Data Processing and Protection Agreement
GPDQ Limited, a company incorporated in England and Wales with company number 09635612 and registered address at 727-729 High Road, London, N12 0BP (GPDQ) and its associated companies use personal data, including medical information, for the provision of its services. This addendum applies where specified in an Agreement Schedule. The defined terms in the applicable Terms of Business and Client Agreement shall also apply to this document.
GPDQ’s provision of services under the terms includes a number of different elements or client types and the basis on which the Personal Data of Clients and Patients is processed will differ between these elements. GPDQ will act as a Data Controller or a Data Processor. Where the Client is a Consumer GPDQ will always act as a Data Controller. Where the Client is a Business Client GPDQ may act as a Data Processor when handling Personal Data for You. The terms below set out how GPDQ and Clients agree to act in respect of Personal Data used for the purposes of GPDQ.
The basis on which the Personal Data of Users is used is as follows:
1. The use of Patients’ Personal Data for Services.
When Patients register for Services, they agree to terms on which the Services will be provided. The registration process will confirm the basis on which We will obtain and use their Personal Data. All medical data provided will be managed strictly in accordance with the rules and legislation dealing with medical data. We will not provide this data to any other party (including a Business Client) unless We are properly permitted to do so. Where We obtain Patient data on behalf of a Business Client and the Business Client is entitled to share that data, We will be a Data Processor for the Business Client. In all other instances We will be the Data Controller and act in accordance with Our Privacy Policy. Where We act as a Data Processor the terms below will apply.
2. The provision of Personal Data by a Client
A Client may provide Personal Data to GPDQ to process or to update Personal Data held by GPDQ. The Personal Data will be held by GPDQ as Data Controller and any Business Client warrants that it has confirmed to any staff that their Personal Data will be processed by GPDQ for the purposes of the services.
Where GPDQ collects Personal Data for a Client or a Client provides Personal Data to GPDQ for which GPDQ is a Data Processor, GPDQ shall comply with the obligations set out in the Data Provision section below.
THE FOLLOWING SECTIONS APPLY TO BUSINESS CLIENTS ONLY
The following additional definitions shall apply:
| “Data Protection Legislation” |
laws and regulations that apply in relation to the Processing of Personal Data including (without limitation) the Data Protection Act 2018 and any replacement legislation coming into effect from time to time (including but not limited to the GDPR); |
| “Data Controller” |
has the meaning set out in the Data Protection Legislation; |
| “Data Processor” |
has the meaning set out in the Data Protection Legislation; |
| “GDPR” |
the General Data Protection Regulation (EU) 2016/679; |
| “Personal Data” |
has the meaning set out in the Data Protection Legislation; |
1. Data Protection Addendum Terms (Applicable for Business Clients only)
- 1.1 The protection and lawful use of Personal Data is of paramount importance to GPDQ and the Client and both parties will ensure that any Personal Data they hold is secure and managed in accordance with all legal obligations. GPDQ takes the management of data very seriously and looks to ensure that all of its clients and suppliers do. This Addendum reflects GPDQ’s contractual commitment which is part of its overall data protection processes.
- 1.2 GPDQ and the Client agree to perform obligations under the Agreement between the parties whilst adhering to the requirements of the Data Protection Legislation. Both parties agree to comply with all aspects of the Data Protection Legislation and that in the event that any provision of the agreement would contradict the Data Protection Legislation it will be treated as being subject to the Data Protection Legislation.
- 1.3 The use of Personal Data is as set out above and in the Client Agreement. GPDQ will collect and process information on Patients in accordance with and subject to its Privacy Policy. All Patients shall have access to the Privacy Policy. GPDQ will process any information where it acts as Data Processor for the Client in accordance with the Client’s written instructions and at all times take appropriate technical and operational security measures to protect any personal data.
- 1.4 Personal Data provided to a third party service provider will be provided either under a processor agreement where they will be a Data Processor or a sub-Data Processor or collected by them subject to their own data protection policies and they will be the Data Controller of the same. They are obliged to comply with the provisions of the Data Protection Legislation in relation to the data they hold in all cases.
2. GPDQ Data Processing (Applicable to Business Clients only)
- 2.1 Where GPDQ Processes Personal Data under this Agreement as a Data Processor for the Client (who remains as the Data Controller), GPDQ will
- solely process the Personal Data for the provision of the services under the Agreement and in compliance with the Client’s written instructions;
- notify the Client promptly if GPDQ becomes aware that any instructions of the Client relating to the processing of Personal Data are unlawful;
- notify the Client of any request by a data subject to exercise a right under the Data Protection Legislation in relation to the Client’s data;
- ensure that any persons (including sub-processors) used by GPDQ to process the Client’s data are subject to legally binding obligations of confidentiality in relation to the Personal Data;
- be authorised to engage a sub-contractor to carry out any processing of Personal Data provided that such sub-contractor shall meet all obligations of GPDQ;
- to use Personal Data solely in accordance with the basis for lawful processing which applies to that data;
- take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected;
- taking into account the nature of the data processing activities undertaken provide reasonable assistance and co-operation (including without limitation putting in place appropriate technical and organisational measures) to enable the Client to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation;
- assist the Client in ensuring compliance with its obligations under the Data Protection Legislation; and
- make available to the Client all information necessary to demonstrate compliance by GPDQ and/or the Client with the Data Protection Legislation and allow for and contribute to audits, including inspections, conducted by or on behalf of the Client or by the Information Commissioners Office pursuant to Article 58(1) of the GDPR.
3. Data Breach (Applicable for Business Clients only)
In the event of a data breach the relevant party must handle it reasonably, taking into account the interests of all parties, and in accordance with the Data Protection Legislation. GPDQ and the Client must inform each other of a relevant data breach without undue delay and no later than 24 hours after becoming aware of the data breach.
The notification must include sufficient information about the data breach and any mitigating actions taken for the other party to assess the severity of the data breach, the risk posed to data subjects, the appropriateness of the steps being taken to remedy the data breach, mitigate any risk arising out of it and prevent it recurring, and the likelihood of any further data breaches.
If required and reasonable the parties will work together as required to minimise the impact, perform mitigating actions and put in place mitigating controls as soon as possible.
4. Subject Access Request (Applicable for Business Clients only)
GPDQ and the Client shall deal with all enquiries, requests, complaints and investigations by Data Subjects or any regulators in relation to the data. Should any such enquiry be received by the other party, that party shall without undue delay (and no later than 3 working days) forward that enquiry to the other party where relevant. The other party will support the resolution of the request as needed.
5. Security Measures (Applicable for Business Clients only)
The parties shall provide sufficient adequate protection of the Personal Data in respect of technical and organisational security measures. The parties must ensure that the security measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation.
The Client shall ensure that the requirements and obligations set out in the Client Agreement shall be met.
6. International Data Transfer (Applicable for Business Clients only)
Where a party exports Personal Data outside the UK the data exporter shall and shall procure that sub-contractors or third parties acting on the data exporter’s behalf who are processing Personal Data comply at all times with the Data Protection Legislation and shall not perform its or their obligations under the Agreement in such a way as to cause the Parties hereto to breach any of their respective obligations under the Data Protection Legislation.
