Privacy And Data Protection Policy

[1] Definitions

[1.1] In this Schedule:

Agreement

Means the Terms and conditions for supply of goods and services and Mobile app end-user licence agreement between the Customer and the Supplier;

Controller

Has the meaning given in applicable Data Protection Laws from time to time;

Customer

Means the individual entering into the Agreement with the Supplier;

Data Protection Laws

Means, as binding on either party or the Services:

  1. The GDPR;
  2. The Data Protection Act 2018;
  3. Any laws which implement any such laws; and
  4. Any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;

Data Subject

Has the meaning given in applicable Data Protection Laws from time to time;

GDPR

Means the General Data Protection Regulation, Regulation (EU) 2016/679;

International Organisation

Has the meaning given in applicable Data Protection Laws from time to time;

Personal Data

Has the meaning given in applicable Data Protection Laws from time to time;

Personal Data Breach

Has the meaning given in applicable Data Protection Laws from time to time;

Processing

Has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processed and processes shall be construed accordingly);

Processor

Has the meaning given in applicable Data Protection Laws from time to time;

Protected Data

Means Personal Data received from or on behalf of the Customer in connection with the performance of the Supplier's obligations under this Agreement;

Supplier

Means Optimise Health Group Limited; and

Sub-Processor

Means any agent, sub-contractor or other third party (excluding its employees) engaged by the Supplier for carrying out any processing activities on behalf of the Customer in respect of the Protected Data.

[2] Customer's compliance with data protection laws

The parties agree that the Customer is a Controller and that the Supplier is a Processor for the purposes of processing Protected Data pursuant to this Agreement. The Customer shall at all times comply with all Data Protection Laws in connection with the processing of Protected Data. The Customer shall ensure all instructions given by it to the Supplier in respect of Protected Data (including the terms of this Agreement) shall at all times be in accordance with Data Protection Laws. Nothing in this Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.

[3] Supplier's compliance with data protection laws

The Supplier shall process Protected Data in compliance with the obligations placed on it under Data Protection Laws and the terms of this Agreement.

[4] Indemnity

The Customer shall indemnify and keep indemnified the Supplier against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by the Customer of its obligations under this Schedule.

[5] Instructions

[5.1] The Supplier shall only process (and shall ensure Supplier Personnel only process) the Protected Data in accordance with this Schedule, except to the extent:

  1. [5.1.1] That alternative processing instructions are agreed between the parties in writing; or
  2. [5.1.2] Otherwise required by applicable law (and the Supplier shall inform the Customer of that legal requirement before processing, unless applicable law prevents it from doing so on important grounds of public interest).

[5.2] If the Supplier believes that any instruction received by it from the Customer is likely to infringe the Data Protection Laws, it shall be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing.

[6] Security

Taking into account the state of technical development and the nature of processing, the Supplier shall implement and maintain the technical and organisational measures set out in this Schedule to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.

[7] Sub-processing and personnel

[7.1] The Supplier shall:

  1. [7.1.1] Not permit any processing of Protected Data by any agent, sub-contractor or other third party (except its or its Sub-Processors' own employees in the course of their employment that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the prior authorisation of the Customer (for example, as given by clause 14.3 in the case of laboratories processing Protected Data to carry out tests);
  2. [7.1.2] Prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under this Schedule (including those relating to sufficient guarantees to implement appropriate technical and organisational measures) that is enforceable by the Supplier and ensure each such Sub-Processor complies with all such obligations;
  3. [7.1.3] Remain fully liable to the Customer under this Agreement for all the acts and omissions of each Sub-Processor as if they were its own; and
  4. [7.1.4] Ensure that all natural persons authorised by the Supplier or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.

[8] Assistance

[8.1] The Supplier shall (at the Customer's cost) assist the Customer in ensuring compliance with the Customer's obligations pursuant to Articles 32 to 36 of the GDPR (and any similar obligations under applicable Data Protection Laws) taking into account the nature of the processing and the information available to the Supplier.

[8.2] The Supplier shall (at the Customer's cost), taking into account the nature of the processing, assist the Customer (by appropriate technical and organisational measures), insofar as this is possible, in the fulfilment of the Customer's obligations to respond to requests for exercising the Data Subjects' rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws) in respect of any Protected Data.

[9] Audits and processing

The Supplier shall, in accordance with Data Protection Laws, make available to the Customer such information in its possession or control as is necessary to demonstrate the Supplier's compliance with the obligations placed on it under this Schedule and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and by any provisions of applicable Data Protection Laws equivalent to that Article 28 of the GDPR), and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose (subject to a maximum of one audit request in any 12 month period under this paragraph 9).

[10] Deletion/return and survival

At the end of the provision of the Services relating to the processing of Protected Data, at the Customer's cost and at the Customer's option, the Supplier shall either return all of the Protected Data to the Customer or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it), except to the extent that any applicable law requires the Supplier to store such Protected Data. This Schedule shall survive termination or expiry of this Agreement indefinitely in the case of paragraphs 4 and 10, and until 12 months following the earlier of the termination or expiry of this Agreement in the case of all other paragraphs and provisions of this Schedule.