Master Alliance Provisions Guide (MAPGuide)

European Commission – AstraZeneca, COVID-19 Vaccine Advance Purchase Agreement

  • Information & materials sharing | Data management

17. Data protection

17.1 Processing of personal data by the Commission 

The sharing of personal data is necessary to support contact with employees and subcontractors in order to collaborate under this Agreement (“In-Scope Personal Data”). The Party receiving the personal data from the other Party shall not process the In-Scope Personal Data for longer than necessary to fulfil the agreed purposes of this Agreement. 

Any personal data included in or relating to the APA, including its implementation, shall be processed in accordance with Regulation (EU) 2018/1725. Such data shall be processed solely for the purposes of the implementation, management and monitoring of the APA by the data controller. For the purpose of this provision, the data controller for the Commission shall be the Director-General of the European Commission’s Directorate-General for Health and Food Safety. The data protection notice is available at

The Parties or any other person whose personal data is processed by the data controller in relation to this APA has specific rights as a data subject under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, rectify or erase their personal data and the right to restrict or, where applicable, the right to object to processing or the right to data portability.

Should the Parties or any other person whose personal data is processed in relation to this APA have any queries concerning the processing of its personal data, it shall address itself to the data controller. They may also address themselves to the Data Protection Officer of the data controller. They have the right to lodge a complaint at any time to the European Data Protection Supervisor.

17.2 Processing of personal data by the Parties

The processing of personal data by the Parties shall meet the requirements of Regulation (EU) 2018/1725 and be processed solely for the following purposes: Contact with employees and subcontractors in order to collaborate under the Agreement. Both Parties agree each act as Data Controllers with regards to the Processing of Personal Data they each undertake.

Each Party represents and warrants that it has provided an appropriate data privacy notice and obtained appropriate consent (if legally required) from the data subjects whose In-Scope Personal Data is being shared with the other Party and that such notice and consent is in accordance with Applicable Laws regarding data protection and allows for the desired use of such In-Scope Personal Data. Should a Party learn that it has provided In-Scope Personal Data that may not be shared pursuant to a consent or notice, such Party is responsible for promptly notifying the other Party so that the affected In-Scope Personal Data can be deleted as required.

The Parties agree that the responsibility for complying with any communication addressed to one or both Parties under this Agreement made by a Data Subject exercising one or several of his/her data protection rights un personal data held and under the responsibility of that Party as data controller. The Parties agree to cooperate and provide reasonable assistance as is necessary to each other to enable them to (1) comply with Applicable Laws regarding Data Protection, (2) comply with Subject Requests and (3) respond to any other queries or complaints from data subjects.

In the event a Party suffers a personal data breach, such Party shall ensure it complies with Applicable Laws regarding Data Protection and, if applicable, complies with any obligations to notify Data Protection Supervisory Authority, data subjects or other regulatory bodies as required by Applicable Law regarding the Personal Data Breach.

To the extent the Commission or Participating Member State suffers a personal data breach that (1) has an impact on the services provided under this Agreement or (2) relates to In-Scope Personal Data AstraZeneca shared with the Commission or Participating Member State, the Commission or Participating Member State shall promptly notify AstraZeneca about such personal data breach.

Both Parties shall indemnify, defend, and hold each other harmless from and against any and all liabilities, claims, losses, suits, judgments, and reasonable legal fees arising from any breach, negligent act, error or omission of relevant data protection obligations under this Agreement by the other Party, its subcontractors or their respective personnel.