These Terms of Use govern your use of the LibreView website located at www.Libreview.com (the 'Site'). Please read these Terms of Use carefully before you start to use our Site, create any patient profile, practices, and/or invite Professional Users to create a LibreView Data Management System account, as these Terms of Use are a legal agreement between you and Abbott Diabetes Care Inc.
Abbott Diabetes Care Inc. of 1420 Harbor Bay Parkway, Alameda, CA 94502, USA ('Abbott' or us or 'our' or 'we') is the developer of Sensors ("Sensors") and Readers ("Readers") for the FreeStyle Libre family of products and the FreeStyle LibreLink mobile app ("FreeStyle App") which may be compatible with the Site and with the LibreView data management system ("LibreView Data Management System").
Abbott maintains the medical authorizations for the LibreView Data Management System as a medical device, provides other application and software support, and manages the marketing authorizations/registrations for the LibreView Data Management System.
The LibreView Data Management System allows Abbott to provide improved treatment guidance for patients utilizing Abbott’s Readers and FreeStyle App. The LibreView Data Management System also allows Professional Users to create patient profiles, to remotely manage patients who have LibreView Data Management System accounts and to share patients’ LibreView Data Management System account information with other professional users within the same LibreView practice.
THE LIBREVIEW DATA MANAGEMENT SYSTEM IS A SECURE, CLOUD-BASED DIABETES MANAGEMENT SYSTEM THAT IS INTENDED FOR USE BY INDIVIDUALS, HEALTHCARE PROFESSIONALS, AND ABBOTT TO AID IN THE REVIEW, ANALYSIS, AND EVALUATION OF HISTORICAL GLUCOSE DATA, GLUCOSE TEST RESULTS, KETONE TEST RESULTS, DATA FROM CONNECTED DEVICES, AND USER-ENTERED INFORMATION INCLUDING INSULIN, FOOD, EXERCISE, AND NOTES TO SUPPORT AN EFFECTIVE DIABETES HEALTH MANAGEMENT PROGRAM.
THE LIBREVIEW DATA MANAGEMENT SYSTEM IS NOT INTENDED FOR THE DIAGNOSIS OF OR SCREENING FOR DIABETES MELLITUS.
USERS SHOULD BE AWARE THAT THE LIBREVIEW DATA MANAGEMENT SYSTEM IS AN INFORMATION MANAGEMENT SERVICE TO ENABLE THE ANALYSIS OF GLUCOSE DATA AND IS NOT INTENDED AS A SUBSTITUTE FOR THE ADVICE THAT YOU PROVIDE TO YOUR PATIENTS AS A HEALTHCARE PROFESSIONAL. INDIVIDUALS SHOULD ALWAYS CONSULT THEIR DOCTOR OR OTHER QUALIFIED HEALTHCARE PROFESSIONAL WITH ANY QUESTIONS THAT THEY MAY HAVE REGARDING A MEDICAL CONDITION, INCLUDING DIABETES MANAGEMENT. NEITHER ABBOTT NOR ANY OF ITS AFFILIATED COMPANIES ARE RESPONSIBLE OR LIABLE FOR ANY DIAGNOSIS, DECISION, OR ASSESSMENT MADE BY A USER OR ANY INJURIES A USER MAY INCUR AS A RESULT OF ANY DECISIONS MADE BASED ON THE CONTENT OF THE PRODUCT.
THE LIBREVIEW DATA MANAGEMENT SYSTEM IS NOT AN ELECTRONIC HEALTH RECORDS SYSTEM AND YOU MUST PRINT AND/OR DOWNLOAD PATIENT INFORMATION THAT YOU DEEM RELEVANT TO YOUR PROVISION OF MEDICAL CARE, TREATMENT OR ADVICE.
YOUR USE OF THE SITE AND THE LIBREVIEW DATA MANAGEMENT SYSTEM CONSTITUTES, AND IS CONDITIONED UPON, YOUR AGREEMENT TO BE BOUND BY THESE TERMS OF USE. IF YOU DO NOT AGREE TO THESE TERMS OF USE, DO NOT ACCESS OR OTHERWISE USE THIS SITE, ANY SERVICES AVAILABLE THROUGH THIS SITE OR ANY INFORMATION CONTAINED ON THIS SITE.
YOUR USE OF THE SITE IS ALSO SUBJECT TO THE LIBREVIEW PROFESSIONAL PRIVACY NOTICE AVAILABLE AT WWW.LIBREVIEW.COM ('PRIVACY NOTICE'), WHICH EXPLAINS HOW WE COLLECT, PROTECT, RETAIN, STORE, AND DISCLOSE YOUR PERSONAL INFORMATION THAT YOU PROVIDE THROUGH YOUR USE OF THE SITE. IT ALSO SETS OUT THE INFORMATION THAT YOU, AS A PROFESSIONAL USER, SHOULD PROVIDE TO YOUR PATIENTS.
You do not need to register as a Professional User and create a LibreView Data Management System account to simply visit and view the Site.
General: The Site is your gateway to create a LibreView Data Management System account in which your patients’ Readers and the FreeStyle App readings may be stored, reviewed and analyzed by you. The LibreView Data Management System is designed to assist you in viewing and managing aspects of your patients’ condition, and to allow Abbott to provide improved treatment guidance for patients utilizing Abbott’s Readers and the FreeStyle App. The LibreView Data Management System allows patients with LibreView Data Management System accounts to share their glucose readings with you, and it also allows you to connect your patients’ Readers and the FreeStyle App to your computer and upload their glucose readings into a patient profile that you have created.
'Professional User' includes only those licensed healthcare providers (‘HCPs’) (and their duly authorized representatives and agents working on behalf of their clinical practice) who have either registered a clinical practice or have registered as a professional user of the LibreView Data Management System..
Abbott only permits one LibreView Data Management System user account per email address. As a Professional User, you may create a clinical practice account and invite other professionals and/or link with other Professional Users with LibreView Data Management System accounts within your practice.
These Terms of Use apply to your use of the Site and to your right to use the LibreView Data Management System. They are effective from when you set up a LibreView Data Management System account as a Professional User until terminated as set forth below.
By using this Site, you represent, acknowledge and agree that you are a Professional User and are duly authorized to use this Site and to create a Professional User account in the LibreView Data Management System and that you also have the appropriate authority to create a practice and link other HCPs or professionals within your practice, and also create patient profiles that will be shared with and utilized by Abbott.
LibreView Data Management System account: Do not reveal your LibreView Data Management System account information to anyone else or disclose to anyone your password details. You are responsible for maintaining the confidentiality and security of your LibreView Data Management System account and for all activities that occur on or through it. You agree to notify Abbott if you become aware of a security incident or breach affecting your LibreView Data Management System account, including where you believe your password may have been compromised, and fully cooperate with us, law enforcement or other applicable regulatory body in addressing the breach. Abbott is not responsible for any lost, stolen or compromised passwords or for any activity on your LibreView Data Management System account from unauthorized users or for any losses arising out of or in connection with the unauthorized use of your LibreView Data Management System account where caused by you. If there is a violation of any of the security requirements by you or other professional users in a practice that you create, that violation may be considered a breach of these Terms of Use and may result in the immediate loss of your LibreView Data Management System account.
You will be responsible for obtaining and maintaining any Internet connections, computing equipment and supplies necessary for you to receive, access and use the LibreView Data Management System. You agree to only use the LibreView Data Management System as expressly permitted herein. Abbott, its affiliates and its suppliers own all rights, titles and interests in and to the LibreView Data Management System and to content through the Site, including logos, graphics, videos, images, software and other materials ('Materials').
Subject to your compliance with these Terms of Use, Abbott hereby grants you a limited, personal, non-exclusive and non-transferable license to use and to display the Materials and to use this Site solely for your professional use. Except for the foregoing license, you have no other rights in the Site or any Materials and you may not modify, edit, copy, reproduce, create derivative works of, reverse engineer, alter, modify, enhance, or in any way exploit any of the Site or Materials in any manner. If you, or any other person under your responsibility, breach any of the provisions in these Terms of Use, the above license will terminate automatically and you must immediately destroy any downloaded or printed Materials.
Where you create a practice, you will supervise, monitor and train your employees, representatives, contractors, agents, and other professional users who you add to a practice that you create, to ensure proper use and security. You will limit access to the services available through the Site at your locations to those duly authorized users. You will be responsible for their use of the services, compliance with these Terms of Use and for the consequences of any breach of security that is caused by such users or that occurs at your locations.
Permitted uses of your LibreView Data Management System account: To use the LibreView Data Management System you must enter some of your personal information, including your username and password, to create your LibreView Data Management System account. You agree to provide accurate and complete information when you register with, and as you use, the LibreView Data Management System, and you agree to keep your LibreView Data Management System account information accurate, current and complete. These Terms of Use allow you to set up a LibreView Data Management System account as a Professional User over your organization’s network, and to set up a practice for use by any professional, employee or other individual authorized by you within your practice. If you have patients who do not have a LibreView Data Management System account which would enable you to view their glucose readings, it also allows you to create a patient profile whereby you may connect your patients’ Readers to your computer, upload their glucose readings into the patient profile that you created for them.
For Professionals in Turkey: You must provide us with your prior explicit consent with respect to transfer of your personal data outside of Turkey before entering into the LibreView Data Management System.
You acknowledge and agree that the Site and the LibreView Data Management System are provided to enhance your care of your patients and to allow Abbott to provide improved treatment guidance for patients utilizing Abbott's Readers and the Freestyle App, and you understand that these are not a substitute for your professional judgement or for your responsibilities to your patients.
AS YOU ARE SETTING UP A LIBREVIEW DATA MANAGEMENT SYSTEM PRACTICE IN YOUR PROFESSIONAL CAPACITY, YOU ACKNOWLEDGE AND AGREE THAT YOU ARE DULY AUTHORIZED TO AGREE AND BIND YOUR PRACTICE TO THESE TERMS OF USE AND HAVE THE NECESSARY CAPACITY AND AUTHORITY TO DO SO.
Prohibited uses of your LibreView Professional system account: We restrict access to the professional parts of our Site to Professional Users. We reserve the right to disable any Professional User ID at any time at our discretion, if, in our opinion, you are not a Profesional User or you have failed to comply with any of the provisions of these Terms of Use. When using our Site, you may not engage in the prohibited uses set out below. Where required by law, Professional Users must not create any patient profiles without having first obtained their patient’s informed, voluntary and explicit consent as may be required by applicable law. You agree that you will NOT use the LibreView Data Management System to:
Patient profiles: After you have created a LibreView Data Management System account, you will be permitted to create patient profiles. When creating a patient profile, you will be required to manually enter some personal information about the patient for example their name and date of birth. Within their patient profile, you will be able to manually upload the patient’s Reader readings to the LibreView Data Management System.
You will only use the Site and the LibreView Data Management System for those patients from whom you have previously obtained their informed, voluntary or, as necessary, explicit consent, or when you deem it necessary to protect their vital interests and will comply with any additional requirements arising under your local data protection, privacy, health or related laws. It is a misuse of the Site and the LibreView Data Management System to enter personal patient information, including health-related information, without either first securing their informed, voluntary or, as necessary, explicit consent, or having determined that which is necessary to protect their vital interests. Abbott will accept no liability in relation to your use of the Site, including where you use the Site to enter personal information relating to your patients, where these conditions have not been satisfied. We will provide reasonable assistance with any request that you make to remove the personal information of any of your patients from the LibreView Data Management System within a reasonable period from receipt of such request; unless prohibited by applicable law, this does not apply to personal information that Abbott has accessed to improve its treatment guidance for patients utilizing Abbott’s Readers and Freestyle App.
AS A PROFESSIONAL USER YOU ARE RESPONSIBLE FOR (I) ANY PATIENT DATA THAT YOU ENTER INTO THE LIBREVIEW DATA MANAGEMENT SYSTEM, (II) THE PERSONAL INFORMATION OF OTHER PROFESSIONALS THAT YOU INVITE TO JOIN A PRACTICE ACCOUNT, AND (III) YOUR USE OF PERSONAL INFORMATION OF ANY INDIVIDUAL WITH A LIBREVIEW DATA MANAGEMENT SYSTEM ACCOUNT. YOU ARE THEREFORE RESPONSIBLE FOR COMPLYING WITH APPLICABLE DATA PROTECTION, HEALTH AND PRIVACY LAWS AND FOR OBTAINING, WHERE REQUIRED, ANY CONSENTS (INCLUDING EXPLICIT CONSENT) NEEDED UNDER APPLICABLE LAW.
Patient data will be processed in accordance with the Privacy Notice
Abbott will treat all personal patient information for which it is a controller, including health information, in accordance with the Privacy Notice. When your patient has created a LibreView Data Management System account and grants you access to that account, or where you set up a LibreView Data Management System account for your patient, Abbott (through the LibreView Data Management System) will be processing your patient’s personal data as a ‘processor’ on your behalf as a healthcare provider where you process your patient information to protect their vital interests as determined in your sole discretion as their healthcare provider.
For Professional Users in the European Economic Area, United Arab Emirates, Switzerland and UK: Before you start to use our Site, create any patient profile, practices and/or invite other Professional Users to create a LibreView Data Management System Account, please review the EU/Swiss/UK Data Processing Agreement located at the end of these Terms of Use.
For Professional Users in Japan: Before you start to use our Site, create any patient profile, practices, and/or invite other Professional Users to create a LibreView Data Management System account to share the data with the J-DREAMS (as defined below) project, please review the Japan Data Processing Agreement for J-DREAMS located at the end of these Terms of Use.
For Professional Users in the US: Additionally, if you are a healthcare provider in the United States and a covered entity as defined by the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations ('HIPAA'), you are creating the patient profile and using the Site and the LibreView Data Management System in compliance with HIPAA either by: i) obtaining a patient authorization to do so; or ii) relying on the exception to the requirement for an authorization under HIPAA for disclosure of Protected Health Information for treatment or healthcare operations purposes. Additionally, that part of Abbott that oversees operation of the Site has implemented safeguards for PHI that HIPAA requires of Covered Entities.
Disclaimer of Warranties: YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOUR USE OF THE LIBREVIEW DATA MANAGEMENT SYSTEM IS AT YOUR SOLE RISK AND THAT TO THE EXTENT PERMITTED BY LAW, THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU. Any content included in the LibreView Data Management System is for the purpose of providing information only. Although Abbott believes the data displayed in the LibreView Data Management System to be accurate as at the time it is transmitted to the LibreView Data Management System, Abbott makes no representation, express or implied, as to the accuracy, completeness or timeliness of the information. In no event will Abbott be liable to you for any losses from mistakes, omissions or delays in transmission of information, or from interruptions in telecommunications connections to the LibreView Data Management System.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ABBOTT, ITS AFFILIATES AND ITS THIRD-PARTY PROVIDERS PROVIDE THE LIBREVIEW DATA MANAGEMENT SYSTEM 'AS IS' AND 'AS AVAILABLE' WITH ALL FAULTS AND DEFECTS AND WITHOUT ANY OTHER WARRANTY OF ANY KIND, AND HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF TITLE AND NON-INFRINGEMENT, ANY IMPLIED WARRANTIES, DUTIES OR CONDITIONS OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE AND QUALITY, AND OF LACK OF VIRUSES. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY ABBOTT OR AN ABBOTT-AUTHORIZED REPRESENTATIVE SHALL CREATE A WARRANTY.
Abbott, its affiliates and its third-party providers do not warrant that the functions contained in the LibreView Data Management System will meet your requirements or that the operation of the LibreView Data Management System will be uninterrupted or error free. To the extent that applicable law requires Abbott to provide warranties, you agree that the scope and duration of such warranties shall be to the minimum extent required to be provided under such applicable law.
In no event does Abbott provide any warranty or representation with respect to any third-party hardware or software, and Abbott disclaims all liability with respect to any failures thereof. Other than as expressly set out in these Terms of Use, Abbott disclaims any and all liability that may derive from actions or claims against Abbott or any of its affiliates, agents or assigns, or other third parties as may become applicable over the course of these Terms of Use.
For users in Russia: This Section 11 shall apply to the extent permissible by the Russian healthcare legislation, regulations, and standards.
For users in Australia: Nothing in Section 11 affects your rights in respect of the consumer guarantees in the Competition and Consumer Act 2010 (Cth). If our services come with guarantees that cannot be excluded under the Australian Consumer Law. For major failures with the service, you are entitled:
If a failure with the service does not amount to a major failure, you are entitled to have the failure rectified in a reasonable time. If this is not done you are entitled to cancel the contract for the service and obtain a refund of any unused portion (if you made a payment to access the Site). You are also entitled to be compensated for any other reasonably foreseeable loss or damage from a failure in the service.
Limitation of liability: NOTWITHSTANDING ANY LOSSES THAT YOU MAY INCUR AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ENTIRE LIABILITY OF ABBOTT, ITS AFFILIATES AND ANY OF ITS THIRD PARTY PROVIDERS UNDER ANY PROVISION OF OR OTHERWISE IN CONNECTION WITH THESE TERMS OF USE AND YOUR EXCLUSIVE REMEDIES FOR ALL OF THE FOREGOING SHALL BE LIMITED TO EITHER THE FIXING, REPAIRING OR OTHERWISE RECTIFYING ANY FAULTS WITHIN THE LIBREVIEW DATA MANAGEMENT SYSTEM, EVEN IF ANY SUCH LOSS WAS FORESEEABLE OR CONTEMPLATED BY THE PARTIES OR, WHERE APPLICABLE, THE GREATER OF THE AMOUNT ACTUALLY PAID BY YOU FOR THE LIBREVIEW DATA MANAGEMENT SYSTEM ACCESS OR USD$10.00. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL ABBOTT, ITS AFFILIATES OR ITS THIRD-PARTY PROVIDERS BE LIABLE TO YOU (OR YOUR PATIENTS, EMPLOYEES, CONTRACTORS, AGENTS OR USERS) FOR MONETARY DAMAGES, INCLUDING ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, FOR LOSS OF DATA OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE LIBREVIEW DATA MANAGEMENT SYSTEM, THIRD-PARTY SOFTWARE AND/OR THIRD-PARTY HARDWARE USED OR THAT MAY BE USED WITH THE LIBREVIEW DATA MANAGEMENT SYSTEM, FOR LOSS FROM ANY VIRUSES OR OTHER TECHNOLOGICALLY HARMFUL MATERIAL THAT MAY INFECT YOUR INFORMATION SYSTEM AND HARDWARE DUE TO YOUR DOWNLOADING ANY MOBILE APP/MATERIAL/WEBSITE LINKED TO THE LIBREVIEW DATA MANAGEMENT SYSTEM, OR OTHERWISE IN CONNECTION WITH ANY PROVISION OF THESE TERMS OF USE) WHETHER IN WARRANTY, CONTRACT OR TORT, INCLUDING NEGLIGENCE OR PRODUCT LIABILITY EVEN IF INFORMED ABOUT THE POSSIBILITY THEREOF, INCLUDING WITHOUT LIMITATION MEDICAL EXPENSES, LEGAL FEES, LOSS OF REVENUE OR PROFITS (WHETHER DIRECT OR INDIRECT), EVEN IF ABBOTT, ITS AFFILIATES OR ANY THIRD-PARTY PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF THE REMEDY FAILS OF ITS ESSENTIAL PURPOSE. ONLY YOU CAN IMPLEMENT BACK-UP PLANS AND SAFEGUARDS NECESSARY TO APPROPRIATELY ADDRESS YOUR NEEDS IN THE EVENT THAT AN ERROR IN THE LIBREVIEW DATA MANAGEMENT SYSTEM CAUSES COMPUTER PROBLEMS AND RELATED DATA LOSSES. FOR THESE BUSINESS REASONS, YOU UNDERSTAND AND AGREE TO THE LIMITATIONS OF LIABILITY IN THIS SECTION AND ACKNOWLEDGE THAT WITHOUT YOUR AGREEMENT TO THIS PROVISION, ANY APPLICABLE FEE CHARGED, WOULD BE HIGHER.
FOR USERS IN INDONESIA: NOTHING IN THESE TERMS OF USE SHALL EXCLUDE ANY MANDATORY STATUTORY REMEDY AVAILABLE TO A PROFESSIONAL USER IN THE EVENT OF A FAILURE TO COMPLY WITH A DATA PROTECTION REQUIREMENT BY ABBOTT THAT MAY GIVE RISE TO THE ABILITY OF AN AFFECTED PERSONAL DATA SUBJECT TO CLAIM MONETARY COMPENSATION UNDER THE ELECTRONIC AND INFORMATION TECHNOLOGY LAW AND/OR ANY OTHER REGULATIONS RELATING TO PROTECTION OF PERSONAL DATA.
In no event will we be liable to you (your patients, employees, contractors, agents or users) for any losses, costs, damages, charges or expenses resulting from loss, misappropriation, unauthorized access to or modification of data, including personal data, by any third party, or from mistakes, omissions or delays in transmission of information, or from interruptions in telecommunications connections to the service, viruses or failures of performance, interception or from the impact of the LibreView Data Management System on your information or communications systems, including without limitation any record or other communication provided by you, any patient or by us under these Terms of Use.
For Users in Australia: Nothing in this Section 12 affects your rights in respect of the consumer guarantees in the Competition and Consumer Act 2010 (Cth). Regardless of any other provision of these Terms of Use, if the Competition and Consumer Act 2010 (Cth) or any other legislation states that there is a guarantee in respect of the services we supply, and our liability for breach of that guarantee may not be excluded but may be limited, our liability for such breach is limited to, supplying the services again or paying the cost of having the services supplied again.
For users in Belgium: Nothing in these Terms of Use shall exclude our liability for damages caused by our wilful misconduct, fraud, fraudulent misrepresentation or gross negligence in connection with the LibreView Data Management System. Abbott’s liability for personal injury or death caused by our fault is not excluded either.
For users in Singapore, United Arab Emirates and the UK: Nothing in these Terms of Use shall exclude our liability for death or personal injury arising out of our negligence or fraudulent misrepresentation in connection with the LibreView Data Management System.
For users in Switzerland: Nothing in these Terms of Use shall exclude our liability for death or personal injury arising out of our negligence or fraudulent misrepresentation or our liability for damages arising out of our gross negligence or willful misconduct in connection with the LibreView Data Management System.
For users in Vietnam: Nothing in these Terms of Use shall exclude any mandatory statutory liability, including our liability in connection with monetary damages, personal injury or death arising out of our fault or negligence or product defect in connection with Vietnam’s Consumer Protection Law and other applicable law and regulations in Vietnam.
For users in Russia: Nothing in these Terms of Use shall exclude Abbott’s liability for willful misconduct.
For users in Turkey: Nothing in these Terms of Use shall exclude Abbott’s liability for gross negligence or willful misconduct.
Termination of your LibreView Data Management System account: These Terms of Use are effective upon your creation of a LibreView Data Management System account and shall continue in effect until terminated. You may ask Abbott to delete your LibreView Data Management System account at any time. Abbott may suspend or terminate your LibreView Data Management System account for any of the following reasons without advance notice to you:
Applicable law:
These Terms of Use shall be governed and construed in accordance with the laws of the State of Illinois without regard to any choice of law provisions. In the event of any conflict between foreign laws, rules and regulations and those of the United States, the laws, rules and regulations of the United States shall govern to the fullest extent possible. You agree that these Terms of Use shall be fully performable in the State of Illinois, and you agree that jurisdiction and venue are proper in any of the state and federal courts located in the State of Illinois, United States of America, with respect to any proceedings arising from these Terms of Use or the relationship between the parties hereto. The parties hereby agree that the United Nations Convention on Contracts for the International Sale of Goods does not govern these Terms of Use.
For users in EEA, the UK, Switzerland, India and Indonesia: These Terms of Use will be governed by and construed in accordance with English law. The parties hereby agree that the United Nations Convention on Contracts for the International Sale of Goods does not govern these Terms of Use. Any dispute arising out of or in connection with these Terms of Use, including any question regarding their existence, validity or termination, shall be referred to and finally resolved by arbitration under the LCIA Rules, which Rules are deemed to be incorporated by reference into this clause. The number of arbitrators shall be one. The seat, or legal place, of arbitration shall be London. The language to be used in the arbitral proceedings shall be English.
For Users in Australia: Nothing in this Section 22 excludes or purports to exclude the application of the Competition and Consumer Act 2010 (Cth) where relevant.
For Users in Australia: You will be notified of any changes to these Terms of Use when You start the LibreView Data Management System. Changes will be considered to have been accepted by You unless You inform Abbott in writing or by using electronic means agreed upon by Abbott. Abbott will draw Your attention to this fact when changes are announced. If You should decide to object to any change, You must do so within six weeks after receipt of announcement of the change. In the event of an objection, Abbott may terminate Your LibreView Data Management System account upon four weeks’ notice. Otherwise, Section 26 does not apply to users located in Australia.
BY CLICKING AGREE WHEN YOU CREATE A LIBREVIEW DATA MANAGEMENT SYSTEM ACCOUNT AS A PROFESSIONAL USER, YOU REPRESENT AND WARRANT THAT YOU ARE DULY AUTHORIZED TO ACCEPT AND ENTER INTO THESE TERMS OF USE AND THAT YOU INTEND YOUR ACT TO SERVE AS AN ELECTRONIC SIGNATURE TO THESE TERMS OF USE WITH THE SAME FORCE AND EFFECT AS A MANUAL SIGNATURE.
Please print a copy of these Terms of Use for Your records.
[FOR USERS IN THE EEA, JAPAN, SWITZERLAND AND UK, PLEASE SEE DATA PROCESSING AGREEMENT BELOW]
AGREEMENT based on the Standard Contractual Clauses 2021/914 - Module 2 (Transfer Controller to Processor) and including Module 3 (Transfer Processor to Processor)
This EU/Japan/Swiss/UK Data Processing Agreement (“DPA”) forms part of and is incorporated into the Terms of Use that govern your use as a Professional User of the LibreView website located at www.LibreView.com (the “Site”). Please read this DPA carefully before you start to use our Site, create any patient profile, practices, and/or invite other Professional Users to create a LibreView Data Management System account, as this DPA is a legal agreement between you as controller and data exporter and Abbott Diabetes Care Inc., 1420 Harbor Bay Parkway, Alameda, CA 94502 (USA), through its GDPR Article 27 representative or other local affiliates ("Abbott") as processor and data importer and Abbott Laboratories as sub-processor and receipt of personal data via an onward transfer from Abbott as processor and data importer.
Your access and use of the Site and the Libreview Data Management System (“Libreview”) constitutes and is conditioned upon your agreement to be bound by this DPA. If you do not agree to this DPA, do not use or access any services or information available through this Site. All pre-existing data protection agreement(s) relating to Libreview or a Professional User Libreview account between the parties are replaced and shall no longer apply except when the parties specifically agree.
SECTION I
Clause 1
Purpose and scope
|
(a) |
The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) 1 for the transfer of personal data to a third country. |
|
(b) |
The Parties:
|
|
(c) |
These Clauses apply with respect to the transfer of personal data as specified in Annex I.B. |
|
(d) |
The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses. 1 Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.
|
Effect and invariability of the Clauses
|
(a) |
These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects. |
|
(b) |
These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679. |
Clause 3
Third-party beneficiaries
|
(a) |
Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
|
|
(b) |
Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679. |
Clause 4
Interpretation
|
(a) |
Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation. |
|
(b) |
These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679. |
|
(c) |
These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679. |
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Intentionally left blank
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.
MODULE TWO: Transfer controller to processor
8.1 Instructions
|
(a) |
The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract. |
|
(b) |
The data importer shall immediately inform the data exporter if it is unable to follow those instructions. |
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
|
(a) |
The data importer and, during transmission, also the data exporter shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymization, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organizational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security. |
|
(b) |
The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. |
|
(c) |
In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay. |
|
(d) |
The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer. |
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union 2 (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
|
(i) |
the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer; |
|
(ii) |
the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question; |
|
(iii) |
the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or |
|
(iv) |
the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person. |
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
2 The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.
8.9 Documentation and compliance
|
(a) |
The data importer shall promptly and adequately deal with inquiries from the data exporter that relate to the processing under these Clauses. |
|
(b) |
The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter. |
|
(c) |
The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer. |
|
(d) |
The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice. |
|
(e) |
The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request. |
MODULE THREE: Transfer processor to processor
8.1 Instructions
|
(a) |
The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing. |
|
(b) |
The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract. |
|
(c) |
The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller. |
|
(d) |
The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter.. |
|
(a) |
The data importer and, during transmission, also the data exporter shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymization, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organizational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security. |
|
(b) |
The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. |
|
(c) |
In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay. |
|
(d) |
The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer. |
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union 3 (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
|
(i) |
the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer; |
|
(ii) |
the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679; |
|
(iii) |
the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or |
|
(iv) |
the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person. |
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
|
(a) |
The data importer shall promptly and adequately deal with inquiries from the data exporter or the controller that relate to the processing under these Clauses. |
|
(b) |
The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller. |
|
(c) |
The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller. |
|
(d) |
The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer. |
|
(e) |
Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller. |
|
(f) |
The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request. |
Clause 9
Use of sub-processors
MODULE TWO: Transfer controller to processor
|
(a) |
The data importer has the data exporter’s general authorization for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 90 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object. |
|
(b) |
Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. 4 The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses. |
|
(c) |
The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy. |
|
(d) |
The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract. |
|
(e) |
The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data. |
4 This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.
MODULE THREE: Transfer processor to processor
|
(a) |
The data importer has the controller’s general authorization for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 90 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s). |
|
(b) |
Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects 5. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses. |
|
(c) |
The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy. |
|
(d) |
The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract. |
|
(e) |
The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data. |
5 This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.
Clause 10
Data subject rights
MODULE TWO: Transfer controller to processor
|
(a) |
The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorized to do so by the data exporter. |
|
(b) |
The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organizational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required. |
|
(c) |
In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter. |
MODULE THREE: Transfer processor to processor
|
(a) |
The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorized to do so by the controller. |
|
(b) |
The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organizational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required. |
|
(c) |
In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter. |
Clause 11
Redress
|
(a) |
The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject. |
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
|
(b) |
In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them. |
|
(c) |
Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
|
|
(d) |
The Parties accept that the data subject may be represented by a not-for-profit body, organization or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679. |
|
(e) |
The data importer shall abide by a decision that is binding under the applicable EU or Member State law. |
|
(f) |
The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws. |
Clause 12
Liability
|
(a) |
Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses. |
|
(b) |
The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses. |
|
(c) |
Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. |
|
(d) |
The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage. |
|
(e) |
Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties. |
|
(f) |
The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage. |
|
(g) |
The data importer may not invoke the conduct of a sub-processor to avoid its own liability. |
Clause 13
Supervision
|
(a) |
Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority. |
|
(b) |
The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to inquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken. |
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
|
(a) |
The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses. |
|
(b) |
The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
|
|
(c) |
The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses. |
|
(d) |
The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request. |
|
(e) |
The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.] |
|
(f) |
Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three:, if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply. |
6 As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.
Clause 15
Obligations of the data importer in case of access by public authorities
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
15.1 Notification
|
(a) |
The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
|
[For Module Three: The data exporter shall forward the notification to the controller.]
|
(b) |
If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter. |
|
(c) |
Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module Three: The data exporter shall forward the information to the controller.] |
|
(d) |
The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request. |
|
(e) |
Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses. |
15.2 Review of legality and data minimization
|
(a) |
The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e). |
|
(b) |
The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.[For Module Three: The data exporter shall make the assessment available to the controller.] |
|
(c) |
The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. |
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
|
(a) |
The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason. |
|
(b) |
In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f). |
|
(c) |
The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
In these cases, it shall inform the competent supervisory authority [for Module Three: and the controller] of such non- compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. |
|
(d) |
[For Modules One, Two and Three: Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.] The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law. |
|
(e) |
Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679. |
Clause 17
Governing law
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights.
Clause 18
Choice of forum and jurisdiction
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
|
(a) |
Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State. |
|
(b) |
The Parties agree that those shall be the courts of the Member State whose law shall apply pursuant to Clause 17. |
|
(c) |
A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence. |
|
(d) |
The Parties agree to submit themselves to the jurisdiction of such courts. |
ANNEX I
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
Data exporter:
Professional User, a provider of healthcare services to patients.
Role: Controller
Data importer:
Abbott, the provider of the LibreView Data Management System.
Role: Processor
MODULE THREE: Transfer processor to processor
Data exporter:
Abbott, the provider of the LibreView Data Management System.
Role: Processor
Data Importer:
Abbott Laboratories
Role: Sub-processor
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred:
The Personal Data transferred concern the following categories of Data Subjects:
Categories of personal data transferred
The Personal Data transferred concern the following categories of data:
Registration data
IT usage data
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous as long as the data exporter uses the service of the data importer.
Nature of the processing
The Personal Data transferred shall be subject to the following processing operations:
Purpose(s) of the data transfer and further processing
To provide, operate and maintain the LibreView Data Management System.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Data Importer will continue to store data exporter's patients' personal information for the period that the data exporter has an active Professional User LibreView Data Management System account, unless data exporter chooses to delete their patient information sooner. Data Exporter's Professional User LibreView Data Management System account will be considered to be inactive once there has been no activity on it for six (6) months. Further, Data Importer may retain personal data in accordance with applicable legal requirements.
MODULE THREE: Transfer processor to processor
Categories of data subjects whose personal data is transferred:
The Personal Data transferred concern the following categories of Data Subjects:
Categories of personal data transferred:
The Personal Data transferred concern the following categories of data:
Registration data
IT usage data
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
As and when Maintenance Services are provided.
Nature of the processing:
The Personal Data transferred shall be subject to the following processing operations:
Purpose(s) of the data transfer and further processing:
To provide, operate and maintain the LibreView Data Management System.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Once the issue for which Maintenance Services are provided has been resolved, the personal data is deleted by the Data Importer.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
The supervisory authority competent for the controller.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
A description of the technical and organizational measures that Abbott implements in accordance with Clause 8.6 of the Standard Contractual Clauses is set out in Annex C (Security measures).
Abbott has implemented the technical and organizational security measures set out in this Annex II to ensure the ongoing confidentiality, integrity, availability and resilience of its processing systems and services. Abbott processes Personal Data on EEA server sites operated by an industry-leading cloud service provider that offers sophisticated measures to protect against unauthorized access.
Access control of processing areas (confidentiality): Steps taken by Abbott’s industry-leading cloud service provider to prevent unauthorized access to data processing equipment (for example, telephones, database and application servers, and associated hardware) in which Personal Data is processed include the following appropriate measures:
Access control to data processing systems (confidentiality): Abbott takes appropriate measures to prevent its data processing systems from being used by unauthorized persons. This is achieved by:
Access control for the use of certain areas of data processing systems (confidentiality): Abbott personnel authorized to use data processing systems may only access Personal Data where they have sufficient access authorization. Personal Data which is encrypted cannot be read, copied, changed or removed without authorization. This is achieved by:
Transfer control (integrity): Abbott takes steps to prevent Personal Data from being read, copied, altered or deleted by unauthorized persons during its transfer or transport. This is achieved by:
Input control (integrity): Abbott does not access Professional User content unless it is necessary to provide Professional User with the products and professional services it selects. Abbott does not access Professional User content for any purposes other than those set out in the Terms of Use and this DPA. Accordingly, Abbott does not know what content Professional User stores on its systems and cannot distinguish between Personal Data and other content. As a result, Abbott treats all Professional User content in the same manner. In this way, all Professional User content receives the same high level of security, regardless of whether this content contains Personal Data or not.
Abbott takes appropriate measures to ensure that it is possible to verify and establish that no Personal Data has been entered into or removed from data processing systems. This is achieved by:
Order control: Abbott takes steps to ensure that, where Personal Data is processed, it is processed strictly in accordance with Professional User’s instructions. This is achieved by:
Availability control (availability): Abbott takes steps to ensure that Personal Data is protected from accidental destruction or loss. This is achieved by:
Separation of processing for different purposes: Abbott takes steps to ensure that Personal Data collected for different purposes can be processed separately. This is achieved by:
Resilience: Abbott has implemented the following technical and organizational security measures, in particular to ensure the reliability of its processing systems and services:
Abbott has also implemented organizational and technical measures in consideration of the European Data Protection Board's Recommendations 01/2020 as well as the European Court of Justice's "Schrems II" decision.
ANNEX III
LIST OF SUB-PROCESSORS
MODULE TWO: Transfer controller to processor
| Subprocessor name | Subprocessor address | Description of services | Location from which services are provided |
|---|---|---|---|
| Amazon Web Services | 410 Terry Avenue North Seattle WA 98109 U.S.A. | Hosting LibreView Data Management System accounts for users located in the European Economic Area, Switzerland and the UK. | France for users located in France Germany for users located in Germany Ireland for all other EEA, Swiss and UK users Japan for Japanese users |
MODULE THREE: Transfer processor to processor
| Subprocessor name | Subprocessor address | Description of services | Location from which services are provided |
|---|---|---|---|
| Abbott Laboratories | 100 Abbott Park Road, Abbott Park, Ill. 60064U.S.A. | Providing Maintenance Services, in particular troubleshooting and other application and software support. | United States of America |
ANNEX IV
LOCAL LAW AMENDMENTS FOR DATA EXPORTERS NOT SUBJECT TO THE GDPR
|
1 |
Local Law Amendments for Data Exporters located in Switzerland:
|
|
2 |
Local Law Amendments for Data Exporters located in United Kingdom::
Table 2: Selected SCCs, Modules and Selected Clauses
Table 3: Appendix Information “Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Table 4: Ending this Addendum when the Approved Addendum Changes
PART 2: MANDATORY CLAUSES
Interpretation of this Addendum
Alternative Part 2 Mandatory Clauses:
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
DOC42186-001_rev-P_en-US