Appointment and Instructions for the Data Processor

(the present document applies only to Customers based in EU Countries)

With the present document, your Company (hereinafter “Data Controller” or “Controller”), in its capacity as data controller for the purposes of Regulation (EU) 2016/679 (“Regulation”), hereby appoints Menarini Silicon Biosystems S.p.A. to data processor (hereinafter: “Processor”), also with system administrator functions, in respects to the personal data processing activities carried out by the Processor to perform the services and supply agreement (“Contract”); the Processor hereby accepts the appointment.

1 . Scope of the appointment

1.1. The Controller authorises the processing of personal data by the Processor only for the purposes and insofar as required by the performance of the Contract. Menarini Silicon Biosystems S.p.A. may also carry out activities that may fall within the scope of “System Administrator” activities, as defined by the Italian Data Protection Authority’s decision of November 27, 2008 (“Decision”), in relation to the software/systems described in the Contract (“Systems”), exclusively for the performance of the activities described herein. In this regard, please refer to the detailed instructions at paragraph 3 below.

In accordance with art.28.3 of the Regulation, the type of personal data and the category of data subjects is defined in relation to the contractual activities. The Parties in any case acknowledge that such data are special categories of data, consisting of patients’ health data.

1.2. Where applicable, in relation to the provisions of the Contract and the Processor’s organisation, all Instructions under this document shall be deemed extended, mutatis mutandis, also to the Processor’s collaborators, employees, designated persons, supervisors and system administrators. The Processor shall ensure that it and such persons fully comply with this Data Processing Agreement.

2. Processing rules and general obligations

2.1. In performing the Contract, and specifically in carrying out the personal data processing operations envisaged therein (“Processing”), the Processor shall observe the utmost confidentiality and discretion as regards the information, personal data and knowledge acquired to perform the Contract. The Processor shall take care of their protection and implement appropriate IT and physical security measures and strictly avoid sharing, disclosing or disseminating information unless strictly necessary.

2.2. The Processor shall perform the data processing operations in line with the Regulation, and in particular by processing Personal Data (as defined under art. 4 of the Regulation) lawfully and fairly, in line with the principles of transparency, purpose limitation and minimisation set out by the Regulation, in compliance with the instructions as defined below.

2.3. The instruction to which the Processor shall need to comply are those contained in the Contract, in this document and/or the instructions that the Processor may receive in the future from the Controller.

2.4. The Controller has verified that the Processor disposes of adequate technical, IT and organisational resources in line with Data Protection law.

2.5. In performing Processing operations, the Processor shall, inter alia, comply with the following operational and behavioural instructions:

(a) prevent hard-copy and electronic documents containing personal data from being shared, given or otherwise made available to persons (colleagues or strangers) for whom the documents are not intended for specific work reasons;

(b) use sealed envelopes or personally hand over documents to minimise the possibility that unauthorised third parties may view/access documents that need to be transmitted to others;

(c) file and store electronic media and documents containing personal data in locked places/cabinets/furniture/drawers;

(d) inform the Controller about any Processing that needs to be discontinued, updated or in any way modified by reason of any change in the circumstances/needs, in case the Instructions are in breach of any legal provision, or on specific request of a data subject;

(e) cooperate with the Controller to ensure the rights of Data Subjects under Chapter III of the Regulation (arts. 15 and seq.) are satisfied;

(f) at the Controller’s choice, hand back or destroy any Personal Data in its possession that, by reason of the termination or modification to the Contract, Menarini Silicon Biosystems S.p.A. no longer needs to process.

All the above applies to original documents/deeds, or any paper, electronic or other type of copy thereof, regardless of the method/support employed.

2.6. Menarini Silicon Biosystems S.p.A. may avail of another data processor/sub-processor to delegate some specific Processing activities. Specifically, the Controller hereby authorises Menarini Silicon Biosystems S.p.A. to avail of software suppliers to perform second-level technical assistance on software, and recognise that such sub-processor may also perform system administrator activities in line with the Decision. Specifically, Menarini Silicon Biosystems S.p.A. shall avail of the following sub-processor:

A. Menarini Diagnostics Srl, via Sette Santi 3, 50131 Firenze – Italy for the activities pertaining to post-sales including complaint management, troubleshoot and maintenance.

Menarini Silicon Biosystems S.p.A. shall inform the Controller about any subsequent addition or replacement of any sub-processor, thereby giving the Controller the possibility to object. Silicon Biosystems S.p.A. will impose on all sub-processors the same obligations pertaining to data protection contained in the Contract and in these Instructions. Such sub-processors are indicated in the technical/financial documentation provided.

2.7. Menarini Silicon Biosystems S.p.A. warrants it will grant access to its offices to the Controller, so that this latter may audit the way Processing activities are performed, in ways and with methods to be agreed by the parties.

2.8. Data will not be processed outside the EU.

3.Detailed Instructions for System Administrators

3.1. The company operating as system administrator guarantees it has adopted the same specifications prescribed by the Decision, as far as applicable, such as, by way of example, the individual and specific designation of its own system administrators and their oversight; the recording and storage of access logs; password management, the provision on request of the updated list of designated system administrators and their functions, which shall highlight, if necessary, those involved (even just potentially) in Processing activities of the Controller’s Personal Data.