Summary
11/12/2024

Terms & Conditions

Terms & Conditions

Services

The Data Analysis Core facility of the Paris Brain Institute (hereinafter “DAC” or “ICM”) provides structural support and expertise for processing, analyzing and managing research data. The services offered by DAC range from standardized procedures to customized approaches. DAC develops scripts, pipelines, tools and applications that respond to scientific needs and that require domain knowledge. The DAC is not limited to specific data modalities or technologies, e.g. spanning omics, microscopy, neuroimaging, electrophysiology and clinical research data. The services offered to the Client (hereinafter the “Services”) are detailed in a digital quote, and if needed accompanied by a digital document titled “Service Details”.

Request and management of Services

Any Service requested by the Client will result in the issuance of a written quote on an electronic medium, attached with these Terms & Conditions and, when needed, further specification in the Service Details. The Client’s acceptance of the quote or issuance of a Service order constitutes unconditional and unreserved acceptance by the Client of the Terms & Conditions and Service Details. Any modification in the object or scope of the Services, the conditions of their execution or unexpected contingencies in data quality and project complexity will be subject to a new quote and additional billing. DAC may condition the performance of the Service on the payment of a deposit following the acceptance of the quote, which may amount to up to 100% of the Service price.

Commitments of DAC

DAC undertakes to perform all Services in compliance with ethical principles, European and French legal and regulatory frameworks, and professional secrecy. In performing the Services, DAC is only bound by an obligation of means and not of results.

Client’s commitments

The Client guarantees to ICM that data provided to ICM has been collected in compliance with applicable legislation. For any Services, the Client agrees to provide DAC with all necessary documents and elements necessary for the performance of the Services. DAC reserves the right to refuse to perform the Services or to issue reservations regarding the results due to insufficient data quality, statistical effects or design. DAC cannot be held responsible in the event of a late response from the Client in relation to the deadlines indicated by DAC for the information necessary for the proper performance of the Services. The Client acknowledges that the results obtained during the execution of the Services are of an experimental nature. ICM makes no representation and offers no warranty, express or implied, of any kind regarding the results.

Deliverables

The delivery times for Services are given for information purposes only and do not constitute a commitment from DAC. Delays cannot justify the application of late penalties, cancellation of the contract, or other ongoing Services.

Intellectual property and ownership of results

The Client owns all results of the Services, subject to full payment of the Services as established in the quote. ICM retains ownership of the knowledge and know-how implemented by ICM for the performance of the Services, as well as any improvements that may be made to the aforementioned know-how or knowledge during the performance of the Services. No rights to use ICM’s knowledge and know-how are granted to the Client in connection with the performance of the requested Services.

Confidentiality

ICM commits to treating the Services confidentially and refrains from using or disclosing them to any third party for any reason, except to prove the execution of the Services and particularly to obtain payment, or upon request by a competent administrative or judicial authority. ICM also commits to treating all technical, commercial, financial, or other information communicated by the Client during the execution of the Service as confidential, as identified by the Client. ICM commits to ensuring that its employees and any potential subcontractors respect this confidentiality obligation.

Publications

When individuals at the DAC have substantially participated in the performance of the Services they must be included in the author list. Any person who has personally contributed to the publication, without being an author, must be acknowledged by name. In all communications and publications related to the results of the Services, the Client must systematically and indispensably mention the participation of the DAC as well as specify the nature of the contribution, by including the following acknowledgment:

  • “Part of this work was carried out in the Data Analysis Core facility (DAC). We gratefully acknowledge [name of the people] for [specific tasks or advices]”

In addition, in all communications and publications related to the results of the Services, the Client must systematically and indispensably mention:

  • “The DAC is supported by 2 “Investissements d’avenir” (ANR-10- IAIHU-06 and ANR-11-INBS-0011-NeurATRIS) and the “Fondation pour la Recherche Médicale”

Payment terms

The Client agrees to pay for the Services according to the quote within thirty (30) days or as agreed in the quote, from the invoice date. In case of late payment, ICM reserves the right to apply late penalties equal to one and a half times the legal interest rate in effect on the billing date, which will be automatically and rightfully acquired by ICM, without any formalities or prior notice. ICM will also apply a fixed compensation for collection costs of €40.

Claims

Any claim from the Client must be made by registered mail with acknowledgment of receipt to ICM at the following postal address: Institut du Cerveau et de la Moelle épinière – 47 boulevard de l’Hôpital – 75013 Paris. ICM will endeavor to respond as quickly as possible. Any dispute that has not been resolved amicably will be brought before the courts of Paris.

Personal Data protection

For the sole purposes of the Services provided and in compliance with the provisions of Article 28 of the GDPR, the Client, the data controller, authorises ICM (the “Service Provider”) acting in the capacity of processor, to process research Personal Data in compliance with the terms and conditions set out below. All the definitions included in the GDPR apply to this agreement.

Obligations of the Client

For the purposes of the services contracted, the Client, in its capacity as data controller, agrees to:

  • Give the Service Provider instructions on Personal Data processing operations
  • Transmit pseudonymized data from participants to the Service Provider in order to benefit from the Service Provider’s services, excluding any directly identifying data
  • Inform data subjects about the processing of their data, about the secondary re-use of their Personal Data in other scientific research projects and to obtain the consent of data subjects to the processing of their Personal Data, where applicable.

Obligations of the Service Provider

  • At the Client’s request, the Service Provider undertakes to communicate to the Client all the security measures (technical and organisational) necessary for the processing of Personal Data and that it agrees to implement. The Service Provider must be able to prove the implementation of these measures to the Client in the event of an audit
  • Process Personal Data in compliance with the express written instructions of the Client, for the period specified by the Client and within the limits of the time periods specified in applicable regulations.
  • Keep a written record of the categories of processing activities carried out on behalf of the Client
  • Take all appropriate technical and organisational protection measures to ensure the confidentiality of Personal Data and to provide a level of security that is appropriate for the risk involved
  • Ensure that the persons authorised to process Personal Data as part of the quotation receive the necessary training in protecting Personal Data and that they agree to respect confidentiality or are bound by an appropriate legal confidentiality requirement
  • Assist the Client in ensuring compliance with its legal and regulatory obligations based on the nature of the processing and the information at its disposal (privacy impact assessments, prior consultation of the supervisory authority, etc.)
  • Inform the Client if an instruction is considered to constitute a breach of the applicable regulations.
  • Assist the Client in order to enable it to respond, within the time limits and in compliance with the conditions specified in the applicable regulations, to any request concerning the exercise of a right, request or complaint from a data subject or from a personal Data protection authority or any other regulator. In any event, if the processing of Personal Data on behalf of the Client concerns participants, it is agreed between the parties that any requests relating to the exercising of rights by the said people will be made to the project investigator or a member of the team involved in the project, insofar as they are the only people with the right to keep the link between the coded identity of the said people and their surname(s) and first name(s).

Controls, audits and supply of documentation

The Service Provider acknowledges that the Client, through its internal auditors or any auditor of its choice who is bound by professional secrecy, may request or conduct an audit of some or all of the services provided, including aspects relating to compliance with Personal Data protection requirements incumbent upon the Service Provider as a processor.

With respect to this point, the Service Provider agrees to authorise these audits and to collaborate with the auditors, supplying any documents, information, tools or other data relating to the processing of the Personal Data of the Client, which may be useful for the smooth execution of the audit.

The Service Provider also agrees to authorise any audits and inspections that may be implemented by the competent supervisory authority, and to contribute to these audits and/or inspections. In this respect, the Service Provider undertakes to inform the Client on receiving any request from a supervisory authority as well as on any on-site or documentary inspection that may be carried out by the authority concerning the processing of the Personal Data of the Client.

Security measures

The Service Provider undertakes to implement all appropriate technical and organisational measures in order to ensure a level of Personal Data security that is appropriate for the risk incurred. As part of the services provided, the Service Provider agrees in particular to:

  • Ensure the confidentiality, integrity, availability and resilience of the processing systems and services
  • Restore the availability and access of Personal Data within an appropriate timeframe in the event of a physical or technical incident
  • Test, analyse and assess the efficiency of technical and organisational measures to ensure the security of the processing
  • Take all necessary precautions to protect the security of Personal Data and in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure or unauthorised access.
  • Take all measures to prevent any misuse or fraudulent use of the Personal Data, documents and information processed as part of the Contract.

In this context, the Service Provider undertakes to limit access to the Personal Data of the Client to staff members who are qualified and authorised, based on their role and capacity, and within the limits that are strictly necessary for the services provided. All persons authorised to process the Personal Data of the Client will be bound by a confidentiality requirement.

Personal Data retention period

Unless the Client expressly wishes otherwise in writing, Personal Data will be kept in an active database by the ICM for a period of three (3) months from the end of the service. It will then be archived for a period of five (5) years. On the expiry of the period covered by its obligations, at the Client’s discretion and upon notice of the Client the Service Provider agrees to:

  • Delete the Personal Data processed as part of the services and to destroy all existing copies and to send to the Client the certificate of destruction
  • Or return the Personal Data processed as part of the services and to destroy all existing copies and send the Client a certificate of destruction.

Subcontracting by the Service Provider

The Service Provider may call upon subsequent sub-contractors to carry out specific processing activities. In this case, the Service Provider shall inform the Client in advance and in writing of any change envisaged concerning the addition or replacement of subsequent sub-contractors. The Client has one (1) month from the date of receipt of this information to present any objections. A subsequent sub-contractor may only be used if the Client has not raised any objections within the agreed period. When the Service Provider uses a subcontractor, it does so by means of a written contract which provided for the same obligations regarding the protection of Personal Data as those set out in the present contract in the contract signed between the Service Provider and the subcontractor. The Service Provider ensures that the subcontractor complies with the obligations to which it is subject. Where the subsequent sub-contractor fails to fulfil its Personal Data protection obligations, the Service Provider remains fully liable to the Client for the subsequent sub-contractor’s performance of its obligations.

Liability

The Client and the Service Provider agree that any administrative fines imposed directly and exclusively on either party by the competent supervisory authority for non-compliance by the defaulting party with regulations applicable to the protection of Personal Data, shall not be payable by the other party and shall in no case be offset against any sum owed by the defaulting party to the other party under the terms of this Contract.

Transferring Personal Data outside the EU/EEA

In order to carry out the services covered by the Contract, the Service Provider may need to transfer the Personal Data of the Client outside the EU/EEA. With respect to this point, the Service Provider agrees to:

  • Request written agreement from the Client prior to any transfer
  • Comply with the instructions of the Client regarding transfers outside the EU/EEA, except if the Service Provider is required to make these transfers under applicable law. In this case, the Service Provider agrees to inform the Client of this legal obligation prior to processing, unless the relevant law prohibits such information for strong reasons of public interest
  • Oversee the transfer with appropriate safeguards as defined in Article 44 et seq. of the GDPR

Notification of Personal Data breaches

The Service Provider shall notify the Client in writing of any Personal Data breaches within 72 hours of becoming aware of it. The Service Provider undertakes to provide the Client with the assistance and cooperation it may reasonably expect in notifying the relevant Data Protection Authority of any Personal Data breach and informing the data subjects concerned of this breach where necessary.

Information sheet – Processing of Personal Data relating to Client/Prospect’s staff

To provide services and manage contracts, the ICM processes Personal Data relating to the Client/Prospect’s staff required to draw up contractual or pre-contractual measures as data controller for this specific processing only. The Personal Data collected is as follows:

  • Identity information : surname, first name, organization, etc.
  • Contact information : professional details
  • Data required for the performance of contracts and invoicing where applicable.

The recipients of the data are the authorized staff of the departments responsible for managing and monitoring the Client/Prospect. Contact data is kept for five (5) years from the last exchange with the platform. Invoicing data is kept for ten (10) years from the end of the financial year by the ICM Finance Department. In accordance with the applicable legal and regulatory provisions, the Client/Prospect’s employees have the right to access, rectify, update, oppose the processing, limit and delete data.

Client/Prospect personnel may exercise their rights by sending an e-mail to the platform manager at the following address: dac@icm-institute.org. They may also contact the ICM’s DPO at the following address: dpo@icm-institute.org. If after contacting ICM they consider that their rights have not been respected, they may lodge a complaint with the CNIL.