ALDOCHEM EOOD · Burgas, Bulgaria
Data Processing Agreement (DPA) under the EU General Data Protection Regulation
Parties and Roles
This Data Processing Agreement (the "Agreement" or "DPA") is entered into on [DATE] by and between:
(1) [COUNTERPARTY NAME], a company incorporated under the laws of [JURISDICTION], with registered office at [COUNTERPARTY ADDRESS] and registration number [COUNTERPARTY REG. NO.] (the "Controller"); and
(2) ALDOCHEM EOOD, a single-member limited liability company (еднолично дружество с ограничена отговорност) incorporated under the laws of the Republic of Bulgaria, with registered office in Burgas, Bulgaria, and registration number [ALDOCHEM UIC] (the "Processor").
The Controller and the Processor are each referred to as a "Party" and together as the "Parties".
This DPA applies where the Processor processes Personal Data on behalf of the Controller in connection with the provision of peptide sourcing, custom synthesis, fill and finish, and related research-use-only services (the "Services") under the master services agreement, quotation, purchase order, terms of sale, or other principal contract between the Parties (the "Principal Agreement").
Where, in respect of a given processing activity, the Parties determine the purposes and means of processing jointly, they shall be treated as joint controllers within the meaning of Article 26 GDPR, and the provisions of Clause 12 (Joint Controllership) shall apply to that activity in place of the processor-specific obligations, to the extent of any conflict.
Recitals
WHEREAS the Parties have entered into, or intend to enter into, the Principal Agreement under which the Processor provides the Services to the Controller;
WHEREAS the performance of the Services may require the Processor to process Personal Data for which the Controller acts as controller;
WHEREAS Article 28(3) GDPR requires that processing carried out by a processor be governed by a contract or other legal act that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller;
WHEREAS the Parties wish to record the terms on which such processing takes place and to ensure compliance with applicable Data Protection Law;
NOW, THEREFORE, in consideration of the mutual covenants set out below, and intending to be legally bound, the Parties agree as follows.
1. Definitions and Interpretation
1.1 Except as otherwise defined in this DPA, capitalised terms have the meanings given to them in the GDPR. In particular, the terms "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", "Supervisory Authority", and "Special Categories of Personal Data" shall have the meanings set out in Article 4 and Article 9 GDPR.
1.2 "Data Protection Law" means Regulation (EU) 2016/679 (the "GDPR"), together with any national law implementing or supplementing it that applies to the Processing, including the Bulgarian Personal Data Protection Act (Закон за защита на личните данни), in each case as amended, replaced, or superseded from time to time.
1.3 "Sub-processor" means any third party (including any affiliate of the Processor) engaged by the Processor to carry out Processing activities on behalf of the Controller under this DPA.
1.4 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Article 46(2) GDPR, as in force from time to time.
1.5 "Data Subject Request" means a request by or on behalf of a Data Subject to exercise rights under Chapter III GDPR, including rights of access, rectification, erasure, restriction, data portability, and objection.
1.6 "Annex" means an annex to this DPA, each of which forms an integral part of it.
1.7 References to "Articles" are to articles of the GDPR unless otherwise stated. Headings are for convenience only and do not affect interpretation. The words "including" and "in particular" are without limitation.
1.8 In the event of any conflict between the body of this DPA and an Annex, the body of this DPA prevails except where the Annex expressly states otherwise. In the event of any conflict between this DPA and the Principal Agreement in respect of the Processing of Personal Data, this DPA prevails.
2. Subject-Matter, Duration, Nature and Purpose of Processing
2.1 The subject-matter of the Processing is the provision of the Services under the Principal Agreement and the Processing operations necessary to deliver them.
2.2 The duration of the Processing is the term of the Principal Agreement, together with any subsequent period during which the Processor retains Personal Data in accordance with Clause 10 (Return or Deletion) or as required by applicable law.
2.3 The nature of the Processing comprises the operations set out in Annex I, which may include collection, recording, storage, organisation, structuring, consultation, use, transmission, restriction, erasure, and destruction of Personal Data, in each case only to the extent necessary for the Services.
2.4 The purpose of the Processing is limited to the performance of the Services and to compliance with the Processor's obligations under the Principal Agreement, this DPA, and applicable law. The Processor shall not Process Personal Data for its own purposes or for any purpose incompatible with the foregoing.
2.5 The categories of Data Subjects and the types of Personal Data Processed are described in Annex I. The Parties acknowledge that the Services are provided for research use only and are not intended to involve the Processing of health data of identified patients; where any Special Categories of Personal Data are nonetheless to be Processed, they shall be identified in Annex I and Processed only subject to the additional safeguards recorded there.
3. Obligations of the Controller
3.1 The Controller warrants that it has a lawful basis under Article 6 (and, where relevant, Article 9) GDPR for the Processing instructed under this DPA, and that it has provided all notices and obtained all consents necessary for the Processor to Process the Personal Data as contemplated by this DPA.
3.2 The Controller shall issue its instructions in a lawful manner and shall be responsible for the accuracy, quality, and legality of the Personal Data and of the means by which it acquired the Personal Data.
3.3 The Controller shall not instruct the Processor to Process Personal Data in a manner that would cause the Processor to be in breach of Data Protection Law, and shall promptly inform the Processor if it becomes aware of any such circumstance.
4. Processor Obligations and Documented Instructions
4.1 The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
4.2 The Controller's initial documented instructions are set out in this DPA, in Annex I, and in the Principal Agreement. Any additional or amended instructions shall be given in writing and shall be consistent with the scope of the Services.
4.3 The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Law. The Processor shall not be obliged to carry out an instruction that it reasonably considers to be unlawful, and the giving of such notice shall not constitute a breach of this DPA by the Processor.
4.4 The Processor shall not engage in "data monetisation" and shall not sell, license, or otherwise make available the Personal Data to any third party except as expressly permitted under this DPA.
5. Confidentiality of Personnel
5.1 The Processor shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2 The Processor shall ensure that access to Personal Data is limited to those personnel who require access to perform the Services and shall provide such personnel with appropriate training on the protection of Personal Data.
5.3 The confidentiality obligations in this Clause 5 shall survive termination of this DPA and of the Principal Agreement.
6. Security of Processing
6.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
6.2 The technical and organisational measures implemented by the Processor as at the date of this DPA are described in Annex II. The Processor may update those measures from time to time provided that the updated measures do not result in a material reduction of the overall level of security.
6.3 Such measures shall include, as appropriate: the pseudonymisation and encryption of Personal Data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of those measures.
6.4 In assessing the appropriate level of security, account shall be taken in particular of the risks presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed.
7. Sub-processors
7.1 The Controller grants the Processor general written authorisation to engage Sub-processors for the performance of the Services, subject to the conditions in this Clause 7. The Sub-processors engaged as at the date of this DPA are listed in Annex I.
7.2 The Processor shall inform the Controller of any intended addition or replacement of a Sub-processor, giving the Controller at least [NOTICE PERIOD] to object on reasonable grounds relating to data protection. If the Controller objects within that period, the Parties shall discuss the objection in good faith; if the objection cannot be resolved, either Party may terminate the affected part of the Services in accordance with the Principal Agreement.
7.3 Where the Processor engages a Sub-processor, it shall do so by way of a written contract that imposes on the Sub-processor data protection obligations that are, in substance, no less protective than those imposed on the Processor under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in accordance with Article 28(4) GDPR.
7.4 The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations to the extent the Sub-processor fails to fulfil its data protection obligations.
8. Assistance with Data Subject Rights
8.1 Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to Data Subject Requests under Chapter III GDPR.
8.2 If the Processor receives a Data Subject Request relating to Personal Data Processed on behalf of the Controller, it shall not respond to that request itself (except to confirm receipt and to direct the Data Subject to the Controller where appropriate) but shall, without undue delay, notify the Controller and forward the request.
8.3 The Processor shall not be responsible for responding directly to Data Subjects, which remains the Controller's responsibility. Any assistance beyond that which is reasonably required and readily available may be subject to reasonable charges as agreed by the Parties.
9. Assistance with Articles 32 to 36 GDPR
9.1 Taking into account the nature of the Processing and the information available to the Processor, the Processor shall assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 GDPR, namely security of Processing, notification of Personal Data Breaches, communication of Personal Data Breaches to Data Subjects, data protection impact assessments, and prior consultation with the Supervisory Authority.
9.2 Such assistance shall be provided taking into account the nature of the Processing and the information available to the Processor, and may be subject to reasonable charges for assistance that exceeds that which is readily available to the Processor.
10. Personal Data Breach Notification
10.1 The Processor shall notify the Controller without undue delay, and in any event within [NOTICE PERIOD, e.g. 48 hours] after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Controller.
10.2 The notification shall, to the extent known and to the extent that the information is available to the Processor, describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and of Personal Data records concerned; the likely consequences of the breach; the measures taken or proposed to be taken to address the breach and to mitigate its possible adverse effects; and the name and contact details of a point of contact from whom further information may be obtained.
10.3 Where and insofar as it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
10.4 The Processor shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of the Personal Data Breach. Notification of a Personal Data Breach shall not be construed as an acknowledgement by the Processor of any fault or liability.
11. International Transfers
11.1 The Processor shall not transfer Personal Data to a country outside the European Economic Area, or to an international organisation, without the prior documented authorisation of the Controller, except where required to do so by Union or Member State law, in which case Clause 4.1 applies.
11.2 Where a transfer of Personal Data to a third country takes place, such transfer shall be subject to appropriate safeguards under Chapter V GDPR, which may include an adequacy decision of the European Commission, the Standard Contractual Clauses, binding corporate rules, or another lawful transfer mechanism.
11.3 Where the Standard Contractual Clauses apply, they are incorporated into this DPA by reference, and the Parties shall complete their annexes consistently with Annex I and Annex II. In the event of any conflict between the Standard Contractual Clauses and this DPA in respect of the relevant transfer, the Standard Contractual Clauses prevail.
11.4 The Processor shall, where required, assist the Controller in conducting and documenting any transfer impact assessment associated with such transfers.
12. Joint Controllership (Where Applicable)
12.1 Where the Parties act as joint controllers for a given Processing activity under Clause 1 of the Parties and Roles section, they shall determine their respective responsibilities for compliance with Data Protection Law in a transparent manner, in particular as regards the exercise of Data Subject rights and the provision of information under Articles 13 and 14 GDPR.
12.2 The allocation of responsibilities for any joint controllership arrangement shall be recorded in a schedule agreed by the Parties, which shall reflect the essence of the arrangement and make it available to Data Subjects as required by Article 26(2) GDPR.
12.3 Irrespective of the terms of any joint controllership arrangement, a Data Subject may exercise their rights under the GDPR in respect of and against each of the Parties.
13. Audits and Information
13.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
13.2 Audits shall be conducted on reasonable prior written notice of not less than [NOTICE PERIOD], during normal business hours, no more than once in any twelve-month period (save where required by a Supervisory Authority or following a Personal Data Breach), and in a manner that does not unreasonably disrupt the Processor's business or compromise the confidentiality or security of other customers' data.
13.3 The Controller shall bear its own costs of any audit, and the Processor may charge its reasonable costs of supporting an audit that exceeds the provision of standard compliance documentation. Any auditor shall be bound by appropriate confidentiality obligations.
13.4 The Processor may satisfy the audit obligation by making available relevant third-party certifications, attestations, or audit reports, where these reasonably address the scope of the Controller's request.
14. Return or Deletion of Personal Data
14.1 On termination or expiry of the Principal Agreement, or otherwise on the Controller's written request, the Processor shall, at the choice of the Controller, delete or return all Personal Data Processed on behalf of the Controller and delete existing copies, unless Union or Member State law requires storage of the Personal Data.
14.2 Where the Controller elects for return, the Personal Data shall be returned in a commonly used, machine-readable format within [NOTICE PERIOD] of the request, following which the Processor shall delete remaining copies.
14.3 The Processor may retain Personal Data to the extent, and for so long as, required by applicable law, provided that it continues to protect the confidentiality of such Personal Data and Processes it only as necessary for the purpose or purposes for which it is retained.
14.4 On request, the Processor shall provide the Controller with written confirmation that it has complied with this Clause 14.
15. Liability and Indemnity
15.1 Each Party's liability arising out of or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the Principal Agreement, and this DPA and the Principal Agreement shall be read together as a single agreement for the purpose of any aggregate cap on liability, except where Data Protection Law does not permit such limitation.
15.2 Nothing in this DPA limits or excludes either Party's liability where such limitation or exclusion is not permitted by Data Protection Law, including liability towards Data Subjects under Article 82 GDPR.
15.3 Where the Parties are involved in Processing that causes damage to a Data Subject, liability as between the Parties shall be apportioned according to each Party's respective responsibility for the damage, consistent with Article 82 GDPR.
15.4 The Controller shall indemnify the Processor against loss arising from the Controller's instructions or from a breach by the Controller of its warranties in Clause 3, and the Processor shall indemnify the Controller against loss arising from the Processor's breach of its obligations under this DPA, in each case subject to Clause 15.1.
16. Term and Termination
16.1 This DPA takes effect on [DATE] and remains in force for so long as the Processor Processes Personal Data on behalf of the Controller under the Principal Agreement.
16.2 Termination of this DPA shall not relieve either Party of obligations that by their nature survive termination, including Clauses 5 (Confidentiality of Personnel), 14 (Return or Deletion), 15 (Liability), and 17 (Governing Law).
17. Governing Law and Jurisdiction
17.1 This DPA and any non-contractual obligations arising out of or in connection with it are governed by the laws of the Republic of Bulgaria, without prejudice to the direct application of the GDPR.
17.2 The courts of Burgas, Bulgaria have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA, without prejudice to the right of a Data Subject or a Supervisory Authority to bring proceedings before a competent court under Data Protection Law.
17.3 If any provision of this DPA is or becomes invalid or unenforceable, the remaining provisions shall remain in full force, and the Parties shall replace the invalid or unenforceable provision with a valid provision that reflects, as closely as possible, the original intent.
18. General Provisions
18.1 This DPA, together with its Annexes and the data protection provisions of the Principal Agreement, constitutes the entire agreement between the Parties in respect of the Processing of Personal Data and supersedes any prior arrangement on that subject-matter.
18.2 Any amendment to this DPA must be in writing and signed by or on behalf of each Party, save that the Parties shall negotiate in good faith any variation reasonably required to reflect a change in Data Protection Law.
18.3 Notices under this DPA shall be given in writing to the contact details set out in Annex I or as otherwise notified by a Party from time to time.
18.4 No failure or delay by a Party in exercising any right under this DPA shall operate as a waiver of that right.
Annex I — Details of Processing (Template)
A. List of Parties: Controller — [COUNTERPARTY NAME], [COUNTERPARTY ADDRESS], contact: [CONTROLLER CONTACT / DPO]. Processor — ALDOCHEM EOOD, Burgas, Bulgaria, contact: [PROCESSOR CONTACT / DPO].
B. Subject-matter of the Processing: [DESCRIBE, e.g. Processing of contact and order data to fulfil peptide sourcing and custom synthesis Services].
C. Duration of the Processing: [TERM], being the duration of the Principal Agreement plus any statutory retention period.
D. Nature and purpose of the Processing: [DESCRIBE OPERATIONS AND PURPOSE, e.g. storage and use of customer contact and order data to process quotations, orders, delivery, invoicing, and to issue Certificates of Analysis].
E. Categories of Data Subjects: [e.g. the Controller's employees, researchers, procurement contacts, and authorised representatives].
F. Categories of Personal Data: [e.g. names, business contact details, job titles, order and account information]. Special Categories of Personal Data: [NONE / SPECIFY, with safeguards].
G. Sub-processors: [LIST NAME, LOCATION, AND PROCESSING ACTIVITY OF EACH AUTHORISED SUB-PROCESSOR].
H. International transfers and transfer mechanism (if any): [SPECIFY DESTINATION COUNTRY AND MECHANISM, e.g. SCCs / adequacy decision / none].
Annex II — Technical and Organisational Measures (Template)
This Annex describes the technical and organisational measures implemented by the Processor pursuant to Article 32 GDPR and Clause 6. It is to be completed to reflect the measures actually in place and reviewed periodically.
1. Access control and authentication: [DESCRIBE, e.g. role-based access, unique credentials, multi-factor authentication for administrative access].
2. Encryption and pseudonymisation: [DESCRIBE, e.g. encryption of data in transit and at rest, pseudonymisation where appropriate].
3. Confidentiality, integrity, availability, and resilience: [DESCRIBE, e.g. network segregation, backups, redundancy, malware protection].
4. Business continuity and restoration: [DESCRIBE, e.g. backup and recovery procedures, disaster-recovery testing].
5. Regular testing and evaluation: [DESCRIBE, e.g. periodic vulnerability assessment, review of measures, internal audit under the Processor's ISO 9001-style quality management system].
6. Physical security: [DESCRIBE, e.g. controlled access to premises and to the GMP-aligned manufacturing partner facility in Opole, Poland].
7. Personnel and organisational measures: [DESCRIBE, e.g. confidentiality undertakings, data protection training, defined data protection responsibilities].
8. Sub-processor management: [DESCRIBE, e.g. due diligence, contractual controls, periodic review].
Signatures
IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the date first written above.
For and on behalf of [COUNTERPARTY NAME] (Controller):
Signature: _______________________________
Name: [NAME]
Title: [TITLE]
Date: [DATE]
For and on behalf of ALDOCHEM EOOD (Processor):
Signature: _______________________________
Name: [NAME]
Title: [TITLE]
Date: [DATE]
Notice
This document is a template provided for general informational purposes only and does not constitute legal advice. It must be reviewed, completed, and adapted by qualified legal counsel to the specific circumstances of the Parties and to applicable law before use. The framing of the Services as research use only (RUO) and as manufactured by a GMP-aligned partner should be verified; nothing in this template should be read as a representation that any facility or process is GMP-certified. No solicitor-client, attorney-client, or other professional relationship is created by the use of this template.
This document is a template provided for information only. It is not legal advice and must be reviewed and adapted by qualified counsel before use. Bracketed items must be completed before execution.