Shortcuts


DPA Schedules

(Revision 11 November 2024)


Animana


IDEXX Customer Data Processing Agreement Schedule

IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement .

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
General Terms and Conditions of IDEXX Practice Management Software Europe


A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:


ii. Categories of personal data is transferred:

  • First and Last name (all data subjects)
  • Address (pet owner only)
  • Phone number (all data subjects)
  • Email address (all data subjects)
  • Client ID/code assigned by practice (pet owner)
  • Birth date (pet owner)*


    *Optional data, included if inputted by clinic
  • Bank account number (pet owner only)*
  • IP address (customer only)*
  • Customer (clinic) account information, to the extent Customer qualifies as personal data
  • Data regarding the pet (such as species, breed, age, birthdate)
  • Data regarding the treatment of the pet (such as services, diagnosis, products)



iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None

iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer

v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

  • Collection
  • Recording
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction


Activities by IDEXX’s Conversion & Implementation and Customer Support groups:

  • Collection
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Collection
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction


Activities by Training group:

vi. Purpose(s) of the data transfer and further processing.
To provide the Services.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
In principle, up to 2 years after termination of the Customer relation, unless a longer minimum statutory retention period applies, such as is the case for data that may be relevant for tax determination, which data is to be retained for at least 7 years.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A:

List of Parties Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name
: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory
Authority Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures


Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.


System Access Control
Measures to prevent data processing systems from being used without authorization:


Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:


Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:


Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:


Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:


Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:


Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:

 


ezyVet

 

IDEXX Customer Data Processing Agreement Schedule

IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
ezyVet General Terms and Conditions.

 

A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:

ii. Categories of personal data is transferred:

  • Last name (all data subjects)
  • Address (pet owner only)
  • Phone number (all data subjects)
  • Email address (all data subjects)
  • Gender (pet owner only)
  • IP address (customer only)
  • Customer (clinic) account information, to the extent Customer qualifies as personal data
  • Data regarding the pet (such as species, breed, age)
  • Data regarding the treatment of the pet (such as services, diagnosis, products)


iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None

iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer

v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

  • Collection
  • Recording
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction


Activities by IDEXX’s Conversion & Implementation and Customer Support groups:

  • Collection
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Collection
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction


Activities by Training group:

vi. Purpose(s) of the data transfer and further processing.
To provide the Services.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
In principle, up to 2 years after termination of the Customer relation, unless a longer minimum statutory retention period applies, such as is the case for data that may be relevant for tax determination, which data is to be retained for at least 7 years.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A: List of Parties

Data exporter(s):
Name
: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name
: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures

Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.


System Access Control
Measures to prevent data processing systems from being used without authorization: 


Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:


Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:


Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:


Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:


Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:


Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:


Vet Radar


IDEXX Customer Data Processing Agreement Schedule

Vet Radar IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement .

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
ezyVet General Terms and Conditions (also covering Vet Radar) .


A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:


ii. Categories of personal data is transferred:


iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None


iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer


v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

  • Collection
  • Recording
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction
  • Monitoring/troubleshooting
  • Alignment/combination
  • Analysis/Segmentation


Activities by Training and Customer Support groups:

  • Collection
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Collection
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction
  • Monitoring/troubleshooting
  • Analysis/Segmentation

 

vi. Purpose(s) of the data transfer and further processing.
To provide the Services.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
In principle, up to 2 years after termination of the Customer relation, unless a longer minimum statutory retention period applies, such as is the case for data that may be relevant for tax determination, which data is to be retained for at least 7 years.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A: List of Parties

Data exporter(s):

Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name
: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures

Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.


System Access Control
Measures to prevent data processing systems from being used without authorization:


Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:


Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:


Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:


Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:

Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:


SmartFlow


IDEXX Customer Data Processing Agreement Schedule

IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement .

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
General Terms and Conditions of IDEXX Practice Management Software Europe (if applicable to your region) .
SmartFlow Terms and Conditions .

 

A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:


ii. Categories of personal data is transferred:


iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None

iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer.

v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

  • Collection
  • Recording
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction
  • Monitoring/troubleshooting
  • Alignment/combination
  • Analysis/Segmentation


Activities by IDEXX’s Sales and Medical Consulting groups:

  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Monitoring/troubleshooting


Activities by Training and Customer Support groups:

  • Collection
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction
  • Monitoring/troubleshooting
  • Analysis/Segmentation


vi. Purpose(s) of the data transfer and further processing.
To provide the Services.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
The minimum statutory period applicable to IDEXX’s retention of Personal Data.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A: List of Parties

Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name
: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory
Authority Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures

Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.


System Access Control
Measures to prevent data processing systems from being used without authorization:


Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:


Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:


Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:


Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:


Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:


Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:


VetConnect PLUS

IDEXX Customer Data Processing Addendum Schedule

IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement .

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
VetConnect PLUS Terms of Service .

A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:

ii. Categories of personal data is transferred:

iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None

iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer

v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

  • Collection
  • Recording
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction
  • Monitoring/Troubleshooting
  • Alignment/combination
  • Analysis/segmentation


Activities by IDEXX’s Sales and Medical Consulting groups:

  • Retrieval
  • Consultation
  • Use
  • Storage
  • Collection
  • Disclosure by transmission
  • Dissemination
  • Monitoring/Troubleshooting
  • Analysis/segmentation


Activities by Training and Customer Support groups:

  • Collection
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction
  • Monitoring/Troubleshooting
  • Analysis/segmentation


vi. Purpose(s) of the data transfer and further processing.
To provide the communication functionalities offered in VetConnect PLUS.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
The minimum statutory period applicable to IDEXX’s retention of Personal Data.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A:

List of Parties Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures

Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.

System Access Control
Measures to prevent data processing systems from being used without authorization:

Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:

Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:

Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:


Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:

Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:


Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:


SmartService


IDEXX Customer Data Processing Addendum Schedule

IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement .

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
IDEXX SmartService Agreement .

 

A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:


ii. Categories of personal data is transferred:
First and Last name (pet owner and customer employee)

iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None

iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer

v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

  • Collection
  • Recording
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction
  • Monitoring/Troubleshooting


Activities by IDEXX’s Sales, Medical Consulting and Customer Service groups:

  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Monitoring/Troubleshooting


vi. Purpose(s) of the data transfer and further processing.
To provide the Services.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
The minimum statutory period applicable to IDEXX’s retention of Personal Data.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A: List of Parties

Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name
: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures

Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.


System Access Control
Measures to prevent data processing systems from being used without authorization:


Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:


Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:


Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:


Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions: 


Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:


Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:


rVetLink


IDEXX Customer Data Processing Addendum Schedule

IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement .

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
rVetLink Terms of Service .

 

A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:


ii. Categories of personal data is transferred:

  • Last name (all data subjects)
  • Address (pet owner only)
  • Phone number (all data subjects)
  • Email address (all data subjects)
  • IP address (customer only)
  • Customer (clinic) account information,
    to the extent Customer qualifies as
    personal data


iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None

iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer

v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

  • Collection
  • Recording
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction


Activities by IDEXX’s Conversion & Implementation and Customer Support groups:

  • Collection
  • Organization
  • Structuring
  • Storage
  • Adaptation/Alteration
  • Retrieval
  • Collection
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination
  • Restriction
  • Erasure/destruction


Activities by Training group:

vi. Purpose(s) of the data transfer and further processing.
To provide the Services.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
In principle, up to 6 months after completion of the services related to the Pet Owner.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A: List of Parties

Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name
: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures

Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.


System Access Control
Measures to prevent data processing systems from being used without authorization:


Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:


Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:


Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:


Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions: 


Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:


Separation of Data
Measures to ensure that data collected for different purposes can be processed separately: