Supplemental Terms Governing Agreements for Services Performed for
Auris Health, Inc., CSATS, Inc., Ethicon, Inc., Ethicon, LLC, Ethicon US, LLC, Ethicon Endo-Surgery, Inc., Megadyne Medical Products, Inc., Neuwave Medical, Inc., Torax Medical, Inc., or Verb Surgical, Inc.

Version 6.1
Effective Date: May 7, 2021

 

     Except to the extent explicitly agreed otherwise in your agreement with Auris Health, Inc., CSATS, Inc., Ethicon, Inc., Ethicon, LLC, Ethicon US, LLC, Ethicon Endo-Surgery, Inc., Megadyne Medical Products, Inc., Neuwave Medical, Inc., Torax Medical, Inc., or Verb Surgical, Inc. (each the “Company”) the following terms and conditions shall govern your performance of services for the Company under Service Provider’s agreement with Company (the “Agreement”), but only to the extent that you or any subcontractors you utilize to perform the services, and/or the services to be provided under your agreement with Company meet the below criteria. Hereinafter, you shall be referred to as “Service Provider.”

 

Criteria
 

a.     If Service Provider will travel at the request of Company in furtherance of any service to be performed under the Agreement, Service Provider will comply with the provisions of Part A of the Supplemental Terms.

b.     If the services to be provided under the Agreement involve the use or disclosure of Protected Health Information (as defined under the U.S. HIPAA Privacy Requirements), Service Provider will comply with the provisions of Part B of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.

c.     If Service Provider is a or in connection with any service to performed under the Agreement will engage any health care professional, a medical school, a medical institution that employs or grants privileges to health care professionals, a medical society, a medical trade association or a government agency that buys health care products and/or services, Service Provider will comply with the provisions of Part C of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.

d.     If Service Provider or its subcontractors either (i) own or operate facilities in the European Union or (ii) have/has employees located in the European Union that will provide services or transfer any information that can be used to identify a person (“Personal Information”) in connection with services performed under the Agreement, or (iii) Service Provider or its subcontractors will collect, receive or use Personal Information in connection with services performed under the Agreement, Service Provider and comply with by the provisions of Part D of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.

e.     If Service Provider or its subcontractors employ persons who will provide services under the Agreement, Service Provider and its subcontractors will abide by the provisions of Part E of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.

f.     If the services to be provided under the Agreement involve the creation of records which demonstrate regulatory, legal and/or other compliance, Service Provider comply with the provisions of Part F of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.

g.     If the services to be provided by Service Provider under the Agreement involve the provision of general reimbursement-related information and support to health care providers, office managers, patients and/or third party payors, Service Provider comply with the provisions of Part G of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.

h.     If Service Provider will have access to Company’s IT network in connection with performing services under the Agreement or if in furtherance of such services and/or if Company provides Service Provider any computing assets or devices, including without limitation, a smart phone, virtual private network token or laptop computer, Service Provider shall comply with the provisions of Part H of the Supplemental Terms.

Parts
 

Part A - Travel Policy

Company shall cover the cost of travel and living expenses related to Service Provider’s work, provided that such costs and expenses abide by this travel policy and have been approved in advanced by Company. Company will neither reimburse personal expenses incurred by the Service Provider nor expenses incurred by anyone other than the Service Provider.

I.     Travel Reservations: All reservations for air travel, lodging, and ground transportation should be made through the J&J Travel Department. Reservations can be made by contacting J&J Travel at 1-669-272-1386, prompt 2 between the hours of 8:30 a.m. and 4:30 p.m. Eastern Standard Time.

II.     Airfare: J&J has an established airfare policy. Under the terms of this policy, the J&J Travel Department will select the lowest fare alternative within the time frame of the Service Provider’s request without significantly inconveniencing the Service Provider. A change in departure or arrival time of approximately one hour is not considered an undue inconvenience.

a.     Corporate discount fares have been negotiated with several preferred airline carriers. Where it is beneficial to Company and the Service Provider will not be duly inconvenienced, Service Providers are encouraged to book reservations on the preferred carriers.

b.     Class of Service shall be determined by the length of elapsed flight time. All flights with less than six hours elapsed flight time will be booked in Coach Class. Flights of six or more hours will be booked in Business Class. Company will not pay for First Class travel. Any fee incurred for upgrading Class of Service for a flight is not reimbursable.

c.     Airfare should be charged using either an authorized Company BTA (“Business Travel Account”) or Service Provider’s personal credit card. In the event Service Provider’s personal credit card is used, Service Provider must obtain approval from Company prior to final booking of their airfare. Once travel has occurred, Service Provider must submit original receipts with other travel expenses for reimbursement. Company shall timely reimburse Service Provider following receipt of travel expenses. Company cannot reimburse in advance of the travel occurrence.

III.     Lodging: J&J Travel has several preferred hotels with which it has negotiated favorable rates.  Where these hotels are available, Service Provider shall stay at preferred hotels unless this would cause significant business inconvenience. Hotel room charges cannot exceed policy limits of $275.00 per night. Luxury hotels and resorts/spas are prohibited, unless there is written permission from the Company Corporate Compliance Officer.

a.     For Cincinnati based events: In most instances, an authorized business travel account (“BTA”) has been established with the preferred hotel. Company will be responsible for room charge, tax, phone calls (business-related), and meals (if not provided through event agenda). These charges will be billed to the authorized BTA. Dollar limits for meals must not exceed policy limits of $25.00 per person for breakfast, $35.00 per person for lunch, and $65.00 per person for dinner (evening meal), tax and tip included. All other charges (e.g., movies, dry-cleaning (if event is less than 5 days), mini bar, etc.) are the sole responsibility of the Service Provider.

b.     For remote location events: Service Provider will be responsible for using Service Provider’s personal credit card for charges. Authorized expenses should be submitted to Company for reimbursement. Company will be responsible for room charge, tax, phone calls (business-related), and meals (if not provided through event agenda). Dollar limits for meals must not exceed policy limits of $25.00 per person for breakfast, $35.00 per person for lunch, and $65.00 per person for dinner (evening meal), tax and tip included. All other charges (e.g., movies, dry-cleaning (if event is less than 5 days), mini bar, etc.) are the sole responsibility of the Service Provider.

IV.     Ground Transportation/Car Rental: The use of cost efficient local transportation is encouraged. Service Provider may choose either local ground transportation based on availability, or the rental of a mid-size car. When possible, transportation expenses will be charged to an authorized Company BTA. If for some reason a BTA cannot be utilized, Service Provider may charge expenses to Service Provider’s personal credit card, and submit original receipts for reimbursement. All original receipts for expenses such as fuel, tolls, parking, etc. must be submitted for reimbursement. If the Service Provider is within driving distance of their scheduled event and chooses to use their personal car, Company will reimburse Service Provider the cost of mileage per the terms of the J&J Travel Car Mileage Rate.

Part B - Use of Protected Health Information

With respect to the services provided pursuant to Service Provider’s agreement with Company, Service Provider shall ensure that the provision of the Services complies with any HIPAA Privacy Requirements that apply to such Protected Health Information. The “HIPAA Privacy Requirements” refer collectively to the applicable provisions of the Administrative Simplification section of HIPAA - the Health Insurance Portability and Accountability Act of 1996 (as codified at 42 U.S.C. § 1320d - d-8) and any regulations promulgated thereunder, including without limitation, the federal privacy regulations (45 CFR Parts 160 and 164) and the federal security standards (45 CFR Part 142). Without limiting the foregoing, Service Provider will use a HIPAA-compliant Patient Authorization whenever the HIPAA Privacy Requirements so require. When the Services provided under the Agreement involve direct interactions with patients, consumers or caregivers, the Service Provider shall obtain written consent from any such person allowing Company to use and disclose the personal information collected from such persons.

Part C - Health Care Compliance

The parties acknowledge and agree that the compensation set forth in their agreement for services represents the fair market value of the services provided, negotiated in an arms-length transaction and has not been determined in a manner which takes into account the volume or value of any referrals or business otherwise generated between Company and Service Provider. Nothing contained in Service Provider’s agreement with Company shall be construed in any manner as an obligation or inducement for the Service Provider to recommend that patients purchase Company products or those of any organizations affiliated with Company. The parties further agree that Service Provider’s agreement with Company does not involve the counseling or promotion of a business arrangement that violates state or federal law.

With respect to the services provided pursuant to Service Provider’s agreement with Company, Service Provider shall:

I.     Ensure that the services are provided in compliance with all applicable laws and regulations, including but not limited to: laws and regulations pertaining to the promotion of products regulated by the FDA (21 U.S.C. §§ 201, et seq. and its implementing regulations); laws, regulations and guidance pertaining to state and federal anti-kickback statutes (42 U.S.C. §§ 1320a-7b(b), et seq. and their implementing regulations) and submission of false claims to governmental or private health care payors (31 U.S.C. §§ 3729, et seq. and its implementing regulations); state and federal laws and regulations relating to the protection of individual and patient privacy (42 U.S.C. §§ 1320d, et seq. and their implementing regulations); and any other laws and regulations applicable to the provision of the Services.

II.     Ensure that the Service Provider is:

1. 1. 1. not excluded from a Federal health care program as outlined in Sections 1128 and 1156 of the Social Security Act (see the Office of Inspector General of the Department of Health and Human Services List of Excluded Individuals/Entities at https://exclusions.oig.hhs.gov/;
      2. not debarred by the FDA under 21 U.S.C. 335a (see the FDA Office of Regulatory Affairs Debarment List at http://www.fda.gov/ICECI/EnforcementActions/FDADebarmentList/default.htm ;
      3. not otherwise excluded from contracting with the federal government (see the Excluded Parties Listing System at https://www.sam.gov/index.html/home and
      4. if required, duly licensed and in good standing in accordance with applicable state laws to provide the services. 

The Service Provider shall report to Company any violations of the compliance obligations applicable to the services provided under the Agreement. The Service Provider agrees that Company and its designated representatives shall have the right, upon reasonable notice, to audit all applicable records of the Service Provider for the purpose of determining compliance with the compliance obligations, and any Company Policies applicable to the services provided under the Agreement and the terms of the Agreement. This right to audit shall extend throughout the term of the Agreement and for the later of a period of 2 years after termination of Service Provider’s agreement with Company or resolution of any disputes between Company and the Service Provider hereunder.

 

Documentation of Services Performed
 

For each separate project under a statement of work, proposal, work order or similar document entered into pursuant to the Agreement, Service Provider shall, within 30 days of the conclusion of a project or meeting, provide documentation as set forth in greater detail in the applicable work order, including, at a minimum:

a.     Copies of written agreements including compensation terms, with each health care professional providing services.

b.     Copies of reports indicating that each health care professional providing services is not excluded or debarred and, for any healthcare practitioner, duly licensed under state law, Service Provider shall obtain such reports prior to engaging such health care professionals to provide services for Company’s benefit.

c.     Documentation of the services provided by such health care professional, e.g., a written report, comments collected at a meeting, etc.;

d.     Electronic report of overall expenses paid to or on behalf of each health care professional in connection with the statement of work, proposal, work order or similar document.

e.     Electronic copies of all original receipts documenting such expenses.

f.     Copy of any required ethics or other authorizations allowing health care professionals employed by federal, state or local government agencies to provide services for Company’s benefit in connection with the Agreement.

 

Disclosure of Funding
 

The Physician Payments Transparency Requirements of the Patient Protection and Affordable Care Act of 2010 (codified at 42 U.S.C. 1320a-7h) and implementing regulations, require certain pharmaceutical, medical device, and other companies to annually report to the Centers for Medicare and Medicaid Services (CMS) certain information about payments and transfers of value provided directly or indirectly to U.S. physicians and teaching hospitals, which CMS will make publicly available. This includes any payments or transfers of value that Buyer provides indirectly through Service Provider to U.S. physicians and teaching hospitals. As required by law, Buyer will report to CMS information about payments and transfers of value that Service Provider provides to U.S. physicians and teaching hospitals pursuant to this Agreement. This includes any portion of any payment or transfer of value that Buyer furnishes to Service Provider which Service Provider then provides directly or indirectly to U.S. physicians or teaching hospitals, including its employees, agents, or contractors. Information that Buyer must report includes the identity and business address of each relevant U.S. physician or teaching hospital, the value and purpose of any payments or transfers of value that are furnished, and any other information as may be required by law. To enable Buyer to comply with its legal obligations, Service Provider shall track, maintain, and provide Buyer information and data related to any payments or transfers of value that Service Provider provides to U.S. physicians and teaching hospitals under this Agreement. Service Provider shall provide such information and data in the form and manner that Buyer requests in a timely manner. The Buyer may also report information about compensation, payments or transfers of value that Service Provider provides to U.S. physicians and teaching hospitals as otherwise required by law and the Buyer reserves the right to post on a website accessible to the public such information, whether or not required by law. 

Disclosure of Relationship
 

If Service Provider participates on any committee or board that establishes formulary or other clinical standards, Service Provider will disclose to such committee or board the nature of the Agreement and Service Provider’s relationship with Company.

Conflict of Interests for Service Providers who are Individuals

Where the provision of services by Service Provider (and/or his, her, or its subcontractor) is subject to professional and/or employment rules (such as conflicts of interest or ethics policies) established by the Service Provider’s (and/or his, her or its subcontractor’s) employer or a professional organization or institution with which the Service Provider (and/or his, her or its subcontractor) is affiliated, Service Provider (and/or his, her or its subcontractor) warrants that he/ she/it shall comply fully with such rules, including, as applicable, obtaining any required approval(s) prior to delivering the services and making any required reports. Service Provider (and/or his, her or its subcontractor) shall acknowledge this obligation by executing a Certification in the form of the following and returning the same to Company:

 

Conflict of Interest Certification
 

Dear Healthcare Professional:

In assuming contractual obligations to Company the undersigned Healthcare Professional agrees that financial ties between healthcare professionals and industry may create Conflicts of Interest, both real and perceived, which must be identified and resolved to preserve the public’s trust by ensuring the independence of professional judgment and the integrity of educational and research endeavors. It is the policy of Company to verify that healthcare professionals who receive funding from or provide services to the company abide with any applicable institutional Conflict of Interest policies.

Accordingly, please complete the information below, sign, and return to our attention at your first opportunity.

 

*        *        *
 

I have assessed whether any institutional Conflict of Interest policies apply to me by virtue of my employment or professional affiliation with regard to the above referenced arrangement with [Company. Further, with respect to such Conflict of Interest policies I certify the following:

[  ]     No Conflict of Interest policies apply

[  ]     I have complied and will continue to comply fully with all applicable Conflicts of Interest requirements (e.g., approval, disclosure or reporting requirements, compensation or other limits on outside research, or reporting of compensation) imposed by all Institutions whose internal rules and policies apply to me.

 

                                                                               
Signed                                                 Dated
 

Part D –Protection of Personal Information

1. Definitions
   
   "Personal Information" means data that identifies or can be used to identify an individual.

"Privacy Breach" means any unauthorized access, acquisition, use, disclosure or destruction of, or damage to, Personal Information, or any breach of applicable law or the Agreement with respect to the Processing of Personal Information by Service Provider.

"Process," "Processed," and "Processing" means the collection, possession, use, disclosure, transfer, storage, deletion, combination, access or other use of Personal Information as contemplated by applicable privacy and data protection laws.

2. Personal Information Privacy & Data Protection
   
   In connection with Processing Personal Information that is received or accessed by Service Provider from Buyer or its affiliates, or from their employees, representatives or contractors, or others on behalf of Buyer or its affiliates, Service Provider will, and will ensure that any person engaging in Processing Personal Information on its behalf in connection with the Agreement will, comply with this Part D.
   1. Service Provider shall Process Personal Information only to perform its obligations under this Agreement or as otherwise instructed by Buyer in writing from time to time.
   2. Service Provider shall ensure that Personal Information is not disclosed to, transferred to or allowed to be accessed by any third party (including subcontractors and affiliates) without the prior written consent of Buyer except as specifically set forth in this Agreement. In the event Buyer so consents to Service Provider disclosing, transferring and/or allowing access to Personal Informational to a third party, Service Provider shall ensure in advance that such third party is bound in writing to terms at least as restrictive as this Exhibit with respect to Personal Information, provide such writing to Buyer promptly upon request and fulfill applicable legal requirements, such as execution of data transfer agreements between the Service Provider and the third party. Service Provider shall remain responsible for all actions by such third parties with respect to the Personal Information.
   3. Service Provider shall ensure that Personal Information is not disclosed to, transferred to and/or allowed to be accessed by or otherwise Processed by its employees or personnel in any country other than those set forth in this Agreement unless previously agreed to in writing by Buyer. In the event that Buyer allows Service Provider to expand the list of countries to which the data may be transferred, Service Provider agrees to cooperate with Buyer in meeting any additional regulatory or legal requirements necessary to allow such transfers.
   4. Service Provider shall, to the extent required as part of Service Provider's obligations under this Agreement, ensure that all Personal Information Processed by Service Provider is accurate and, where required, kept up-to-date, and ensure that any Personal Information that is inaccurate or incomplete is erased or rectified in accordance with Buyer’s instructions, this Agreement, or applicable law.
   5. Service Provider shall, unless specifically prohibited by applicable law, (i) promptly (and in any event within five (5) days of receipt) notify Buyer in writing if Service Provider receives any requests, complaints or inquiries from an individual with respect to Personal Information Processed by Service Provider including, opt-out requests, requests for access and/or rectification and allegations that the Processing infringes an individual’s rights under applicable law and, (ii) not respond to any such requests, complaints or inquiries unless expressly authorized to do so by Buyer.
   6. Service Provider shall notify Buyer in writing immediately (and in any event within five (5) days) whenever Service Provider reasonably believes that there has been any Privacy Breach. Such notice will provide detailed information regarding such Privacy Breach, including its nature and scope; actual or potential cause; any reports to law enforcements; and, measures being taken to investigate, correct, mitigate, and prevent future Privacy Breaches. Service Provider will provide, at Service Provider’s sole cost, reasonable assistance and cooperation requested by Buyer to investigate and notify affected individuals, regulatory bodies, or credit reporting agencies with respect to any such Privacy Breach. Service Provider will also remediate and mitigate the effects of the Privacy Breach as Buyer deems appropriate, including any notification that Buyer or an applicable regulatory body may determine appropriate to send to individuals impacted or potentially impacted by the Privacy Breach and/or the provision of any credit reporting or other remedial service. Service Provider shall not notify any individual or any third party of any Privacy Breach without Buyer's prior consent except to the extent required by law and, in such case, Service Provider shall promptly notify Buyer of such requirement. In addition, within thirty (30) days of identifying or being informed of a Privacy Breach, Service Provider shall develop and execute a plan, subject to Buyer’s approval, that reduces the likelihood of a recurrence of such Privacy Breach. Without limiting any other rights of Buyer under this Agreement, Buyer may at its discretion immediately terminate this Agreement as a result of a Privacy Breach without Buyer having any financial or other liability of any nature whatsoever to Service Provider resulting from such termination.
   7. Service Provider shall immediately cease Processing and promptly return, archive, or destroy Personal Information in its possession, in accordance with Buyer’s instructions, when no longer necessary to provide the Services to Buyer, upon termination or expiration of this Agreement for any reason, or immediately upon Buyer’s request. When disposing of any paper, electronic or other record containing Personal Information (including Personal Information retained by Service Provider for disaster recovery and data back-up), Service Provider shall do so by taking all reasonable steps to destroy the information by: (i) shredding; (ii) permanently erasing and deleting; (iii) degaussing; or, (iv) otherwise modifying the Personal Information in such records to make it unreadable, unreconstructable and indecipherable.
   8. If Service Provider is required by law or receives any order, demand, warrant or any other document requesting or purporting to compel the production of Personal Information (such as oral questions, interrogatories, requests for information or documents in legal proceedings, subpoenas, civil investigative demands or other similar processes), Service Provider shall, except to the extent prohibited by law, immediately notify Buyer and shall not produce the Personal Information for at least forty-eight (48) hours following such notice to Buyer so that Buyer may, at its own expense, exercise such rights as it may have under law to prevent or limit such disclosure. In addition to the foregoing, Service Provider shall exercise commercially reasonable efforts to prevent and limit any such disclosure, to otherwise preserve the confidentiality of the Personal Information and shall cooperate with Buyer with respect to any action taken with respect to such request, complaint, order or other document, including to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to the Personal Information.
   9. At any time during the term of this Agreement, upon request and in a reasonable time and manner, Service Provider shall make its internal policies, procedures, practices, and books and records relating to the privacy and security of Personal Information and the Processing of Personal Information available to Buyer and/or its affiliates for review.
   10. Service Provider shall provide Buyer and its affiliates and their representatives upon reasonable request with: (i) access to Service Provider’s premises and records; (ii) assistance and cooperation of Service Provider’s relevant staff; and (iii) facilities at Service Provider’s premises for the purpose of auditing Service Provider’s compliance with its obligations in this Exhibit. Upon notice to Service Provider, Service Provider shall assist and support Buyer in the event of an investigation by any regulator, including a data protection regulator, if and to the extent that such investigation relates to Personal Information handled by Service Provider for Buyer. Such assistance shall be at Buyer’s expense, except where such investigation was required due to Service Provider’s acts or omissions, in which case such assistance shall be at Service Provider’s expense.
   11. Upon Buyer’s request, Service Provider shall enter into data transfer agreements with Buyer and Buyer's affiliates as needed to satisfy cross-border transfer obligations relating to Personal Information, such as the Standard Contractual Clauses issued by the European Commission or a Safe Harbor Onward Transfer Agreement.
   12. Service Provider shall take any other steps reasonably requested by Buyer to assist Buyer in complying with any notification, registration or other obligations applicable to Buyer or its affiliates under laws relating to Processing Personal Information under this Agreement. In the event that this Agreement, or any actions to be taken or contemplated to be taken in performance of this Agreement, do not or would not satisfy either party’s obligations under such laws, the parties shall cooperate with each other and execute an appropriate amendment to this Agreement.
   13. Notwithstanding anything to the contrary in this Agreement, Buyer’s affiliates are intended third-party beneficiaries of this Exhibit, shall be entitled to its benefits and shall be entitled to enforce this Exhibit as if each were a signatory hereto.
   14. Service Provider agrees to indemnify, defend and hold harmless Buyer and its affiliates and their directors, employees, and agents from and against any and all claims and resulting damages, liabilities, expenses, fines and losses of any type, to the extent arising out of, or relating to the following: (i) Service Provider’s failure (or the failure of any personnel, contractor, or agent of Service Provider) to comply with the obligations under this Exhibit; (ii) any Privacy Breach; and (iii) any negligence or willful misconduct by Service Provider, its personnel, contractor or agents or any third party to whom Service Provider provides access to Personal Information.

Part E - Employees

All employees providing material portions of the services shall have adequately performed similar duties for other companies and possess not only the appropriate education and technical skills, but also the ability to communicate clearly to Company and to follow directions. Service Provider will ensure that its personnel are adequately trained on Health Care Compliance, Privacy and all other requirements necessary to perform the services. Service Provider will maintain documentation of training materials and personnel training records.

 

Employment of Young Persons
 

This policy applies to the employment by Service Provider of persons under the age of 18 (“Young Persons”) in the manufacture of any product, or any component of any product, or any services provided to Johnson & Johnson or any of its affiliates worldwide.

 

Age, Health & Safety
 

No person under the age of 16 shall be employed. No person between the ages of 16 and 18 shall be employed unless such employment is in compliance with the health, safety and moral provisions of the International Labour Organization Convention 138 Concerning Minimum Age (“ILO Convention 138”), a summary of which appears below.

 

Hours
 

No young person shall be required to work more than 48 hours of regularly scheduled time and 12 hours of overtime per week, nor more than six days per week.

 

Laws & Regulations
 

No young person shall be employed unless such employment is in compliance with all applicable laws and regulations concerning age, hours, compensation, health and safety.

 

External Manufacturers
 

No manufacturer shall be engaged to manufacture any product, or any component of a product, for Johnson & Johnson or any of its affiliates worldwide unless such manufacturer has entered into an enforceable written agreement to comply with this policy, submit to periodic compliance inspections, maintain the records necessary to demonstrate compliance and provide annual certifications of compliance. If any such manufacturer shall be found to be in breach of such agreement, the manufacturer’s engagement shall be terminated.

 

Exceptions & Interpretations
 

Upon good cause shown in a specific situation, an exception to the Age and Hours (but not Health & Safety) provisions of this policy may be granted by the responsible Executive Committee Member with the concurrence of the Vice President, Administration, if such exception is consistent with ILO Convention 138 and all applicable laws and regulations. (See attached summary of ILO convention 138.) Requests for definitive interpretations of this policy should be directed to the General Counsel.

(NOTE. The Age provision of the Johnson & Johnson Policy on the Employment of Young Persons is more restrictive than ILO Convention 138. The following summary is provided only as an explanatory supplement to the Health & Safety and Exceptions provisions of the Johnson & Johnson policy. For guidance on specific situations, please contact the Johnson & Johnson Law Department.)

 

Summary of ILO Convention No. 138 Concerning Minimum Age
 

For work likely to jeopardize the health, safety or morals of the worker, the minimum age is 18; if there is adequate protection and training of the worker, then the minimum age for such work is 16.  (No exception to this provision is available under the Johnson & Johnson policy.)
For work which is not likely to jeopardize the health, safety or morals of the worker, the minimum age is 14. (Requires an exception under the Johnson & Johnson policy.)
(Requires an exception under the Johnson & Johnson policy.)

Part F - Record Keeping

All paper or electronic records, files, documents, work papers and other information in any form, whether marked “confidential” or not (the “Files and Work Papers”), provided by Company, its employees, agents or affiliates or generated pursuant to the Agreement shall remain the exclusive property of Company. Service Provider (and its subcontractors and agents) shall use Company Files and Work Papers only as permitted by the Johnson & Johnson Guideline for Management of Records in Third Party Relationships (the “Guideline”) set forth below. Service Provider shall permit representatives of Company to enter Service Provider’s premises unannounced at any reasonable time for a site visit, and Service Provider shall ensure that representatives of Company shall be permitted to enter the premises of any subcontractor or agent of Service Provider, unannounced at any reasonable time, in order to assess Service Provider (or its subcontractors or agents) compliance with the Guideline. Service Provider (and its subcontractors and agents) shall maintain the records necessary to demonstrate compliance with the Guideline and shall provide to Company a written certification upon request of Company. Service Provider’s failure to comply with this Section shall be considered a material breach of the Agreement and Company shall have the right to terminate the Agreement forthwith, effective upon 10 days’ prior written notice, and without payment of any penalty or termination fee.

 

Johnson & Johnson Guideline for Management of Records in Third Party Relationships
 

Company Files and Work Papers must not be used by Service Provider, its employees, agents, affiliates, or others for their own gain.
Company Files and Work Papers related to Service Provider’s agreement with Company must be generated, maintained and managed separately from files generated, managed or maintained by Service Provider under agreements with other companies.  In addition, those employees or agents of Service Provider working on projects for Company cannot work on projects for competitors of Company at the same time where a conflict of interest might occur.
Company Files and Work Papers that are created or modified by Service Provider in electronic format must be submitted to Company in electronic format or as otherwise directed by Company.
Company Files and Work Papers must not be stored within Service Provider’s or its employees’ or agents’ homes.
Files and Work Papers of Company must be destroyed on a timely basis as follows:
1.     Files and Work Papers provided to Service Provider by or on behalf of Company or generated by Service Provider pursuant to Service Provider’s agreement with Company shall be kept in Service Provider’s possession only so long as it serves a necessary business purpose, the project is ongoing and, in no case, longer than the time specified in Service Provider’s agreement with Company without the express written permission of Company.

2.     Only final Work Papers (i.e., work products) may be retained after the completion of a project, but in no case beyond termination of Service Provider’s agreement with Company, without the express written permission of Company.

3.     Upon termination of Service Provider’s agreement with Company for any reason and/or upon Company’s written request, all Files and Work Papers prepared by Service Provider in connection with services rendered under Service Provider’s agreement with Company shall be returned to Company or destroyed as directed by Company. No copies are to be made or retained by Service Provider.

4.     Notwithstanding the above requirements, Service Provider must maintain records to the extent required by state and federal statutes and regulations, as applicable.

5.     Service Provider must promptly notify Company prior to destruction of any Company Files and Work Papers so that it can be verified that records are not pertinent to any litigation or government inquiry or otherwise required to be maintained before their destruction.

6.     Service Provider must promptly notify Company prior to the production of subpoenaed Company Files and Work Papers so that Company may seek a protective order or other appropriate protection for Company Files and Work Papers.

Part G – Responsibility Standards for Suppliers

In performing under this Agreement, Service Provider agrees to adhere to the Johnson & Johnson Responsibility Standards for Suppliers, as amended from time to time (posted on jnj.com:  Responsibility Standards for Suppliers https://www.jnj.com/partners/responsibility-standards-for-suppliers).

Part H - Data Safeguards

I.     Service Providers who possess Company information that is not publicly available, have access to Company information or computing resources using Service Provider’s computing and network resources over a network-to-network connection, or host any Company information on a Service Provider-hosted, Internet-facing website or web application, shall have in place and maintain an information security program that encompasses administrative, technical, and physical safeguards that meet or exceed the requirements specified in the current SISR (as defined in Section VI of this Part I) and applicable industry standards to protect against threats both to the unauthorized or accidental destruction, loss, alteration, or use of, and the unauthorized disclosure or access to such Company information. Service Providers that collect, disclose, transfer, store, delete, combine or otherwise use Personal Information (as defined in Part D of these Supplemental Terms) for or on behalf of Company, shall also comply with the requirements set forth in Part D.

II.     If Service Provider uses a Service Provider computing resource to access the Internet in order to view or input Company information that is not publicly available, provided that Service Provider does not electronically or physically retain any Company non-public information subsequent to such access, Service Provider’s obligation with respect thereto is limited to meeting or exceeding the Internet Access Only Requirements specified in the current SISR and any applicable industry standards reasonably intended to protect against threats both to the unauthorized or accidental destruction, loss, alteration, or use of, and the unauthorized disclosure or access to non-public information.

III.     Service Provider personnel (employees, contractors and other individuals) who operate, manage or maintain Company computing and networking resources shall provide those services in compliance with the current IAPP (as defined in Section VI of this Part I), including the deliverables produced under the Agreement (or a statement of work, work order or similar document executed thereunder).

IV.     "Service Provider personnel who are provided access to Company facilities and/or network and computing resources shall abide by all applicable IAPP Acceptable Use policies and complete the information security training approved by Company. For such personnel, Service Provider shall conduct background checks and/or other investigations deemed necessary, as appropriate and permitted by applicable law. Service Provider personnel with direct, unrestricted access to the Johnson & Johnson Network (“JJNET”) shall complete Company IAPP awareness training upon initial access to JJNET and annually thereafter. Service Provider access or connectivity may be terminated at any time upon violation of policies and/or misuse or abuse of privileges.

V.     "If Service Provider discovers or is notified of a breach or potential breach of security relating to Company information that is not intended for public release, Service Provider shall (a) notify Company within 24 hours of such breach or potential breach and (b) if the applicable Company information was in the possession of Service Provider at the time of such breach or potential breach, Service Provider shall (i) investigate and remediate the effects of the breach or potential breach and (ii) provide Company with satisfactory assurance that such breach or potential breach will not reoccur. If such breach or potential breach of security relating to Company information concerns “Personal Information” (as defined in Part D of these Supplemental Terms), Service Provider shall also comply with the requirements of Part D relating to notifications to Company and individuals, and other requirements, in the event of a “Security Breach”.

VI.     "No Company information shall be sold, assigned, leased or otherwise disposed of to a third party by or for Service Provider or commercially exploited by or on behalf of Service Provider or its personnel.

"IAPP" means the Johnson & Johnson Worldwide Policies on Information Asset Protection in effect as of the Effective Date and as revised from time to time by Company and provided to Service Provider. “SISR” means the Johnson & Johnson Service Provider Information Security Requirements in effect as of the Effective Date of the Agreement and as revised from time to time by Company and provided to Service Provider. Service Provider shall have 30 days after receipt of an IAPP or SISR revision from Company to reject any new requirements contained therein. If Service Provider rejects the revised IAPP or SISR, Company shall have the right to terminate the Agreement. If Service Provider intends to implement a change to its systems, policies or procedures that would reduce the level of safeguards already in place, Service Provider shall notify Company and, upon Company's approval, implement such change.