MMG Onward Transfer Agreement

Last Updated: June 2023

This Onward Transfer Agreement, dated as of _______________ (“Agreement”), by and between Matthews Media Group, Inc. (“MMG”) and [“Research Center”], (individually, a “Party” and collectively, the “Parties”) sets forth the terms and conditions relating to the privacy, confidentiality and security of Personal Data (as defined below) associated with transfers of Personal Data between MMG and [Research Center] pursuant to the “Clinical Research Study” as defined below


(A) MMG are a company providing patient recruitment services;

(B) [Research Center] are a company providing clinical research services;

(C) MMG and [Research Center] have each entered into separate agreements with the Client to provide services under which the Client has sponsored a Clinical Research Study;

(D) MMG shall provide [Research Center] with certain Personal Data (as described in Annex 1) in connection with the Clinical Research Study; and

(E) MMG requires that [Research Center] preserve and maintain the privacy, confidentiality and security of such Personal Data.

Now therefor, in consideration of the mutual covenants and agreements in this Agreement and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, MMG and [Research Center] agree as follows:

1 Definitions and Interpretation

For the purposes of this Agreement the following expressions shall have the following meaning:

“Client” shall mean the pharmaceutical company with whom MMG and [Research Center] are each contracted separately to provide services in connection with the Clinical Research Study.

“Client Personal Data” shall mean Personal Data supplied to [Research Center] by MMG under this Agreement;

“Clinical Research Study” shall mean the medical research study, sponsored by Client.

“Data Privacy Laws” shall mean the following as amended, extended, re-enacted or replaced from time to time.

(i) EC Directive 2002/58/EC on Privacy and Electronic Communications;

(ii) EC Regulation 2016/679 (the “GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

(iii) UK Data Protection Act 2018 and the UK GDPR;

(iv) all local laws or regulations implementing or supplementing the EU legislation mentioned in (i)-(iii) above;

(v) all codes of practice and guidance issued by national regulators relating to the laws, regulations and EU legislation mentioned in (i)–(iv) above.

in each case as amended, superseded or replaced from time to time;

“EEA” means the European Economic Area;

“Effective Date” shall mean the date that a Party first disclosed Client Personal Data to the other Party;

“EU/UK Law” means any law in force in the European Union or any law in force in a member state of the European Union and/or UK, including the Data Privacy Laws.

“Losses” means losses, damages, liabilities, claims, demands, actions, penalties, fines, awards, costs and expenses (including reasonable legal and other professional expenses);

“Stated Purpose” shall mean processing of Client Personal Data for the Clinical Research Study, as defined in Annex 1;

“UK” means United Kingdom; and

“UK GDPR” has the meaning given to it in the Data Protection Act 2018 (as amended from time to time).

References to “Processor”, “Controller”, “Personal Data”, “Processing”, “Personal Data Breach”, “Data Subject” or “Supervisory Authority” shall have the same meanings as defined under the Data Privacy Laws.

  1. Commencement & Agreement Status
    1. This Agreement shall commence as of the Effective Date and shall continue in force until terminated in accordance with its terms.
    2. If a Party considers that the relationship between them no longer corresponds to the Stated Purpose, then it shall promptly notify the other Party and the Parties shall discuss and agree in good faith such steps that may be required to confirm the Parties’ intentions.
  2. Data Protection
    The Parties agree that to the extent each Party processes Client Personal Data, each shall be the Client’s Processor, and the Client shall be the Data Controller with respect to such Processing.
  3. Mutual Obligations
    1. Each Party shall:
      1. comply with all Data Privacy Laws applicable to it;
      2. (process Client Personal Data only on the documented instructions of the Client, and only for the Stated Purpose;
      3. promptly notify the other party of any Data Subject request, Personal Data Breach or and/or Data Subject complaint in respect of Client Personal Data and provide such detail as may be reasonably required by the other party;
      4. promptly provide at no charge, such necessary and reasonable assistance and co-operation to the other Party and to any Supervisory Authority, in connection with:
        1. any investigations, audits or enquiries made by a Supervisory Authority in relation to the processing of Client Personal Data pursuant to this Agreement;
        2. the other Party’s ability to comply with any other obligation as imposed on it by the Data Privacy Laws with regard to the processing of the Client Personal Data for the Stated Purpose;
        3. carrying out any data protection impact assessment, in relation to the processing of the Client Personal Data for the Stated Purpose.
    2. In the event of a Personal Data Breach affecting Client Personal Data:
      1. neither party shall make any public announcements relating to the Personal Data Breach that may adversely affect the other party; and
      2. the parties shall work together to try and mitigate the effects of such Personal Data Breach.
  4. Indemnification
    1. To the extent permitted by law, neither Party shall be liable to the other Party for any losses incurred by reason of or in connection with any breach of the provisions of this Agreement.
  5. General
    1. This Agreement constitutes the entire agreement and understanding between the Parties in respect of the matters set out in this Agreement and supersedes any previous agreement between the parties in relation to such matters.

IN WITNESS WHEREOF this Agreement has been signed and dated the day and year above written.

on behalf of [Research Center]


SIGNED by Catherine Clarke
on behalf of Matthews Media Group Inc



Data Processing Details

Subject matter of processing: Transfer to Research Center of the personal data of individuals who completed a pre-screening questionnaire that qualifies them for further screening for the Clinical Research Study. Research Center will use this information to contact the persons for further screening, in accordance with requirements provided in this agreement.
Duration of the processing: (e.g.the period for which the Supplier will be providing the Services to the Agency)
Nature and purpose of the processing: Research may be required to access, receive, store or otherwise process Client Personal Data in order to provide their services to Client under a separate agreement
Type of personal data: Name, address, telephone number, e-mail address
Categories of data subject: Individuals who completed a pre-screening questionnaire that qualifies them for Clinical Research Study
Sensitive data N/A
The frequency of transfer [Data will be transferred on a one off basis] OR [data will be transferred on a continuous basis]
Retention (e.g. Data will be retained for the duration of the provision of Services under the Agreement)