January 11, 2021 Sponsor Agreement with Centre for Human Drug Research. (Portions of this Agreement have been redacted in compliance with Regulation S-K Item 601(b)(10))


 

Exhibit 10.76

 

EXPLANATORY NOTE: [***] INDICATES THE PORTION OF THIS EXHIBIT THAT HAS BEEN OMITTED BECAUSE IT IS BOTH (I) NOT MATERIAL AND (II) WOULD BE COMPETITIVELY HARMFUL IF PUBLICLY DISCLOSED.

 

AGREEMENT

 

The undersigned:

 

1. The CENTRE FOR HUMAN DRUG RESEARCH (CHDR), a foundation located in Leiden in the Netherlands having its registered office at Zernikedreef 8, 2333CL LEIDEN, The Netherlands, and in the present matter lawfully represented by its Chief Executive Officer Prof Dr J. Burggraaf and its Chief Scientific Officer Dr Geert Jan Groeneveld (hereinafter referred to as “CHDR”); and
   
2. AIM ImmunoTech Inc. having its registered office at 2117 SW Highway 484, Ocala, Florida 34473, United States, hereby lawfully represented by its President and Chief Executive Officer Thomas K. Equels (hereinafter referred to as “Client”), together referred to as “Parties” and individually as a “Party”, hereby make this Agreement (“Agreement”) dated as of January 8, 2021 (the “Effective Date”).

 

Whereas:

 

  A. The Client is interested in a Phase I randomized, double-blind study to evaluate the safety and activity of repeated intranasal administration of Ampligen® (Poly I:Poly C12U) in healthy subjects;
  B. CHDR has the facilities and know-how to carry out such a clinical study;
  C. Client and CHDR are, in the performance of this Agreement, in compliance with the obligations arising out of the Good Clinical Practice Guidelines and the Dutch Act on Medical-scientific Research Involving Human Subjects.

 

Agree as follows:

 

Article 1: Definitions and interpretation

 

The following terms shall have the meaning ascribed to them below:

 

“Agreement”: means the terms and conditions of this main document, together with all Annexes referred herein.

 

“Effective Date”: shall mean the date this Agreement takes effect.

 

“Clinical Trial”: Any investigation in human subjects intended to discover or verify the clinical, pharmacological and/or other pharmacodynamic effects of an investigational product(s) (the “Product”), and/or to identify any adverse reactions to an investigational product(s), and/or to study absorption, distribution, metabolism, and excretion of an investigational product(s) with the object of ascertaining its safety and/or efficacy. The terms clinical trial and clinical study are synonymous. This definition is in line with article 1.12 of the Good Clinical Practice Guideline.

 

“Confidential Information”: shall mean any information belonging to either Party that is not in the public domain and was disclosed to the other Party for the purposes described in this Agreement, among which but not exclusively, any Intellectual Property of either Party.

 

“Intellectual Property (IP)”: any patents, supplementary protection certificates, rights to inventions, registered designs, copyright and related rights, database rights, design rights, topography rights, trademarks, service marks, trade names and domain names, trade secrets, rights in unpatented know-how, rights of confidence and any other intellectual or industrial property rights of any nature including all applications (or rights to apply) for, and renewals or extensions of such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.

 

 
CHDR2049-[AMP-COV-100]3/24/2021Page 1  of 32

 

“Background IP”: shall mean any Intellectual Property, other than Foreground IP, already owned by Parties on the Effective Date.

 

“Foreground IP”: shall mean any Intellectual Property that is conceived, created or developed by, or by a contractor of, either Party in the course of the work conducted in the course of this Project.

 

Article 2: Scope of the Agreement

 

Client instructs CHDR, and CHDR accepts this instruction, to conduct research (hereinafter the “Project”) as described in more detail in the proposal/protocol entitled: “A Phase I, Randomized, Double-Blind Study to Evaluate the Safety and Activity of Ampligen® (Poly I:Poly C12U) in Healthy Subjects at Low Risk for Coronavirus Disease-2019 (COVID-19)” (the “Protocol”), which is annexed to this Agreement as Annex 1. The Protocol shall be considered to constitute an integral part of this Agreement. The Protocol shall establish the means for obtaining insurance coverage for the Project. All of the above shall be only applicable on the condition precedent that the Protocol is approved by the Medical Ethics Review Committee.

 

CHDR shall perform the Project in accordance with industry best practices, reasonable care and skill and in compliance with all laws, rules and regulations applicable to the Project (“Applicable Laws”).

 

If necessary, CHDR will be allowed, after consultation with and the express written approval of Client, to involve the services of third persons or organisations for specific matters, provided that CHDR shall procure that such third persons and organisations are subject to obligations of confidentiality which are no less strict than the obligations in force for personnel of CHDR. In as far as these third persons or organisations have access to personal data, CHDR will enter into a data processing agreement with these third persons or organisations as detailed in the processing agreement between CHDR and the Client.

 

Article 3: Prices and payment

 

The Parties have agreed on a Quotation for this Project as shown in Annex 2. Client shall be invoiced by CHDR according to the Payment schedule in Annex 3. Payment terms are thirty (30) days after date of invoice. These amounts do not include applicable Dutch value added tax (which is not applicable to US companies who provide a W-8BEN-E form). After being invoiced by CHDR, Client shall transfer the amount by the indicated payment date to the bank account indicated on the invoice. These fees were agreed upon by the Parties on the basis that Client and CHDR carry out the tasks and activities described in Annex I.

 

Article 4: Coordination

 

Each of the contracting Parties will name a person within its organisation who is responsible for maintaining contacts on the executive level. For CHDR this person will be Dr Geert Jan Groeneveld, MD, for scientific and medical items, and Prof Dr J. Burggraaf for financial and contractual items. For the Client this person will be Dr David R. Strayer for scientific and medical items and Peter W. Rodino, III, for financial and contractual items.

 

 

 

Article 5: Intellectual Property

 

5.1 It is recognised and understood that the ownership of any Background IP of Client and CHDR pre-existing as of the Effective Date and used in the course of this Project, is not affected by this Agreement.
5.2 Any IP to any know-how, material, discovery or invention, whether patentable or not, conceived or conceived and reduced to practice as a result of the work conducted in the course of this Project (an “Invention”) shall be owned or co-owned by the Party or Parties that developed it, unless the Invention is either “Product Foreground IP” or “Clinical Trial Foreground IP”. An Invention shall be considered “Product Foreground IP” if it relates to the Product of the Company in the Clinical Trial. An Invention shall be considered “Clinical Trial Foreground IP” if it relates to clinical trial methodology, the techniques and technology that may be used by CHDR. Product Foreground IP shall belong to the Client and Clinical Trial Foreground IP shall belong to CHDR.

 

Article 6: Obligations of Client

 

Client undertakes to use reasonable efforts to enable CHDR to carry out the Project. This obligation includes, among other things: (a) providing CHDR with all available and relevant information concerning the drug or drugs with which the Project is concerned, including in particular any information which may be relevant to the safe implementation of the Project; and (b) supplying CHDR with the above-mentioned drug or drugs free of charge, in good time and in sufficient quantities as set forth in the Protocol.

 

Article 7: Obligations of CHDR

 

7.1 CHDR shall use its best efforts to complete the Project according to the estimated timelines, as shown in Annex 4.
7.2 CHDR shall immediately inform Client in writing if CHDR becomes aware that circumstances are such that there will be a substantial delay in the progress of the Project. In such an event the Parties shall, by mutual consent, make an arrangement concerning the consequences of the delay on the subsequent implementation of the Project and/or this Agreement.
7.3 CHDR shall give Client’s monitoring personnel access to all files which have been collated on the individual volunteers and shall allow these personnel to make copies of such files, either in whole or in part, but only in as far as the personal data in the files concerned has been made anonymous.

 

Article 8: Data analyses and publication

 

8.1 CHDR shall be entitled to use the data and analysis, which have been received under the terms of the Project (hereinafter the “Data”), for publications in and/or oral presentations to the scientific media and/or forums, with the understanding that CHDR shall not do so unless it has previously informed Client of the proposed publications or presentations and provided such publications and/or presentations to Client for review and comment not less than thirty (30) days before such proposed use.
  The authorship of such a publication shall reflect the contribution of individual employees of the Client and CHDR. A joint publication is the preferred form.
8.2 If Client can demonstrate that the postponement of a publication or presentation intended by CHDR is necessary to protect its intellectual property rights, CHDR shall postpone such publication or presentation, but CHDR shall not be required to do so for a period of longer than three months after the study’s completion unless Client requires more than three months in order to safeguard its rights and the interests connected with its rights outweigh the interests CHDR may have in the proposed publication or presentation, with a maximum of 12 months after the study’s completion. A postponement request shall, in no circumstances, result in the cancellation of any publication or presentation by CHDR. In all cases, agreements on publication need to be in accordance with the “Revised CCMO Directive on the Assessment of Clinical Trial Agreements” dated 30 August 2011.

 

 

 

Article 9: Reporting

 

9.1 The Data pertaining to the Product generated in the course of this Project shall be the sole property of Client, subject to the provisions of article 8 related to CHDR’s right to publish and/or present. Client’s entitlement to the study report (‘Report’) shall not affect CHDR’s copyright or reproduction rights with regard to the publications or presentations described in article 8 above.
9.2 Client shall have the rights to submit the Report and the Data to any drug regulatory authority in any country whatsoever and to use the Report and the Data in order to obtain patents or other similar rights with respect to the Product investigated in the course of this Project.
9.3 Client may refer to the Report and the Data in any publication, with the understanding that the interpretations and/or conclusions set out in such publications shall be purely Client’s responsibility and cannot be attributed to CHDR, unless CHDR has given its prior written consent to the interpretation(s) or conclusion(s) concerned.

 

Article 10: Insurance

 

In accordance with the Dutch “Medical Research involving Human Subjects Act” and the “Decree containing rules for Compulsory Insurance in Medical-scientific Research involving Human Subjects 2015”, CHDR shall insure the subjects who participate in the Project for the following maximum amounts:

 

(1) € 650.000,— (i.e. six hundred and fifty thousand Euro) per claim per subject;

(2)  € 5.000.000,— (i.e. five million Euro) per medical research project;

(3)  € 7.500.000,— (i.e. seven million and five hundred thousand Euro) for the total sum for injuries arising out of medical research projects per insurance year.

 

Article 11: Liability

 

11.1 Client is not liable towards CHDR for any damage to the health of a volunteer that may directly result from his or her participation in the Project. This exclusion shall not apply if and to the extent that the damage to the health of the volunteer exceeds the insurance coverage which CHDR has taken out.
11.2 The exclusion of article 11.1 shall also not apply if the damage to the health of the volunteer was caused by any defect, as defined in article 6:186 of the Dutch Civil Code, in the drug or drugs which Client provided to CHDR. Next to the definition in the above mentioned article, the term “defect” also entails constituting any instance in which Client has, pursuant to its obligation to provide information as described in article 6 above, provided CHDR with incomplete or inaccurate information on the Product or drug(s).
11.3 Except in situations of intentional damage or gross negligence, CHDR is not liable to Client for any damage, including, but not limited to, any damage resulting from Client’s use of the Data, delays in the implementation of the Project or the non-completion of the Project.

 

 

 

Article 12: Indemnity

 

Client agrees to indemnify and hold CHDR, their officers and employees harmless from any liability, loss or damage they may suffer as a result of claims, demands, costs or judgments against them arising out of the activities to be carried out pursuant to the obligations of this Agreement, including, but not limited to, the use by Client of the results obtained from the activities performed by CHDR under this Agreement; provided, however, that any such liability, loss or damage resulting from the following Subsections “a” or “b” is excluded from this Agreement to indemnify and hold harmless:

 

a. the negligent failure of CHDR to substantially comply with applicable governmental requirements; or

b. the negligence or willful wrongdoing of any officer or employee of CHDR

 

Article 13: Force Majeure; Continuity

 

Neither Party shall be considered in default of the performance of its obligations under this Agreement to the extent that the performance of such obligations is prevented by war, civil disturbance, fire, water damage, floods, sit-ins, lock-outs, government measures or any other event, occurrence or condition which is not caused, in whole or in part, by such Party and which is beyond the reasonable control of such Party.

 

If, as a result of illness on the part of (an) employee(s) of CHDR, CHDR employee(s) advising Client is (are) not able to continue rendering (their) his services to Client, CHDR shall undertake to find (a) replacement(s) within thirty (30) days.

 

Article 14: Duration

 

This Agreement comes into force as from the Effective Date mentioned above and has been concluded for the duration of the Project. The Project shall end in accordance with the agreed timelines, unless sooner terminated in accordance with the terms hereof. The parties agree that the term may be extended by mutual written agreement if events beyond control delay completion of the Services beyond the expiration date. The Parties explicitly agree that as they have included a retention period for any personal data collected during the Project, the data will be retained by CHDR under the processing agreement as detailed in article 16.1 and 16.2 of this Agreement.

 

Article 15: Termination

 

15.1 This Agreement may be terminated earlier by both Parties, but needs to be in accordance with the “Revised CCMO Directive on the Assessment of Clinical Trial Agreements” dated 30 August 2011, in the event:

 

  if the judgement of the competent medical research ethics committee that has assessed the study is irrevocably revoked;
  if a reasonable case can be made for terminating the study in the interests of the health of the research subjects;
  if it transpires that continuation of the study cannot serve any scientific purpose, and this is confirmed by the medical research ethics committee that has issued a positive decision on the study;
  if one of the parties has been declared insolvent or a bankruptcy/winding-up petition has been filed in respect of one of the parties or the financier, or one of the parties or the is dissolved as a legal entity;
  if the principal investigator is no longer capable of performing the tasks of the principal investigator, and no replacement agreeable to both parties can be found;
  if one of the two parties fails to comply with the obligations arising from the agreement and, provided compliance is not permanently impossible, this compliance has not taken place within thirty days of the defaulting party receiving a written request to comply, unless failure to comply is not in reasonable proportion to the premature termination of the study;
  if circumstances beyond the control of both parties make it unreasonable to require the study’s continuation.

 

 

 

15.2 In all cases of termination of this Agreement the Parties shall cooperate in order to ensure volunteers’/ patients’ safety, continue appropriate treatment, deliver the work results and comply with all applicable regulations.
15.3 In the event of preliminary termination of the Clinical Trial, not being the result of a material breach of the obligations by CHDR as laid down in this Agreement, the total sums payable by Client pursuant to this Agreement shall be equitably prorated for actual work performed up to and including the date of termination, including non-cancellable services with sub-contractors or reserved beds for 6 weeks after date of termination.

 

Article 16: Confidentiality and Data Privacy

 

16.1. All processing of personal data will be in accordance with the General Data Protection Regulation (“GDPR”). Client shall act as Controller under the GDPR. CHDR shall act as the Processor (as defined in the GDPR) on behalf of the Client. For this reason, Client and CHDR shall enter into a data processing agreement (Annex 6) outlining their respective responsibilities.
16.2. Termination of the Agreement on any ground whatsoever shall have as its effect that the Processor Agreement shall survive, unless the Parties agree otherwise in writing.
16.3. In case Client is established outside the European Union (“EU”), Client will appoint a representative in the EU, in writing.
16.4. CHDR shall obtain informed consent from the Clinical Trial subjects in order to allow for processing of the personal data from the Clinical Trial subjects.
16.5. The Parties agree to adhere to the principles of medical confidentiality in relation to Clinical Trial Subjects involved in the Clinical Trial.
16.6. Personal data (as defined in the GDPR) shall not be disclosed to the Client by CHDR or its Principal Investigator unless this is required to satisfy the requirements of the Protocol or for the purpose of adverse event monitoring or adverse event reporting, or in relation to a claim or proceeding brought by the Clinical Trial subject in connection with the Clinical Trial. The Parties shall not disclose the identity of Clinical Trial subjects to third Parties without prior written consent of the Clinical Trial subject, except in accordance with the provisions of the GDPR, or in relation to a claim or proceedings brought by the Clinical Trial subject in connection with the Clinical Trial.
16.7. Hereby, the Client requests CHDR to retain the personal data collected under the Protocol for the Client for 25 years after database lock. After the lapse of the retention period, the Client requests CHDR to anonymize the personal data, after which identification of the data subject will no longer be possible.
16.8. The Client hereby instructs CHDR to process the personal data under this Agreement not solely based on informed consent of the data subject, but also based on article 6(1)(a) and (f) and 9(2)(j) of the GDPR.
16.9. As CHDR is the Processor, the Client instructs CHDR to handle study subject requests pertaining to articles 15 until 18 and 20 until 22 of the GDPR. As it is of the utmost importance to retain the study data as a complete dataset for the purpose of pharmacovigilance obligations of the Client as well as to preserve the integrity of the study data for scientific purposes, the Client therefore instructs CHDR to limit the exercise of:

 

 

 

  a. article 16 GDPR (right to rectification), to the extent that factual errors concerning name and address may be corrected;
  b. article 17 GDPR (right to erasure);
  c. article 18 GDPR (right to restriction of processing);
  d. article 20 GDPR (right to data portability);
  e. article 21 GDPR (right to object), and;
  f. article 22 GDPR (the right not to be subject to automated individual decision-making, including profiling).

 

16.10. CHDR and Client shall ensure that only those of their officers and employees (and in the case of Client those of its Affiliates) directly concerned with the carrying out of this Agreement have access to the Confidential Information of the other Party. Each Party undertakes to treat as strictly confidential and not to disclose to any third party any Confidential Information of the other Party, except where disclosure is required by a Regulatory Authority or by law. The Party required to make the disclosure shall inform the other within a reasonable time prior to being required to make the disclosure, of the requirement to disclose and the information required to be disclosed. Each Party undertakes not to make use of any Confidential Information of the other Party, other than in accordance with this Agreement, without the prior written consent of the other Party.
16.11. The obligations of confidentiality set out in article 15.2 shall not apply to information which:

 

  (1) is or becomes part of the public domain by any other means than a wrongful act or breach of this Agreement by the Parties;
  (2) was or becomes in the Parties’ lawful possession prior to the disclosure without restriction on disclosure;
  (3) has been independently developed by the receiving Party and is not subject to a duty of confidentiality.

 

Article 17: Assignment

 

Without the other Party’s written consent, neither Party shall assign the whole or any part of this Agreement or any claim arising from it to any third party; provided, however, that notwithstanding the foregoing, Client may assign all of its rights and obligations hereunder without such consent to an affiliate of Client or to a successor in interest by reason of merger, consolidation or sale of all or substantially all the assets of Client. Subject to the foregoing, this Agreement shall inure to the benefit of and be binding on the Parties’ successors and assigns. Any assignment in violation of the foregoing shall be null and void and wholly invalid, the assignee in any such assignment shall acquire no rights whatsoever, and the non-assigning Party shall not recognize, nor shall it be required to recognize, such assignment.

 

Article 18: Changes / Waiver

 

This Agreement or parts of this Agreement can only be changed with the written consent of both Parties. Similarly, no waiver of the provisions of this Agreement shall be valid or binding on either Party unless in writing and signed by both Parties.

 

 

 

Article 19: Applicable law and competent court

 

19.1 The entire relationship between the Parties and any and all claims and disputes arising out of or in connection with this Agreement (including the Annexes) and all other agreements relating thereto (including any non-contractual claims and disputes) shall be exclusively governed by and construed in accordance with the laws of Delaware in the United States.
19.2 Any disputes regarding or in connection with the Processing Agreement shall be exclusively decided by arbitration. The number of arbitrators shall be three. Each party shall choose one arbiter, who together shall appoint the third arbitrator. The seat of arbitration shall be the Netherlands. The governing laws shall be the laws of the Netherlands.

 

Article 20: Miscellaneous

 

20.1 Notices. All notices from one Party to the other will be in writing to the addresses set forth above. Notices shall be sent by overnight courier, certified mail, return receipt requested, or by other means of delivery requiring a written acknowledged receipt. All notices shall be effective upon receipt.
20.2 Independent Contractor. The business relationship of CHDR to Client is that of an independent contractor and not of a partner, joint venture, employer, employee or any other kind of relationship.
20.3 Severability. In the event that any one or more of the provisions contained in this Agreement will, for any reason, be held to be invalid, illegal or unenforceable in any respect, that invalidity, illegality or unenforceability will not affect any other provisions of this Agreement, and all other provisions will remain in full force and effect.

 

This Agreement is drawn up in duplicate and signed in:

 

Leiden on …11…/…01…/…2021……. Ocala, Florida USA on 01/08/2021

 

/s/ Prof Dr. Jacobus Burggraaf   /s/ Peter W. Rodino
Centre for Human Drug Research   AIM ImmunoTech Inc.

Prof Dr Jacobus Burggraaf

Chief Executive Officer

 

Peter W. Rodino, III

General Counsel & Chief Operating Officer

     
/s/ Dr Geert Jan Groeneveld    
Centre for Human Drug Research

Dr Geert Jan Groeneveld

Chief Scientific Officer

   

 

 

 

Annexes:

 

Annex 1. Protocol / Synopsis

 

Annex 2. Quotation

 

Annex 3. Payment Schedule

 

Annex 4. Timelines

 

Annex 5. List of responsibilities

 

Annex 6. Processor Agreement

 

[Remainder of Page Intentionally Left Blank]

 

 

 

Annex 1.

 

Project Description

 

Hereby incorporated by reference, Protocol AMP-COV-100 (CHDR2049), dated 08 January 2021 and entitled A Phase I, Randomized, Double-Blind, Placebo-Controlled Study to Evaluate the Safety and Activity of Repeated Intranasal Administration of Ampligen® (Poly I:Poly C12U) in Healthy Subjects.

 

 

 

Annex 2. Quotation

 

[***]

 

 

 

Annex 3. Payment Schedule

 

[***]

 

Payments to be made to

 

[***]

 

 

 

Annex 4. Estimated Timelines

 

Signed Protocol, signed contract, IMPD, IB, Insurance certificate | 05 January 2021
Submission to Ethics Committee/Competent Authority (EC/CA) | 11 January 2021
Expected Approval EC/CA | End of January 2021
Delivery drug supplies by Client | End of January 2021
Start Recruitment | 01 February 2021
First Subject First Dose (FSFD) | 05 March 2021
Last Subject Last Dose (LSLD) | 21 June 2021
Database Lock (DBL) | 6 weeks after LSLV
Headline results | 3 weeks after DBL
First draft Clinical Study Report (CSR) | 9 weeks after DBL
Final draft CSR | 2 weeks after receipt of comments on the draft version of CSR
Final data transfer | TBD

 

NB – all above timelines are subject to any EC/CA approval and Protocol amendments. Furthermore, at the time of signing this Agreement, a global pandemic is in progress involving COVID-19 and therefore the timelines are subject to change according to the measures requested by the Dutch authorities (government, RIVM, IGJ, CCMO) to address the situation at the time of the Project execution.

 

 

 

Annex 5. List of responsibilities

 

ACTIVITY | Client | CHDR | Third Party
STUDY START UP | | |
1. Design the study | X | X |
2. Write the protocol | | X |
3. Review the protocol | X | X |
4. Prepare CHDR site-specific subject information sheet and informed consent | | X |
5. Prepare IB and IMPD (or SPC when applicable) | X | |
6. Receipt, storage and accountability of drug supplies | | X |
7. Provide labels for PK samples | | X |
8. Prepare randomisation code | | X |
STUDY INITIATION | | |
1. Collect pre-study documents | | X |
2. Obtain approval from Ethics Committee | | X |
STUDY CONDUCT | | |
1. Recruitment and screening of subjects | | X |
2. Execute study procedures | | X |
3. Perform subjects’ supervision during study | | X |
4. Perform ongoing procedures described in the protocol | | X |
5. Perform end of study evaluation of subjects | | X |
6. Administration site clinical trial file | | X |
7. Serious Adverse Events (SAE) recording | | X |
8. Notify SAE to Client | | X |
9. Notify SAE to Health Authorities and Ethics Committee | | X |
10. Sample handling | | X |
13. Monitoring by external party | X | |
DATA MANAGEMENT | | |
1. Development & design of CHDR database (not CDISC) | | X |
2. Data entry (double data entry for CRF) | | X |
3. Data QC | | X |
4. eCRF data entry | | X |
5. Address Client queries | | X |
6. Data verification before database lock | | X |
7. Database lock | | X |
8. Integration of PD data or other data in database | | X |
PD ASSESSMENT | | |
1. Organize shipment of PD samples | | X |
2. PD sample analysis | | X |
STATISTICAL ANALYSIS | | |
1. Write the Statistical Analysis Plan (SAP) | | X |
2. Review SAP | X | X |
3. Provide Interim safety/PD analysis reports | | X |
4. Provide Blind Data Review (BDR) report | | X |
5. Perform, PD (incl. non-compartmental analysis) and safety analysis | | X |
6. Provide safety/PD analysis reports | | X |
7. Review safety/PD analysis reports | X | X |
MEDICAL WRITING | | |
1. Produce integrated CSR | | X |
2. Prepare scientific publication (Subject to Article 9.1.) | X | X |

 

 

 

Annex 6

 

PROCESSOR AGREEMENT

 

  1. AIM ImmunoTech Inc., having its registered office at 2117 SW Highway 484, Ocala, Florida 34473, United States lawfully represented in this matter by its President and Chief Executive Officer Thomas K. Equels, M.S. J.D. (hereinafter: “the Controller”); and
     
  2. Centre for Human Drug Research having its registered office at Zernikedreef 8, 2333CL in Leiden, the Netherlands lawfully represented in this matter by its Chief Executive Officer Prof Dr J. Burggraaf (hereinafter “the Processor”).

 

hereinafter also referred to collectively as: “the Parties” and individually as “a Party”;

 

WHEREAS:

 

  (a) the Processor provides services for the benefit of the Controller, as set out in the sponsor agreement between the Client and CHDR (as defined below);
  (b) the services entail the processing of Personal Data, including Data concerning health;
  (c) the Processor solely processes the data concerned on the instructions of the Controller and not for purposes of his own;
  (d) as of 25 May 2018 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) will be applicable.

 

DECLARE TO HAVE AGREED THE FOLLOWING:

 

Article 1 Definitions

 

1.1. In this Processor Agreement the following capitalised terms shall have the following meanings:

 

  a. General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  b. Personal Data: any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person as defined in article 4 of the GDPR;
  c. Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as defined in article 4 of the GDPR;
  d. Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law, as defined in article 4 of the GDPR;

 

 
CHDR2049-[AMP-COV-100]3/24/2021Page 16  of 32

 

  e. Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller, as defined in article 4 of the GDPR;
  f. Sub-Processor: any non-subordinated third party engaged by the Processor in the processing of Personal Data within the scope of the Agreement, other than Employees;
  g. Third party: a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data, as defined in article 4 of the GDPR;
  h. Consent of the Data Subject: any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her, as defined in article 4 of the GDPR;
  i. Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, as defined in article 4 of the GDPR;
  j. Data concerning health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status, as defined in article 4 of the GDPR;
  k. Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as defined in article 4 of the GDPR;
  l. Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
  m. Data Protection Officer (DPO): a person who advises, informs and reports independently either of the Parties about the protection of personal data, who acts in accordance with the articles 37-39 of the GDPR;
  n. Incident: means either

 

  i an investigation into or a seizure of Personal Data by government officers or a serious suspicion that this will take place;
  ii a personal data breach within the meaning of article 4(12) GDPR;

 

  o. Agreement: the sponsor agreement between Controller and Processor concerning CHDR2049;
  p. Study Protocol: the document that describes the objective(s), design, methodology, statistical considerations and organisation of a clinical study;
  q. Study: the clinical study as described in the Study Protocol.

 

1.2. Wherever this Processor Agreement refers to certain standards, the most recent version of that standard is always referred to. To the extent that the standard concerned is no longer maintained, the most recent version of the logical successor of that standard that represents the state of art in the subject matter of the standard referred to should be read instead.

 

Article 2. Subject-Matter of this Processor Agreement

 

2.1. This Processor Agreement concerns the processing of Personal Data by the Processor on the instructions of the Controller within the scope of the performance of the Agreement or Agreements.
2.2. The Parties are concluding the Agreement or Agreements in order to make use of the Processor’s expertise in the areas of processing and securing Personal Data for the purposes ensuing from the Agreement or Agreements and further described in this Processor Agreement. The Processor guarantees that he is properly qualified for this purpose.
2.3. This Processor Agreement forms an inseparable part of the Agreement or Agreements. To the extent that the provisions of the Processor Agreement are inconsistent with the provisions of the Agreement or Agreements, the provisions of the Processor Agreement shall prevail.

 

 

 

Article 3. Execution of processing

 

3.1. The Processor guarantees that he will only process Personal Data for the benefit of the Controller to the extent that:

 

  a. this is necessary for the performance of the Agreement or
  b. the Controller has given further written instructions for that purpose.

 

3.2. Within the scope of the provisions of Article 3.1 under a.), the Processor shall only process the Personal Data in accordance with the Agreement and the Study Protocol that is drawn up in accordance with the Agreement. Part of the written instructions within the scope of Article 3.1 under b.) will be the Data Transfer Agreement between the Controller and the Processor specifying the technical method, timelines and specifications of any data transfer.
3.3. The Processor will only process the types of personal data from the Data Subjects participating in the study, as laid down in the Study Protocol.
3.4. The Processor shall follow all reasonable instructions given by the Controller in connection with the processing of the Personal Data. The Processor shall immediately inform the Controller if the instructions are – in his view – in breach of the applicable legislation relating to personal data.
3.5. Without prejudice to the provisions of the first paragraph of this Article 3, the Processor shall be allowed to process Personal Data if any legal requirement (including any court or administrative orders based thereon) requires that processing by him. In that case the Processor shall inform the Controller, before the processing, of the intended processing and the legal requirement, unless that law or court or administrative orders prohibit such information on important grounds of public interest. The Processor shall enable the Controller, where possible, to raise a defence against this mandatory processing and shall also otherwise restrict the mandatory processing to what is strictly necessary.
3.6. The Processor shall demonstrably process the Personal data in a proper and careful manner and in agreement with his obligations as a Processor under the GDPR, and other laws and regulations. Within that scope the Processor shall in any event maintain a record of the processing activities within the meaning of Article 30 GDPR and provide the Controller with a copy of that record at the latter’s first request.
3.7. In regard to processing Data concerning health, the Processor guarantees that he will not act in breach of the applicable health legislation.
3.8. Unless the Processor has obtained the Controller’s explicit prior written consent, he shall not process Personal Data or arrange for the processing of Personal Data by himself or by third parties in countries outside the European Union (“EU”), unless the Processor is legally obliged so by law. If the latter is the case, the Processor informs the Controller of that legal requirement before processing, unless that law prohibits such information. Processing Personal Data or arranging for the processing of Personal Data outside of the EU will take place under the conditions as set out in annex 3.
3.9. The Processor guarantees that the Employees involved have signed non-disclosure agreements and shall allow the Controller to review these non-disclosure agreements at the latter’s request. Before providing the Controller with a copy of the Study data processed by the Processor, the Processor will pseudonymise the data by removing name and address information of the study subjects.

 

 

 

Article 4. Security of Personal Data and monitoring

 

4.1. The Processor shall demonstrably take appropriate and effective technical and organisational security measures (Annex 2), which correspond, given the state of the art and the costs involved therein, with the nature of the Personal Data to be processed, in order to protect the Personal Data from loss, unauthorised review, corruption or any form of unlawful processing and also to guarantee the (timely) availability of the data. These security measures include measures that may already have been provided for in the Agreement. The measures shall in any event include:

 

  a. measures to ensure that only authorised Employees have access to the Personal Data for the described purposes;
  b. measures ensuring that the Processor and his Employees and Sub-Processors can only access the Personal Data via registered accounts, with an adequate logging of such accounts, which allow access to only the Personal Data which the person or legal person needs to access;
  c. measures to protect the Personal data from accidental or unlawful destruction, accidental loss or amendment or unauthorised or unlawful storage, processing, access or disclosure;
  d. measures for the purpose of identifying weaknesses in relation to the processing of Personal Data in the systems used to provide services to the Controller;
  e. measures to guarantee the timely availability of the Personal Data;
  f. measures to ensure that the Personal Data are separated in a logical way from the Personal Data the Processor is processing either for himself or on behalf of third parties.

 

4.2. The Controller shall be entitled to monitor (or arrange for the monitoring of) the compliance with the measures set out above in Article 4.1. The Processor shall in any event allow the Controller, if so requested by the Controller, to investigate (or arrange for the investigation of) this at least once a year at a time to be determined by mutual agreement between the Parties and, furthermore, whenever the Controller has a reason for doing so, based on information or privacy incidents (or the suspicion that such incidents have occurred). The Processor shall reasonably lend assistance with such an investigation. The Processor shall follow any instructions for the adjustment of his security policies that the Controller may reasonably give following such an investigation, within a reasonable period of time.
4.3. The Parties acknowledge that security requirements keep changing and that effective security requires frequent reviews and the regular improvement of outdated security measures. The Processor shall therefore periodically review the measures as implemented on the basis of this Article 4 and, where necessary, improve the measures in order to keep meeting the obligations of this Article 4. The foregoing shall not affect the Controller’s power of instruction to take (or arrange for the taking of) additional measures, if necessary.

 

Article 5. Monitoring, information duties and incident management

 

5.1. The Processor shall actively monitor breaches of the security measures and report on any personal data breaches to the Controller in agreement with this Article 5.
5.2. After becoming aware of an incident, the Processor shall notify the Controller without undue delay and provide the latter on that occasion with all the relevant information about:

 

  1) the nature of the Incident;
  2) the Personal data that have or may have been affected;
  3) the discovered and probable consequences of the Incident; and
  4) the measures taken or to be taken in order to address the Incident or to limit the consequences/damage as much as possible.

 

5.3. Without prejudice to the other obligations of this Article, the Processor shall take the measures he may reasonably be expected to take in order to address the Incident as soon as possible or to limit the further consequences of that Incident as much as possible. The Processor shall consult the Controller without delay in order to make further agreements about this subject.
5.4. The Controller hereby instructs the Processor in advance to investigate an Incident, formulate a correct response and take appropriate follow-up steps with regard to the Incident. If the Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”) needs to be notified, the Controller will instruct the Processor accordingly. This also applies to the Data Subject as provided in Article 5.7.

 

 

 

5.5. The Processor shall always have written procedures in place which enable him to provide the Controller with an immediate reaction in respect of an Incident and to effectively cooperate with the Controller in order to handle the Incident. The Processor shall provide the Controller with a copy of such procedures, if so requested by the Controller.
5.6. Any notifications pursuant to Article 5.2 shall be immediately directed to the Controller or, if relevant, to the Employees of the Controller as identified by the Controller in writing during the term of this Processor Agreement. If the Controller has appointed a Data Protection Officer (DPO), the notifications shall be directed to this DPO.
5.7. The Processor may not provide information about Incidents to Data Subjects or other third parties, except where the Processor has a legal obligation to do so or the Parties have agreed otherwise.
5.8. If and to the extent that the Parties have agreed that the Processor shall have direct contact with the authorities or other third parties with regard to an Incident, then the Processor shall keep the Controller informed hereof on a continuous basis.

 

Article 6. Assistance duties

 

6.1. The GDPR and other (privacy) legislation grant Data Subjects certain rights. The Processor shall assist the Controller in such manner as described in the Agreement.
6.2. The Processor shall forward any complaint by or request from a Data Subject relating to the processing of Personal Data that he has received to the Controller without delay. CHDR will remove any information that can lead to identification of the study subject and ensure that the information can be identified only by the study number.
6.3. On the Controller’s first request the Processor shall provide the Controller with all the relevant information on the aspects of his processing of the Personal Data, so that the Controller can demonstrate, partly on the basis of that information, that he is complying with the applicable (privacy) legislation.
6.4. On the Controller’s first request the Processor shall also lend all the required assistance with the performance of the legal obligations the Controller has under the applicable privacy legislation (such as performing a PIA).

 

Article 7. Engagement of Sub-Processors

 

7.1. The Processor shall not outsource his activities that consist of the processing of Personal Data or that require the processing of Personal Data to a Sub-Processor without the Controller’s prior written consent. The foregoing shall not apply to the Sub-Processors mentioned in Annex 1, of which the Controller has ascertained that the processing is within the mandate given to the Processor under this Processing Agreement.
7.2. Where the Controller consents to the engagement of a Sub-Processor, the Processor shall impose obligations on this Sub-Processor that are (at minimum) equal to the Processor’s own obligations under the Processor Agreement or the law and which shall fit within the scope of the processing mandate granted to Processor under this Processing Agreement. The Processor shall record these arrangements in writing and shall monitor their compliance by the Sub-Processor. In particular, the Processor shall impose on the Sub-Processor the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet all obligations under the GDPR. The Processor shall provide the Controller with a copy of the agreement or agreements entered into with the Sub-Processor at the Controller’s request.
7.3. The Controller’s consent for the outsourcing of work to a Sub-Processor does not alter the fact that the use of Sub-Processors in a non-EU country requires consent in agreement with Article 3.7 of this Processor Agreement.

 

 

 

Article 8. Confidentiality

 

8.1. The processor is obliged to keep any Personal Data received from or processed for the Controller confidential.
8.2. Each Party shall keep any information received from the other Party confidential unless

 

  a. The other Party has given explicit consent in writing,
  b. The information is already public without the interference of the receiving Party,
  c. The processor is legally obliged to provide the information because of a lawsuit or a legal obligation.

 

8.3. If article 8.2 under c is applicable, the Processor informs the Controller of that legal requirement before processing, unless that law prohibits such information.

 

Article 9. Liability

 

9.1. Each Party shall be responsible and liable for his own actions.
9.2. The Controller shall indemnify the Processor and hold the Processor harmless from all claims, actions, rights of third parties and fines and other enforcement actions of any Data Protection Authority which are the immediate consequence of an imputable shortcoming by the Controller and/or his contractors and/or Processors in the performance of his obligations under this Processor Agreement and/or any violation of the GDPR by the Controller and/or his contractors and/or Processors. The same holds true for any liability coming forth from an action or omission of any Sub-Processor contracted by Processor for the purposes of the execution of the Agreement and/or this Processing Agreement.
9.3. Any restriction of liability shall also cease to apply for the Party concerned in the case of an intentional act or omission or gross negligence on the part of that Party.
9.4. Parties agree that in case of discrepancies pertaining to liability between the Processor Agreement and the Agreement, the Processor Agreement prevails.

 

Article 11. Term and termination

 

11.1. This Processor Agreement shall take effect on the date on which it is signed. The Processor Agreement shall end 25 years after database lock.
11.2. After it has been signed by both parties, the Processor Agreement shall form an integral and inseparable part of the Agreement. However, termination of the Agreement on any ground whatsoever does not terminate the Processor Agreement, unless the Parties agree otherwise in writing.
11.3. Obligations which are intended to continue also after the termination of this Processor Agreement in view of their nature shall continue to apply after the termination of this Processor Agreement. These provisions for instance include those which ensue from the provisions on confidentiality, liability, dispute resolution and the applicable law.
11.4. Without prejudice to the provisions on this subject in the Agreement, either Party shall be entitled to suspend the performance of this Processor Agreement and the Agreement relating to it or to dissolve it with immediate effect without the intervention of the court, if:

 

  g. the other Party is dissolved or ceases to exist otherwise;
  h. the other Party materially fails in the performance of his obligations under this Processor Agreement and that failure has not been remedied within 30 days following written notice of default;
  i. either Party is declared bankrupt or applies for a moratorium.

 

11.5. The Controller shall be entitled to dissolve (“ontbinden”) this Processor Agreement and the Agreement with immediate effect, if the Processor indicates that he is not able (or no longer able) to comply with the reliability requirements imposed on personal data processing in the legislation and/or in the case-law.
11.6. Without the Controller’s explicit and written consent, the Processor may not transfer this Processor Agreement and the rights and obligations connected with this Processor Agreement to a third party.

 

 

 

Article 12. Retention period of Personal Data

 

12.1. The Processor shall not retain the Personal Data any longer than is strictly necessary in any form that can lead to the identification of the Data Subject, taking into account the retention period as laid down in the Agreement. The Controller instructs the Processor to anonymize the Personal Data after the retention period has lapsed.
12.2. At the choice of the Controller, the Processor deletes or returns all the personal data to the Controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Dutch law requires storage of the personal data, pursuant to article 28(3)(g) of the GDPR, for as far as this is compatible with ICH-GCP and the applicable Dutch legislation pertaining to clinical studies.

 

Article 13. Intellectual Property Rights

 

13.1. To the extent that the Personal Data or their collection is protected by an intellectual property right, the Controller grants the Processor consent to use the Personal Data within the scope of the performance of this Processor Agreement, the Agreement and the Study Protocol.

 

Article 14. Final provisions

 

14.1. The recitals form an inseparable part of this Processor Agreement.
14.2. If one or more of the provisions of this Processor Agreement are null and void or voidable, the other provisions shall continue in full effect.
14.3. This Processor Agreement can only be changed upon written consent of both Parties.
14.4. The Parties shall endeavor to resolve any conflicts by mutual agreement. This includes the possibility of ending the dispute by means of mediation to be decided by mutual agreement.
14.5. All notices from one Party to the other will be in writing to the address set forth hereinafter. Notices shall be sent by overnight courier, certified mail, return receipt requested or by other means of a delivery requiring a written acknowledged receipt. All notices shall be effective upon receipt.

 

Contact details Controller

 

DPO:

Jelmer Pieters MBA CIPP/E

[***]

 

Contact details Processor:

 

[***]

 

 

 

Article 15 Applicable law and competent court

 

15.1. This Processor Agreement is exclusively governed and construed in accordance with the laws of the Netherlands.
15.2. Any disputes regarding or in connection with the Processing Agreement shall be exclusively decided by arbitration. The number of arbitrators shall be three. Each party shall choose one arbiter, who together shall appoint the third arbitrator. The seat of arbitration shall be the Netherlands. The governing laws shall be the laws of the Netherlands.

 

 

 

This Processor Agreement is drawn up in duplicate and signed in:

 

Leiden on 31/01/2021  Ocala, Florida USA on 01/29/2021

 

/s/ Dr Jacobus Burggraaf   /s/ Peter W. Rodino
Centre for Human Drug Research   AIM ImmunoTech Inc.
Prof Dr Jacobus Burggraaf   Peter W. Rodino, III
Chief Executive Officer   General Counsel

 

 

 

Annex 1 Sub-Processors

 

Pharmacy:

Apotheek LUMC

LUMC, L0-P30, Albinusdreef 2, 2333 ZA Leiden, The Netherlands

 

Safety Laboratory Analysis:

Afdeling Klinische Chemie en Laboratoriumgeneeskunde (AKCL)

LUMC, E2-P, Albinusdreef 2, Leiden, 2333ZA, Netherlands

 

Safety Laboratory Analysis (microbiology):

Centraal Klinisch Microbiologisch Laboratorium (CKML)

LUMC, E4-P, Albinusdreef 2, Leiden, 2333ZA, Netherlands

 

Archive management

Iron Mountain Nederland B.V.

Cairostraat 1

3047 BB Rotterdam

 

Cloud services
Microsoft Azure

 

 

 

Annex 2 Technical and Organizational Measures of Processor

The Processor shall implement and maintain the following technical and organizational measures:

 

(1) Access control to premises and facilities
 
Measures to prevent unauthorised persons from gaining access to data processing systems with which Personal Data are processed or used:

 

Measure Check applicable  
Are the access points secured? [X]  
Which measures are in place to ensure access control?    
– Magnetic card [X]  
– Chip card [  ]  
– Key [  ]  
– Works security [  ]  
– Surveillance facilities [X]  
– CCTV [X]  
– alarm system [X]  
– Others: [  ]  
Admission control system to restrict access to authorized employees [X]  
Porter (24/7) [  ]  
Regulations regarding external staff, cleaning staff, and visitors [X]  
Regulations of access control regarding telecommuters/homeworkers [X]  
     
(2) Access control to systems
 
Measures to prevent data processing systems from being used without authorisation:
     
Measure Check applicable  
Determined, secured storage places for data carriers (e.g. USB sticks) [X]  
Only authorized persons can access data carriers [X]  
Data carriers are managed according to a determined process [X]  
Data carriers for different principals are kept separately [  ]  
Data carriers can be securely destroyed [X]  

 

 

 

(3) Access control to data    
     
Measures to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorisation in the course of processing or use and after storage:
     
Measure Check applicable  
Only authorized persons can access IT systems [X]  
There are differing permissions for example for reading, deleting, changing [X]  
There are differing permissions for access to data, applications, and operating system [X]  
There is a process to regulate data recovery from a backup [X]  
The use of applications and files is recorded [X]  
Testing and production environments are separate [X]  
     
(4) Transmission control    
     
Measures to ensure that Personal Data cannot be read, copied, modified or removed without authorisation during electronic transmission or during their transport or storage on data media, and that it is possible to check and establish to which bodies a transfer of Personal Data by means of data transmission facilities is envisaged:    
     
Measure Check applicable  
Data carriers are sent securely [X]  
Data carrier transports are escorted [  ]  
All data is transmitted only in encrypted form [X]  
E-mail is sent encrypted [X]  
Data transfers are secured through an encrypted VPN or similar [X]  
Only authorized persons can transfer and receive data. Dedicated Data Transfer Agreement will be concluded for each study as agreed per Article 3.2. [X]  
 

 

(5) Data entry control
 
Measures to ensure that it is possible to subsequently check and establish whether and by whom Personal Data have been input into, modified in, or removed from, data processing systems:
     
Measure Check applicable  
Only persons with specific permissions can enter data [X]  
Data entry is recorded [X]  
Administrative action (for example changing user permissions) is recorded [X]  
     
(6) Data Processing control    
     
Measures to ensure that Personal Data processed on a commissioned basis are processed strictly in accordance with the instructions of the principal:  
     
Measure Check applicable  
Employees are given express data protection instructions [X]  
Employees are bound by secrecy obligations [X]  
     
(7) Availability control    
Measures to ensure that Personal Data are protected from accidental destruction or loss:
     
Measure Check applicable
 
A data backup is maintained on at least a daily basis [X]  
Data carriers are stored disaster-proof [X]  
There is a determined process in case of emergencies [X]  
Systems are redundant [X]  
There is an uninterruptible power source [X]  
A business continuity management policy is in place [X]  

 

 

 

(8) Separation control    
 
Measures to ensure that data collected for different purposes are processed separately:
     
Measure Check applicable  
Data of principals are kept on physically separated systems [  ]  
Data of principals are kept logically separated [X]  
Different employees deal with the data of different [  ]  
Backups are kept physically separated for different principals [  ]  

 

 

 

Annex 3. Processing outside of the EU

 

Introduction

 

Transfers are not defined in the GDPR. However, article 44 of the GDPR indicates that any transfers to third countries or international organizations may not take place unless the transfer is compliant with chapter V of the GDPR. CHDR interprets transfer as meaning both (1) the act of sending data actively to a party located in another country outside of the EU and (2) entering the data in a system that is hosted in a country outside of the EU. Furthermore, any possibility for processing the personal data from a location located outside the EU shall be qualified as transfer.

 

As indicated in article 3.8 of this Processor Agreement, the Parties will describe in this annex on which ground an international transfer of personal data outside of the EU shall take place. Below, three steps have been described. The Parties will have to verify step-by-step whether one of the steps applies.

Please note that the Parties cannot choose on which lawful basis they will transfer the data to a third party in a country outside of the EU. If Step I applies, that will be the basis for the transfer. Only if a step is not applicable, Parties may proceed with the following step.

The Parties will then need to indicate on which legal basis the transfers shall be based and will indicate which data shall be transferred to which party and country.

 

Step I.

 

Please check and indicate whether the Controller or any third party (including sub-processors) to whom the data is sent (hereinafter: “Receiving Party”) is located in a country within the EU. If that is the case, this annex is not applicable. If the Receiving Party is located outside the EU, please verify whether there is an adequacy decision for the country in which the Receiving Party is located via the following web-link: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

 

On 1 October 2020, the European Commission had recognized:

  Andorra;
  Argentina;
  Canada (commercial organizations);
  Faroe Islands;
  Guernsey;
  Israel;
  Isle of Man;
  Japan;
  Jersey;
  New Zealand;
  Switzerland;
  Uruguay;

as providing adequate protection.

 

 

 

If there is an adequacy decision, the personal data can be transferred to the third country based on the adequacy decision.

 

Please indicate in the text box below that the processing will take place based on an adequacy decision, if that is the case.

 

 

Please indicate here whether an Adequacy decision is applicable and for which country:

………………………………………..third country: ………………………………

 

 

Step II.

 

If there is no adequacy decision, please verify whether appropriate safeguards have been provided by the Receiving Party. These can be:

 

  (a) a legally binding and enforceable instrument between public authorities or bodies;
  (b) binding corporate rules in accordance with Article 47 GDPR;
  (c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2) GDPR;
  (d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2) of the GDPR;
  (e) an approved code of conduct pursuant to Article 40 GDPR together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
  (f) an approved certification mechanism pursuant to Article 42 GDPR together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
  (g) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization; subject to authorization from the competent supervisory authority; or
  (h) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights, subject to authorization of the competent supervisory authorities.

 

In addition to the existence of appropriate safeguards, CHDR has to verify with the Receiving Party that enforceable data subject rights and effective legal remedies for data subjects are available. If that is the case, please indicate below in the text box on which appropriate safeguards the personal data will be transferred.

 

 

Please indicate which appropriate safeguards have been provided by the Receiving Party: …………………………………………………………………..

 

CHDR has asked the Receiving Party if enforceable data subject rights and effective legal remedies for data subjects are available. The answer was:

 

 

 

If the answer was: there are no appropriate safeguards or if there are appropriate safeguards but no enforceable data subject rights or effective legal remedies available for data subjects, please proceed to Step III.

 

Step III.

 

If there are no appropriate safeguards, the transfer of the data is only allowed if one of the conditions named in article 49(1) of the GDPR applies. The Parties will then only be allowed to transfer the data if the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers for the data subjects due to the absence of an adequacy decision and appropriate safeguards. Please note that all requirements for consent under the GDPR need to be met.

Please amend the informed consent document for the study accordingly and indicate below in the textbox on which grounds the transfer will take place.

 

Please confirm here that there is no adequacy decision by the European Commission, that there are no appropriate safeguards and that therefore the lawful basis of the transfer is explicit consent: we confirm that there is no adequacy decision by the European Commission and that there are no appropriate safeguards. Therefore, the lawful basis of the transfer is explicit consent.