Last Updated October 18, 2018
INTER-ORGANIZATIONAL DATA SHARING AGREEMENT
This Inter-Organizational Data Sharing Agreement (the “Agreement”) is entered into by and between the Participants defined below and shall become effective as to each Participant as of the date and time of such Participant’s electronic acceptance of this Agreement through the means provided (the “Effective Date”).
United Methodist Communications (“UMCom”), the communications agency for The United Methodist Church (“UMC”), has launched a new global Customer Relationship Management database solution (the “CRM Database”) for purposes of informing, in conjunction with UMCom’s new marketing platform, UMC’s broader marketing strategies in collaboration among its general agencies by capturing and centralizing customer behaviors and preference data. This Agreement shall govern all sharing of Data by those organizations and entities of UMC who choose to store their Data in the CRM Database. The CRM Database is maintained by UMCom for the UMC as a denomination and is available to all General Church bodies, without preference to any Participant, including UMCom. Such Shared Data shall be tagged specifically to the Data Provider, who, as between Participants, owns the exclusive right to any Data added to the Database, until a Data Subject self-selects to share his/her Data with another Participant. UMCom, in the role of Data Recipient, and any one or more Participants, in the role of Data Providers, may outline more specific terms applicable to any specific exchange under this Agreement in the form of an Appendix, which Appendix, upon authorized electronic acceptance by the applicable Participants, shall become incorporated by reference and included within the scope of this Agreement. To the extent Data Providers have access to Shared Data, they will also be considered Data Recipients for purposes of this Agreement and the requirements it imposes on Data Recipients.
FULL TERMS AND CONDITIONS
A. SCOPE AND PARTICIPANTS.
1. Participants agree that this Agreement formalizes a lawful transfer of Data between and among Participants as permitted under its terms and presents no new or additional privacy concerns. Participants agree that they shall conduct an appropriate risk assessment in respect of any Data to be shared under this Agreement based on the type of Data (e.g. Personal Data, Sensitive Personal Data, etc.) and the necessity of the sharing in compliance with all applicable law, rules, and regulations. This Agreement serves to address any residual privacy or information risks and document the actions taken to identify, address and mitigate those risks wherever possible.
2. The sharing of any Data under this Agreement shall be necessary to support the agreed purposes set forth in this Agreement and any applicable Appendix for such Data type (e.g. Personal Data, Sensitive Personal Data, etc.). Participants shall not share, use, or process Shared Data in a way that is incompatible with the agreed purposes under this Agreement and any applicable Appendix for such Data type. Shared Personal Data must not be irrelevant or excessive with regard to such agreed purposes.
3. Participants acknowledge that other Participants may be added or terminated as Participants to this Agreement at any time; therefore, Participants may not rely on the continued availability of a particular Participant’s Data. Participants agree that, prior to admission of a new Participant, the new Participant must agree to be bound by the terms of this Agreement by electronic acceptance by the means provided. Participants agree that, upon such stipulation by a duly authorized representative of such additional Participant, such additional Participant shall be deemed to be a signatory to this Agreement and will be bound by all the terms of this Agreement.
“Authorized User” means an individual who has been granted the appropriate privileges and rights from a Participant to access, view, modify, and/or process Shared Data.
“Data” means the representation of facts as texts, numbers, graphics, images, sounds, or video. Facts are captured, stored, and expressed as Data.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Shared Data.
“Data Owner” means the person or entity having the responsibility and authority for Data.
“Data Provider” means a Participant that provides Data to a Data Recipient under this Agreement.
“Data Recipient” means a Participant and/or its Authorized Users who receive Data from a Data Provider under this Agreement.
“Data Source Systems” means individual data source systems from Data Providers.
“Data Subject” means the individual to whom Personal Data relates.
“EEA” means European Economic Area.
“Family Education Rights and Privacy Act” (“FERPA”), 20 U.S.C. Section 1232g, means the United States law that protects the privacy of students’ personally identifiable information.
“General Data Protection Regulation” (“GDPR”) means EU General Data Protection Regulation 2016/679.
“The Health Insurance Portability and Accountability Act of 1996” (“HIPAA”), and regulations promulgated thereunder by the U.S. Department of Health and Corrections (the “HIPAA Regulations”), means the United States law that establishes privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers.
“Linked Data” means the resulting data set after two or more Participants’ Shared Data have been linked.
“Participant” means a signatory to this Agreement.
“Personal Data” means any information relating to an identified or identifiable natural person or, to the extent required under any applicable law, shall also include information relating to identified or identifiable corporate persons.
“Publication” means the circulation, distribution, or printing of information to or for the public at large.
“Sensitive Personal Data” means data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
“Shared Data” means Data shared by a Data Provider with a Data Recipient under this Agreement.
“Shared Personal Data” means Data shared by a Data Provider with a Data Recipient under this Agreement that includes any information relating to an identified or identifiable natural person.
“Special Category Data” means special categories of Personal Data as described in the GDPR.
“Subject Access Request” means a request by a Data Subject for access to its Personal Data.
“UMC” means The United Methodist Church.
“UMCom” means United Methodist Communications, the communications agency of UMC.
“UMC Entity” means an official United Methodist Church entity, including, without limitation, any such governing body, conference, district, agency, local church, ministry, institution, office, program, or other organization or entity.
C. CONTROLLING LAWS, RULES AND REGULATIONS.
1. Each Participant shall provide, access, and/or use Shared Data only for purposes permitted under this Agreement and any applicable Appendix and consistent with all applicable international, federal, state and local laws, rules and regulations.
2. Notwithstanding any prior approvals regarding the sharing of Data, if a modification to this Agreement is required for compliance with changes to controlling laws, rules, or regulations, Participants shall cooperate in good faith with each other to implement such changes.
3. Each Participant acknowledges that access and use policies may differ among Participants as a result of differing applicable laws, rules, regulations, and business practices.
D. ROLES AND RESPONSIBILITIES.
Each Participant shall appoint a single point of contact within its organization who can be contacted with respect to Data sharing under this Agreement and queries or complaints under the terms of this Agreement or in connection with Data sharing under this Agreement.
E. DATA SHARING GENERALLY.
1. Data Provider, in its discretion, may share Data with a Data Recipient upon a Data Recipient’s prior consent, for permitted use, processing, and/or modification by such Data Recipients and their Authorized Users for the purposes described in this Agreement and/or an applicable Appendix. Any such sharing of Data shall be governed by this Agreement and any applicable Appendix.
2. Data Provider shall ensure that Shared Data is transmitted through sufficiently secure connections.
F. ACCESS RIGHTS AND RESTRICTIONS/AUTHORIZED USERS.
1. Data Recipients shall not disclose, in whole or in part, Shared Data to any individual or entity not specifically authorized by this Agreement or any applicable Appendix. Data Recipients shall protect Shared Data according to acceptable industry standards, all applicable laws, rules, and regulations, and no less rigorously than they protect their own confidential information.
2. Each Data Provider shall have sole discretion to determine rights of access to Shared Data by Data Recipients and their Authorized Users. Data Providers acknowledge and understand that they are responsible for effectively communicating any access restrictions to Data Recipients, and Data Recipients acknowledge and understand that they are responsible for effectively communicating any access restrictions to their Authorized Users.
3. Further, each Data Recipient shall have sole discretion to add additional access restrictions, beyond any imposed by Data Providers, and based on applicable laws, rules, regulations, and policies.
4. The Data Recipient shall ensure that Shared Data is kept in a secured environment at all times and that only Authorized Users have access to Shared Data.
5. Each Participant is responsible for overseeing the actions of its Authorized Users with respect to the provision, use, and access of Shared Data.
6. Data Recipients shall restrict access to Shared Data to Authorized Users and only for the purposes authorized in this Agreement and/or any applicable Appendices. Data Recipients shall ensure that Authorized Users are appropriately trained prior to accessing Shared Data, understand the guidelines for access and use of Shared Data, and train Authorized Users with respect to security and the handling and use of Shared Data.
7. Data Recipients shall immediately remove an Authorized User’s access to shared Data if the Authorized User no longer qualifies as an Authorized User due to improper use and/or disclosure or if such Authorized User’s role and responsibilities change and the Authorized User is no longer performing the functions of permitted uses.
8. Should a Participant request to stop exchanging Data with another Participant based on statutory or regulatory changes, or based on such other Participant’s actions in connection with the Data or this Agreement, the Participant shall immediately notify the other Participant of such request and the reasons in support of such request, and such Participant shall comply with the requesting Participant’s request within a reasonable period of time.
G. DATA MAINTENANCE, USE AND MODIFICATION.
1. Data Recipient may use and disclose Shared Data only as permitted in this Agreement and only in a manner that does not violate applicable laws, rules, and regulations.
2. Each Participant will be limited to the modification of only its Data and may not modify another Participant’s Data without the prior written permission of such Participant.
3. Data Providers shall maintain their own Data and provide Data definitions to Data Recipients upon request.
4. Data Recipient maintains a stewardship role for the preservation and quality of Shared Data.
5. Data Provider shall not share any Personal Data or Sensitive Personal Data without the prior express written permission of UMCom.
7. Each Data Subject, including individual, as well as all entities for which Data is shared under this Appendix, will, upon inclusion of their Data, be subscribed to a UMC newsletter based on their role as it pertains to UMC (member, leader, or prospective member) and shall have the option to receive the newsletter by text and/or email. These Data Subjects will have access to the UMC Global Preference Center to express communication preferences affirmatively at the outset and going forward, including to opt in to, update, and unsubscribe to subscriptions for the newsletter and other UMC offerings, both through an introductory email and through a link to the Preference Center at the bottom of each email. Any Data Subjects who select through the Preference Center to receive communications from more than one Data Provider will remain in the Database for the other selected Data Providers even if the original Data Provider terminates the Agreement.
8. Each Data Provider will have full access to its Shared Data.
9. Shared Data will not be used by any Participant, including Data Recipients or their Authorized Users, other than the Data Provider, for any purpose unless the Data Subject self-selects to receive communication from another Participant through the Preference Center or through another Participant’s own Data capture processes.
10. Data Providers agree that denomination-wide newsletters and announcements may be shared with any contacts whose Data has been shared under this Agreement, as long as the frequency is reasonable (not more than twice a month).
H. DATA OWNERSHIP.
As between Participants, Data Provider shall serve as the Data Owner unless set forth otherwise in an Appendix or otherwise agreed in writing by the affected Participants. Data Recipient shall not retain any right, title or interest in any of the Shared Data unless set forth otherwise in an Appendix or otherwise agreed in writing by the affected Participants.
I. DATA SECURITY.
Participants agree to securely maintain Shared Data and to take all reasonable precautions and implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the particular type of Shared Data and to secure Shared Data from individuals who do not have authorized access. Participants agree to implement appropriate technical and organizational measures to protect the Shared Data in their possession against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, including, without limitation:
1. Ensuring IT equipment, including portable equipment, is kept in lockable areas when unattended;
2. Not leaving portable equipment containing the Data unattended;
3. Ensuring that Authorized Users use appropriate secure passwords for logging into systems or databases containing the Data;
4. Ensuring that all IT equipment is protected by suitable antivirus software, firewalls, passwords and encryption devices;
5. Ensuring that any Shared Personal Data is stored and transferred (including where stored or transferred on portable devices or removable media) using industry standard encryption;
6. Limiting access to relevant databases and systems to those Authorized Users who need to have access to such Data, and ensuring that passwords are changed and updated regularly to prevent inappropriate access when individuals are no longer engaged by the Participant;
7. Conducting regular threat assessment or penetration testing on systems;
8. Ensuring all Authorized Users handling Personal Data have been made aware of their responsibilities with regards to handling of Personal Data; and
9. Allowing for inspections and assessments to be undertaken by the Data Provider in respect of the security measures taken, or producing evidence of those measures if requested.
J. DATA RETENTION AND DELETION.
1. Data Recipient shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes, except that the Data Recipient shall continue to retain Shared Data in accordance with any applicable retention periods required under the law.
2. Data Recipient shall ensure that any Shared Data are returned to Data Provider or destroyed in the following circumstances, unless the affected Participants agree otherwise in writing:
a. On termination or expiration of the Agreement for whatever reason or termination of membership of the applicable Participants to the Agreement (unless extended further pursuant to the terms of the Agreement or an applicable Appendix); or
b. Once processing of the Shared Data is no longer necessary for the purposes for which it was originally shared.
After Data is destroyed, the Data Recipient shall provide written confirmation to the Data Provider.
3. Any Data Subjects who select through the UMCom global Preference Center to receive communication from more than one Participant will remain in the Database for the other selected Participants even if the original Data Provider terminates the Agreement.
Data Recipients shall provide to Data Providers the right of access to Data Recipient facilities at all reasonable times, in order to monitor and evaluate performance, compliance, and/or quality assurance under this Agreement or other monitoring activities of the other Participant’s Data governance policies, procedures, and systems. If, through these monitoring activities, vulnerability is found, the breaching Participant must take timely appropriate action to correct or mitigate any weaknesses discovered.
L. USE AND ANALYSIS OF DATA AND RESULTING INTELLECTUAL PROPERTY
Data Recipient may request Data use approval from Data Provider for research purposes and the development of papers, reports, studies, publications, and the like (“Work Product”). Unless otherwise agreed in writing by the affected Participants, Data Provider shall be cited as the source of the Data in all such Work Product and Data Recipient shall be cited as the source of interpretations, calculations, and/or manipulations of the Data. Data Provider shall not release the Work Product to the public or third parties without the prior written consent of Data Provider, and Data Recipient shall modify the Work Product as necessary before disclosure to the public or third parties to protect sensitive or confidential Data from public disclosure and to comply with applicable laws, rules, and regulations and any requests of Data Provider. Work Product, excluding the Data incorporated into the Work Product, shall be and remain the sole and exclusive property of the applicable Data Recipient unless otherwise agreed by the applicable Participants, and said Data Recipient shall own all Intellectual Property rights to such Work Product.
M. UNAUTHORIZED USES, DISCLOSURES OR BREACHES.
1. Participants shall notify all affected Participants of any potential or actual losses of Shared Data and Data Breaches of which they become aware as soon as possible and, in any event, within one (1) business day of identification of any potential or actual loss to enable the Participants to consider what action is required to resolve the issue in accordance with applicable laws, rules, and regulations.
2. Participants shall provide reasonable assistance as is necessary to facilitate the handling of any Data Breach in an expeditious and compliant manner. In the event of a Data Breach, the Data Recipient shall coordinate with the Data Provider to contact and inform the individual parties who may have been affected by the Data Breach. Data Recipients may not contact individual parties prior to notifying the Data Provider and shall only do so in coordination with the Data Provider.
3. If costs are associated with notifying individuals whose Data has been compromised or any other damages resulting from the release of the Data, the compensating party shall depend on determined fault for the Data Breach. If the Data Provider is responsible for the breach, the Data Provider shall compensate for communication and damages. If the Data Recipient is responsible for the breach, the Data Recipient shall compensate for communication and damages.
N. DATA SUBJECTS.
1. Data Subjects have the right to obtain certain information about the processing of their Personal Data through a Subject Access Request. Data Subjects may also request rectification, erasure or blocking of their Personal Data.
2. Participants shall maintain a record of Subject Access Requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the Data accessed and shared and, where relevant, notes of any meetings, correspondence, phone calls, or other communications relating to the request.
3. Participants agree that the responsibility for complying with a Subject Access Request falls to the Participant receiving the Subject Access Request in respect of the Personal Data held by that Participant.
4. Participants agree to provide reasonable and prompt assistance (in no event later than five (5) business days of such a request for assistance) as is necessary to each other to enable them to comply with Subject Access Requests and to respond to any other queries or complaints from Data Subjects.
5. Participants shall make available upon request to Data Subjects who are third-party beneficiaries a copy of this Agreement or relevant portions of it, unless it contains confidential information.
6. Participants shall respond to Subject Access Requests in accordance with the terms of this Agreement and in accordance with the Data Protection Authority. Participants shall respond within a reasonable time and as far as reasonably possible to inquiries from any relevant Data Protection Authority in relation to Shared Personal Data.
O. SHARED PERSONAL DATA.
1. To the extent applicable, all Data sharing under this Agreement shall be performed in accordance with the requirements of HIPAA, FERPA, and all other applicable laws, rules, and regulations. Data Recipient shall not share Shared Personal Data with a third party without the express written permission of Data Provider. Where such express written permission has been granted, Data Recipient shall not disclose or transfer Shared Personal Data to any third party without ensuring that adequate protections will be afforded to the Shared Personal Data.
2. The following terms shall apply only if the sharing of Data under this Agreement is subject to the GDPR; i.e., any affected Participant is located within the EEA, or any affected Participant, regardless of where located, offers goods or services to, or monitors the behavior of, EEA Data Subjects, or any affected Participant processes or holds the Data of Data Subjects
a. Each Participant shall hold a valid registration with its national Data Protection Authority if legally required prior to any sharing of Shared Personal Data sufficient to cover such Shared Personal Data.
b. Transfers of Personal Data to Third Parties:
Data Recipient shall not share Shared Personal Data with a third party or transfer Shared Personal Data out of the EEA without the express written permission of Data Provider, except as otherwise set forth in this paragraph. Notwithstanding the foregoing, permission is not required if required to make such transfer under applicable law, in which case Data Recipient shall inform Data Provider of such legal requirement before transfer, unless the law prohibits such information on important grounds of public interest. Where such express written permission has been granted or such transfer is required under written law, Data Recipient shall not disclose or transfer Shared Personal Data out of the EEA without ensuring that adequate and equivalent protections will be afforded to the Shared Personal Data. This restriction will not apply to any Data transfers carried out by a Data Provider in respect of Shared Personal Data.
c. Data Processing of Shared Personal Data:
i. Each Participant shall ensure that it processes Shared Personal Data fairly and lawfully and only where processing is necessary in conformance with the purposes of this Agreement, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject that require protection of Shared Personal Data.
ii. Where Sensitive Personal Data or Special Category Data is shared this will be on the following additional grounds:
- The processing of Sensitive Personal Data is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons—(i) holding different beliefs, or (ii) of different states of physical or mental health or different physical or mental conditions, with a view to enabling such equality to be promoted or maintained, providing that the Data use does not support measures or decisions with respect to any particular Data Subject otherwise than with the explicit consent of that Data Subject; and does not cause, nor is likely to cause, substantial damage or substantial distress to the Data Subject or any other person.
- The processing of Special Category Data is necessary for reasons of substantial public interest, on the basis of applicable law that shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject.
iii. Personal Data and Sensitive Personal Data/Special Category Data may be shared in addition to Personal Data relating to alleged or actual criminal offenses, only where one of the following lawful grounds apply:
- The processing is necessary for the exercise of any functions conferred on any person by or under an enactment; or
- The processing is necessary to protect the vital interests of the Data Subject or another individual where the Data Subject is physically or legally incapable of giving consent; or
- The processing is necessary for reasons of substantial public interest, on the basis of applicable law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject.
iv. Participants shall inform Data Subjects of the purposes for which it will process their Personal Data and provide all of the information that it must provide in accordance with its own applicable laws, to ensure that Data Subjects understand how their Personal Data will be processed.
P. WARRANTIES AND DISCLAIMERS.
1. In granting access to Shared Data to Authorized Users, Data Recipients warrant and represent that such individuals are authorized to access such Shared Data based on their functions and responsibilities.
2. Data Providers warrant and represent that they have approved all Shared Data in accordance with all applicable federal, state, and local laws, rules and regulations and policies, and that such Shared Data may be shared without the consent of any other person or entity in accordance with any restrictions set forth in this Agreement or any applicable Appendix or as otherwise sufficiently communicated by Data Provider.
3. Data Providers make no representations about the accuracy, completeness, validity, or authentication of their Shared Data. Notwithstanding the foregoing, Participants shall take all reasonable steps to ensure that Shared Personal Data is accurate. Participants shall report any known inaccuracies or systematic problems with Shared Data to other affected Participants.
Q. LINKED DATA.
The result of linking different entities’ data sets is a new data set that potentially has unique regulations and conditions governing its release and use. Each Participant shall have the right to review any new data sets and resulting Intellectual Property prior to Publication to verify that proper disclosure avoidance techniques have been used and to ensure that they reflect the original intent of the Data sharing outlined in this Agreement and any applicable Appendix.
R. NON-FINANCIAL UNDERSTANDING.
This Agreement is a non-financial understanding among the Participants. No financial obligation by or on behalf of any Participant is implied by this Agreement or any Appendix unless specifically set forth in such Appendix. The terms of any financial liability that arises from Data sharing and Data processing carried out in support of the responsibilities covered in this Agreement must be negotiated separately and to the mutual satisfaction of Participants and expressed in an Appendix. The legal authority for Data sharing for specified purposes conveyed by this Agreement cannot be used to support a subsequent claim of implied agreement to financial obligation.
S. THIRD-PARTY VENDORS.
Data Recipients may house Shared Data with third-party vendors subject to the third-party vendors’ agreement to standards, restrictions, and conditions materially equivalent to those of this Agreement. In the event the GDPR applies or other applicable law requires: 1) Data Recipients must require such third-party vendors to agree in writing to standards, restrictions, and conditions materially equivalent to those of this Agreement and to comply with the requirements of the GDPR, if applicable, and any other applicable laws, rules, and regulations, and must provide to Data Providers upon their request copies of such agreements (which may be redacted to remove irrelevant confidential information); 2) where any such vendor fails to fulfill its data protection obligations, Data Recipients shall remain fully liable to Data Providers for the performance of such vendor’s obligations; and 3) Data Recipients must inform Data Providers in the event of any intended changes concerning the addition or replacement of a vendor prior to such changes, and Data Providers may object by terminating their participation in this Agreement effective immediately upon written notice of termination.
T. RESOLUTION OF DISPUTES WITH DATA SUBJECTS OR THE DATA PROTECTION AUTHORITY.
1. In the event of a dispute or claim brought by a Data Subject or the Data Protection Authority, to the extent applicable, concerning the processing of Shared Personal Data against any Participant, the affected Participants will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
2. Participants agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Data Protection Authority. If they do participate in the proceedings, Participants may elect to do so remotely (such as by telephone or other electronic means). Participants also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
3. In respect of Data Breaches relating to this Agreement, each Participant shall abide by a decision of a competent court of the Data Provider’s country of establishment or of any binding decision of the relevant Data Protection Authority.
V. EFFECTIVE DATE AND TERM.
This Agreement shall take effect upon its signing by more than one Participant. This Agreement may be amended at any time by mutual agreement of all Participants, and any Appendix may be amended at any time by mutual agreement of all Participant signatories to such Appendix. Any Participant may terminate its rights and obligations under this Agreement, other than those rights and obligations that shall survive the termination of the Agreement as set forth above, at any time by 90-day written notice to the other Participants. This Agreement shall be subject to annual review and to adjustment upon mutual written agreement of the Participants, the first review to occur one year from the Effective Date. This Agreement shall remain in effect until terminated as provided in this Agreement.
W. FORCE MAJEURE.
No Participant shall be in breach of this Agreement or liable for delay in performing, or failure to perform, any of its obligations under this Agreement if such delay or failure results from events, circumstances or causes beyond its reasonable control. In such circumstances the affected Participant shall be entitled to a reasonable extension of the time for performing such obligations. If the period of delay or non-performance continues for three (3) months, the Participants not affected may terminate this Agreement upon mutual agreement of said Participants by giving thirty (30) days’ written notice to the affected Participant.
X. CHOICE OF LAW.
This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the laws of the State of Tennessee, United States of America.
1. The respective rights and obligations of Participants shall survive the termination of this Agreement with respect to Data previously shared.
2. If any provision of this Agreement or any Appendix shall be held invalid, such invalidity shall not affect the other provisions of this Agreement that can be given effect without the invalid provision, if such remainder conforms to the requirement of applicable law and the fundamental purpose of this Agreement, and to this end the provisions of this Agreement are declared to be severable.
3. No one other than a Participant to this Agreement shall have any right to enforce any of its terms.
4. This Agreement is personal to Participants, and neither Participant shall assign or transfer any of its rights and obligations under this Agreement.
5. In case the applicable Data protection and ancillary laws change in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, Participants agree that they will negotiate in good faith to review the Agreement in light of the new legislation.
6. Nothing in this Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between Participants, constitute any Participant the agent of another Participant, or authorize any Participant to make or enter into any commitments for or on behalf of any other Participant.
7. This Agreement contains all the terms and conditions agreed upon by Participants. No other understandings, oral or otherwise, regarding the subject matter of this Agreement shall be deemed to exist or to bind any of the Participants.
8. No other written agreement shall, in any way, vary or alter any provision of this Agreement unless modified in writing by mutual consent of Participants or as required by statutory or regulatory changes.