The Practice = The ‘Controller’.
Tree View Designs Ltd = The ‘Processor’.
For the purposes of this Agreement the terms “Data Controller”, “Data Processor”, “Personal Data”, “Sensitive Personal Data”, “Data Subject” and “Processing” (and Process and Processed shall be construed accordingly) shall have their respective meanings under the Data Protection Act 2018 (“DPA”) as amended or replaced from time to time, including by the EU General Data Protection Regulation 2016/679 together with all equivalent legislation of the UK and any other applicable jurisdiction (the “Data Protection Legislation”).
The Processor is a third party commercial organisation providing healthcare technology solutions and acting as a Data Processor for on behalf of the Controller. The Data Processor has been commissioned by the Controller to provide services identified in Schedule 1 (the “Services”).
Where the nature of those procured Services requires Tree View Designs Ltd to Process Personal Data (“Agreement Data”), the Data Protection Legislation is engaged and establishes Tree View Designs Ltd as a Data Processor.
This Agreement shall, unless terminated in accordance with clause 7, run from the duration of the terms and then automatically expire upon the secure return and /or destruction of the Agreement Data in accordance with clause 2.5.8 below.
This Agreement is governed by and shall be interpreted in accordance with the laws of England and Wales, and the Parties agree to submit to the exclusive jurisdiction of the courts of England.
This Agreement seeks to satisfy the Controller’s obligations under the Data Protection Legislation in respect of its appointment, control and management of the Data Processor.
2. Data Processor Responsibilities
The Processor shall notify the Controller without undue delay, if in the delivery of the Services as an experienced supplier of the Services, it identifies any potential areas of actual or potential non-compliance with the Data Protection Legislation in respect of its Processing of Agreement Data.
The Controller authorises the Processor to Process the Agreement Data during the term of this Agreement as a Data Processor for the purposes of providing the Services only.
The Processor shall not engage, use or permit any third party to carry out Processing of any Agreement Data without the prior written consent of the Controller, which may be withheld or subject to conditions at the Controller’s discretion. If the Controller has consented to the use of any third party (subsequently, an “Authorised Sub-Processor”) for the Processing of Agreement Data:
the Authorised Sub-Processor’s activities must be specified and the same contractual terms set out in this Agreement, imposed on that Authorised Sub-Processor.
Data Processor Obligations
Process the Agreement Data only on documented instructions from the Controller, including this Agreement;
without prejudice to clause 2.5.1, the Processor shall ensure that Agreement Data will only be used by the Processor to the extent required to provide the Services. The Processor shall not without the express prior written consent of the Controller (a) convert any Agreement Data into anonymised, pseudonymised, depersonalised, aggregated or statistical data; (b) use any Agreement Data for “big data” analysis or purposes; or (c) match any Agreement Data with or against any other Personal Data (whether the Processor’s or any third party’s);
not permit any Processing of Agreement Data outside the UK or the European Economic Area without the Controller’s prior written consent which may be subject to conditions at the Controller’s discretion (unless the Processor or Authorised Sub-Processors are required to transfer the Agreement Data, to comply with UK, European Union or European Member State Applicable Laws and such laws prohibit notice to the Controller on public interest grounds);
responding to requests for exercising the Data Subject’s rights under the Data Protection Legislation, including by appropriate technical and organisational measures, insofar as this is possible;
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this clause 2 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Processor shall immediately inform the controller if its instructions infringe UK, European Union or European Member State Applicable data protection Laws or provisions.
Subject to the Controller and its auditors entering into reasonable confidentiality obligations, the Processor warrants and undertakes on a continuing basis that it shall at any time upon request of the Controller, on reasonable notice and during regular business hours, at no cost to the Controller:
ensure that its staff are made available to the Controller and its auditors (whether internal and/or external);
provide all such persons with access to all relevant information (whether in electronic or hard copy form) and premises where the Personal Data is Processed; and
procure that its staff shall provide all reasonable co-operation and assistance to the Controller,
as may be necessary in the reasonable opinion of the Controller to permit an accurate and complete assessment of the Processor’s compliance with its obligations under this Agreement.
Requests from Data Subjects and Regulators
The Processor warrants and undertakes that it shall notify the Controller within five (5) working days (being any day in England and Wales that is a week day and not a bank holiday) of any complaint by a Data Subject in respect of Data relating to them or any request received from a Data Subject to have access to their Data or of any other communication relating directly or indirectly to the Data Processing in connection with this Agreement and provide all details of such complaint, request or communication to the Controller and promptly and fully cooperate and assist the Controller in relation to any such request or communication.
The Processor shall not respond directly to any Data Subject access request for their Data, to any Data Subject complaint in relation to their Data, or (unless and to the extent required by law) any communication by a Data Protection Authority to them in relation to the Data, in each case unless expressly approved in writing in advance by the Controller
3. Information Access
As a public body, The Practice (data controller) is committed to the transparency agenda and its obligations under the information access regimes. The Practice may be required to disclose documents relating to this contract or the contract itself in response to a request under these regimes.
The Processor shall provide the Controller with all reasonable assistance and co-operation to enable the Controller to comply with its obligations under the Freedom of Information Act 2000 or the Environmental Information Regulations 2004,each as amended or replaced from time to time.
The Controller shall consult the Processor regarding commercial or other confidentiality issues in relation to the Agreement, however the final decision about disclosure of information or application of exemptions shall rest solely with the Controller.
4. Agreement Variations
Any variation to the terms of this Agreement shall be agreed in writing and signed by the parties.
5. Dispute Resolution
Both signatories shall aim to resolve all disputes, differences and questions promptly by means of co-operation and mediation. Should this fail or the disputes, differences and questions cannot be resolved within 30 calendar days of notification by one party to the other, then the dispute resolutions process in the standard NHS Commissioning contract will be followed. Other terms of that contract will not be applicable to this arrangement. The performance of obligations under this Agreement shall not, save for the matter in dispute, cease or be delayed by the application of any dispute resolution procedure.
6. Liability and Indemnity
Without affecting its liability for breach of any of its obligations under this Agreement, the Processor shall, at all times during and after the termination or expiry of this Agreement, indemnify the Controller, keep the Controller indemnified and hold the Controller from and against all losses, charges, expenses and other liabilities it suffers arising out of the Processor’s loss of the Data or unauthorised or unlawful use of the Data whether arising in negligence or otherwise a breach of this Agreement and including any fine imposed on the Controller by the Information Commissioner by way of civil monetary penalty under the Data Protection Legislation.
7. Agreement Completion
The Controller may terminate this Agreement with immediate effect by written notice to the Processor on or at any time after the occurrence of an event that gives rise to an information security incident or otherwise poses a risk of non-compliance with the data protection principles.
8. Enforcement by Third Parties
The parties to this Agreement do not intend that any of its terms will be enforceable by virtue of the Contracts (Rights of Third Parties) Act 1999 or any equivalent legislation by any person not a party to it.
If any clause or part of this Agreement is found by any court, tribunal, administrative body or authority of competent jurisdiction to be illegal, invalid or unenforceable then that provision will, to the extent required, be severed from this Agreement and will be ineffective without, as far as is possible, modifying any other clause or part of this Agreement and this will not affect any other provisions of this Agreement which will remain in full force and effect.
Purpose for Processing
- Delivery of a patient facing website on behalf of customer controllers.
- Facilitating the submission of standard forms and subscription to practice newsletter
- Patients of Controller Customer
Reason for contact
Previous last name
Current and previous GP details
Armed forces status
Alcohol consumption questions
Free text dialogue between patient and practice
Other data fields may be defined by customer as part of agreement.
Lawful Basis / Consent Model
- Consent (newsletter)
- Public task and Medical purposes (forms)
Arrangements for Data on Exit from Agreement
Processor will securely destroy or return any personal data at the request of the Controller customer
The Processor shall ensure destruction or decommissioning of electronic media used to store or Process NHS data is destroyed or overwritten to NHS Standards as defined by NHS Digital.
In the event of any errors resulting in an inability to overwrite, the Processor shall ensure complete destruction of the media itself.
The Processor shall provide the Controller with copies of all relevant overwriting destruction / overwriting reports at the conclusion of the Agreement.
To store and Process personal data securely, and destroy it confidentially when it is no longer necessary and instructed by the Controller.