...
(a.) the Controller with full details and copies of the complaint, communication, data loss event or request;
(b.) such assistance as is reasonably requested by the Controller to enable the Controller to comply with an Individual Rights Request within the relevant timescales set out in the Data Protection Legislation;
(c.) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
(d.) assistance as requested by the Controller following any data loss event;
(e.) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office.
16.7 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor.
16.8 The Processor when ensuring that it has in place such Protective Measures, having been reviewed and approved by the Controller, shall follow the reasonable request of the Controller to supply such evidence as requested by the Controller within 28 days.
16.9 The Processor shall designate a Data Protection Officer or where not required by Law, authorised responsible officer who is David Stone, dpo@patientsknowbest.com.
16.10 Before any Personal Data is shared by the Providers with PKB, the Providers shall:
16.10.1 identify and remove the Personal Data of any Data Subjects who have opted out of data being loaded to the PKB platform through a locally operated and promoted Opt-Out scheme;
16.10.2 implement data minimisation measures as required by this clause 16.10 and as may be agreed by the Parties from time to time to ensure only approved data is loaded to the PKB platform; and
16.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must:
(a.) notify the Controller in writing of the intended Sub-processor and processing;
(b.) obtain the written consent of the Controller;
(c.) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 1 and associated schedules such that they apply to the Sub-processor; and
(d.) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require.
16.12 The Processor shall remain fully liable for all acts or omissions of any Sub-processor.
16.13 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).
16.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
16.15 The Controller may immediately terminate this Agreement on written notice to the Processor. The Processor may not terminate this Agreement without the written consent of the Controller.
16.16 At the choice of the Controller, the Processor shall return or destroy all personal data to the Controller at the end of the provision of services relating to the processing and delete any existing copies.
16.17 The Processor warrants that it shall:
i. Process the Personal Data in compliance with Law; and
ii. take appropriate technical and organisational measures against Data Breach.
16.18 The Processor agrees to indemnify and keep indemnified and defend at its own expense the Controller against all costs, claims, damages or expenses incurred by the Controller or for which the Controller may become liable due to any failure by the Processor or its employees or agents to comply with any of its obligations under this Agreement.
16.19 This Agreement is subject to English law and the exclusive jurisdiction of the English Courts.
16.20 Any variation (change request) to this agreement must be agreed by the Data Controller in advance of the change. This request must be in writing to the data controller and must be authorised in writing back to the Processor before any variation can take place. The authorised officers who can approve, raise, reject or escalate variations to this agreement are detailed in Schedule 3 and can be updated from time to time in writing by either party. Any change that is authorised by the data controller must be acknowledged as a variation to this contract and parties who initially signed this agreement must also re-sign this agreement. This variation should be dated and clearly detailed within any subsequent agreement. If the variation is rejected and the Processor is unable to continue meeting its obligations as part of this agreement, then this must be escalated to the data controller who has the right to terminate this agreement with immediate effect.
16.21 Day to day management of this contract is undertaken by the parties as detailed in Schedule 3 which can be updated from time to time in writing by either party.
16.22 Where there is a dispute, the aggrieved Party shall notify the other Party in writing of the nature of the dispute with as much detail as possible about the deficient performance of the other party. A representative from senior management of each of the parties (together the "Representatives") shall meet in person or communicate by telephone within five Working Days of the date of the written notification in order to reach an agreement about the nature of the deficiency and the corrective action to be taken by the respective Parties. The Representatives shall produce a report about the nature of the dispute in detail to their respective boards and if no agreement is reached on corrective action, then the chief executives of each Party shall meet in person or communicate by telephone, to facilitate an agreement within five Working Days of a written notice by one to the other. If the dispute cannot be resolved at board level within a further five Working Days, or if the agreed upon completion dates in any written plan of corrective action are exceeded, either party may seek the legal remedies to which it is entitled under this agreement.
16.23 If the Processor listed in this Schedule is taken over, goes out of business or enters administration, then the representative of the Data Controller will decide on the next steps and endeavour to find an alternative data processor for the purposes of this project. However, in the event that there are no alternative Processor(s) (Data Processor(s)), all data processing for the purposes of this project will come to an end and all relevant parties listed in this Data Processing Agreement will be notified accordingly.
16.24 The Processor will ensure adequate business continuity services and disaster recovery services are in place and regularly tested. Evidence of this testing will be required as part of the Controller's due diligence.
PART 4 – APPLICABLE TO ALL
RECORDS
Each Party shall maintain such records as required by Data Protection Law in respect of its Processing of PKB Data and as may be reasonably necessary to demonstrate its compliance with this Agreement.
REVIEW OF THIS AGREEMENT
The effectiveness of this Agreement shall be reviewed from time to time at such intervals as may be agreed by the Governance Committee, having consideration to the Permitted Purposes and whether any amendments may be necessary to this Agreement. This review will involve assessing whether:
this Agreement needs to be updated to comply with any amendments to Data Protection Law; and
Personal Data Breaches have been handled in accordance with this Agreement where PKB Data are involved.
WARRANTIES
Each Party represents and warrants to the other Party that:
it has full capacity to enter into and perform this Agreement which has been duly executed by the required corporate action;
entry into and performance of this Agreement does and will not violate or be subject to any restriction in or by any other agreement or obligation.
The use of PKB Data as permitted by this Agreement does not infringe the rights of any third party.
...