...
9.2 Data Subject Access Requests.
9.2.1 If either Party receives a Data Subject Access Request related to Personal Data covered by this Part 2:
9.2.1.1 it shall notify the other within five (5) Business Days of receiving the Data Subject Access Request;
9.2.1.2 Providers shall be responsible for responding to the Data Subject Access Request received by them;
9.2.1.3 PKB shall provide Providers with reasonable assistance in responding to the Data Subject Access Request including, taking into account the nature of the Processing, assisting Providers by appropriate technical and organisational measures, insofar as this is possible, to respond to requests from Data Subjects exercising their rights under Data Protection Law; and
9.2.1.4 Providers shall keep PKB reasonably informed as to the status and resolution of the Data Subject Access Request.
10. DATA MINIMISATION (INCLUDING OPT-OUT) AND PSEUDONYMISATION
10.1 Taking into account the cost of implementation and the nature, scope, context and purposes of Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects, each Party shall implement appropriate technical and organisational measures, including pseudonymisation, to ensure that the use of Personal Data in relation to the Processing is minimised.
10.2 Each Party shall periodically review the data minimisation measures implemented in accordance with this clause 10, and may agree with the other Party further steps to be taken to ensure the minimisation of Personal Data as may be required by Data Protection Law, and in any case no less frequently than every three years.
11. GENERAL OBLIGATIONS OF THE PARTIES
11.1 Each Party shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or accidental access, loss, alteration, disclosure, destruction or other unauthorised or unlawful forms of Processing (such measures may include, where appropriate, the pseudonymisation and encryption of Personal Data covered by this Part 2 and other measures referred to in Article 32(1) of the GDPR).
11.2 Each Party shall ensure that its personnel who have access to Personal Data covered by this Part 2 for the performance of this Agreement are under an obligation of confidentiality and ensure that such access is limited to those individuals who need to know and access PKB Data.
11.3 Upon becoming aware of a Personal Data Breach relating to Processing where both Parties are Joint Controllers, each Party shall:
11.3.1 notify the other Party in writing without undue delay, and in any event within forty-eight (48) hours (such notification to include the provision of such information as is required under Data Protection Law in respect of the Personal Data Breach);
11.3.2 promptly take reasonable steps to investigate, mitigate and remediate the Personal Data Breach; and
11.3.3 provide reasonable assistance to the other Party, in relation to the other Party’s efforts to investigate, mitigate and remediate the Personal Data Breach.
11.4 PKB shall not transfer Personal Data covered by this Part 2 from the United Kingdom to another jurisdiction without the prior written approval of the Providers and without putting in place appropriate safeguards where required for compliance with Data Protection Law.
11.5 Each Party shall notify the other Party in writing within five (5) Business Days if it receives a “Third Party Communication”, including but not limited to:
11.5.1 any communication from the ICO or any other regulatory authority in connection with Personal Data covered by this Part 2; or
11.5.2 a request from any third party for disclosure of Personal Data covered by this Part 2 where compliance with such request is required or purported to be required by Applicable Law.
11.6 Each Party shall provide the other Party with reasonable assistance in responding to any Third Party Communication and shall work with the other Party to determine the most appropriate Controller to respond to any Third Party Communication (the “Responsible Controller”), provided that nothing in this Agreement shall prevent a Party from responding to a Third Party Communication to the extent required by Applicable Law.
11.7 The Responsible Controller shall keep the other Party informed as to the status of the resolution of any Third Party Communication, and the Parties shall provide all such assistance to one another as may be reasonably requested in respect of the same.
11.8 Each Party shall provide reasonable assistance to the other Party in ensuring compliance with its obligations under Data Protection Law taking into account the nature of the Processing for the purposes of this Agreement and the information available to it, including in respect of each Party’s obligations as set out in this Agreement relating to:
11.8.1 security of Processing;
11.8.2 notification of a Personal Data Breach to the ICO;
11.8.3 communication of a Personal Data Breach to the affected Data Subjects; and
11.8.4 Data Protection Impact Assessments and any subsequent consultations with the ICO.
11.9 Each Party shall provide the other Party with such information as the other Party may reasonably request to demonstrate compliance with this Agreement, and if the requesting Party (acting reasonably) considers that such information does not demonstrate the other Party’s compliance with this Agreement, to allow for audits, including inspections, by the requesting Party or an auditor mandated by the requesting Party to verify the other Party’s compliance with this Agreement subject to:
11.9.1 such audit or inspection being conducted during the other Party’s usual business hours and on reasonable advance notice; and
11.9.2 the Party conducting the audit and any third-party auditor:
11.9.3 using reasonable endeavours to minimise any disruption on the other Party’s business; and
11.9.4 complying with any reasonable requirements imposed by the other Party to protect the safety, integrity and security of its premises and systems, and the confidentiality of the other Party’s or third-party confidential information.
11.10 Each Party shall bear its own costs of any audit or inspection under clause 11.9, unless the audit or inspection was conducted by an independent third party and such third party determines the audited Party has materially breached its obligations under this Agreement in which case the audited Party shall reimburse the auditing Party in respect of its reasonable and properly incurred costs of engaging such third party to conduct such audit or inspection.
11.11 The Parties shall keep this Agreement under review and either Party may request a change to this Agreement as may be reasonably required to comply with Data Protection Law. Upon receipt of such a request from a Party, the Parties shall discuss and consider such request in good faith and do all things reasonably necessary to comply with Data Protection Law, including varying this Agreement or entering into any subsequent agreements.
12. JOINT CONTROLLERS
12.1 Each Party acknowledges and agrees that there is a common objective in respect of the Processing and that the Parties are Joint Controllers for the purpose of Data Protection Law in respect of such Processing.
12.2 Each of the Parties shall perform the obligations allocated to it in the table below, following the allocation of responsibilities in accordance with Article 26 of the GDPR:
Compliance obligation | Responsible Party |
Publicise a contact point for Data Subjects to facilitate the exercise of their rights in relation to the Processing under this Agreement. | Providers |
Upon request, make available to Data Subjects a summary of the arrangement between the Parties under this Agreement, such summary to be in a form agreed by the Parties. | Providers and PKB |
Maintaining transparency material online to meet A13 and A14 requirements. | Providers and PKB |
13. USE OF PROCESSORS
Where PKB uses a Processor to Process Personal Data covered by this Part 2, PKB shall:
provide Providers with such information regarding such processors as Providers may reasonably request. For clarity, PKB shall not be required to provide Providers with details of any commercial terms between PKB and any Processor;
ensure that such Processing is subject to an agreement as required by Article 28(3) of the GDPR; and
where Providers have provided their prior written approval to the international transfer of Personal Data covered by this Part 2, conduct such international transfer in accordance with Data Protection Law.
COMBINATION WITH OTHER DATA
Providers acknowledge and agree that PKB may combine Providers Data with external sources of health data (including data from other Trusts, patient-inputted data and third-party application data) with the objective of increasing the quality and breadth of the Personal Data covered by this Part 2.
DATA RETENTION AND DELETION
The Parties shall not retain or Process Personal Data covered by this Part 2 under this Agreement for longer than is necessary to carry out the Agreed Purposes.
PART 3 – APPLICABLE WHERE PKB IS A PROCESSOR
...