LIBREVIEW
PROFESSIONAL TERMS OF USE

Effective Date: January 2021

These Terms of Use govern your use of the LibreView website located at www.Libreview.com (the 'Site'). Please read these Terms of Use carefully before you start to use our Site, create any patient profile, practices, and/or invite Professional Users to create a LibreView Data Management System account, as these Terms of Use are a legal agreement between you and Abbott Diabetes Care Inc.

Abbott Diabetes Care Inc. of 1420 Harbor Bay Parkway, Alameda, CA 94502, USA ('Abbott' or 'us' or 'our' or 'we') is the developer of Sensors ("Sensors"), Readers ("Readers") and glucose test meters ("Meters") for the FreeStyle Libre family of products and the FreeStyle LibreLink mobile app ("FreeStyle App") which may be compatible with the Site and with the LibreView data management system ("LibreView Data Management System").

Newyu, Inc., an affiliate of Abbott, maintains the medical authorizations for the LibreView Data Management System as a medical device, provides other application and software support, and manages the marketing authorizations/registrations for the LibreView Data Management System.

The LibreView Data Management System is a secure, cloud-based diabetes management system that is intended for use by Abbott, Professional Users and patients to aid in the review, analysis and evaluation of patients' historical glucose data, glucose test results and ketone test results in support of an effective diabetes health management program. The LibreView Data Management System allows Abbott to provide improved treatment guidance for patients utilizing Abbott's Meters, Readers and FreeStyle App. The LibreView Data Management System also allows Professional Users to create patient profiles, to remotely manage patients who have LibreView Data Management System accounts and to share patients' LibreView Data Management System account information with other professional users within the same LibreView practice.

THE LIBREVIEW DATA MANAGEMENT SYSTEM IS NOT INTENDED FOR THE DIAGNOSIS OF OR SCREENING FOR DIABETES MELLITUS. USERS SHOULD BE AWARE THAT THE LIBREVIEW DATA MANAGEMENT SYSTEM IS AN INFORMATION MANAGEMENT SERVICE TO ENABLE THE ANALYSIS OF GLUCOSE DATA AND IS NOT INTENDED AS A SUBSTITUTE FOR THE ADVICE THAT YOU PROVIDE TO YOUR PATIENTS AS A HEALTHCARE PROFESSIONAL. THE LIBREVIEW DATA MANAGEMENT SYSTEM IS NOT AN ELECTRONIC HEALTH RECORDS SYSTEM AND YOU MUST PRINT AND/OR DOWNLOAD PATIENT INFORMATION THAT YOU DEEM RELEVANT TO YOUR PROVISION OF MEDICAL CARE, TREATMENT OR ADVICE.

YOUR ACCESS AND USE OF THE SITE AND THE LIBREVIEW DATA MANAGEMENT SYSTEM CONSTITUTES, AND IS CONDITIONED UPON, YOUR AGREEMENT TO BE BOUND BY THESE TERMS OF USE. IF YOU DO NOT AGREE TO THESE TERMS OF USE, DO NOT ACCESS OR OTHERWISE USE THIS SITE, ANY SERVICES AVAILABLE THROUGH THIS SITE OR ANY INFORMATION CONTAINED ON THIS SITE.

YOUR USE OF THE SITE IS ALSO SUBJECT TO THE LIBREVIEW PROFESSIONAL PRIVACY NOTICE AVAILABLE AT WWW.LIBREVIEW.COM ('PRIVACY NOTICE'), WHICH EXPLAINS HOW WE COLLECT, PROTECT, RETAIN, STORE, AND DISCLOSE YOUR PERSONAL INFORMATION THAT YOU PROVIDE THROUGH YOUR USE OF THE SITE. IT ALSO SETS OUT THE INFORMATION THAT YOU, AS A PROFESSIONAL USER, SHOULD PROVIDE TO YOUR PATIENTS.

You do not need to register as a Professional User and create a LibreView Data Management System account to simply visit and view the Site.

  1. General: The Site is your gateway to create a LibreView Data Management System account in which your patients' Meters, Readers and the FreeStyle App readings may be stored, reviewed and analyzed by you. The LibreView Data Management System is designed to assist you in viewing and managing aspects of your patients' condition, and to allow Abbott to provide improved treatment guidance for patients utilizing Abbott's Meters, Readers and the FreeStyle App. The LibreView Data Management System allows patients with LibreView Data Management System accounts to share their glucose readings with you, and it also allows you to connect your patients' Meters, Readers and the FreeStyle App to your computer and upload their glucose readings into a patient profile that you have created.

    'Professional User' includes only those medical providers (and their duly authorized representatives and agents) who have either registered a clinical practice or have registered as a professional user of the LibreView Data Management System.

    Abbott only permits one LibreView Data Management System user account per email address. As a Professional User, you may create a clinical practice account and invite other professionals and/or link with other Professional Users with LibreView Data Management System accounts within your practice.

    These Terms of Use apply to your use of the Site and to your right to use the LibreView Data Management System. They are effective from when you set up a LibreView Data Management System account as a Professional User until terminated as set forth below.

    By using this Site, you represent, acknowledge and agree that you are duly authorized to use this Site and to create a Professional User account in the LibreView Data Management System and that you also have the appropriate authority to create a practice and link other HCPs or professionals within your practice, and also create patient profiles that will be shared with and utilized by Abbott.

  2. LibreView Data Management System account: Do not reveal your LibreView Data Management System account information to anyone else or disclose to anyone your password details. You are responsible for maintaining the confidentiality and security of your LibreView Data Management System account and for all activities that occur on or through it. You agree to notify Abbott if you become aware of a security incident or breach affecting your LibreView Data Management System account, including where you believe your password may have been compromised, and fully cooperate with us, law enforcement or other applicable regulatory body in addressing the breach. Abbott is not responsible for any lost, stolen or compromised passwords or for any activity on your LibreView Data Management System account from unauthorized users or for any losses arising out of or in connection with the unauthorized use of your LibreView Data Management System account where caused by you. If there is a violation of any of the security requirements by you or other professional users in a practice that you create, that violation may be considered a breach of these Terms of Use and may result in the immediate loss of your LibreView Data Management System account.

    You will be responsible for obtaining and maintaining any Internet connections, computing equipment and supplies necessary for you to receive, access and use the LibreView Data Management System. You agree to only use the LibreView Data Management System as expressly permitted herein. Abbott, its affiliates and its suppliers own all rights, titles and interests in and to the LibreView Data Management System and to content through the Site, including logos, graphics, videos, images, software and other materials ('Materials').

    Subject to your compliance with these Terms of Use, Abbott hereby grants you a limited, personal, non-exclusive and non-transferable license to use and to display the Materials and to use this Site solely for your professional use. Except for the foregoing license, you have no other rights in the Site or any Materials and you may not modify, edit, copy, reproduce, create derivative works of, reverse engineer, alter, modify, enhance, or in any way exploit any of the Site or Materials in any manner. If you, or any other person under your responsibility, breach any of the provisions in these Terms of Use, the above license will terminate automatically and you must immediately destroy any downloaded or printed Materials.

    Where you create a practice, you will supervise, monitor and train your employees, representatives, contractors, agents, and other professional users who you add to a practice that you create, to ensure proper use and security. You will limit access to the services available through the Site at your locations to those duly authorized users. You will be responsible for their use of the services, compliance with these Terms of Use and for the consequences of any breach of security that is caused by such users or that occurs at your locations.

  3. Permitted uses of your LibreView Data Management System account: To use the LibreView Data Management System you must enter some of your personal information, including your username and password, to create your LibreView Data Management System account. You agree to provide accurate and complete information when you register with, and as you use, the LibreView Data Management System, and you agree to keep your LibreView Data Management System account information accurate, current and complete. These Terms of Use allow you to set up a LibreView Data Management System account as a Professional User over your organization's network, and to set up a practice for use by any professional, employee or other individual authorized by you within your practice. If you have patients who do not have a LibreView Data Management System account which would enable you to view their glucose readings, it also allows you to create a patient profile whereby you may connect your patients' Meters to your computer, upload their glucose readings into the patient profile that you created for them, and share that information with Abbott.

    You acknowledge and agree that the Site and the LibreView Data Management System are provided to enhance your care of your patients and to allow Abbott to provide improved treatment guidance for patients utilizing Abbott's Meters, and you understand that these are not a substitute for your professional judgement or for your responsibilities to your patients.

    AS YOU ARE SETTING UP A LIBREVIEW DATA MANAGEMENT SYSTEM PRACTICE IN YOUR PROFESSIONAL CAPACITY, YOU ACKNOWLEDGE AND AGREE THAT YOU ARE DULY AUTHORIZED TO AGREE AND BIND YOUR PRACTICE TO THESE TERMS OF USE AND HAVE THE NECESSARY CAPACITY AND AUTHORITY TO DO SO.

  4. Prohibited uses of your LibreView Professional system account: We restrict access to the professional parts of our Site to Professional Users. We reserve the right to disable any Professional User ID at any time if, in our opinion, you have failed to comply with any of the provisions of these Terms of Use. When using our Site you may not engage in the prohibited uses set out below. Where required by law, Professional Users must not create any patient profiles without having first obtained their informed, voluntary and explicit consent as may be required by applicable law. You agree that you will NOT use the LibreView Data Management System to:

    1. upload, download, email, transmit, store or otherwise make available any data that is unlawful, harmful, tortious, invasive of another's privacy or otherwise objectionable;
    2. pretend to be anyone that you are not or misrepresent who you are or otherwise misrepresent your affiliation with any person (including a child). Abbott reserves the right to reject or block any LibreView Data Management System account or email address which could be deemed to be an impersonation or misrepresentation of your identity, or a misappropriation of another person's name or identity, or that has been used to hijack another user's data;
    3. upload, download, email, transmit, store or otherwise make available any data or other information from children (any person under the age of 18 or such other age as local law defines as a child), including but not limited to any of the following: full name or surname, date of birth, email address and their Meter data unless you have obtained the consent of the child's parent/guardian;
    4. infringe any person's intellectual property rights (including uploading any content to which you do not have the right to upload);
    5. upload, post, email, transmit, store or otherwise make available any material that contains viruses or any other computer code, files or programs designed to harm, interfere or limit the normal operation of the LibreView Data Management System (or any part thereof), or any other computer software or hardware;
    6. interfere with or disrupt the Site or LibreView Data Management System (including accessing the LibreView Data Management System through any automated means, such as scripts or web crawlers), or any servers or networks connected to the LibreView Data Management System, or any policies, requirements or regulations of networks connected to the LibreView Data Management System (including any unauthorized access to, use or monitoring of data or traffic thereon);
    7. gather, store or upload personal information, including health information, on any persons using an Abbott FreeStyle Libre flash glucose monitoring system without first having received their prior consent or without otherwise being authorized to do so, for example if you are a caregiver, HCP or parent/guardian;
    8. reverse engineer, decompile, disassemble, decode, create derivative works of, gain access to the source code of or modify the LibreView Data Management System except and then solely to the extent permitted under applicable law;
    9. gather, store or upload personal information, including health information, on any other users of the LibreView Data Management System or any individual using a FreeStyle Libre sensor in connection with any of the foregoing prohibited activities; and/or
    10. disclose information about the Site or LibreView Data Management System features or performance to any third party without our prior consent, except as required for legal or regulatory purposes or to assist in the provision of your medical treatment of a patient.
  5. Patient profiles: After you have created a LibreView Data Management System account, you will be permitted to create patient profiles. When creating a patient profile, you will be required to manually enter some personal information for example their name and date of birth. Within their patient profile, you will be able to manually upload their Meter readings to the LibreView Data Management System.

    You will only use the Site and the LibreView Data Management System for those patients from whom you have previously obtained their informed, voluntary or, as necessary, explicit consent, or when you deem it necessary to protect their vital interests and will comply with any additional requirements arising under your local data protection, privacy, health or related laws. It is a misuse of the Site and the LibreView Data Management System to enter personal patient information, including health-related information, without either first securing their informed, voluntary or, as necessary, explicit consent, or having determined that which is necessary to protect their vital interests. Abbott will accept no liability in relation to your use of the Site, including where you use the Site to enter personal information relating to your patients, where these conditions have not been satisfied. We will provide reasonable assistance with any request that you make to remove the personal information of any of your patients from the LibreView Data Management System within a reasonable period from receipt of such request; this does not apply to personal information that Abbott has accessed to improve its treatment guidance for patients utilizing Abbott's Meters.

    AS A PROFESSIONAL USER YOU ARE RESPONSIBLE FOR (I) ANY PATIENT DATA THAT YOU ENTER INTO THE LIBREVIEW DATA MANAGEMENT SYSTEM, (II) THE PERSONAL INFORMATION OF OTHER PROFESSIONALS THAT YOU INVITE TO JOIN A PRACTICE ACCOUNT, AND (III) YOUR USE OF PERSONAL INFORMATION OF ANY INDIVIDUAL WITH A LIBREVIEW DATA MANAGEMENT SYSTEM ACCOUNT. YOU ARE THEREFORE RESPONSIBLE FOR COMPLYING WITH APPLICABLE DATA PROTECTION AND PRIVACY LAWS AND FOR OBTAINING, WHERE REQUIRED, ANY CONSENTS (INCLUDING EXPLICIT CONSENT) NEEDED UNDER APPLICABLE LAW.
    For users in European Economic Area ('EEA') and Switzerland: Patient data will be processed in accordance with the Privacy Notice for the following different purposes:

    1. Where you enter patient data into the LibreView Data Management System or use the personal information of any individual with a LibreView Data Management System account for the purpose of providing medical treatment, except as otherwise provided in these Terms of Use, you are the data controller and are responsible are for complying with applicable data protection and privacy laws;
    2. Where Abbott uses identifiable patient data that you enter into the LibreView Data Management System for the purposes of improving treatment guidance for patients utilizing Abbott's Meters, system troubleshooting, system and/or customer support, research or reporting, or to comply with Abbott's legal obligations, including in relation to quality and safety of medical devices, Abbott will be the data controller and will comply with applicable local data protection and privacy laws; and
    3. Where your patient has independently created a LibreView Data Management System account, either for their own use or for the use of a child or other person for whom they provide care, Abbott will be the data controller and will comply with applicable local data protection and privacy laws.

    Abbott will treat all personal patient information for which it is a data controller, including health information, in accordance with the Privacy Notice. When your patient has created a LibreView Data Management System account and grants you access to that account, or where you set up a LibreView Data Management System account for your patient, Abbott (through the LibreView Data Management System) will be processing both your and your patient's personal data as a 'processor' on your behalf as a healthcare provider where you process your patient information to protect their vital interests as determined in your sole discretion as their healthcare provider.

    Before you start to use our Site, create any patient profile, practices, and/or invite other Professional Users to create a LibreView Data Management System Account, please review the Data Processing Agreement located at the end of these Terms of Use.

    For users in Brazil: Patient data will be processed in accordance with the Privacy Notice for the following different purposes:

    1. Where you enter patient data into the LibreView Data Management System or use the personal information of any individual with a LibreView Data Management System account for the purpose of providing medical treatment, except as otherwise provided in these Terms of Use, you are the data controller and are responsible for complying with applicable data protection and privacy laws;
    2. Where Abbott uses identifiable patient data that you enter into the LibreView Data Management System for the purposes of improving treatment guidance for patients utilizing Abbott's Meters, system troubleshooting, system and/or customer support, research or reporting, or to comply with Abbott's legal obligations, including in relation to quality and safety of medical devices, Abbott will be the data controller and will comply with applicable local data protection and privacy laws; and
    3. Where your patient has independently created a LibreView Data Management System account, either for their own use or for the use of a child or other person for whom they provide care, Abbott will be the data controller and will comply with applicable local data protection and privacy laws.

    Abbott will treat all personal patient information for which it is a data controller, including health information, in accordance with the Privacy Notice. When your patient has created a LibreView Data Management System account and grants you access to that account, or where you set up a LibreView Data Management System account for your patient, Abbott (through the LibreView Data Management System) will be processing both your and your patient's personal data as a 'processor' on your behalf as a healthcare provider where you process your patient information to protect their vital interests as determined in your sole discretion as their healthcare provider.

    For users in the US: Additionally, if you are a healthcare provider in the United States and a covered entity as defined by the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations ('HIPAA'), you are creating the patient profile and using the Site and the LibreView Data Management System in compliance with HIPAA either by: i) obtaining a patient authorization to do so; or ii) relying on the exception to the requirement for an authorization under HIPAA for disclosure of Protected Health Information for treatment or healthcare operations purposes. Additionally, that part of Abbott that oversees operation of the Site has implemented safeguards for PHI that HIPAA requires of Covered Entities.

  6. Availability and accuracy of information: The Site and the LibreView Data Management System, or any feature or part thereof, may not be available in all languages or in all countries and Abbott makes no representation that the LibreView Data Management System, or any feature or part thereof, is appropriate or available for use in any particular location. To the extent that you choose to access and use the Site and the LibreView Data Management System, you do so at your own initiative and are responsible for compliance with any applicable laws. Any data uploaded by you or available to view by you are based exclusively on your patients' glucose, ketone and insulin data and other information provided by them. Abbott makes no representations or warranties regarding the accuracy, completeness, reliability or timeliness of any data accessible or viewed by you or of any content generated by the data stored in the LibreView Data Management System. In particular, Abbott makes no representations or warranties that any information based on such data will be in compliance with government regulations requiring disclosure of information.
  7. Deletion of your LibreView Data Management System account: You may delete your LibreView Data Management System account at any time. Your LibreView Data Management System account will be deleted upon receipt and processing of your delete request, unless there is any contractual or legal obligation to keep your information in our databases. Please be aware that it may take up to 72 hours to process your request. You acknowledge that deletion of your LibreView Data Management System account may have no effect on the personal information relating to your patients that Abbott has accessed to improve its treatment guidance for patients utilizing Abbott's Meters. Abbott has no responsibility for retaining/storing or backing up your LibreView Data Management System account on your behalf. You are solely responsible for retaining/maintaining/storing and backing up (electronically and/or with hard copies) any data that you wish to preserve. Abbott is not responsible for unauthorized access to, use of or alteration of your information. If you email, back up or otherwise share any of your personal information or reports with third parties, that information may not be encrypted and Abbott will have no ability to manage the privacy or security of that information. You should take the steps that you determine appropriate to protect the security of such information. In the event that you have registered a practice, you will be required to delete your LibreView Data Management System account upon retirement or upon you leaving that practice and will be responsible for transferring administration rights to another duly authorized Professional User within that practice. Unless otherwise required by law, you agree that your LibreView Data Management System account is non-transferable and that any rights to have a LibreView Data Management System account or any data stored in the LibreView Data Management System will terminate upon your death. Upon receipt of a copy of a death certificate your LibreView Data Management System account may be terminated and all data within deleted. Email DiabetesCarePrivacy@Abbott.com for further information.
  8. Links to third-party websites: This Site may be linked to other websites that are not sites controlled or operated by Abbott (collectively, 'Third-Party Sites'). Certain areas of the Site may allow you to interact and/or conduct transactions with such Third-Party Sites and, if applicable, allow you to configure your privacy settings in your Third-Party Site account to permit your activities on this Site to be shared with your contacts in your Third-Party Site account and, in certain situations, you may be transferred to a Third-Party Site through a link but it may appear that you are still on this Site. In any case, you acknowledge and agree that the Third-Party Sites may have different privacy policies, terms and conditions and/or user guides and business practices than Abbott, and you further acknowledge and agree that your use of such Third-Party Sites is governed by the respective Third-Party Site privacy notice and terms and conditions and/or user guides. You hereby agree to comply with any and all terms and conditions, user guides and privacy policies of any Third-Party Sites. Abbott is providing links to the Third-Party Sites to you as a convenience, and Abbott does not verify, make any representations or take responsibility for such Third-Party Sites, including, without limitation, the truthfulness, accuracy, quality or completeness of the content, services, links displayed and/or any other activities conducted on or through such Third-Party Sites. YOU AGREE THAT ABBOTT WILL NOT, UNDER ANY CIRCUMSTANCES, BE RESPONSIBLE OR LIABLE, DIRECTLY OR INDIRECTLY, FOR ANY GOODS, SERVICES, INFORMATION, RESOURCES AND/OR CONTENT AVAILABLE ON OR THROUGH ANY THIRD-PARTY SITES AND/OR THIRD-PARTY DEALINGS OR COMMUNICATIONS, OR FOR ANY HARM RELATED THERETO, OR FOR ANY DAMAGES OR LOSS CAUSED OR ALLEGED TO BE CAUSED BY OR IN CONNECTION WITH YOUR USE OR RELIANCE ON THE CONTENT OR BUSINESS PRACTICES OF ANY THIRD PARTY. Any reference on the Site to any product, service, publication, institution, or organization of any third-party entity or individual does not constitute or imply Abbott's endorsement or recommendation.
  9. No medical advice: THE LIBREVIEW DATA MANAGEMENT SYSTEM IS NOT INTENDED FOR THE DIAGNOSIS OF OR SCREENING FOR DIABETES MELLITUS. YOU ACKNOWLEDGE THAT, WHILE ABBOTT USES INFORMATION THAT IT RECEIVES VIA THE LIBREVIEW DATA MANAGEMENT SYSTEM TO IMPROVE TREATMENT GUIDANCE, ABBOTT IS NOT A PROVIDER OF MEDICAL CARE AND ABBOTT IS NOT RESPONSIBLE FOR NOTIFYING YOU OF ANY CHANGES TO ANY OF YOUR PATIENTS' METER READINGS OR FOR PROVIDING MEDICAL ADVICE TO PATIENTS. The LibreView Data Management System is for informational purposes and is designed to help Abbott, patients and you better manage and support diabetes through information, analysis and communication, and is not meant to replace the relationship between patients and their medical providers. Health information content available to you through the LibreView Data Management System is based on information provided via medical device-related data transmissions from patients scanning their FreeStyle Libre sensor. Abbott does not recommend or endorse any specific tests, products, procedures or opinions. YOUR DECISION TO TAKE ACTION BASED ON ANY INFORMATION TRANSMITTED TO OR STORED ON THE LIBREVIEW DATA MANAGEMENT SYSTEM OR ON ANY INFORMATION RECEIVED FROM ABBOTT EMPLOYEES, AGENTS OR SUPPLIERS IS SOLELY AT YOUR OWN RISK. ABBOTT, OUR OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, AFFILIATES, THIRD-PARTY PROVIDERS AND RELATED COMPANIES ASSUME NO RESPONSIBILITY FOR ERRORS OR OMISSIONS IN THE CONTENT, INCLUDING HEALTH INFORMATION CONTENT, POSTED ON OUR SITE OR FOR THE ACCURACY, TRUTHFULNESS OR CONTENT, INCLUDING HEALTH INFORMATION CONTENT, OF OUR SITE, AND NO RELIANCE BY REGISTERED USERS SHOULD BE PLACED ON THE INFORMATION AVAILABLE IN THE LIBREVIEW DATA MANAGEMENT SYSTEM.
  10. No electronic health records: THE INFORMATION AVAILABLE TO YOU THROUGH THE LIBREVIEW DATA MANAGEMENT SYSTEM IS NOT AN ELECTRONIC MEDICAL RECORD. YOU MUST DOWNLOAD AND/OR PRINT OFF ANY INFORMATION THAT YOU, IN YOUR SOLE DISCRETION, DEEM NECESSARY TO INCLUDE IN YOUR PATIENTS' MEDICAL RECORDS.
  11. Disclaimer of Warranties: YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOUR USE OF THE LIBREVIEW DATA MANAGEMENT SYSTEM IS AT YOUR SOLE RISK AND THAT TO THE EXTENT PERMITTED BY LAW, THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU. Any content included in the LibreView Data Management System is for the purpose of providing information only. Although Abbott believes the data displayed in the LibreView Data Management System to be accurate as at the time it is transmitted to the LibreView Data Management System, Abbott makes no representation, express or implied, as to the accuracy, completeness or timeliness of the information. In no event will Abbott be liable to you for any losses from mistakes, omissions or delays in transmission of information, or from interruptions in telecommunications connections to the LibreView Data Management System.

    TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ABBOTT, ITS AFFILIATES AND ITS THIRD-PARTY PROVIDERS PROVIDE THE LIBREVIEW DATA MANAGEMENT SYSTEM 'AS IS' AND 'AS AVAILABLE' WITH ALL FAULTS AND DEFECTS AND WITHOUT ANY OTHER WARRANTY OF ANY KIND, AND HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF TITLE AND NON-INFRINGEMENT, ANY IMPLIED WARRANTIES, DUTIES OR CONDITIONS OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE AND QUALITY, AND OF LACK OF VIRUSES. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY ABBOTT OR AN ABBOTT-AUTHORIZED REPRESENTATIVE SHALL CREATE A WARRANTY.

    Abbott, its affiliates and its third-party providers do not warrant that the functions contained in the LibreView Data Management System will meet your requirements or that the operation of the LibreView Data Management System will be uninterrupted or error free. To the extent that applicable law requires Abbott to provide warranties, you agree that the scope and duration of such warranty shall be to the minimum extent required to be provided under such applicable law.

    In no event does Abbott provide any warranty or representation with respect to any third-party hardware or software, and Abbott disclaims all liability with respect to any failures thereof. Abbott disclaims any and all liability that may derive from actions or claims against Abbott or any of its affiliates, agents or assigns, or other third parties as may become applicable over the course of these Terms of Use.

    For users in Russia: This Section 11 shall apply to the extent permissible by the Russian healthcare legislation, regulations, and standards.

  12. Limitation of liability: NOTWITHSTANDING ANY LOSSES THAT YOU MAY INCUR AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ENTIRE LIABILITY OF ABBOTT, ITS AFFILIATES AND ANY OF ITS THIRD PARTY PROVIDERS UNDER ANY PROVISION OF OR OTHERWISE IN CONNECTION WITH THESE TERMS OF USE AND YOUR EXCLUSIVE REMEDIES FOR ALL OF THE FOREGOING SHALL BE LIMITED TO EITHER THE FIXING, REPAIRING OR OTHERWISE RECTIFYING ANY FAULTS WITHIN THE LIBREVIEW DATA MANAGEMENT SYSTEM, EVEN IF ANY SUCH LOSS WAS FORESEEABLE OR CONTEMPLATED BY THE PARTIES OR, WHERE APPLICABLE, THE GREATER OF THE AMOUNT ACTUALLY PAID BY YOU FOR THE LIBREVIEW DATA MANAGEMENT SYSTEM ACCESS OR USD$10.00. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL ABBOTT, ITS AFFILIATES OR ITS THIRD-PARTY PROVIDERS BE LIABLE TO YOU (OR YOUR PATIENTS, EMPLOYEES, CONTRACTORS, AGENTS OR USERS) FOR MONETARY DAMAGES, INCLUDING ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, FOR LOSS OF DATA OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE LIBREVIEW DATA MANAGEMENT SYSTEM, THIRD-PARTY SOFTWARE AND/OR THIRD-PARTY HARDWARE USED OR THAT MAY BE USED WITH THE LIBREVIEW DATA MANAGEMENT SYSTEM, FOR LOSS FROM ANY VIRUSES OR OTHER TECHNOLOGICALLY HARMFUL MATERIAL THAT MAY INFECT YOUR INFORMATION SYSTEM AND HARDWARE DUE TO YOUR DOWNLOADING ANY MOBILE APP/MATERIAL/WEBSITE LINKED TO THE LIBREVIEW DATA MANAGEMENT SYSTEM, OR OTHERWISE IN CONNECTION WITH ANY PROVISION OF THESE TERMS OF USE) WHETHER IN WARRANTY, CONTRACT OR TORT, INCLUDING NEGLIGENCE OR PRODUCT LIABILITY EVEN IF INFORMED ABOUT THE POSSIBILITY THEREOF, INCLUDING WITHOUT LIMITATION MEDICAL EXPENSES, LEGAL FEES, LOSS OF REVENUE OR PROFITS (WHETHER DIRECT OR INDIRECT), EVEN IF ABBOTT, ITS AFFILIATES OR ANY THIRD-PARTY PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF THE REMEDY FAILS OF ITS ESSENTIAL PURPOSE. ONLY YOU CAN IMPLEMENT BACK-UP PLANS AND SAFEGUARDS NECESSARY TO APPROPRIATELY ADDRESS YOUR NEEDS IN THE EVENT THAT AN ERROR IN THE LIBREVIEW DATA MANAGEMENT SYSTEM CAUSES COMPUTER PROBLEMS AND RELATED DATA LOSSES. FOR THESE BUSINESS REASONS, YOU UNDERSTAND AND AGREE TO THE LIMITATIONS OF LIABILITY IN THIS SECTION AND ACKNOWLEDGE THAT WITHOUT YOUR AGREEMENT TO THIS PROVISION, ANY APPLICABLE FEE CHARGED, WOULD BE HIGHER.

    FOR USERS IN INDONESIA: NOTHING IN THIS AGREEMENT SHALL EXCLUDE ANY MANDATORY STATUTORY REMEDY AVAILABLE TO A USER IN THE EVENT OF A FAILURE TO COMPLY WITH A DATA PROTECTION REQUIREMENT BY ABBOTT THAT MAY GIVE RIGHT TO THE ABILITY OF AN AFFECTED PERSONAL DATA SUBJECT'S RIGHT TO CLAIM MONETARY COMPENSATION UNDER THE ELECTRONIC AND INFORMATION TECHNOLOGY LAW AND/OR ANY OTHER REGULATIONS RELATING TO PROTECTION OF PERSONAL DATA.

    In no event will we be liable to you (your patients, employees, contractors, agents or users) for any losses, costs, damages, charges or expenses resulting from loss, misappropriation, unauthorized access to or modification of data, including personal data, by any third party, or from mistakes, omissions or delays in transmission of information, or from interruptions in telecommunications connections to the service, viruses or failures of performance, interception or from the impact of the LibreView Data Management System on your information or communications systems, including without limitation any record or other communication provided by you, any patient or by us under these Terms of Use.

    For users in Singapore, the UK or Switzerland: Nothing in these Terms of Use shall exclude our liability for death or personal injury arising out of our negligence or fraudulent misrepresentation in connection with the LibreView Data Management System.

    For users in Vietnam: Nothing in this Agreement shall exclude any mandatory statutory liability, including our liability in connection with monetary damages, personal injury or death arising out of our fault or negligence or product defect in connection with Vietnam's Consumer Protection Law and other applicable law and regulations in Vietnam.

    For users in Russia: Nothing in this Agreement shall exclude Abbott's liability for willful misconduct.

  13. Indemnity: You agree to indemnify, defend and hold harmless Abbott, its affiliates and their respective officers, directors, employees, agents, successors, assigns and licensors from and against any and all claims, demands, liabilities, losses, costs and expenses (including solicitors' and experts' fees) made by a third party due to or arising out of, or related to a violation of these Terms of Use or laws, regulations or third party rights including any breach of data protection or privacy obligations, any infringement of their copyright or intellectual property rights of any third party by you or others in your practice or organization or otherwise in connection with your or their use of the LibreView Data Management System whether by negligent act, omission, or willful misconduct.
  14. License: Abbott does not claim ownership of your personal data that you transmit or submit to the LibreView Data Management System. By disclosing your personal information to Abbott, you grant it a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish and translate such data for the purpose of providing you with the LibreView Data Management System. Abbott may create, access, retain, use or disclose to third-party researchers, aggregated, anonymized, de-identified (or pseudonymized to the extent permitted by your law) data derived from the LibreView Data Management System for the purposes of research, to evaluate how the LibreView Data Management System is provided, to evaluate its use and its various components and equipment, to evaluate performance or impact on clinical staff or across clinics, to enhance the functioning of the LibreView Data Management System and the FreeStyle Libre sensors, to validate LibreView Data Management System upgrades, or for product development and quality and safety of medical devices. You agree that the license herein permits Abbott to take any such actions. Where personal information is provided to third-party suppliers to assist us with the provision of the LibreView Data Management System, they are required to keep personal information confidential and secure and may only use personal information to the minimum extent necessary.
  15. Feedback: Any data, comments or materials that you supply via the LibreView Data Management System or provide to Abbott in order to receive support, including feedback data, such as questions, comments, suggestions or the like ('Feedback'), shall be deemed to be non-confidential and non-proprietary. Abbott shall have no obligation of any kind with respect to such Feedback and shall be free to reproduce, use, disclose, exhibit, display, transfer, create derivative works and distribute the Feedback to others without limitation, except for health information and personal information which might be included in the Feedback but is subject to 'Section 14. License' above. Furthermore, Abbott shall be free to use any idea, concepts, know-how or techniques contained in such Feedback for any purpose whatsoever, including developing, manufacturing and marketing products incorporating such Feedback.
  16. Trademarks: LibreView, FreeStyle LibreLink, FreeStyle Libre, FreeStyle and related brand marks are trademarks of Abbott Diabetes Care Inc. in various jurisdictions. Other trademarks are the property of their respective owners. No license or right, express or implied, is granted to you in any of the aforesaid trademarks, and you further agree that you shall not remove, obscure, or alter any proprietary notices (including trademark and copyright notices) that may be affixed to or contained within the LibreView Data Management System. No use of any Abbott trademark, trade name, or trade dress may be made without the prior written authorization of Abbott, except to identify the product or services of the company.
  17. Proprietary rights: You acknowledge and agree that Abbott and/or its licensors own all legal rights, titles and interest in and to the LibreView Data Management System, including but not limited to graphics, user interface, the scripts and software used to implement the LibreView Data Management System, and any software or documents provided to you as a part of and/or in connection with the LibreView Data Management System, including all Intellectual Property Rights that exist therein, whether registered or not, and wherever in the world they may exist. You further agree that the LibreView Data Management System contains proprietary and confidential information that is protected by applicable intellectual property rights and other laws, including but not limited to copyright. You agree that you will not use such proprietary information or materials in any way whatsoever except for use of the LibreView Data Management System in compliance with these Terms of Use. No portion of the LibreView Data Management System may be reproduced in any form or by any means, except as expressly permitted in these Terms of Use or where permitted by applicable law. You shall not remove any product identification, copyright notices or proprietary restrictions from the LibreView Data Management System. You expressly acknowledge and agree that LibreView Data Management System access is licensed and not sold to you, and that Abbott, its licensors, affiliates and suppliers, grant you a non-exclusive license to use the LibreView Data Management System on the basis of these Terms of Use, and that your use of the LibreView Data Management System is also subject to any rules or policies applied by Abbott's third-party providers. You therefore agree that Abbott and/or its licensors do not transfer to any user any ownership or proprietary rights in the LibreView Data Management System, any Intellectual Property Rights, or any other technology, information or materials, and as between the parties, Abbott, its affiliates, its suppliers, and its licensors, retain exclusive ownership of all rights, titles and interest in and to all aspects of the LibreView Data Management System, any Intellectual Property Rights, and all other technology, information and materials, as well as any and all copies or modifications thereof (by whomever and whenever made). RIGHTS NOT EXPRESSLY GRANTED HEREIN ARE RESERVED BY ABBOTT AND/OR ITS LICENSORS. The use of this material and the associated rights of Abbott, its affiliates and its suppliers, are hereby acknowledged except solely to the extent that the foregoing is ineffective in certain countries/states/provinces/jurisdictions.
  18. Remedies: Violations of these Terms of Use may be investigated and appropriate legal action may be taken, including civil, criminal or equitable relief. You understand and agree that Abbott, in its sole discretion, and without prior notice, may terminate your access to our Site, remove any unauthorized user content or exercise any other remedy available if we believe, in our sole discretion, that your conduct or the conduct of any person with whom we believe you act in concert with, or the user content that you provide, violates or is inconsistent with these Terms of Use or applicable law or violates our rights or the rights of our affiliates, licensor or another user of our Site. You agree that monetary damages may not provide us with a sufficient remedy for violations of these Terms of Use and you consent to injunctive or other equitable relief for such violations. A printed version of these Terms of Use and of any related notice given in electronic form shall be admissible in judicial or administrative proceedings based upon or relating to these Terms of Use to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form.
  19. Termination of your LibreView Data Management System account: These Terms of Use are effective upon your creation of a LibreView Data Management System account and shall continue in effect until terminated. You may ask Abbott to delete your LibreView Data Management System account at any time. Abbott may suspend or terminate your LibreView Data Management System account for any of the following reasons without advance notice to you:

  20. Language: The parties agree that the English language will be the official language of these Terms of Use. If there is any conflict, apparent conflict or ambiguity between any of the clauses of these Terms of Use in the English language and the translated language, the wording of the English-language version shall prevail.
  21. Applicable law:

    These Terms of Use shall be governed and construed in accordance with the laws of the State of Illinois without regard to any choice of law provisions. In the event of any conflict between foreign laws, rules and regulations and those of the United States, the laws, rules and regulations of the United States shall govern to the fullest extent possible. You agree that these Terms of Use shall be fully performable in the State of Illinois, and you agree that jurisdiction and venue are proper in of the state and federal courts located in the State of Illinois, United States of America, with respect to any proceedings arising from these Terms of Use or the relationship between the parties hereto. The parties hereby agree that the United Nations Convention on Contracts does not govern these Terms of Use for the International Sale of Goods.

    For users in EEA, the UK, Switzerland, India and Indonesia: These Terms of Use will be governed by and construed in accordance with English law. The parties hereby agree that the United Nations Convention on Contracts does not govern these Terms of Use for the International Sale of Goods. Any dispute arising out of or in connection with these Terms of Use, including any question regarding their existence, validity or termination, shall be referred to and finally resolved by arbitration under the LCIA Rules, which Rules are deemed to be incorporated by reference into this clause. The number of arbitrators shall be one. The seat, or legal place, of arbitration shall be London. The language to be used in the arbitral proceedings shall be English.

  22. Severability. If, for any reason, a court with proper jurisdiction holds that any part of these Terms of Use is invalid or cannot be enforced, all other parts will remain in effect. The invalid or unenforceable part will be reformed only to the extent necessary to make it valid and enforceable. For example, some jurisdictions may not permit certain disclaimers of warranties in relation to individual Professional Users despite the fact that this is a business to business rather than a consumer agreement, and in such an event, only those disclaimers deemed invalid should be severed from these Terms of Use.
  23. No third party rights. These Terms of Use are between you and us. No other person shall have any rights to enforce any of the terms, whether under the UK Contracts (Rights of Third Parties) Act 1999, or otherwise.
  24. Support: Free technical support is available by going to the LibreView.com support site and clicking on the "Customer Support" link. Inquiries will be directed to the appropriate support teams.
  25. Changing LibreView Data Management System Terms of Use: Abbott reserves the right to change these Terms of Use at any time at our discretion and without prior notice. Users of our Site are expected to regularly check the Terms of Use for changes as they are binding on you. We encourage you to review these Terms of Use every time that you use our Site. Updates will be indicated by a change in the Effective Date and your continued use of our Site and continued access to your LibreView Data Management System account as a Professional User following any such change constitutes your agreement to follow and be bound by the most recent version of these Terms of Use. You will be able to store or print out changes to these Terms of Use in legible form.

BY CLICKING AGREE WHEN YOU CREATE A LIBREVIEW DATA MANAGEMENT SYSTEM ACCOUNT AS A PROFESSIONAL USER, YOU REPRESENT AND WARRANT THAT YOU ARE DULY AUTHORIZED TO ACCEPT AND ENTER INTO THESE TERMS OF USE AND THAT YOU INTEND YOUR ACT TO SERVE AS AN ELECTRONIC SIGNATURE TO THESE TERMS OF USE WITH THE SAME FORCE AND EFFECT AS A MANUAL SIGNATURE.

Please print a copy of this Agreement for Your records.

[FOR USERS IN THE EEA, PLEASE SEE DATA PROCESSING AGREEMENT BELOW]

LIBREVIEW
PROFESSIONAL USER EU/UK DATA PROCESSING AGREEMENT

Effective Date: September 2021

This EU/UK Data Processing Agreement ("DPA") form part of and is incorporated into the Terms of Use that govern your use as a Professional User of the LibreView website located at www.LibreView.com (the "Site"). Please read this DPA carefully before you start to use our Site, create any patient profile, practices, and/or invite other Professional Users to create a LibreView Data Management System account, as this DPA is a legal agreement between you and Abbott Diabetes Care Inc.

YOUR ACCESS AND USE OF THE SITE AND THE LIBREVIEW DATA MANAGEMENT SYSTEM CONSTITUTES, AND IS CONDITIONED UPON, YOUR AGREEMENT TO BE BOUND BY THIS DPA. IF YOU DO NOT AGREE TO THIS DPA, DO NOT ACCESS OR OTHERWISE USE THIS SITE, ANY SERVICES AVAILABLE THROUGH THIS SITE OR ANY INFORMATION CONTAINED ON THIS SITE.

  1. Introduction: This DPA governs how Abbott will process Personal Data on behalf of Professional User. This DPA forms part of and is incorporated into the Site Terms of Use between a Professional User and Abbott for the provision of the LibreView Data Management System available at https://www.LibreView.com ("Terms of Use") and, where applicable, the contract between Professional User and its local Abbott company to provide the LibreView Data Management System ("Main Agreement"). When providing the LibreView Data Management System, Abbott processes certain Personal Data on behalf of Professional User as set out at Annex A (Description of Personal Data processing).

  2. Scope: This DPA applies where Abbott is a Processor of Personal Data on behalf of Professional User, which is a Controller of Personal Data. Abbott processes Personal Data on behalf of Professional User when Abbott provides the LibreView Data Management System to Professional User. This DPA does not apply where Abbott processes Personal Data as a Controller as explained in the Terms of Use and Privacy Policy.

  3. Definitions and Interpretation: Capitalized terms in this DPA have the same meaning as in the Terms of Use, and the following terms in this DPA have the same meaning as contained in Article 4 of the General Data Protection Regulation (2016/679) ("GDPR") and EU member state laws implementing GDPR: "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "processing" (used lowercase throughout this DPA and includes "process", "processes" and "processed"); "Processor"; and "Supervisory Authority".

    "Standard Contractual Clauses" means the standard contractual clauses adopted by the European Commission pursuant to Council Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries, as well as any amendments, replacements or other supplementing provisions, as set out at Annex D (Standard Contractual Clauses).

    "UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 as supplemented by the UK’s Data Protection Act 2018, as amended or superseded from time to time.

    References in this DPA to "GDPR" shall be construed as references to "GDPR and/or the UK GDPR as applicable".

  4. Professional User's obligations: Professional User will: (a) comply with all obligations placed on it as a Controller under GDPR; (b) treat as confidential any knowledge of trade secrets and data security measures of Abbott which it acquires from using the services of the LibreView Data Management System provided by Abbott; and (c) reimburse or pay Abbott for any costs arising from any instructions received from Professional User related to Personal Data processing beyond the contractually agreed provision of the LibreView Data Management System under the Terms of Use or Main Agreement.

  5. Abbott's obligations: Abbott will:

    1. comply with all obligations placed on it as a Processor under GDPR;
    2. only process Personal Data in accordance with Professional User's documented instructions as contained in the Terms of Use unless otherwise required by applicable law;
    3. implement appropriate technical and organizational measures to safeguard Personal Data, taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing appropriate to the risk as set out at Annex C (Security measures);
    4. notify Professional User of a Personal Data Breach without undue delay after becoming aware of it, and, where appropriate, take measures to mitigate the possible adverse effects of any security incident or Personal Data Breach;
    5. provide reasonable assistance to Professional User in relation to Professional User's third party notification and communication obligations, including to Data Subjects (as set out at Section 6 (Data Subject requests) below) and Supervisory Authorities, arising out of its use of the LibreView Data Management System and taking into account the nature of the processing and the information available to Abbott;
    6. ensure that its employees, agents, and/or Subprocessors authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    7. maintain a record of any processing of Personal Data it carries out for Professional User and limit the disclosure of such record to those third parties where Professional User has provided prior written consent unless Abbott is otherwise required by applicable law;
    8. ensure that Professional User can verify Abbott's compliance with its obligations under GDPR Article 28, as set out at Section 7 (Verification of compliance and audit rights);
    9. immediately inform Professional User if, in Abbott's opinion, an instruction from Professional User infringes GDPR;
    10. provide Professional User with reasonable assistance in connection with Professional User's obligation under GDPR to carry out data protection impact assessments and to liaise with Supervisory Authorities, where necessary;
    11. to the extent not prohibited by GDPR or any other applicable laws, notify Professional User as soon as reasonably practicable in writing of any subpoena or other judicial or administrative order, process or proceeding seeking access to, or disclosure of, Personal Data uploaded by Professional User in the LibreView Data Management System, and Abbott acknowledges that Professional User may, at its sole expense, seek to defend against or contest such action in lieu and on behalf of Abbott;
    12. at the expiry or termination of Abbott's provision of the LibreView Data Management System at Professional User's choice, delete or return to Professional User without undue delay all Personal Data and refrain from any further processing of such Personal Data, to the extent that this does not contradict Abbott's own obligations under applicable law; where Abbott, retains Personal Data after the termination or expiry of this DPA or the Main Agreement, Abbott will retain such Personal Data in accordance with its relevant retention policies, copies of which can be made available to Professional User on request.

    If Abbott is required to process Personal Data under GDPR or other applicable laws in a manner that does not align with Professional User's instructions, Abbott will, insofar as possible, inform Professional User of the processing activities it is required to undertake before commencing such processing.

  6. Data Subject requests: Taking into account the nature of the processing of Personal Data, Abbott will provide Professional User with reasonable assistance, using appropriate technical and organizational measures where possible, to enable Professional User to respond to a request from a Data Subject to exercise his/her rights under GDPR Chapter 3. Abbott reserves the right to verify that any request for portability has arisen from a Data Subject rather than Professional User. Abbott will notify Professional User of any request it receives from a Data Subject under GDPR Chapter 3, where the Data Subject specifically references Professional User in his/her request.

    Where a Data Subject does not reference Professional User in his/her request, Abbott will respond to the Data Subject using its automated tools by primarily directing Data Subjects to the self-service portals within the LibreView Data Management System or, alternatively, by directing a Data Subject to Abbott's EU DPO site available at https://www.abbott.com/eu-dpo.html or via contact with its dedicated email address at DiabetesCarePrivacy@Abbott.com.

  7. Verification of compliance and audit rights: Abbott will ensure that Professional User can verify Abbott's compliance with its obligations in accordance with GDPR Article 28. Abbott undertakes to give Professional User the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures. Evidence of such compliance measures may be provided by: (a) Abbott's compliance with approved codes of conduct pursuant to GDPR Article 40; (b) Abbott's certification to an approved certification procedure in accordance with GDPR Article 42; or (c) current auditors' certificates, reports or excerpts from reports provided by independent bodies (for example, auditor, data protection officer, IT security department, data privacy auditor, quality auditor).

    If Professional User cannot verify Abbott's compliance with its obligations using the methods set out herein, Professional User may, after consultation with Abbott and upon advance notice, carry out inspections or have them carried out by an auditor to be designated in each individual case.

  8. Subprocessors: Professional User acknowledges that Abbott has entered into written agreements with subprocessors as in listed at Annex B (Subprocessors), each a "Subprocessor", that impose materially similar obligations on such Subprocessors as are placed on Abbott under this DPA. Professional User expressly authorizes Abbott to appoint additional or replacement Subprocessors to assist Abbott to process Personal Data provided that Abbott (a) has executed written agreements with such Subprocessors that impose materially similar obligations on the Subprocessor as are placed on Abbott under this DPA; and (b) informs Professional User about the engagement of any new key Subprocessor through publishing of an updated Privacy Policy. If a Subprocessor fails to comply with its processing obligations, Abbott will be liable to Professional User for such processing obligations.

    Professional User can request Abbott to provide it with further information about a Subprocessor's technical and organizational security measures to protect Personal Data where this is required by local law of Professional User's jurisdiction.

  9. International transfers: LibreView Data Management System servers for the European Economic Area ("EEA") and the UK users are located in the EEA. Abbott is located in the United States of America, a third country for the purposes of GDPR. Professional User understands that for Abbott to provide customer support, maintenance and updates to the LibreView Data Management System ("Maintenance Services"), it will sometimes be necessary to transfer Personal Data, including via remote access into the LibreView servers, from the EEA to Abbott or its Subprocessors pursuant to GDPR Article 49(1)(c).

    To legitimize the export of EEA and UK originating Personal Data under GDPR, the Standard Contractual Clauses set out at Annex D (Standard Contractual Clauses) shall apply. Any references to Directive 95/46/EC in the Standard Contractual Clauses will be read as references to appropriate provisions of GDPR, where possible. Without prejudice to the foregoing, Abbott may transfer Personal Data from the EEA and/or UK to a member of the Abbott group of companies and Subprocessors to the extent necessary for the performance of its contractual obligations under the Terms of Use provided that Abbott has provided appropriate safeguards and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available in accordance with GDPR.

    In the event of Abbott’s receipt of an order from a U.S. governmental agency involved in national security and surveillance seeking access to Personal Data in the LibreView Data Management System, Abbott will: (i) review under applicable law the legality of any such order, including whether it remains within the powers granted to the respective U.S. governmental agency to issue such order; (ii) to the extent reasonable in the given circumstances and depending on the outcome of the aforementioned review of the legality, to take all legal actions and seek all remedies available to Abbott under applicable law to challenge legally binding orders from any U.S. governmental agency that conflict with Abbott’s obligations under the Standard Contractual Clauses set out at Annex D (Standard Contractual Clauses); (iii) inform the U.S. governmental agency of any conflict that arises between such an order and Abbott’s obligations under the Standard Contractual Clauses set out at Annex D (Standard Contractual Clauses); and (iv) document and demonstrate to Professional User the assessments made by Abbott and of any actions taken in relation to such an order.

  10. Data Protection Officers and local representatives: Abbott's Data Protection Officers can be contacted at https://www.abbott.com/eu-dpo.html. In situations where we process information on your behalf and where we act as processor, we will refer the request you as Controller. Professional User's local Abbott company is a designated representative of Abbott pursuant to GDPR Article 27.

  11. Liability: The parties shall each be responsible and liable for their own actions and will take all reasonable steps to mitigate against any damages. The liability regulated in this Article 11 shall relate exclusively to the liability between the parties arising from a breach of the GDPR and this DPA and are without prejudice to and supplement the liability provisions contained in the Terms of Use.

    Where Abbott as a processor and has not complied with obligations of the GDPR specifically directed to data processors or when it has acted outside or contrary to lawful instructions of Professional User then it will: (a) be liable to Professional User for the damage directly caused by its processing of the Personal Data; and (b) reimburse Professional User for all claims, actions or demands by third parties for damage arising directly from its processing of Personal Data. Professional User will take all reasonable steps to mitigate any such damages or losses.

    Where Abbott has paid full compensation for the damage suffered by a Data Subject in accordance with GDPR Article 82.4, Professional User shall reimburse Abbott that part of the compensation corresponding to Professional User's part of the responsibility for the damage.

  12. Governing law and jurisdiction: The governing law relating to the processing or transfer of personal data from the EEA or the UK, this DPA and the Standard Contractual Clauses (as set out at Annex D (Standard Contractual Clauses)), will be the law of the EEA member state in which Professional User is located or, where Professional User is located in the U.K., the governing law will be the laws of England and Wales. In all other respects, the governing law is as set out in the Terms of Use.

  13. Order of Precedence: This DPA supplements and amends the TOU and in the event of a conflict, the following order of precedence will apply:

    1. Standard Contractual Clauses (as set out at Annex D (Standard Contractual Clauses));
    2. this DPA;
    3. Terms of Use; and
    4. where applicable, Main Agreement, except where Abbott and Professional User have entered into a data processing or data sharing agreement as part of the Main Agreement, and in such event, the data processing or data sharing agreement shall supersede this DPA.
  14. Changes: Abbott reserves the right to change this DPA at any time and without prior notice. Professional Users are expected to regularly check the DPA for changes. Abbott encourages Professional Users to review this DPA every time LibreView.com is used. Updates will be indicated by a change in the Effective Date and continued use of LibreView and continued access to your Professional User LibreView Data Management System account following any such change constitutes agreement to be bound by the most recent version of this DPA. You will be able to store or print out the DPA in legible form.

  15. Term and termination: This DPA will remain in force for as long as Professional User has a LibreView Data Management System account. Where required by GDPR or other applicable laws, Abbott may process Personal Data after it has ceased to provide Professional User with the LibreView Data Management System.

***********************************

Annex A
Description of Personal Data processing

Subject matter: When it provides the LibreView Data Management System, Abbott processes the Personal Data of the following categories of Data Subjects as a Processor on behalf of Professional User:

  1. Professional User's employees; and
  2. Patients enrolled to the LibreView Data Management System by Professional User except where patients have separately registered for a LibreView account through the LibreView website.

Processing explanation: Information about the following matters are included in the relevant LibreView Professional User Privacy Policy available at https://pro.libreview.com:

  1. The duration of processing of Personal Data;
  2. The nature and purpose of the processing of Personal Data;
  3. The types of Personal Data Abbott processes;
  4. The categories of Data Subjects whose Personal Data is processed; and
  5. Professional User's rights and obligations.

***********************************

Annex B
Subprocessors

Subprocessor name Subprocessor address Description of services Location from which services are provided
FRANCE ONLY: OVH SAS 2 rue Kellermann, BP 80157, 59100 Roubaix, France Hosting LibreView Data Management System accounts for users located in France. France
Amazon Web Services 410 Terry Avenue North, Seattle, WA 98109, U.S.A. Hosting LibreView Data Management System accounts for users located in the European Economic Area, except France. Ireland
Newyu, Inc., a wholly owned subsidiary of Abbott Laboratories 801 Second Avenue, Suite 800, Seattle, WA 98104, U.S.A. Providing Maintenance Services, in particular troubleshooting and other application and software support. United States of America

***********************************

Annex C
Security measures

Abbott has implemented the technical and organizational security measures set out in this Annex C to ensure the ongoing confidentiality, integrity, availability and resilience of its processing systems and services. Abbott processes Personal Data on EEA server sites operated by an industry-leading cloud service provider that offers sophisticated measures to protect against unauthorized access.

  1. Access control of processing areas (confidentiality): Steps taken by Abbott's industry-leading cloud service provider to prevent unauthorized access to data processing equipment (for example, telephones, database and application servers, and associated hardware) in which Personal Data is processed include the following appropriate measures:

  2. Access control to data processing systems (confidentiality): Abbott takes appropriate measures to prevent its data processing systems from being used by unauthorized persons. This is achieved by:

  3. Access control for the use of certain areas of data processing systems (confidentiality): Abbott personnel authorized to use data processing systems may only access Personal Data where they have sufficient access authorization. Personal Data which is encrypted cannot be read, copied, changed or removed without authorization. This is achieved by:

  4. Transfer control (integrity): Abbott takes steps to prevent Personal Data from being read, copied, altered or deleted by unauthorized persons during its transfer or transport. This is achieved by:

  5. Input control (integrity): Abbott does not access Professional User content unless it is necessary to provide Professional User with the products and professional services it selects. Abbott does not access Professional User content for any purposes other than those set out in the Terms of Use and this DPA. Accordingly, Abbott does not know what content Professional User stores on its systems and cannot distinguish between Personal Data and other content. As a result, Abbott treats all Professional User content in the same manner. In this way, all Professional User content receives the same high level of security, regardless of whether this content contains Personal Data or not.

    Abbott takes appropriate measures to ensure that it is possible to verify and establish that no Personal Data has been entered into or removed from data processing systems. This is achieved by:

  6. Order control: Abbott takes steps to ensure that, where Personal Data is processed, it is processed strictly in accordance with Professional User's instructions. This is achieved by:

  7. Availability control (availability): Abbott takes steps to ensure that Personal Data is protected from accidental destruction or loss. This is achieved by:

  8. Separation of processing for different purposes: Abbott takes steps to ensure that Personal Data collected for different purposes can be processed separately. This is achieved by:

  9. Resilience: Abbott has implemented the following technical and organizational security measures, in particular to ensure the reliability of its processing systems and services:

***********************************

Annex D
Standard Contractual Clauses 2021/914 - Module 2 (Transfer Controller to Processor)

  1. In consideration of the Commission Implementing Decision 2021/914 of 4 June 2021 replacing Decision 2001/497 and Decision 2010/87, this Annex D contains the unchanged and populated Standard Contractual Clauses - Module 2 (Transfer Controller to Processor), which are incorporated into this DPA. References to Standard Contractual Clauses in the DPA shall be read accordingly.
  2. Upon conclusion of this DPA (with this Annex D), all preexisting concluded data protection agreement(s) relating to the LibreView Data Management System and a Professional User LibreView Data Management System account between the parties are replaced and shall no longer apply. This also applies to any data protection agreements that are concluded pursuant to section 13 d. of the body document of the DPA.
  3. In the event of a contradiction between the remainder of the DPA and the Standard Contractual Clauses in this Annex D, the latter shall prevail.
  4. Abbott has also implemented organizational and technical measures in consideration of the European Data Protection Board's Recommendations 01/2020 as well as the European Court of Justice's "Schrems II" decision.

STANDARD CONTRACTUAL CLAUSES

SECTION I

Clause 1

Purpose and scope

(a)

The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) 1 for the transfer of personal data to a third country.

(b)

The Parties:

(i)

the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii)

the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c)

These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d)

The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.


1 Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.

Clause 2

Effect and invariability of the Clauses

(a)

These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b)

These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a)

Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i)

Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii)

Clause 8 – Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);

(iii)

Clause 9 – Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);

(iv)

Clause 12 – Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);

(v)

Clause 13;

(vi)

Clause 15.1(c), (d) and (e);

(vii)

Clause 16(e);

(viii)

Clause 18 – Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.

(b)

Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a)

Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b)

These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c)

These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Intentionally left blank

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1   Instructions

(a)

The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b)

The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2   Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3   Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4   Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5   Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6   Security of processing

(a)

The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b)

The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c)

In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d)

The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7   Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8   Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union 2 (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i)

the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii)

the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

(iii)

the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv)

the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.


2 The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.

8.9   Documentation and compliance

(a)

The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b)

The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c)

The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d)

The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e)

The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a)

The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 90 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b)

Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. 3 The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c)

The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d)

The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e)

The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.


3 This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.

Clause 10

Data subject rights

(a)

The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b)

The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c)

In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a)

The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b)

In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c)

Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i)

lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii)

refer the dispute to the competent courts within the meaning of Clause 18.

(d)

The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e)

The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f)

The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a)

Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b)

The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c)

Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d)

The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e)

Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f)

The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g)

The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a)

[Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b)

The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a)

The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b)

The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i)

the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii)

the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards 4

(iii)

any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c)

The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d)

The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e)

The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]

(f)

Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three:, if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.


4 As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1   Notification

(a)

The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i)

receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii)

becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

[For Module Three: The data exporter shall forward the notification to the controller.]

(b)

If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c)

Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module Three: The data exporter shall forward the information to the controller.]

(d)

The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e)

Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2   Review of legality and data minimisation

(a)

The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b)

The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]

(c)

The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

DOC42186-001_rev-E_en-US