|Blueprint Genetics Oy||Blueprint Genetics Inc.||Blueprint Genetics Canada Inc|
|Biomedicum 2U||1268 Missouri Street||1200 Waterfront Centre|
|Tukholmankatu 8||San Francisco||200 Burrard Street|
|00290 Helsinki||CA 94107||Vancouver BC V6C 3L6|
|VAT No: FI22307900|
1. PURPOSE AND SCOPE
These general terms are applied to all services (the “Services”) provided by Blueprint Genetics Oy, Blueprint Genetics Inc. and Blueprint Genetics Canada Inc. (each hereafter the “Supplier” and “Group Company”). These general terms, complemented by the information in the order form or other customer agreement, form the entire agreement concerning the Services (the “Agreement”). If the test is ordered from Canada, this Agreement is entered with Blueprint Genetics Canada Inc. If the test is ordered from elsewhere in North America or South America, this Agreement is entered with Blueprint Genetics Inc. If the test is ordered from elsewhere in the world, this Agreement is entered with Blueprint Genetics Oy. The Services are only provided to hospitals and medical professionals. Blueprint Genetics does not offer any Services directly to patients or other individuals and reserves the right to reject any orders if the Customer is unable to provide appropriate credentials. The Services provided under this Agreement and the related pricing information and service descriptions are set out on the Supplier’s website and are available through the Supplier’s customer support. The Supplier may amend the specifications, these general terms and the list of prices from time to time by posting new versions on its website.
The Customer orders the Services either by using the Supplier’s online service and following the instructions contained in the online service, or by a paper order form and following the instructions given in the form. Orders are valid only after the Supplier has confirmed the order. The Supplier reserves the right to refuse any orders submitted.
3. OBLIGATIONS OF THE CUSTOMER
The Customer shall be responsible for:
(i) Complying with all applicable laws and regulations and ensuring that it only provides such information and samples to the Supplier that the Customer has the right to provide and the Supplier right to process;
(ii) Ensuring, if a fax number is provided in the study request, that the faxed results are handled in accordance with the applicable privacy laws and that no unauthorized persons have access to the fax machine;
(iii) Following the instructions of the Supplier’s online system or order form, as applicable, to input the required information;
(iv) Ensuring that the quality and quantity of the sample is sufficient in order to perform the tests and if the patient has received bone marrow
transplant it is clearly mentioned in the test requisition;
(v) Ensuring that samples are packed and transported in an appropriate manner, or, if the full service option is ordered, that the samples are handed over for transportation in an appropriate manner;
(vi) All medical advice given to the patient, and ensuring that the patient and other parties to whom the information is disclosed understands the nature of the information provided through genetic testing and the inherent limitations thereof;
(vii) Ensuring that only authorized person(s) have access codes to the Supplier’s online service and informing the Supplier of any changes thereto; and
(viii) Ensuring that any information concerning limiting or canceling the Informed Consent is promptly delivered to the Supplier.
4. OBLIGATIONS OF THE SUPPLIER
The Supplier shall be responsible for:
(i) Providing the Services in accordance with these general terms, the Supplier’s methodology, service descriptions and product descriptions and such degree of skill and care that is ordinarily exercised under similar circumstances by reputable professionals;
(ii) Complying with all applicable laws and regulations; and
(iii) Delivering the results of the Services through the Supplier’s online service, or if so ordered, by regular post and / or fax to the Customer’s address, in the form and manner specified in the service descriptions.
5. DELIVERY OF RESULTS
The Supplier will endeavour to perform the Services and make the results available within 21 days from the receipt of the sample, assuming that the purchase is confirmed. While the Supplier will endeavour to submit the results at the first possibility, it cannot take responsibility for delay of the results due to unforeseen events. The Supplier will typically communicate delivery delay if the results are not available in 28 days from the receipt of the sample. Certain national holidays will postpone the availability of results one day when the national holiday occurs during 21 days from sample reception. These national holidays are:
(i) Christmas Eve (Dec 24), Christmas Day (Dec 25), Boxing Day (Dec 26), New Year’s Day (Jan 1), Epiphany (Jan 6), The Good Friday (variable) and Easter Monday (variable). If the national holiday occurs on Saturday or Sunday, the availability of results will not be postponed.
Notwithstanding the aforementioned, for Exome products, the Supplier will endeavour to make the results available of within 56 days from the receipt of the sample, assuming that the purchase is confirmed, and the Supplier will communicate delivery delay if the Exome results are not available in 63 days from the receipt of the sample. National holidays listed above will postpone the availability of Exome results by one day when the national holiday occurs during 56 days from sample reception.
The Supplier shall invoice for the Services after the results have been made available in the Supplier’s online service or sent to the Customer in accordance with the Supplier’s price list in force at the time when the order was made. The terms of payment are 14 days net from the date of delivery or the date of invoice, whichever is later. Interest on delayed payments accrues in accordance with the Interest Act. VAT and other indirect taxes will be added in accordance with the regulations in force from time to time.
7. STORING OF THE SAMPLES
Unless otherwise required by applicable laws, the Supplier will store samples for a period of twelve (12) months after the test has been conducted in order to enable any verifications which may be requested by the Customer. If the patient has given his consent for the extended storage of the samples, the Supplier may store the samples for a longer period of time.
8. THE CONNECTING CLINICIANS -PROGRAM
The Supplier may, as a part of its online services, facilitate communication between clinicians interested in same inherited disorders as a part of its “Connecting Clinicians” -program. This is done by sharing contact information of clinicians who have similar professional interests, either as indicated by their use of the Services or by information provided by such clinicians. The Customer agrees to notify the Supplier in writing if it chooses to opt out of this program. Also individual clinicians may opt out of the program at any time. No personal data is shared without the data subject’s prior explicit consent.
As a part of the program the Supplier will only help in establishing the initial communication link between clinicians who have similar professional interests. Any information exchange will take place at the discretion of, and directly between, the clinicians. The Supplier will not participate in or monitor the information exchange.
The participating clinicians are solely responsible for any information which they may choose to exchange, as well as any actions taken on the basis of such information. The Supplier does not give any warranties or accept any responsibility for any information exchanged.
9. DISCLAIMER; LIMITATION OF LIABILITY
The Supplier only gives the representations and warranties expressly set out in this Agreement. No other warranties are given or implied. Specifically, and without limiting the generality of the foregoing, the Supplier does not give any warranties as to the accuracy of any results contained in any reports generated by the Services. The Customer acknowledges that it understands the nature of the information provided through genetic testing and that the accuracy of the tests is less than 100 %. The Supplier shall compensate for all damages that it has caused to the Customer through grossly negligent conduct or willful misconduct. The Supplier shall compensate for all damages that it has caused to the patient only if and to the extent so required under a mandatory provision of the applicable law. Otherwise, and to the fullest extent possible under the applicable law, the Supplier shall not be liable for any direct, consequential, indirect or any other damages arising out of the Services or use of the results generated as a result of the Services. In no case shall the liability of the Supplier exceed the amount paid by the Customer for the particular Service. All claims shall be submitted within six (6) months from issue of the test results, otherwise the claim is deemed to be expired.
The Supplier may subcontract its obligations under this Agreement.
The Supplier will be liable for the work of its subcontractors.
11. FORCE MAJEURE
Neither Party shall be liable for delays and damages caused by an impediment beyond its control, which it could not have reasonably taken into account at the time of the conclusion of the Agreement, and whose consequences it could not reasonably have avoided or overcome. A force majeure event suffered by a subcontractor of a Party shall also discharge such Party from liability, if subcontracting from other source cannot be made without unreasonable costs or loss of time. Either Party shall without delay inform the other Party of a force majeure event in writing.
12. OTHER PROVISIONS
All changes and amendments to this Agreement shall be agreed in writing in order to be valid.
In case any provision of this Agreement would be held invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions hereof will not in any way be affected or impaired thereby. Upon such determination that any provision of this Agreement is invalid, illegal or unenforceable, the Parties shall negotiate in good faith to modify this Agreement, so as to effect the original intent of the Parties as closely as possible. Neither Party may assign this Agreement without the written consent of the other Party except in connection with the assignment or transfer of the related business operations. The Supplier shall, however, be entitled to assign its obligations to any Group Company and its receivables under this Agreement to a third party.
Personal data processing: to the extent that personal data provided by the Customer to the Supplier is subject to the General Data Protection Regulation, the Data Processing Annex annexed to this Agreement shall apply.
13. APPLICABLE LAW AND DISPUTE RESOLUTION
This Agreement shall be governed by the laws of Finland, excluding the application of its conflict of laws rules and principles which would require the application of the laws of any other jurisdiction. All disputes arising out of this Agreement or the Services shall be resolved in the district court of Helsinki, Finland.
DATA PROCESSING ANNEX
This annex (the “Annex”) forms an integral part of the General Terms (the “Agreement”) dated May 25, 2018 and concluded by and between Supplier and Customer. To the extent there are any conflicts or discrepancies between terms of Agreement and terms of this Annex, terms of this Annex shall take precedence.
The terms used in this Annex shall have the same meaning as given in Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “Regulation”). Such terms include without limitation controller, processor, personal data, data subject, processing and personal data breach.
Where not defined in the Regulation, all capitalized terms used but defined herein shall have the same meaning as in the Agreement.
The Customer is the sole controller of the Customer’s personal data or has been instructed by and obtained the authorization of the relevant controller(s) to agree to the processing of Customer’s personal data by the Supplier as set out in this Annex. With this Annex, the parties agree that Customer appoints the Supplier as its processor to process Customer’s personal data during the term of Agreement under the terms agreed in this Annex.
Supplier shall process the personal data only to further its obligations set forth in the Agreement and in accordance with the written instructions provided by Customer. The personal data relates to following groups of data subjects: patients and their family members.
Supplier may process the following personal data for furthering its obligations relating to the purpose, some of which are special categories of personal data:
- Date of birth
- Medical information from physician’s referral
- Family history and relationships
- Specimen identification number and equivalent identifiers
- Identifiable genetic information
- Email, phone number, address, fax number
Supplier must immediately notify Customer, if it considers that the written instructions provided by Customer for processing personal data are in violation of the Regulation or national data protection laws. In addition to the terms of this Annex, the parties agree to comply with the Regulation as applicable to each party.
Transfers to third countries
Customers located in the European Union or the European Economic Area: Supplier is not entitled to transfer personal data outside EU or EEA, unless Customer has provided its written consent in advance for the transfer. In such event, Supplier must also comply with the obligations that the Regulation specifies for international transfers.
Customers located in third countries: If the Customer is located in a third country, the Supplier is entitled to transfer personal data to such third country for the performance of the Services and the Customer provides its consent for such transfer. In such situation, the legal basis for the transfer is the necessity for the performance of a contract concluded in the interest of the data subject between the Customer and the Supplier.
Consent for secondary use
Data subjects may give the Supplier an informed consent for the secondary use of personal data for research purposes. Such consent must be explicit and freely given and may not in any way affect the Services. In such event, the Supplier will act as a controller of the personal data for research purposes and assumes the liabilities of a controller under the Regulation. For sake of clarity it is expressly stated that such processing is not subject to this Annex.
Supplier is entitled to use sub-processors for processing personal data, provided that it notifies Customer in writing of its intention no later than 30 days in advance. Supplier’s obligation to notify concerns intended adding, removal or change of a sub-processor. After receiving notification, Customer has the right to object the intended change in the use of a sub-processor.
When using sub-processors for processing personal data, Supplier agrees that it will impose data protection terms on any sub-processor it appoints that protect the personal data to the same standard as provided for by this Annex. Supplier is fully liable that its sub-processors comply with the requirements of this Annex.
A list of sub-processors that are approved on the Effective Date can be found at www.blueprintgenetics.com/sub-processors. The list will be updated from time to time.
All personal data processed by Supplier on behalf of Customer is considered Customer’s confidential information and Supplier shall not disclose the personal data to anyone or use it for any other than agreed purpose. Supplier ensures that only such people shall have access to the personal data that is necessary for furthering Supplier’s obligations relating to the purpose and that such people shall be subject to a strict duty of confidentiality, contractual or statutory, and shall not permit any person to process the personal who is not under such a duty of confidentiality. The duties of confidentiality shall survive the termination or expiration of the Agreement.
Supplier shall implement appropriate technical and organizational measures to protect the personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the personal data. Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for natural persons’ rights and freedoms.
Such measures can include, as appropriate:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Personal data breaches
Supplier must notify Customer without undue delay about personal data breaches it becomes aware of, so that Customer can comply with the provisions of the Regulation regarding personal data breach notifications within the set time limits. When notifying Customer, Supplier must include necessary details about the personal data breach and also otherwise provide reasonable assistance for the Customer. Supplier must also take all such other necessary measures to mitigate or remedy the effects of the personal data breach and to prevent further breaches.
Contact information and data protection officer
For notifications and any privacy-related matters, the Supplier shall contact the Customer’s data protection officer, if the contact information for such person has been provided by the Customer.
If the Customer does not have a data protection officer, the Customer is obligated to designate a contact person responsible for data protection for the purpose of processing personal data. The Customer will provide the contact information of the contact person referred to here or data protection officer to the Customer in writing.
Contact information for the Supplier’s data protection officer: firstname.lastname@example.org
If this contact information changes, the Supplier shall notify the Customer immediately.
Data protection impact assessment
If Supplier becomes aware that the planned processing would cause a high risk for the rights and freedoms of natural persons it must notify Customer about this and assist the Customer, if necessary, in conducting a data protection impact assessment.
Data subject’s rights
Taking into consideration the nature of the data processing, Supplier must reasonably and without undue delay assist Customer, including by applicable technical and organizational measures, to fulfill any request from a data subject to exercise its rights under the Regulation. Such rights may include, as they are described in the Regulation, rights of access, correction, objection, erasure (“right to be forgotten”) and data portability. If such requests are made directly to Supplier, it must notify Customer about the request without undue delay.
Supplier shall permit Customer to audit Supplier’s compliance with these terms, and shall provide access and make available to Customer all systems, premises, resources, information and staff as necessary for Customer to conduct such audit. Audits will be performed during normal business hours with the aim of causing as little disruption to Supplier’s business operation as reasonably possible. Customer must also provide reasonable advance notification of planned audits. Both parties are responsible for their own costs and expenses relating to an audit.
Term and effects of termination
This Annex enters into force on May 25, 2018 (“Effective Date”) and shall thereafter remain in force until the Agreement is terminated or expires under its terms.
At the termination or expiration of the Agreement, Supplier shall, at Customer’s option, delete or return all personal data to Customer and delete also all copies of the personal data, unless national or EU or member state law requires Supplier to retain some or all of that data. In such event any further processing of the personal data is prohibited, except to the extent required by law.