CLINICALWILL.APP - DATA PROCESSING AGREEMENT
1.1 This Data Processing Agreement is incorporated into the Subscriber Agreement and regulates the processing of personal data by Michael Toller Ltd trading as ClinicalWill.App (the "Data Processor") on behalf of the Client who is also the Data Controller.
2. PROCESSING OF PERSONAL DATA
2.1 Purpose: The purpose of the processing under the Subscriber Agreement is the provision of Services to the Client.
2.2 In connection with the Data Processor's delivery of the Services to the Client who is the Data Controller, the Data Processor will process certain categories and types of personal data on behalf of the Data Controller. Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.
2.3 "Personal data" includes "any information relating to an identified or identifiable natural person" as defined in GDPR, article 4 (1)” (the "Personal Data"). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are listed in Sub-appendix A. The Data Processor only performs processing activities that are necessary and relevant to perform the Services. The parties shall update Sub-appendix A whenever changes occur that necessitates an update.
2.4 The Data Processor shall have and maintain a register of processing activities in accordance with the Data Protection Laws.
3.1 The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the "Instruction"), unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processing Agreement is that the Data Processor may only process the Personal Data with the purpose of delivering the Services as described in the Subscriber Agreement. Subject to the terms of this Data Processing Agreement and with mutual agreement of the parties, the Data Controller may issue additional instructions consistent with the terms of this Agreement. The Data Controller is responsible for ensuring that all individuals who provide instructions are authorised to do so.
3.2 The Data Controller's instructions for the processing of Personal Data shall comply with Data Protection Legislation. The Data Controller will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained
3.3 The Data Processor will inform the Data Controller of any instruction that it deems to be in violation of the Data Protection Laws.
4. THE DATA PROCESSOR’S OBLIGATIONS
4.1.1 The Data Processor shall treat the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Data Controller has agreed in writing.
4.1.2 The Data Processor's employees, contractors, Trustees and/or Next of Kin shall be subject to an obligation of confidentiality that ensures that the employees shall treat the Personal Data under this Data Processing Agreement with strict confidentiality.
4.1.3 Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of the Services and the performance of this Data Processing Agreement.
4.2 The Data Processor shall ensure that employees processing the Personal Data only process the Personal Data in accordance with the Instruction.
4.3 Security Measures
4.3.1 The Data Processor shall implement the appropriate technical and organisational measures as set out in this Data Processing Agreement and in the Data Protection Laws. The security measures may be subject to technical progress and development. The Data Processor may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security.
4.4 The Data Processor shall provide documentation for the Data Processor's security measures if requested in writing by the Data Controller.
4.5 Data Protection Impact Assessments and Prior Consultation
4.5.1 If the Data Processor's assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments along with any prior consultation in accordance with the Data Protection Laws.
4.6 Rights of the Data Subjects
4.6.1 If the Data Controller receives a request from a data subject for the exercise of the data subject's rights under the Data Protection Laws and the correct and legitimate reply to such a request necessitates the Data Processor's assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Data Protection Laws.
4.6.2 If the Data Processor receives a request from a data subject for the exercise of the data subject's rights under the Data Protection Laws and such request is related to the Personal Data of the Data Controller, the Data Processor will immediately forward the request to the Data Controller.
4.7 Personal Data Breaches
4.7.1 The Data Processor shall give notice within 72 hours to the Data Controller of becoming aware of a breach occurring, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise processed by the Data Processor on behalf of the Data Controller (the "Personal Data Breach").
4.7.2 The Data Processor shall make reasonable efforts to identify the cause of the Personal Data Breach and take those steps as the Data Processor deems necessary to establish the cause, and to prevent the Personal Data Breach from reoccurring.
4.8 Documentation of Compliance and Audit Rights
4.8.1 Upon request by the Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this Data Processing Agreement, and shall allow for and reasonably cooperate with audits, including inspections by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give reasonable notice of any audit or document inspection to be conducted and shall avoid causing damage or disruption to the Data Processor’s premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than 30 days, and shall not be conducted more than once a year.
4.8.2 The Data Controller may be requested to sign a non-disclosure agreement before being furnished with the right to conduct an audit or document inspection as stipulated herein.
4.9 Data Transfers
4.9.1 Ordinarily, The Data Processor will not transfer Personal Data to countries outside the United Kingdom. If transfers out of the UK occur Data Processor will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented
(i) In some cases, personal data may be saved on storage solutions that have servers in the European Economic Area (EEA), for example, Amazon Web Services. Only those storage solutions that provide secure services with adequate relevant safeguards will be employed and a
(ii) for transfers to other areas Supplier will only transfer Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data.
5.1 The Data Processor is given general authorisation to engage third-parties ("Sub-Processors") to process the Personal Data without obtaining any further written, specific authorisation from the Data Controller, provided that the Data Processor notifies the Data Controller in writing about the identity of a Sub-Processor (and its Sub-Processors, if any). If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within 10 business days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed a consent to the relevant Sub-Processor.
5.2 In the event the Data Controller objects to a new Sub-Processor and the Data Processor cannot accommodate the Data Controller's objection, the Data Controller may terminate the Main Services by providing written notice to the Data Processor.
5.3 The Data Processor shall where appropriate require its Sub-Processors to enter into a Data Processing Agreement.
5.4 The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.
5.5 The Data Processor is at the time of entering into this Data Processing Agreement using the Sub-Processors listed in Sub-appendix B. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in Sub-appendix B under paragraph 2 as posted on the website of the Data Processor.
6. REMUNERATION AND COSTS
6.1 The Data Controller shall remunerate the Data Processor based on time spent to perform the obligations under section 5.5, 5.6, 5.7 and 5.8 of this Data Processing Agreement based on the Data Processor's hourly rates.
6.2 The Data Processor is also entitled to remuneration for any time and material used to adapt and change the processing activities in order to comply with any changes to the Data Controller's Instruction, including implementation costs and additional costs required to deliver the Main Services due to the change in the Instruction. The Data Processor is exempted from liability for non-performance of the Service Level Agreement if the performance of the obligations under the Service Level Agreement would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case; (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Data Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can be implemented; and (iii) in the period of time until the Service Level Agreement is changed to reflect the new Instruction and commercial terms thereof.
1. Categories of data subjects
In connection with its delivery of the Services the Data Processor processes Personal Data about the following categories of data subjects on behalf of the Data Controller:
b. Next of Kin
c. Trustee/Executor of Clinical/Professional Will
d. Clinical Supervisor
e. Other information relevant to the Data Controller’s business
2. Personal Data
In connection with its delivery of the Services the Data Processor processes the following types of Personal Data in connection with its delivery of the Main Services:
b. Telephone number
c. Email address
d. Other relevant information
1. Approved Sub-Processors
The following Sub-Processors shall be considered approved by the Data Controller at the time of entering into this Agreement:
a. Amazon Web Services
b. Salesforce (Heroku)
c. Stripe (payment platform)
d. Google (Gmail)
2. New Sub-Processors
The following Sub-Processors have been added and communicated to the Data Controller prior to the relevant sub-processing:
These Terms were last updated: 18th October 2021