Home /

Data Protection Agreement


“Almac” means Almac Group Limited and its affiliates. 

Data Protection Law” means the legislation protecting the fundamental rights and freedoms of persons and, in particular, their right to privacy, with regard to the Processing of Personal Data.

Data Subject” means an identified or identifiable natural person.

EU Equivalent Protection Area” means the area (or entities as applicable) that comprises:

  • the UK or countries within the European Economic Area; and 
  • countries which the UK or the European Commission may, from time to time, officially recognise as ensuring an adequate level of protection.

In-Scope Data” means any Personal Data processed by Supplier on behalf of Almac in connection with this Agreement. 

Personal Data” means any information relating to an identified or identifiable natural person.

Process” and variants of it, such as “Processing” (whether capitalised or not) means any operation or set of operations which is performed on Personal Data, or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Supplier” means the entity which supplies goods and/or services to Almac under this Agreement. 

Services” means the services to be provided by Supplier under this Agreement.   “this Agreement” means the applicable written contract, terms and conditions of business or another form of contract under which Supplier supplies goods and/or services to Almac, and processes Personal Data on behalf of Almac or otherwise in connection therewith.


1.1. Each of Almac and Supplier shall, at all times, comply with its obligations under Data Protection Law arising pursuant to this Agreement. 

1.2. To the extent the Supplier processes In-Scope Data on behalf of Almac, the Supplier shall:

1.2.1. process In-Scope Data only:

(a) so far as necessary to provide the Services and perform its other obligations under this Agreement; and

(b) in accordance with Almac’s documented instructions from time to time, as established in this Agreement; and

1.2.2. promptly notify Almac if in the Supplier ‘s opinion any documented instruction is in breach of Data Protection Law.

1.3. To the extent the Supplier is obliged to process In-Scope Data for any other purpose by applicable law, including lawful requests from law enforcement agencies, it shall inform Almac of this requirement prior to processing the In-Scope Data unless such law prohibits this on important grounds of public interest;

1.4. The Supplier shall promptly comply with any request from Almac requiring the Supplier to amend, transfer or delete In-Scope Data.

1.5. As soon as practicable, refer to Almac any requests, notices, complaints or other notifications relating to In-Scope Data from Data Subjects, supervisory authorities (including the Information Commissioner), or other third party, to the extent permitted by Applicable Law, for Almac to resolve; 

1.6. The Supplier shall at Almac’s request, and at no additional cost, provide Almac with full cooperation and assistance as required by Almac to meet its obligations under Data Protection Law, including by providing Almac with full details of the processing carried out by the Supplier, providing copies of any of the In-Scope Data held by the Supplier and any necessary assistance in communicating with Data Subjects, supervisory authorities, any other law enforcement authority or other third party in relation to the Supplier’s processing of In-Scope Data.

1.7. The Supplier shall implement and maintain technical and organisational measures (including organisational processes and procedures, and including any specific security obligations set out or referred to in this Agreement) to protect the In-Scope Data from unauthorised use or access, accidental loss, damage, destruction, theft or disclosure, and ensure that such measures are commensurate with the harm that may result from unlawful processing, unauthorised use or access, accidental loss, damage, destruction, theft or disclosure of the In-Scope Data and the nature of the In-Scope Data itself. 

1.8. To the extent the Supplier becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration or disclosure of, or access to, the In-Scope Data as processed by the Supplier (“Security Breach”), the Supplier shall:

1.8.1. as soon as reasonably practicable notify Almac (and in any event within twenty-four hours of becoming aware);

1.8.2. provide Almac (as soon as possible and no later than within two business days) with a detailed description of the Security Breach, including the type of In-Scope Data that was subject to the Security Breach and the identity of each affected Data Subject, as well as periodic updates to this information and any other information Almac may reasonably request relating to the Security Breach;

1.8.3. take action immediately, at the Supplier’s own expense, to investigate the Security Breach and to identify the effects of the Security Breach and, take measures to prevent and mitigate further effects, take any other action to remedy the Security Breach, and inform the Almac as soon as reasonably possible of what actions have been taken or are planned to be taken;

1.8.4. not release or publish any filing, communication, notice, press release or report concerning the Security Breach, or communicate directly with Data Subjects, without Almac’s prior written consent, except as required by legislation or regulation; and

1.8.5. continue to promptly provide Almac all assistance requested to investigate the cause of, and implement mitigation and remedial measures in respect of, the Security Breach.

1.9. The Supplier shall restrict the disclosure of In-Scope Data to those of its employees and any affiliates employees who may be required to assist it in providing the Services and shall ensure that such employees and affiliates employees:

1.9.1. have undergone training in processing Personal Data and the law and practice of data protection and privacy; and

1.9.2. are bound by contractual obligations which provide equivalent protections in relation to In-Scope Data to those set out in this clause 1.

1.10. The Supplier shall cooperate fully with Almac in implementing such further measures as Almac may reasonably require to protect In-Scope Data in accordance with Data Protection Law, including entering into (or procuring that a subcontractor enters into) a further data processing agreement with Almac.

1.11. The Supplier shall not transfer the In-Scope Data to any third party outside the EU Equivalent Protection Area without the prior written consent of Almac unless Supplier and the entity to which Supplier wishes to transfer the In-Scope Data have entered into valid, appropriate and relevant standard contractual clauses for the transfer of personal data to processors or controllers established in third countries  Supplier shall ensure that no transfers of In-Scope Data shall occur outside the EU Equivalent Protection Area unless such valid, appropriate and relevant clauses have been concluded. Almac shall have a right to request to view such clauses upon request to ensure compliance with this clause subject to confidentiality provisions in place between Supplier and such entity.   

1.12. If Almac has agreed or agrees in writing that Supplier may sub-contract the supply of good and/or services under this Agreement to a third party, such third party shall be bound by data protection obligations at least equivalent to those in this clause 1. Supplier shall, for the avoidance of doubt, remain fully liable for the acts and omissions of its sub-contractors.

1.13. Almac is entitled, on giving reasonable notice to the Supplier, to inspect (or appoint representatives to inspect) all facilities, equipment, documents and electronic data relating to the processing of In-Scope Data by the Supplier to ensure the Supplier’s compliance with this clause 1.

1.14. On expiry or termination of this Agreement for whatever reason the Supplier shall forthwith cease to use or process any In-Scope Data and shall, at Almac’s option:

1.14.1. return, in a format and on storage media that Almac may reasonably specify, all In-Scope Data that the Supplier (or its subcontractors) is electronically storing (or is under its (or its subcontractors’) possession or control) and upon Almac’s confirmation of receipt of the In-Scope Data delete or destroy the In-Scope Data, in such manner as Almac may reasonably request, including destroying relevant copies and back-ups; or1.14.2. directly delete or destroy the In-Scope Data, in such manner as Almac may reasonably request, including destroying relevant copies and back-ups

1.14.2. directly delete or destroy the In-Scope Data, in such manner as Almac may reasonably request, including destroying relevant copies and back-ups

This website uses cookies. By continuing to browse the site, you are agreeing to our use of cookies