Data Processing Agreement

The Practice = The ‘Controller’.
Tree View Designs Ltd = The ‘Processor’.

1. Introduction

For the purposes of this Agreement the terms “Data Controller”, “Data Processor”, “Personal Data”, “Sensitive Personal Data”, “Data Subject” and “Processing” (and Process and Processed shall be construed accordingly) shall have their respective meanings under the Data Protection Act 2018 (“DPA”) as amended or replaced from time to time, including by the EU General Data Protection Regulation 2016/679 together with all equivalent legislation of the UK and any other applicable jurisdiction (the “Data Protection Legislation”).

The Processor is a third party commercial organisation providing healthcare technology solutions and acting as a Data Processor for on behalf of the Controller. The Data Processor has been commissioned by the Controller to provide services identified in Schedule 1 (the “Services”).

Where the nature of those procured Services requires Tree View Designs Ltd to Process Personal Data (“Agreement Data”), the Data Protection Legislation is engaged and establishes Tree View Designs Ltd as a Data Processor.

This Agreement shall, unless terminated in accordance with clause 7, run from the duration of the terms and then automatically expire upon the secure return and /or destruction of the Agreement Data in accordance with clause 2.5.8 below.

This Agreement is governed by and shall be interpreted in accordance with the laws of England and Wales, and the Parties agree to submit to the exclusive jurisdiction of the courts of England. 

This Agreement seeks to satisfy the Controller’s obligations under the Data Protection Legislation in respect of its appointment, control and management of the Data Processor.

2. Data Processor Responsibilities

Compliance with Laws
The Processor shall not cause the Controller to breach any obligation under the Data Protection Legislation.

The Processor shall notify the Controller without undue delay, if in the delivery of the Services as an experienced supplier of the Services, it identifies any potential areas of actual or potential non-compliance with the Data Protection Legislation in respect of its Processing of Agreement Data.


The Controller authorises the Processor to Process the Agreement Data during the term of this Agreement as a Data Processor for the purposes of providing the Services only.

Sub Processing

The Processor shall not engage, use or permit any third party to carry out Processing of any Agreement Data without the prior written consent of the Controller, which may be withheld or subject to conditions at the Controller’s discretion. If the Controller has consented to the use of any third party (subsequently, an “Authorised Sub-Processor”) for the Processing of Agreement Data:

the Processor shall provide the Controller with advance notice of any intended changes to any Authorised Sub-Processor, allowing the Controller sufficient opportunity to object; and
the Authorised Sub-Processor’s activities must be specified and the same contractual terms set out in this Agreement, imposed on that Authorised Sub-Processor.
Without prejudice to this clause 2.4, the Processor shall remain responsible for all acts or omissions of the Authorised Sub-Processor as if they were its own.

Data Processor Obligations

The Data Processor shall (and shall procure that any Authorised Sub-Processor shall):
Process the Agreement Data only on documented instructions from the Controller, including this Agreement;
without prejudice to clause 2.5.1, the Processor shall ensure that Agreement Data will only be used by the Processor to the extent required to provide the Services. The Processor shall not without the express prior written consent of the Controller (a) convert any Agreement Data into anonymised, pseudonymised, depersonalised, aggregated or statistical data; (b) use any Agreement Data for “big data” analysis or purposes; or (c) match any Agreement Data with or against any other Personal Data (whether the Processor’s or any third party’s);
not permit any Processing of Agreement Data outside the UK or the European Economic Area without the Controller’s prior written consent which may be subject to conditions at the Controller’s discretion (unless the Processor or Authorised Sub-Processors are required to transfer the Agreement Data, to comply with UK, European Union or European Member State Applicable Laws and such laws prohibit notice to the Controller on public interest grounds);
ensure that any person authorised to Process the Agreement Data:
has committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality
Processes the Agreement Data solely on instructions from the Controller; and
are appropriately reliable, qualified and trained in relation to their Processing of Agreement Data;
implement (and assist the Controller to implement) technical and organisational measures to ensure a level of security appropriate to the risk presented by Processing the Agreement Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise Processed (together, a “Data Security Incident”);
notify the Controller without undue delay (and in any event no later than 24 hours) after becoming aware of a reasonably suspected, “near miss” or actual Data Security Incident. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay, and for the avoidance of doubt, the Processor and Authorised Sub-Processor may not delay notification under this clause 2.5.6 on the basis that an investigation is incomplete or ongoing, and not make or permit any announcement to any party, without the Controller’s consent, which may be subject to conditions at the Controller’s sole discretion;
provide reasonable assistance to the Controller in:
responding to requests for exercising the Data Subject’s rights under the Data Protection Legislation, including by appropriate technical and organisational measures, insofar as this is possible;
reporting any Data Security Incident to any supervisory authority or Data Subjects and documenting any Security Breach;
taking measure to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects; and
conducting privacy impact assessments of any Processing operations and consulting with any applicable supervisory authority or appropriate persons accordingly;
at the choice of the Controller, securely delete or return all Agreement Data to the Controller after the end of the provision of services relating to Processing, and securely delete any remaining copies and certify when this exercise has been completed (which shall be at least to the minimum standard set out in Schedule 2); and
hold Agreement Data physically and electronically separate to any other records or Personal Data, Processed by the Processor or Authorised Sub-Processor other than for the performance of the Services.

Information Provision

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this clause 2 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Processor shall immediately inform the controller if its instructions infringe UK, European Union or European Member State Applicable data protection Laws or provisions.


Subject to the Controller and its auditors entering into reasonable confidentiality obligations, the Processor warrants and undertakes on a continuing basis that it shall at any time upon request of the Controller, on reasonable notice and during regular business hours, at no cost to the Controller:

ensure that its staff are made available to the Controller and its auditors (whether internal and/or external);
provide all such persons with access to all relevant information (whether in electronic or hard copy form) and premises where the Personal Data is Processed; and
procure that its staff shall provide all reasonable co-operation and assistance to the Controller,
as may be necessary in the reasonable opinion of the Controller to permit an accurate and complete assessment of the Processor’s compliance with its obligations under this Agreement.

Requests from Data Subjects and Regulators

The Processor warrants and undertakes that it shall notify the Controller within five (5) working days (being any day in England and Wales that is a week day and not a bank holiday) of any complaint by a Data Subject in respect of Data relating to them or any request received from a Data Subject to have access to their Data or of any other communication relating directly or indirectly to the Data Processing in connection with this Agreement and provide all details of such complaint, request or communication to the Controller and promptly and fully cooperate and assist the Controller in relation to any such request or communication.

The Processor shall not respond directly to any Data Subject access request for their Data, to any Data Subject complaint in relation to their Data, or (unless and to the extent required by law) any communication by a Data Protection Authority to them in relation to the Data, in each case unless expressly approved in writing in advance by the Controller

3. Information Access

As a public body, The Practice (data controller) is committed to the transparency agenda and its obligations under the information access regimes. The Practice may be required to disclose documents relating to this contract or the contract itself in response to a request under these regimes.

The Processor shall provide the Controller with all reasonable assistance and co-operation to enable the Controller to comply with its obligations under the Freedom of Information Act 2000 or the Environmental Information Regulations 2004,each as amended or replaced from time to time.

The Controller shall consult the Processor regarding commercial or other confidentiality issues in relation to the Agreement, however the final decision about disclosure of information or application of exemptions shall rest solely with the Controller.

4. Agreement Variations

Any variation to the terms of this Agreement shall be agreed in writing and signed by the parties.

5. Dispute Resolution

Both signatories shall aim to resolve all disputes, differences and questions promptly by means of co-operation and mediation. Should this fail or the disputes, differences and questions cannot be resolved within 30 calendar days of notification by one party to the other, then the dispute resolutions process in the standard NHS Commissioning contract will be followed. Other terms of that contract will not be applicable to this arrangement. The performance of obligations under this Agreement shall not, save for the matter in dispute, cease or be delayed by the application of any dispute resolution procedure.

6. Liability and Indemnity

Without affecting its liability for breach of any of its obligations under this Agreement, the Processor shall, at all times during and after the termination or expiry of this Agreement, indemnify the Controller, keep the Controller indemnified and hold the Controller from and against all losses, charges, expenses and other liabilities it suffers arising out of the Processor’s loss of the Data or unauthorised or unlawful use of the Data whether arising in negligence or otherwise a breach of this Agreement and including any fine imposed on the Controller by the Information Commissioner by way of civil monetary penalty under the Data Protection Legislation.

7. Agreement Completion

The Controller may terminate this Agreement with immediate effect by written notice to the Processor on or at any time after the occurrence of an event that gives rise to an information security incident or otherwise poses a risk of non-compliance with the data protection principles. 

8. Enforcement by Third Parties

The parties to this Agreement do not intend that any of its terms will be enforceable by virtue of the Contracts (Rights of Third Parties) Act 1999 or any equivalent legislation by any person not a party to it.

9. Invalidity/Severability

If any clause or part of this Agreement is found by any court, tribunal, administrative body or authority of competent jurisdiction to be illegal, invalid or unenforceable then that provision will, to the extent required, be severed from this Agreement and will be ineffective without, as far as is possible, modifying any other clause or part of this Agreement and this will not affect any other provisions of this Agreement which will remain in full force and effect.

Schedule 1


Purpose for Processing

  • Delivery of a patient facing website on behalf of customer controllers.
  • Facilitating the submission of standard forms and subscription to practice newsletter

Data Subjects

  • Patients of Controller Customer

Data Sets

Physical address
Email Address
Date birth
Reason for contact 
Ethnic origin,
Birth town
Birth country
Previous last name
Telephone number
Current and previous GP details
Armed forces status
Carer status
Residency information
Alcohol consumption questions
Smoking questions
Free text dialogue between patient and practice

Other data fields may be defined by customer as part of agreement.

Lawful Basis / Consent Model

  • Consent (newsletter)
  • Public task and Medical purposes (forms)

Arrangements for Data on Exit from Agreement

Processor will securely destroy or return any personal data at the request of the Controller customer

Schedule 2

Data Destruction

The Processor shall ensure destruction or decommissioning of electronic media used to store or Process NHS data is destroyed or overwritten to NHS Standards as defined by NHS Digital.

In the event of any errors resulting in an inability to overwrite, the Processor shall ensure complete destruction of the media itself.

The Processor shall provide the Controller with copies of all relevant overwriting destruction / overwriting reports at the conclusion of the Agreement.

To store and Process personal data securely, and destroy it confidentially when it is no longer necessary and instructed by the Controller.