is required to Process the Personal Data for any other purposes provided by applicable law to which it is subject, Stryker shall inform Customer of such requirement prior to Processing unless that law prohibits this on important grounds of public interest;

(b) inform Customer promptly if Stryker cannot comply with any instructions from Customer for whatever reasons or if, in Stryker’s opinion, an instruction for the Processing of Personal Data given by Customer infringes Applicable Data Protection Law;

(c) keep the Personal Data in strict confidence and ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(d) implement and maintain appropriate technical and organizational security measures – as described in Appendix 2 – designed to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures shall be appropriate to the harm which may result from any unauthorized or unlawful processing, accidental loss, destruction, damage, or theft of the Personal Data and having regard to the nature of the Personal Data which is to be protected;

(e) at Customer’s request and cost (and insofar as is possible), assist Customer by implementing appropriate and reasonable technical and organizational measures to assist with Customer’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (including requests for information relating to processing, and requests relating to access, rectification, erasure, restriction or objection, or portability of the Personal Data) provided that Stryker reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures, or fees incurred in connection with such assistance. If and to the extent that Personal Data cannot be erased due to statutory retention requirements, Stryker shall, in lieu of erasing the relevant Personal Data, be obliged to restrict the further Processing and/or use of Personal Data or remove the associated identity from the Personal Data (hereinafter referred to as "blocking"). If Stryker is subject to such a blocking obligation, Stryker shall erase the relevant Personal Data before or on the last day of the calendar year during which the retention term ends;

(f) to the extent required by Applicable Data Protection Law, and at Customer’s expense, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with Supervisory Authorities that Customer is required to carry out;

(g) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections conducted by Customer or another auditor mandated by Customer. Any audits performed by Customer shall be at Customer’s sole cost and expense and may be conducted only once in any twelve-month period; and

(h) notify Customer without undue delay:

  1. about any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
  2. about any complaints and requests received directly from Data Subjects (e.g., regarding access, rectification, erasure, restriction or objection, or portability of the Personal Data) without responding to that request, unless it has been otherwise authorized to do so; and
  3. about any Personal Data Breach at Stryker impacting Customer’s Personal Data. In case of such a Personal Data Breach, Stryker, upon Customer's written request, will assist Customer with Customer's obligation under Applicable Data Protection Law to inform the data subjects and the Supervisory Authorities, as applicable, and to document the Personal Data Breach.


5. Sub-processing

(a) Customer agrees that Stryker may engage Affiliates and third parties as Sub-processors (collectively, “Sub-processors”) to Process the Personal Data on Stryker’s behalf.

(b) The third party Sub-processors currently engaged by Stryker and authorized by Customer are listed at [www.stryker…].

(c) In case Stryker intends to engage new or additional Sub-processors, Stryker shall inform Customer of any intended changes concerning the addition or replacement of any Sub-processor ("Sub-processor Notice"). Customer may object in writing to the appointment of a new or additional Sub-processor within 14 days after receipt of the Sub-processor Notice. In the event that Customer objects on reasonable grounds relating to the protection of Personal Data, then the parties shall discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, Customer may terminate the affected part of the Agreement with respect only to those Services which cannot be provided by Stryker without the use of the objected-to new or additional Sub-processor by providing written notice to Stryker.

(d) Where a Sub-processor is engaged by Stryker as described in this Section, Stryker shall:

  1. restrict the Sub-processor’s access to Personal Data only to what is necessary to perform the subcontracted services; and 
  2. impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this DPA.

(e) In case any such Sub-processor is located in a Third Country, Stryker, upon Customer’s written request and in the name of and on behalf of Customer, shall execute a data transfer agreement, which may include the Standard Contractual Clauses for the transfer of personal data as approved by the European Commission pursuant to Decision 2010/87/EU for Controller to Processor transfers or some other set of model clauses approved by Applicable Data Protection Law or a Supervisory Authority. In this case, the Customer instructs and authorizes Stryker to instruct Sub-processors in the Customer’s name and to make use of all Customer's rights vis-a-vis the Sub-processors based on the data transfer agreement.

(f) Stryker shall remain liable to Customer for the performance of the Sub-processor’s obligations, should the Sub-processor fail to fulfill its obligations. However, Stryker shall not be liable for damages and claims that ensue from the Customer’s instructions to Sub-processors.


6. Limitation of liability

Any liability arising out of or in connection with this DPA shall follow, and be exclusively governed by, the liability provisions set forth in, or otherwise applicable to, the Agreement. Therefore, and for the purpose of calculating liability caps and/or determining the application of other limitations on liability, any liability occurring under this DPA shall be deemed to occur under the relevant Agreement.


7. Duration and termination

(a) The term of this DPA is identical with the term of the relevant Agreement. Save as otherwise agreed herein, termination rights and requirements shall be the same as set forth in the relevant Agreement.

(b) Stryker shall, at the choice of the Customer, delete or return to the Customer all Personal Data after the end of the provision of Services, and delete any existing copies unless Stryker is required by law to retain such Personal Data.


8. Contractual Relationship

The parties acknowledge and agree that, by executing the Agreement, Stryker enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Stryker Affiliates, thereby establishing a separate DPA between Customer and each such Affiliate subject to the provisions of the Agreement and this Section 8. Each Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services and Content by Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Affiliate shall be deemed a violation by Stryker. Where an Affiliate becomes a party to the DPA with Customer, it shall to the extent required under Applicable Data Protection Law be entitled to exercise the rights and seek remedies under this DPA, subject to the following:

(a) Except where Applicable Data Protection Law requires the Affiliate to exercise a right or seek any remedy under this DPA against Customer directly by itself, the parties agree that (i) solely the Stryker entity that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Affiliate, and (ii) the Stryker entity that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Affiliate individually but in a combined manner for all of its Affiliates together.

(b) The parties agree that the Stryker entity that is the contracting party to the Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Customer and its Sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Affiliates in one single audit.


9. Application of the Standard Contractual Clauses

(a) This section 9 shall apply in the case of a transfer of Personal Data from Customer to a Stryker recipient located in a Third Country, provided that the Customer is:

  1. located in the EEA; or 
  2. not located in the EEA but the GDPR applies to the transfer of Personal Data by Customer to Stryker.

(b) In the case of such transfers described in section 9(a), the following provisions shall apply:

  1. the Standard Contractual Clauses shall be incorporated into this DPA by reference and be considered duly executed between the parties upon entering into force of this DPA, and the parties agree to observe the terms of the Standard Contractual Clauses without modification; 
  2. Customer shall be the Data Exporter and Stryker shall be the Data Importer. The names and addresses of these parties are respectively incorporated into the Standard Contractual Clauses; 
  3. the parties’ signatures to the Agreement shall be considered as signatures to the Standard Contractual Clauses; and 
  4. if so required by the laws or regulatory procedures of any jurisdiction, the parties shall execute or re-execute the Standard Contractual Clauses as separate documents setting out the proposed transfers of Personal Data in such manner as may be required. In the event that the European Commission approves new sets of controller to processor standard contractual clauses modifying or replacing the Standard Contractual Clauses, the parties acknowledge and agree that having considered any such new set of standard contractual clauses they will take such steps as may be reasonably required to enter into and be bound by this new set of standard contractual clauses.


10. Miscellaneous

(a) The parties’ signatures to the Agreement shall be considered as signatures to this DPA.

(b) In the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, the provisions of this DPA shall prevail with regard to the parties’ data protection obligations. In case of doubt as to whether clauses in such other agreements relate to the Parties’ data protection obligations, this DPA shall prevail.

(c) Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or – should this not be possible – (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. The foregoing shall also apply if this DPA contains any omission.

(d) This DPA shall be governed by the same law as the Agreement, without prejudice to the applicability of Applicable Data Protection Law.