Definitions
Agreement: A mutual understanding between parties, where they express consent to specific terms and conditions, creating legally enforceable obligations.
Customer: Any individual, company, or entity purchasing services from PeakData.
Data Protection Laws: All applicable laws and regulations relating to data protection and privacy, including but not limited to the General Data Protection Regulation (GDPR) and the New Federal Act on Data Protection (nFADP).
Data Subject: The identified or identifiable natural person to whom the Personal Data relates.
Parties: PeakData and PeakData Customers.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means.
Processing Information
1. Data Subject
Healthcare Professionals (HCPs)
2. Purpose for Processing
PeakData processes publicly available information on HCPs in relation to the following activities:
- Enrich a Customer’s existing information on HCPs
- Identify new HCPs outside of a Customer’s existing dataset
- Create HCP-level insights
- Conduct market research
- Provide insights and analysis
3. Categories of Personal Data
Identifiers: Limited to name and username.
Online identifiers: Usernames, public handles on forums and websites.
Professional and/or employment information: Biographies, job functions and titles, employer, industry, professional achievements.
Public profiles: Information on available social media, professional networking sites and publicly available websites. We will only process data on public profiles that are strictly professional in nature.
Non-sensitive demographic information: Country of residence.
4. Sub-processors
- Microsoft
- Amazon Web Services
5. Processing Relationship
In the event that PeakData will not share any additional HCP data with the Customer, and only the Customer is sharing data, PeakData shall be deemed the Data Processor and the Customer the Data Controller.
In the event that PeakData is sharing additional HCP data with the Customer, both Parties will be considered Controllers.
Where the Customer is a data processor on behalf of a third party, the Customer warrants that its instructions in relation to the Personal Data have been authorised by the third party.
6. Data Processor Obligations
The Data Processor shall process Personal Data only on the documented instructions of the Data Controller.
The Data Processor shall ensure that its personnel authorised to process Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
The Data Processor shall provide reasonable assistance to the Data Controller with any data protection impact assessments, and with prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Data Controller reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the Processing of Data Controller Personal Data by the Data Processor, and taking into account the nature of the Processing and the information available to the Data Processor.
7. Data Controller Obligations
The Data Controller shall provide the Data Processor with all necessary instructions for processing Personal Data.
The Data Controller shall ensure that it has a lawful basis for processing Personal Data and that any instructions provided to the Data Processor comply with applicable data protection laws.
Data Protection Schedule
- Both parties will comply with all applicable requirements under Data Protection Law.
- The Customer has the relevant consents and notices in place to ensure the lawful transfer of data to PeakData for the duration and purpose of the agreed services.
- Each Party shall ensure that the personal data is shared and processed in accordance with the lawful basis as stipulated under relevant data protection laws, including but not limited to the New Federal Act on Data Protection (nFADP) and General Data Protection Regulation (GDPR).
- Each Party agrees to uphold the data protection rights of individuals whose personal data is being shared. The Parties agree to cooperate in handling data subject access requests and inquiries related to shared data. The Party that initially receives a request from a data subject will notify the other Party if the request relates to any shared data.
- The Parties agree to retain the shared personal data only for as long as necessary to fulfil the defined purposes, unless a longer retention period is required by law.
- In the event of a data breach affecting the personal data shared, the affected Party shall promptly (within 24 hours of becoming aware) notify the other Party of the breach. The notification shall include:
  - The nature of the breach
  - The categories and number of individuals affected
  - The steps taken to mitigate the breach
  - Any potential impact on data subjects
  Both Parties shall cooperate fully in investigating and mitigating the breach and in notifying any relevant regulatory authorities, as required by law.
- Each Party shall be responsible for its own compliance with applicable data protection laws and shall indemnify the other Party against any claims, damages, or losses arising from non-compliance, negligence, or misconduct in handling shared personal data.
Agreement
This DPA is a legally binding agreement and will continue for the duration of the agreed services. Where there is another Agreement in place and a DPA has been included, the DPA within the Agreement shall prevail.
The parties agree that this agreement shall be governed and interpreted in accordance with Swiss Law, and hereby submit to the Swiss courts.
Last updated: October 2024