Data Policy: FreezerPro®

1. INTRODUCTION AND SCOPE

This Personal Data Protection Policy (“Policy”) describes the privacy practices of Brooks Automation, Inc. and its affiliates and subsidiaries (collectively “Brooks” or “we” or “us”) regarding the privacy practices of Brooks regarding the Processing of Personal Data of the customers, to the extent applicable, as part of the provision of Services provided to customers. Where Brooks provides Services to customers, Brooks will be acting as Processor and the Customer will be acting as Controller. This policy applies globally to any and all Services provided by Brooks to its Customers.

Brooks Processes Personal Data on behalf of the Customer in accordance with Data Protection Laws. Insofar necessary, the Service Agreement will be supplemented with an Addendum to set out any additional matters that are specific to the Customer and cannot be regulated in this Policy.

This Policy does not apply to the collection of Personal Data through our website or through cookies with respect to which Personal Data Brooks can be considered Controller. We refer to our separate Privacy Statement for more information in this regard.

Brooks reserves the right to update this Policy without consulting or informing Customers.

2. KEY DEFINITIONS

The capitalized terms listed below have the following meaning in this Policy:

“Customer” means the counterparty to a Service Agreement with Brooks;

“Customer Data Subjects” shall mean the former and current directors, officers and employees and customers of the Customer;

“Controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;

“Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Service Agreement, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) together with all implementing laws and any other applicable data protection, privacy laws or privacy regulations;

“Personal information” and “personal data” mean any information about an identified or identifiable natural person or which may directly or indirectly identify a natural person.

“Processing” means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Processor” shall mean the party, which Processes Personal Data on behalf of the Controller.

3. PERSONAL DATA PROCESSED & USE OF PERSONAL DATA

The details of the Personal Data that will be Processed by Brooks on behalf of the Customer, including the duration, purpose and categories of Personal Data will be set out in an addendum to the Service Agreement. Brooks shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than: as necessary to process Personal Data to provide the Services and/or otherwise in accordance with the documented instructions of Customer, or as required to comply with Data Protection Laws or other laws to which Brooks is subject, in which case Brooks shall (to the extent permitted by law) inform Customer of that legal requirement before processing Personal Data. In addition, Brooks is allowed to use aggregated data – to the extent this can no longer be considered Personal Data – for analysing purposes, for internal operations, including troubleshooting, data analysis, testing, research, for statistical purposes and for improving the quality of its Services.

4. SUBPROCESSING

Brooks may appoint certain third parties to provide part of the Services or assist with providing technical support. By signing the Service Agreement, the Customer authorizes Brooks to subcontract the Processing of Personal Data to Subporcessors. Subprocessors are in each case subject to the terms between Brooks and the Subprocessor which are no less protective than those set out in this Policy and the Service Agreement. Brooks will inform the Customer of the details of such Subprocessor(s) upon written request from the Customer.

5. CONFIDENTIALITY AND DATA SECURITY

Brooks shall keep the Personal Data confidential and will instruct its staff and Subprocessors to do the same. Brooks shall implement appropriate technical and organization measures to ensure a level of security of the Personal data appropriate to the risk required pursuant to the applicable Data Protection Laws and, where the Processing concerns personal data of EU residents, shall take all measures required pursuant to article 32 GDPR. In assessing the appropriate level of security, Brooks shall take into account the particular risks presented by the Processing. Specific security measures may be further described in an addendum to the Services Agreement.

6. CUSTOMER REQUESTS

Brooks shall, upon the request and to the extent required under Data Protection Laws, cooperate with the requests of the Customer that relate to the Processing of Personal Data. In particular:

Data Subject rights: Brooks shall cooperate as requested by the Customer to enable the Customer to comply with any exercise of rights by a Customer Data Subject in respect of data protection laws. Data Protection Impact Assessment: Brooks shall provide reasonable assistance to the Customer with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority or the Customer which are required under Article 36 GDPR, in each case in relation to Processing of Personal Data by Brooks on behalf of the Customer and taking into account the nature of the processing and information available to Brooks.

7. DELETION OR RETURN OF PERSONAL DATA

Brooks will, at the choice of the Customer, delete or return the Personal Data at the end of the provision of the Services relating to Processing, to the extent reasonably possible and unless (i) Data Protection Laws, (ii) any law, statute, order, regulation, rule, requirement, practice and guidelines of any government, regulatory authority or self-regulating organization that applies to the Services in the country where those Services are being provided (“Applicable Law”), or (iii) competent court, supervisory, or regulatory body, require the retention of such Personal Data by Brooks.

8. DATA BREACH

Brooks shall notify Customer without undue delay after becoming aware of a personal data breach, providing the Customer with sufficient information which allows the Customer to meet any obligations to report a data breach under Data Protection Laws. Brooks shall fully cooperate with the Customer and take such reasonable steps to assist in the investigation, mitigation and remediation of each data breach in order to enable the Customer to perform a through investigation, formulate a correct response, and to take suitable steps to meet any requirement under Data Protection Laws.

9. INTERNATIONAL TRANSFERS OF CUSTOMER PERSONAL DATA

Brooks may transfer Customer Personal Data to a Brooks Affiliate located in a third country, or to a subprocessor, but any such transfer shall be made utilizing an approved transfer mechanism.

10. INDEMNIFICATION

The Customer warrants that all Personal Data processed by Brooks on behalf of the Customer has been and shall be Processed by the Customer in accordance with Data Protection Laws including without limitation: (a) ensuring that all notifications to and approvals from regulators which are required by Data Protection Laws are made and maintained by the Customer; and (b) ensuring that all Personal Data is Processed fairly and lawfully, is accurate and up to date and that a fair notice is provided to Customer Data Subjects which described the processing to be undertaken by Brooks pursuant to the Services agreed upon in the Service Agreement. By signing the Service Agreement, the Customer shall indemnify and hold Brooks harmless against all claims, actions, third party or Supervisory Authority claims, losses, damages and expenses arising from any breach by the Customer of this Policy. The exclusions and limitations of the liability of Brooks set out in the Service Agreement shall also apply to this Policy.