When you register for the International Esodata.org membership account having aforementioned institute / Hospital affiliation, legally represented by your first name and the last name, you agree to the Data Use and Sharing Agreement.
This Data Use and Sharing Agreement ("DUA") is entered into on the date of your registration to this website by submitting this user registration form between the user and on behalf of the Member Institution and the International Society for Diseases of the Esophagus (“ISDE”).
Preamble
WHEREAS ISDE is a nonprofit organization committed to advancing knowledge, research, and education in the domain of esophageal diseases;
WHEREAS ISDE administers and maintains ESODATA, a specialized data repository designed to aggregate expert opinions, research data, and clinical standards related to esophageal diseases;
WHEREAS the Member Institution is a recognized medical institution contributing pseudonymized and/or de-identified clinical data (referred as the “Disclosed Limited Data Set”) to the ESODATA platform for research and data collection purposes;
Now, therefore, in consideration of their mutual promises to each other, hereinafter stated, the ISDE and Member Institution agree as follows:
1. Purpose of this DUA
This DUA establishes the terms under which the Member Institution agrees to share data with ISDE for the purpose of contributing to the ESODATA database. Both parties commit to ensuring the protection of shared data and compliance with all applicable data protection laws, national and international, as may be relevant to this agreement.
1.1 Definitions
For purposes of this DUA, the following terms shall have the meaning set forth below:
A. “De-identified Data” means data that has been processed to remove 18 specific identifiers as outlined in the U.S. Health Insurance Portability and Accountability Act (HIPAA) "safe harbor" method, making re-identification highly unlikely. De-identified data is not subject to HIPAA regulations.
B. “Pseudonymized Data” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and be subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
C. “Anonymized Data” means data that has been processed in such a way that the data subject is not or no longer identifiable. Anonymized data is not subject to the EU General Data Protection Regulation (GDPR) as per Recital 26, which states that the principles of data protection do not apply to anonymous information.
2. Scope of Data Sharing, Disclosure, and Use
2.1 Permitted Data Use
ISDE is authorized to utilize the Disclosed Limited Data Set solely for the administration and operation of ESODATA. Any further data use, beyond those expressly permitted by this Agreement, will require prior written consent from the Member Institution.
2.2 Data Minimization and Purpose Limitation
The data shared will be limited to what is necessary for the specific research or analysis objectives defined by ESODATA. ISDE will ensure that all data processing is executed solely for the purposes specified, consistent with the principles of data minimization.
2.3 Responsibilities Concerning Pseudonymization and De-identification at Submission
Each contributing center of the Member Institution is solely responsible for ensuring that no directly identifiable data is entered into the ESODATA system. Data included in the Disclosed Limited Data Set submitted by the Member Institution to ISDE shall be pseudonymized or de-identified at the point of submission, ensuring that any personally identifiable information is either removed or substituted with artificial identifiers and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person. The data stored in ESODATA will only contain Pseudonymized data and/or de-identified data where no directly identifying Personal data is included. The member from the data contributing Member Institution who submits the data must have obtained any regulatory or ethics approvals necessary to collect the Data and transfer the Data to ESODATA. ; The Member Institution must have full authority to transfer the Data to the ISDE. Data will be collected on opt-out basis, meaning that data subjects are included unless they explicitly choose to opt-out, in accordance with applicable data protection laws and best practices.
2.4 Full Anonymization for Publication of Research and Findings
Prior to the publication or public dissemination of any research analysis or findings based on ESODATA, ISDE will ensure that the data undergoes a thorough anonymization process. This includes the removal or irreversible encryption of indirect identifiers, ensuring that the identities of individuals cannot be reconstructed, even when cross-referenced with other datasets. Anonymized data is inherently safeguarded from identification, thus rendering it compliant with applicable data protection regulations. In the event ISDE wishes to publish research analysis or findings based on ESODATA that contain pseudonymized data that may not be deemed fully anonymized, ISDE will seek advance written consent from the Member Institution or the data subject.
2.5 Data Protection and Security Measures
A. Data Controller Responsibilities. ISDE and The Member Institution are both considered data controllers for the processing of the Disclosed Limited Data Set and will act in accordance with regional or national level and additional data protection laws to implement appropriate technical and organizational measures to meet the national and international regulatory requirements.
B. Legal Compliance. The Member Institution warrants that any data provided complies with all applicable local laws and that the legal foundation for data sharing and processing is duly established. ISDE commits to processing said data strictly within the parameters agreed upon, ensuring full legal compliance at all times.
C. Technical and Organizational Measures. Appropriate technical and organizational measures are in place to protect the data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
D. Confidentiality and Third-Party Access. All Disclosed Limited Data Set will be treated strictly confidentially and shall have in place procedures so that any third party it authorizes to have access to the data, including employees and third party vendors or data processors, will respect and maintain the confidentiality and security of such data. Any person or organization acting under the authority of the ISDE, including a third party technical service providers, shall be obligated to process the data only on instructions and within the terms of service agreements (including any data processing agreement/addendum) from the ISDE and in accordance with the permitted use under this DUA.
3. Scope of ISDE’s Use of Anonymized Data, Results and Property rights
3.1 Broad Use of Anonymized and Pseudonymized Data
The Member Institution consents to providing pseudonymized or de-identified data sets, which ISDE will anonymize prior to any use in research. When fully anonymized, the data may be used for various purposes, including but not limited to the development of clinical studies, creation of statistical models, and generation of derivative works. Such outputs may be shared with the broader scientific and healthcare communities, subject to confidentiality provisions and applicable laws. The lawful basis for this processing under the GDPR is ISDE's legitimate interest in advancing scientific research and improving healthcare outcomes.
3.2 Continuous and Perpetual Use
ISDE retains the right to use anonymized data for ongoing research endeavors, provided that the anonymity of individuals remains intact, ensuring that no individual’s identity can be reasonably inferred. The Disclosed Limited Data Set may be employed to study trends, advance scientific methods, and enhance the understanding of esophageal diseases. ISDE may use the data for both commercial and non-commercial purposes, including improving patient care, developing new healthcare technologies, and enhancing treatment protocols.
In the event ISDE wishes to engage in public research endeavors based on ESODATA that contain pseudonymized data that may not be deemed fully anonymized, ISDE will seek advance written consent from the Member Institution or the data subject. Public research endeavors include research activities, publications, or presentations that involve the dissemination of findings to the public or scientific community.
3.3 Secondary Uses of Anonymized Data
Anonymized data collected under this Agreement may also be utilized for secondary purposes such as algorithm development for predictive healthcare tools, public health monitoring, market research, and collaboration with industry partners. ISDE will ensure that all secondary uses of the data comply with applicable legal requirements and the data remains in an anonymized state throughout its secondary application.
3.4 Data Sharing with Third-Party Entities
ISDE may share anonymized data with reputable third-party entities, including research institutions, healthcare organizations, government bodies, and industry partners. Any such third-party recipient must enter into agreements that ensure the confidential treatment of the data, as well as its proper and lawful use. ISDE will perform due diligence to guarantee that these third parties maintain the highest standards of data privacy and legal compliance.
3.5 Results and data reports
All discoveries, developments, databases, inventions (whether patentable or not), methods, reports, know-how, or trade secrets which are made by the ISDE as a result of the conduct of the Analyses (hereinafter: “Results”) shall be the solely property of the ISDE. The Member institution shall be entitled to submit an application to a research and database committee established by ISDE to use the Results for its own research proposal(s).
3.6 Representations and warranties
Other than the warranties set out in section 2.3 and 2.5, the Data contained in the Disclosed Limited Data Set is provided by the Member institutions to the ISDE without any warranties whatsoever, express or implied, including any warranties for merchantability or fitness for a particular purpose.
3.7 Intellectual and/or industrial property rights
Nothing in this Agreement shall be construed as transferring to ISDE, either expressly or by implication, any ownership rights to the Disclosed Limited Dataset. Nor shall it be construed as granting ISDE any ownership rights under patent, patent application, trade secret, know how, confidential information, trade or service mark, copyright, or other intellectual and/or industrial property rights Member institution possesses or may possess, nor any option to any such right or license. The Member Institution acknowledges the ISDE is the sole proprietary owner of ESODATA and nothing in this DUA shall be construed as transferring any proprietary ownership rights pertaining to the ESODAT platform.
4. Retention and Destruction of Data
4.1 Data Retention
ISDE will retain anonymized data from the Disclosed Limited Data Set for extended periods to support for continuation of research and analysis. Pseudonymized or de-identified data will be kept only for as long as necessary to achieve research objectives or to meet legal requirements.
Basis of Consent: By contributing data to ISDE, each Member Institution consents to the storage and use of the Disclosed Limited Data Set for the duration necessary to fulfill the intended purposes as defined by the ESODATA project or as required by applicable law. ISDE may retain portions of the Disclosed Limited Data Set continuously, provided that such data has been appropriately de-identified or pseudonymized, ensuring it cannot be traced back to identifiable individuals. This consent includes continuous storage of data for historical, research, or statistical purposes under the conditions specified herein.
4.2 Data Deletion Upon Request
Upon receiving a legitimate request from the Member Institution, ISDE will delete pseudonymized data from its records. Anonymized data, which is not subject to such requests when data cannot be linked to any identifiable source institution, may be retained continuously, unless otherwise directed by law or the Member Institution.
4.3 Certification of Data Destruction
When data destruction is required or requested, ISDE will ensure that all relevant data is securely erased and will provide the Member Institution with written certification, detailing the date, method, and scope of the destruction process.
5. Limitation of Liability
5.1 General Limitation of Liability
ISDE’s liability under this Agreement for any claims arising from data protection breaches or non-compliance with applicable laws shall be limited to direct damages. ISDE will not be held liable for any indirect, consequential, or punitive damages, unless such damages result from gross negligence or intentional misconduct.
5.2 Force Majeure
Neither party will be held liable for any failure or delay in fulfilling its obligations under this Agreement due to causes beyond its reasonable control, including but not limited to acts of God, war, civil unrest, or significant technical disruptions.
6. Third-Party Vendors and Service Providers
6.1 Vendor Compliance
ISDE may engage third-party vendors for the processing, storage, and analysis of data under this Agreement. These vendors shall be bound by agreements that mandate their compliance with applicable legal standards and industry norms regarding data protection.
6.2 Limitation of Liability for Vendors
ISDE, as well as its third-party vendors, will not be liable for any indirect or special damages arising out of the use of third-party services unless caused by gross negligence or willful misconduct.
7. Indemnification
7.1 Indemnification by ISDE
ISDE agrees to indemnify and hold harmless the Member Institution, its officers, employees, and agents from any claims, losses, or liabilities arising from ISDE’s breach of this Agreement or any applicable data protection laws.
7.2 Indemnification by Member Institution
Similarly, the Member Institution agrees to indemnify and hold harmless ISDE, its officers, employees, agents, contractors, and third-party vendors from any claims, losses, or liabilities resulting from the Member Institution’s non-compliance with this Agreement or applicable legal standards.
8. Other Provisions.
8.1 Assignment. This DUA shall be binding on the successors and assigns of Member Institution and ISDE. However, ISDE may not assign this DUA, in whole or in part, without Member Institution’s written consent. Any attempted assignment in violation of this provision shall be null and void. The Member Institution agrees to notify ISDE of any assignment to a successor and assigns.
8.2 Counterparts. The parties may execute this DUA in counterparts, all of which together shall constitute one agreement.
8.3 Entire Agreement and Severability. This DUA is the complete agreement between the parties and supersedes all previous agreements or representations, written or oral, regarding the Disclosed Limited Data Set and any related matters as addressed in this DUA. If any part of this DUA is held to be unenforceable, the remainder shall continue in effect.
8.4 Interpretation. Any ambiguity in this DUA shall be resolved in favor of a meaning that permits the parties to comply with applicable law.
8.5 Notices. Any notices required or permitted under this DUA must be in writing and sent by electronic mail with written acknowledgement of receipt or overnight delivery service to the addresses for each party provided below or such different addresses as a party may later designate in writing.
9. Governing law.
9.1 Jurisdiction. Member Institution agrees that all matters relating access or use of the data, including all disputes, will be governed by the laws of the United States and by the laws of the State of California, USA without regard to its conflicts of laws provisions. You agree to the personal jurisdiction by and venue in the state and federal courts in the state of California, USA and waive any objection to such jurisdiction or venue. The preceding provision regarding venue does not apply if you are a consumer based in the European Union. If you are a Member institution based in the European Union, you may make a claim in the courts of the country where you reside. Any claim under these Terms of Use must be brought within one (1) year after the cause of action arises, or such claim or cause of action is barred. Claims made under the separate terms and conditions of purchase for goods and services are not subject to this limitation. No recovery may be sought or received for damages other than out-of-pocket expenses, except that the prevailing party will be entitled to costs and attorneys’ fees.
9.2 Dispute resolution. In the event of any controversy or dispute between ISDE and Member Institution arising out of or in connection with your research collaboration or use of the data, the parties shall attempt, promptly and in good faith, to resolve any such dispute. If we are unable to resolve any such dispute within a reasonable time (not to exceed thirty (30) days), then either party may submit such controversy or dispute to mediation. If the dispute cannot be resolved through mediation, then the parties shall be free to pursue any right or remedy available to them under applicable law.
10. Term and Termination.
This DUA and ISDE’s authorization to use or retain Disclosed Limited Data Set will remain in effect from the Effective Date until terminated. Either party may terminate this DUA at any time, with or without cause, by providing thirty (30) days written notice to the other party. The terms of this DUA shall remain effective in their entirety until Member Institution receives the certificate of data destruction as set forth in Section 4.2 (Retention and Destruction). Section 3 (Scope of ISDE’s Use of Anonymized Data, Results and Property rights), Section 4.1 (Data Retention), Section 5 (Limitation of Liability), Section 7 (Indemnification), Section 9 (Governing Law), and Section 10 (Term and Termination), and shall survive termination of this DUA.
No general conditions will apply to this Agreement.
-- International