Data Processing Agreement

Sniper Medical Technologies

Version: V1.0
Effective Date: April 1, 2024
Applicability: This Agreement constitutes an integral part of Sniper’s Sales Terms, Service Terms, Software License Agreements, Technical Service Agreements, Orders, Quotations or other Master Agreements. If the parties have separately signed a dedicated Data Processing Agreement, Clinical Research Agreement, Registration Verification Agreement, Technical Service Agreement, Cross-border Data Transfer Agreement or Confidentiality Agreement that contains more specific provisions on personal information processing, such more specific provisions shall prevail.

1. Definitions
1.1. Master Agreement

Refers to the Sales Terms, Orders, Quotations, Service Terms, Software License Agreements, Technical Service Agreements, Cooperation Agreements or other business documents signed or confirmed between the Customer and Sniper.

1.2. Customer

Refers to the party that signs the Master Agreement with Sniper or accepts Sniper’s products, software or services.

1.3. Sniper

Refers to Suzhou Sniper Medical Technologies Co., Ltd. and its affiliates, branches or authorized entities that provide products, software or services pursuant to the Master Agreement.

1.4. Personal Information

Refers to various information recorded electronically or otherwise that relates to an identified or identifiable natural person, excluding information that has been anonymized.

1.5. Sensitive Personal Information

Refers to personal information that, if leaked or illegally used, would easily lead to infringement of the personal dignity of a natural person or endanger personal or property safety, including medical and health information, genetic testing-related information, biometric information, financial accounts, location tracking, and personal information of minors under the age of 14.

1.6. Customer Personal Information

Refers to personal information provided by the Customer to Sniper, or processed by Sniper on behalf of the Customer in accordance with the Customer’s instructions.

1.7. Processing

Refers to any operation or set of operations performed on personal information, including collection, storage, use, processing, transmission, provision, disclosure, deletion, access, reading, copying, backup, restoration, analysis, de-identification, anonymization, etc.

1.8. Personal Information Processor/Controller

Refers to an organization or individual that independently determines the purposes and means of processing personal information in personal information processing activities.

1.9. Entrusted Processor/Processor

Refers to an organization or individual that processes personal information in accordance with the entrustment and instructions of the personal information controller.

1.10. Subprocessor

Refers to a third party or affiliate entrusted by Sniper to assist Sniper in processing Customer Personal Information on behalf of the Customer.

2. Roles of the Parties
2.1. Sniper as an Independent Personal Information Controller

Sniper generally acts as an independent personal information controller when processing personal information for its own sales, contract performance, customer management, distributor management, supplier management, marketing activities, after-sales service, quality management, compliance management, finance and taxation, recruitment or dispute resolution purposes.
Such processing activities are governed by Sniper’s Privacy Statement, not the entrusted processing provisions of this Agreement.

2.2. Sniper as an Entrusted Processor

When Sniper provides software, cloud services, remote technical support, equipment maintenance, troubleshooting, data analysis, registration verification support, scientific research cooperation support, clinical research support or other services to the Customer in accordance with the Customer’s instructions, and processes Customer Personal Information on behalf of the Customer, the Customer is the personal information controller and Sniper is the entrusted processor.
Unless otherwise agreed in the Master Agreement or this Agreement, Sniper shall not independently determine the purposes and means of processing Customer Personal Information.

2.3. Joint Processing or Independent Processing

If the parties jointly determine the purposes and means of a personal information processing activity, the parties shall separately agree in writing on their respective rights and obligations.
If the parties independently determine the purposes and means of personal information processing, each party shall act as an independent personal information controller and bear corresponding compliance responsibilities respectively.

3. Scope of Processing

The scope of Customer Personal Information processed by Sniper on behalf of the Customer is limited to the Master Agreement, Orders, Service Descriptions, software functions, technical support requests, written instructions of the parties and the annexes to this Agreement.

3.1. Purposes of Processing
Sniper shall process Customer Personal Information solely for the following purposes:
  1. Providing products, software, equipment, reagents, consumables or related services;
  2. Conducting equipment installation, commissioning, training, maintenance, repair, remote diagnosis, troubleshooting and software upgrades;
  3. Responding to customer service requests, technical consultations, quality complaints, after-sales needs or regulatory requirements;
  4. Conducting Customer-authorized data analysis, methodological verification, performance evaluation, registration verification, scientific research cooperation or project support;
  5. Fulfilling the Master Agreement, Orders, quality management, auditing, dispute resolution or legal obligations;
  6. Other purposes confirmed in writing by both parties.
3.2. Means of Processing

Means of processing include receipt, access, reading, storage, use, transmission, backup, restoration, analysis, export, deletion, de-identification, anonymization, etc.

3.3. Processing Period

The processing period shall be the validity period of the Master Agreement, the service period, and the reasonable period required for fulfilling laws and regulations, supervision, quality management, auditing, dispute resolution or data backup and restoration.

3.4. Processing Location

Processing locations include Sniper’s offices, data centers and service locations within the territory of China, and other locations confirmed by both parties or permitted by applicable laws. If cross-border processing or cross-border access is involved, Article 10 of this Agreement shall apply.

4. Customer Obligations
The Customer shall ensure that when providing Customer Personal Information to Sniper or instructing Sniper to process Customer Personal Information, it has met the requirements of applicable laws and regulations, including but not limited to:
  1. Having lawful, legitimate, necessary and clear processing purposes;
  2. Having a valid legal basis, including consent, separate consent, contractual necessity, legal obligation or other legal bases;
  3. Having fully informed relevant individuals of the personal information processing rules;
  4. Having obtained necessary authorizations, consents, separate consents, ethical reviews, regulatory filings or other approvals;
  5. The Customer Personal Information provided to Sniper is true, accurate, lawful, necessary and not excessive;
  6. Not providing Sniper with personal information unrelated to the service purposes;
  7. If involving information of patients, subjects or sample donors, anonymization or de-identification shall be prioritized;
  8. If involving sensitive personal information such as medical and health information, genetic testing information or children’s personal information, stricter compliance obligations shall be fulfilled;
  9. If involving cross-border provision of personal information, data export compliance procedures shall be completed in accordance with the law;
  10. The Customer’s instructions shall not violate applicable laws and regulations.
If Sniper believes that the Customer’s instructions may violate applicable data protection laws and regulations, Sniper shall have the right to suspend the execution of such instructions and request the Customer to confirm, modify or withdraw them.
5. Sniper Obligations
When processing Customer Personal Information as an entrusted processor, Sniper shall fulfill the following obligations:
  1. Processing Customer Personal Information only in accordance with the Customer’s written instructions and the provisions of the Master Agreement;
  2. Not processing Customer Personal Information for its own purposes, unless otherwise required by laws and regulations or otherwise agreed in writing by both parties;
  3. Not processing Customer Personal Information beyond the agreed purposes, means, scope and period;
  4. Imposing confidentiality obligations on employees, consultants, subcontractors or other personnel who have access to Customer Personal Information;
  5. Adopting technical and organizational security measures commensurate with the processing risks;
  6. Assisting the Customer in responding to personal data subject rights requests to the extent permitted by law and technically feasible;
  7. Assisting the Customer in completing personal information protection impact assessments, regulatory inquiries, security incident handling or compliance audits to the extent permitted by law and reasonable;
  8. Not proactively disclosing, selling or providing Customer Personal Information to unrelated third parties;
  9. Deleting, returning or anonymizing Customer Personal Information in accordance with the Customer’s reasonable instructions after the end of the service, unless otherwise required by laws and regulations to retain;
  10. Promptly notifying the Customer when it is found that the Customer’s instructions may violate applicable data protection laws and regulations.
6. Sensitive Personal Information and Medical-Related Data
6.1. Default Principle

Unless otherwise explicitly agreed in the Master Agreement, Research Agreement, Technical Service Agreement or written documents of both parties, the Customer shall not provide Sniper with personal information that can directly identify patients, subjects or sample donors.

6.2. Requirements for Necessary Provision
If it is indeed necessary to provide test data, sample numbers, case information, health and medical information, genetic information or other sensitive personal information to Sniper due to technical support, product quality investigation, clinical research, performance verification, registration declaration, after-sales service, adverse events or regulatory requirements, the Customer shall:
  1. Prioritize providing anonymized data;
  2. If anonymization is not possible, perform de-identification or desensitization;
  3. Delete direct identification information such as name, ID number, full date of birth, address, contact information and medical record number, unless truly necessary;
  4. Ensure that necessary informed consent, separate consent, ethical approval, authorization or other legal bases have been obtained;
  5. Separately confirm with Sniper the data scope, processing purpose, retention period, security measures and division of responsibilities;
  6. Not transmit sensitive personal information through unauthorized channels.
6.3. Sample Numbers and Test Data

Sample numbers, test results, genetic testing data, disease type information, medication information, etc., even if they do not directly contain names, may be associated with and identify specific individuals under certain conditions. Both parties shall prudently manage such information as personal information or sensitive personal information.

7. Security Measures
Sniper shall adopt reasonable security measures based on the nature, scope, purpose of the processing activities, the type of personal information and potential risks, including but not limited to:
  1. Establishing personal information protection and data security management systems;
  2. Implementing access permission control and the principle of least privilege;
  3. Conducting identity authentication and account management for authorized users;
  4. Imposing confidentiality constraints and data protection training on employees;
  5. Adopting encryption or other security protection measures for data in transit;
  6. Adopting encryption, desensitization, isolation or access control measures for sensitive data at rest;
  7. Retaining necessary system logs and operation records;
  8. Establishing data backup, restoration and business continuity mechanisms;
  9. Adopting network security protection, vulnerability management and malicious code protection measures;
  10. Conducting reasonable management of suppliers and subprocessors;
  11. Establishing a personal information security incident emergency response mechanism;
  12. Adopting de-identification, anonymization or data minimization measures as needed.
Specific security measures may vary depending on the type of product, software, service and the content purchased by the Customer. The parties may further agree on special security measures in the annexes.
8. Subprocessors
The Customer authorizes Sniper to use subprocessors to the extent necessary for providing products, software and services, including Sniper’s affiliates, cloud service providers, IT service providers, email service providers, customer support system service providers, logistics providers, maintenance service providers, professional consultants, etc.
Sniper shall require subprocessors to undertake confidentiality, data protection and security obligations no lower than those under this Agreement through contracts or other legal documents.
If required by applicable laws or reasonably requested by the Customer, Sniper may provide the Customer with the current categories or list of major subprocessors.
If Sniper adds or replaces a subprocessor that may have a significant impact on the processing of Customer Personal Information, Sniper shall notify the Customer in a reasonable manner. If the Customer has reasonable objections, it shall raise them within a reasonable period after the notification; the parties shall negotiate a solution. If no solution can be reached, the Customer may terminate the affected services, but shall pay the fees incurred up to the date of termination.
9. Restrictions on Third-Party Provision and Public Disclosure
Without the Customer’s written authorization, Sniper shall not provide or publicly disclose Customer Personal Information to unrelated third parties, except in the following circumstances:
  1. Required by laws and regulations, regulatory authorities, courts, arbitration institutions, law enforcement agencies or other competent authorities;
  2. Necessary for the performance of the Master Agreement and necessary protection measures have been taken;
  3. Necessary for handling security incidents, quality incidents, adverse events, recalls or emergency risks;
  4. Other circumstances authorized by the Customer or permitted by laws and regulations.
If disclosure of Customer Personal Information is required by law, Sniper shall notify the Customer in a timely manner to the extent permitted by law and shall limit the scope of disclosure as much as possible.
10. Cross-border Provision and Overseas Access

If the processing of Customer Personal Information by Sniper on behalf of the Customer involves cross-border provision, overseas access, overseas storage or overseas technical support, the parties shall take necessary compliance measures in accordance with applicable laws.

10.1. Customer Responsibilities
As the personal information controller, the Customer is generally responsible for completing the following matters, unless otherwise agreed in writing by both parties:
  1. Judging the data export scenario and legal path;
  2. Informing individuals of the overseas recipient, processing purpose, processing means, types of personal information and ways to exercise their rights;
  3. Obtaining separate consent from individuals, unless otherwise stipulated by laws and regulations;
  4. Conducting a personal information protection impact assessment;
  5. Completing data export security assessment, standard contract for personal information export filing, personal information protection certification or other compliance procedures;
  6. Ensuring that the cross-border processing instructions issued to Sniper are lawful and valid.
10.2. Sniper Responsibilities

Sniper shall cooperate with the Customer in completing data export compliance to the extent permitted by law and reasonable, including providing necessary information, signing applicable data processing documents, adopting security protection measures, and restricting the processing purposes and scope of overseas recipients.

10.3. Important Data and Large-Scale Personal Information

If Customer Personal Information may constitute important data, or the volume of personal information to be exported reaches the threshold at which laws and regulations require a security assessment, a standard contract or certification, the Customer shall complete the compliance judgment and necessary procedures before providing the relevant data to Sniper or issuing cross-border processing instructions.

11. Personal Data Subject Requests
If a personal data subject directly submits a request to Sniper for inquiry, copying, correction, deletion, withdrawal of consent, restriction of processing, explanation, transfer, etc., related to Customer Personal Information, and Sniper only processes such information as an entrusted processor, Sniper may forward the request to the Customer for processing or require the requester to contact the Customer directly.
Sniper shall provide reasonable assistance to the Customer to the extent permitted by law and technically feasible.
If such assistance exceeds the service scope agreed in the Master Agreement, the parties may separately negotiate the fees, time and implementation methods.
12. Personal Information Protection Impact Assessment
In the following circumstances, the Customer shall conduct a personal information protection impact assessment in accordance with applicable laws, and Sniper shall provide necessary assistance within a reasonable scope:
  1. Processing sensitive personal information;
  2. Using personal information for automated decision-making;
  3. Entrusting processing, providing personal information to other personal information controllers, or publicly disclosing personal information;
  4. Providing personal information overseas;
  5. Other personal information processing activities that have a significant impact on personal rights and interests.
The Customer shall legally retain the personal information protection impact assessment report and processing records.
13. Security Incident Notification and Handling
If Sniper discovers or reasonably confirms a security incident involving Customer Personal Information such as leakage, tampering or loss, Sniper shall notify the Customer without undue delay; in principle, no later than 72 hours after confirming the incident, unless laws and regulations, regulatory requirements or written agreements of both parties require a shorter period.
The notification content shall include, to the extent feasible:
  1. The nature of the incident, the cause of occurrence and possible impact;
  2. The types of personal information involved and the categories of data subjects;
  3. The scale of affected data;
  4. The disposal measures taken or to be taken;
  5. Recommended risk mitigation measures for the Customer;
  6. Contact information of Sniper.
Sniper shall cooperate with the Customer in investigating, controlling, remedying and legally fulfilling regulatory reporting or individual notification obligations.
Without the Customer’s consent, Sniper shall not publicly disclose a security incident involving Customer Personal Information, except as required by laws and regulations, regulatory authorities, courts, arbitration institutions or law enforcement agencies.
14. Audit and Compliance Certification
The Customer may request Sniper to provide compliance information related to the performance of this Agreement within a reasonable scope. Sniper may meet the Customer’s reasonable audit needs through the following methods:
  1. Providing descriptions of security measures;
  2. Providing compliance statements or questionnaire responses;
  3. Providing third-party certifications, audit reports or summaries, if any;
  4. Conducting remote or on-site audits after written agreement by both parties.
The Customer shall give Sniper reasonable advance notice of any audit. The audit shall not unreasonably interfere with Sniper’s normal business operations, and shall not access information unrelated to Customer Personal Information, other customers’ data, Sniper’s trade secrets, source code, underlying system configurations or security-sensitive information.
The auditor shall undertake strict confidentiality obligations.
15. Data Return, Deletion and Retention
Upon termination of the Master Agreement, completion of services or upon reasonable request by the Customer, Sniper shall return, delete or anonymize Customer Personal Information in accordance with the Customer’s instructions to the extent permitted by law and technically feasible.
The following information may be retained for the necessary period:
  1. Information required to be retained by laws and regulations, supervision, taxation, auditing, quality management, medical device traceability or dispute resolution;
  2. Information in backup systems that cannot be immediately deleted but will be overwritten or deleted within the normal backup cycle;
  3. Information that has been anonymized and cannot identify specific natural persons;
  4. Records necessary to prove contract performance, compliance obligations or claims of rights.
During the retention period, Sniper shall still take reasonable protection measures and shall not use such information for purposes other than the retention purpose.
16. De-identification, Anonymization and Aggregated Data
To the extent that no specific natural person is identified and in compliance with applicable laws, Sniper may de-identify, anonymize or aggregate Customer Personal Information for product quality improvement, equipment performance analysis, software optimization, algorithm verification, service improvement, statistical analysis, fault trend analysis or internal management.
If such data can still identify specific natural persons, Sniper shall still protect it in accordance with this Agreement and applicable laws.
Data after anonymization is no longer considered personal information, and Sniper may use it within the scope permitted by law.
17. Confidentiality
Both parties shall undertake confidentiality obligations for personal information, trade secrets, technical information, customer information, system information, price information, contract information and other confidential information learned in the course of performing this Agreement.
Without the written consent of the other party, neither party shall disclose confidential information to unrelated third parties, except as required by laws and regulations, regulatory authorities, courts, arbitration institutions or competent authorities.
18. Allocation of Responsibilities
The Customer shall be responsible for the lawfulness of its personal information processing purposes, processing means, data sources, informed consent, ethical review, data export, legal basis and processing instructions.
Sniper shall be responsible for security protection, confidentiality obligations, subprocessor management and the obligations agreed in this Agreement during the processing of Customer Personal Information in accordance with the Customer’s instructions.
Either party that causes losses to the other party due to violation of this Agreement or applicable data protection laws and regulations shall bear corresponding responsibilities in accordance with the law.
To the extent permitted by law, the limitation of liability, disclaimer, indemnification and dispute resolution under this Agreement shall apply to the relevant provisions of the Master Agreement, Sales Terms or other written agreements between the parties.
19. Legal Requirements and Regulatory Cooperation
If Sniper receives a request from a regulatory authority, law enforcement agency, court, arbitration institution or other competent authority to provide Customer Personal Information, Sniper shall notify the Customer in a timely manner to the extent permitted by law.
If the law prohibits notifying the Customer, Sniper shall only provide necessary information within the scope required by law and take reasonable measures to protect Customer Personal Information.
20. Agreement Validity and Conflicts
This Agreement constitutes an integral part of the Master Agreement.
If the provisions of this Agreement are inconsistent with the provisions of the Master Agreement regarding personal information protection and data processing, the provision that better protects personal information and is more in line with applicable legal requirements shall prevail; if it cannot be determined, this Agreement shall prevail.
If applicable standard contracts, cross-border data transfer documents, mandatory regulatory provisions or mandatory legal provisions are inconsistent with this Agreement, such mandatory applicable provisions shall prevail.
21. Governing Law and Dispute Resolution
The governing law and dispute resolution mechanism of this Agreement shall be consistent with those of the Master Agreement.
In the absence of such provisions in the Master Agreement, this Agreement shall be governed by the laws of the People’s Republic of China. Any dispute arising from or in connection with this Agreement shall first be resolved through amicable negotiation between the Parties. If the negotiation fails, the dispute shall be submitted to the China International Economic and Trade Arbitration Commission (CIETAC) for arbitration in Beijing. The arbitral award shall be final and binding on both Parties.
Annex 1: Description of Processing Activities
Purposes of Processing: Providing products, software, equipment, reagents, consumables, technical support, after-sales service, remote diagnosis, quality management, customer support and services agreed in the Master Agreement.

Categories of Data Subjects: Customer employees, customer contacts, distributor/agent personnel, supplier personnel, authorized users, after-sales service contacts; may include patients, subjects or sample donors under written agreement by both parties.

Categories of Personal Information: Name, unit, position, telephone, email, address, account information, equipment usage information, service records, training records, fault records, quality complaint information, log information.

Sensitive Personal Information: Not processed by default; if it is indeed necessary to process health and medical information, genetic testing data, test results, sample-related information, etc., separate written confirmation shall be made and higher protection measures shall be taken.

Processing Operations: Receipt, access, reading, storage, use, transmission, analysis, backup, restoration, deletion, anonymization, de-identification.

Processing Period: During the term of the Master Agreement or service, and the reasonable period required for fulfilling legal, regulatory, quality management, auditing and dispute resolution requirements.

Categories of Subprocessors: Affiliates, cloud service providers, IT service providers, email service providers, customer support system service providers, logistics providers, maintenance service providers, professional consultants, etc.

Cross-border Transfer: If cross-border transfer is involved, both parties shall separately complete the necessary compliance procedures in accordance with applicable laws.
Annex 2: Technical and Organizational Security Measures
Sniper shall adopt one or more of the following measures according to the type of service:
  1. Classification and grading management of personal information;
  2. Access permission approval and regular review;
  3. Employee confidentiality commitments and training;
  4. Account identity authentication and password management;
  5. Data transmission encryption or secure channels;
  6. Desensitization, de-identification or encrypted storage of sensitive data;
  7. Security management of servers, terminals, networks and office environments;
  8. Log recording, anomaly monitoring and operation auditing;
  9. Data backup, disaster recovery and business continuity measures;
  10. Supplier security assessment and contractual constraints;
  11. Security incident emergency response;
  12. Regular inspection and improvement of security management measures.