DATA PROCESSING AGREEMENT
In this relationship Mediapharm is engaged by the Customer to process personal data. In this connection, Mediapharm has the role of ‘Processor’ and the Customer has the role of ‘Controller’. This Processor’s Agreement is an integral part of the agreements between the Parties (referred to below as: ‘the Agreement’).
THIS AGREEMENT IS BETWEEN:
(1) Mediapharm Ltd, a company registered in England under number 4747439, whose registered office is 406 Roding Lane South, Woodford Green, Essex IG8 8EY and whose trading address is 1 Cresswell Park, Blackheath Village, London, SE3 9RD
(the "Processor");
(2) Customer
(“the Controller”).
RECITALS
(A) The Processor has agreed to provide the Services (as defined below) on the terms set out in the Services Agreement (as defined below).
(B) The parties wish to enter into this agreement to take account of their respective obligations under the GDPR (as defined below), and to supplement the provisions in the Services Agreement, on the terms set out below.
IT IS AGREED as follows:
1. DEFINITIONS
1.1 In this agreement the following words and expressions shall have the following meanings unless the context otherwise requires:
“Appropriate Technical and Organisational Measures” shall be interpreted in accordance with the Privacy Laws.
“Customer Personal Data” means any Personal Data, the Processing of which is subject to Privacy Laws, that is controlled by the Customer and its customers (where applicable) which the Processor Processes in the course of providing the Services under the Services Agreement, wherever the Processing takes place.
“Data Controller” shall be interpreted in accordance with the Privacy Laws.
“Data Processor” shall be interpreted in accordance with the Privacy Laws.
“Data Subject” shall be interpreted in accordance with the Privacy Laws.
“EU Data Protection Law” means all applicable EU data protection and privacy laws, including:
(i) prior to 25 May 2018, the EU Data Protection Directive 95/46/EC and, on and after 25 May 2018, the General Data Protection Regulation 2016/679;
(ii) the Privacy and Electronic Communications Directive 2002/58/EC; and
(iii) any other European Union or EU Member State laws made under or pursuant to (i) or (ii), in each case as such laws may be amended or superseded from time to time.
“GDPR” means the General Data Protection Regulation (EU) 2016/679.
“Personal Data” shall be interpreted in accordance with the Privacy Laws.
“Personal Data Breach” shall be interpreted in accordance with the
“Privacy Laws” means applicable laws serving to ensure the protection of Personal Data (including in connection with the Processing of Personal Data), and the protection of the rights and freedoms (in particular, their right to privacy) of Data Subjects relating to their Personal Data, including EU Data Protection Law and UK Data Protection Law, in each case as such laws may be amended or superseded from time to time.
“Processing” shall be interpreted in accordance with the Privacy Laws (and “Process” shall be construed accordingly).
“Services” means the services provided by the Processor to the Customer as agreed from time to time and in accordance with the Services Agreement.
“Services Agreement” means the services agreement which has been entered into by the Processor and the Customer or, in the absence of a specific services agreement, the standard Terms and Conditions of the Processor.
“UK Data Protection Law” means all applicable UK data protection and privacy laws including any UK law which replaces EU Data Protection Law, or which implements or transposes EU Data Protection Law into UK law.
2. DATA PROTECTION
2.1 The Processor agrees, in relation to the Customer Personal Data, that the Customer is the Data Controller (and therefore controls what happens to the Customer Personal Data) and the Processor is the Data Processor. The clauses in this agreement only apply to the extent that the Processor is Processing Personal Data on behalf of the Customer.
2.2 The subject-matter and the duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects are set out in Schedule 1 to this agreement.
2.3 The Processor acknowledges and agrees that nothing in this agreement relieves the Processor from its responsibilities and liabilities under the Privacy Laws.
2.4 The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Processor in accordance with this agreement.
2.5 When the Processor Processes Customer Personal Data in the course of providing the Services, the Processor will:
2.5.1 Process the Customer Personal Data only in accordance with written instructions from the Customer, including with regard to transfers of Customer Personal Data to a third country or international organisation except where required to do so by law. If the Processor is required by law to Process the Customer Personal Data for any other purpose, the Processor will inform the Customer of this requirement before the Processing, unless that law prohibits this on important grounds of public interest. If the Customer issues a direction to the Processor which requires the Processor to do something that is inconsistent with the terms of the Services Agreement, the Processor may wish to make a reasonable charge, in which case that charge will be as agreed in writing between the parties. The Customer hereby instructs the Processor to respond on the Customer’s behalf to inbound communications received by phone, email, post or other means as part of the Services, to carry out any Processing which is required in order to provide the Services, and to accept any verbal instructions from the Customer given via phone from time to time with regard to provision of the Services (in which event the Processor may at its sole discretion require written confirmation of the instructions prior to their execution);
2.5.2 take reasonable steps to ensure the reliability and competence of the Processor personnel who have access to the Customer Personal Data;
2.5.3 ensure that the personnel required to Process the Customer Personal Data:
(a) are informed of the confidential nature of the Customer Personal Data;
(b) are subject to appropriate obligations of confidentiality; and
(c) do not publish, disclose or divulge any of the Customer Personal Data to any third party unless directed in writing to do so by the Customer;
2.5.4 implement and maintain Appropriate Technical and Organisational Measures to protect the Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure;
2.5.5 taking into account the nature of the Processing, assist the Customer:
(a) by taking Appropriate Technical and Organisational Measures and in so far as it is possible, in fulfilling the Customer’s obligations to respond to requests from Data Subjects exercising their rights. The Processor shall notify the Customer of any requests from Data Subjects without undue delay; and
(b) in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR or equivalent provisions in the Privacy Laws;
2.5.6 on expiry of the Duration of the Processing specified in Schedule 1, at the Customer’s option, either delete or return to the Customer all the Customer Personal Data (unless the Processor is required to retain it by law). In the event that the Customer doesn’t issue specific instructions, any original paper documents containing Customer Personal Data will be returned to the Customer and all other Customer Personal Data will be deleted. If the Customer requires the Processor to delete the Customer Personal Data in any other circumstances, the Processor may make a reasonable charge for doing so; and
2.5.7 make available to the Customer all information necessary to demonstrate its compliance with its obligations in this agreement and allow the Customer and its auditors or authorised agents to conduct audits and inspections during the term of the Services Agreement (and provide reasonable assistance in connection therewith) for the purpose of verifying that the Processor is Processing Customer Personal Data in accordance with the Processor’s obligations under this agreement, the Services Agreement and applicable Privacy Laws provided that the Customer (a) will not exercise its audit rights more than once in any 3 year period save where the Customer reasonably believes that a further audit is required due to a Personal Data Breach; (b) gives at least 30 days’ written notice of its intention to audit, including specific details on the scope of the audit and any required evidence; (c) conducts its audit during normal business hours and limits its audit to a maximum of 2 business days; and (d) takes all reasonable measures to prevent material business interruption to the Processor.
2.6 The Customer consents to the Processor appointing third party sub-processors to Process the Customer Personal Data to assist the Processor in providing the Services provided that the Processor notifies the Customer by email at least 30 days in advance of the appointment thereby giving the Customer the opportunity to object to such appointment. A list of sub-processors correct at the date of this agreement is set out in Schedule 2 to this agreement, and the Customer hereby gives consent to the Processor appointing those sub-processors. Where the Processor appoints a sub-processor to carry out any part of the Services, the Processor must ensure the reliability and competence of the sub-processor, its employees and agents who may have access to the Customer Personal Data and must include in any contract with the sub-processor provisions in favour of the Customer which are substantially similar to those in this clause 2 and as required by applicable Privacy Laws. For the avoidance of doubt, where a sub-processor fails to fulfil its obligations under any sub-processing agreement or any applicable Privacy Laws, the Processor will remain fully liable to the Customer for the fulfilment of the Processor’s obligations under this agreement and the Services Agreement. Should the Customer object to the Processor appointing a sub-processor prior to its appointment then provided such objection is based on reasonable grounds relating to data protection the Processor will either not appoint the sub-processor or, if this is not reasonably possible, at the Processor’s sole discretion the Customer may suspend or terminate the Services Agreement without penalty (without prejudice to any fees incurred by the Customer up to and including the date of suspension or termination).
2.7 If the Customer wishes the Processor to transfer Customer Personal Data to or from any third party which is contracted directly to the Customer (or third party system which is organised by or on the instruction of the Customer) then the Customer must give authority by way of instruction to the Processor in writing, such authority to remain in place (unless such authority clearly relates to a one-time access) until it is specifically revoked in writing by the Customer. A list of such third parties to and from which the Customer authorises the Processor to transfer Customer Personal Data correct at the date of this agreement is set out in Schedule 3 to this agreement, and the Customer hereby gives such authority.
2.8 The Processor shall notify the Customer immediately if, in the Processor’s opinion, an instruction for the Processing of Customer Personal Data given by the Customer infringes applicable Privacy Laws. The Processor may refuse to execute such instructions.
2.9 The Processor shall communicate any claims or requests in respect of the Customer Personal Data without delay to the Customer to enable the Customer to provide details to its customers.
2.10 If the Processor becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to any Customer Personal Data that the Processor Processes when providing the Services (a "Personal Data Breach"), the Processor will:
2.10.1 notify the Customer within two working days;
2.10.2 provide the Customer (as soon as possible) with a detailed description of the Personal Data Breach, the type of Customer Personal Data that was the subject of the Personal Data Breach and the identity of each affected person, as soon as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information the Customer may reasonably request relating to the Personal Data Breach); and
2.10.3 not release or publish any filing, communication, notice, press release, or report concerning the Personal Data Breach without the Customer’s prior written approval (except where required to do so by law).
2.11 The Processor may notify the Customer if, in the Processor’s opinion, an instruction for the Processing of Customer Personal Data given by the Customer may increase the risk of a Personal Data Breach occurring.
2.12 If the Processor has notified the Customer in accordance with clause 2.8 or clause 2.11 and the Customer subsequently instructs the Processor to execute the original instruction then the Customer hereby indemnifies the Processor against all liabilities which may arise as a result of any Personal Data Breach occurring.
2.13 Unless the Customer instructs the Processor to the contrary, the Processor may scan any paper documents in its possession containing Personal Data, securely shred the original, and store the resulting scan image electronically if the Processor considers this to be in accordance with Appropriate Technical and Organisational Measures.
2.14 If, pursuant to Article 28(7) or Article 28(8) of the GDPR, the Information Commissioner adopts standard contractual clauses for the matters referred to in Article 28(3) and Article 28(4) of the GDPR and the Customer notifies the Processor that it wishes to incorporate any element of any such standard contractual clauses into the Agreement, the Processor will agree to the changes as reasonably required by the Customer to achieve this.
2.15 The Processor will not Process Customer Personal Data outside the European Economic Area, or a country in respect of which a valid adequacy decision has been issued by the European Commission, except with the prior written consent of the Customer. Where the Customer gives its consent, such transfers will be made subject to the terms of the model clauses for the transfer of Personal Data to data processors established in third countries adopted by the European Commission or any replacement or additional form approved by the European Commission or as applicable in the UK.
3. GENERAL
3.1 In the event of any conflict between the Services Agreement and this agreement, the provisions of this agreement shall prevail to the extent that they are more stringent than those in the Services Agreement. Save as specifically modified and amended in this agreement, the terms and conditions contained in the Services Agreement shall remain in full force and effect and shall govern this agreement.
3.2 This agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and interpreted in accordance with English law.
3.3 The Processor and the Customer irrevocably agree that the English courts have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) that arises out of, or in connection with, this agreement or its subject matter or formation.
SCHEDULE 1
Subject-matter of the Processing: The Processing of Personal Data in the course of the Processor providing the Services to the Customer and discharging any legal obligations imposed on the Processor.
Duration of the Processing: The term of the Services Agreement including the data retention period thereafter.
Nature and purpose of the Processing: The collection, transmission, storage and deletion of Personal Data in order to provide the Services to the Customer on the terms set out in the Services Agreement.
Type of Personal Data: The Customer Personal Data may include, among other information, learning records, personal contact information (such as name, address, telephone or mobile number), information contained in telephone messages, emails and written correspondence, information provided by the Data Controller to the Processor and information provided directly by the Data Subject to the Processor, information contained in telephone call recordings, special categories of Personal Data (e.g. data relating to health), and/or other data transmitted as a consequence of the Data Controller and its end users using the Processor’s services under the terms of the Services Agreement.
Categories of Data Subject: Data Subjects may include the Customer’s representatives (including employees, contractors, partners, agents and other individuals authorised to act on behalf of the Customer), end users of the Customer and its customers, and individuals attempting to communicate or transfer Personal Data to end users of the Processor’s services.