Data Protection Terms - Controller to Processor
Following the publication of the new UK Standard Contractual Clauses, with the exception of UK to UK contracts only, these data protection terms do not apply to contracts entered into on or after 21 September 2022. Please contact your usual Owlstone point of contact or our Privacy team at email@example.com if you have any questions in relation to these terms. Where applicable, updated terms incorporating the UK SCCs will be incorporated into any future contracts that you have with us from 21 September 2022.
These are Data Protection Terms of Owlstone Medical Limited (these “Terms”), entered into on the effective date specified in any contract or a letter agreement between:
(1) Owlstone Medical Limited, a company incorporated and registered in England and Wales with company number 04955647 whose registered office is 183 Cambridge Science Park, Milton Road, Cambridge, CB4 0GJ. (‘Owlstone’) and
(2) An organisation, institution, hospital, services provider or customer (‘You’).
Each a ‘Party’ and together the ‘Parties’.
A. These Terms shall apply where Owlstone and You have entered into the Contract(s) (defined below).
B. In undertaking the Services (defined below), each Party will have access to and process Personal Data.
C. These Terms confer the responsibilities that each Party has as either a Data Controller or Data Processor.
D. The particulars of any personal data utilised in providing the Services are set out in the Contract(s).
1.0 Definitions and Interpretation.
Appropriate Technical and Organisational Measures: as set as set out in the Data Protection Legislation.
Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
Contract(s): any engagement letters or request for services and any subsequent services, collaboration, research or other agreement entered into between the Parties.
Controller: has the meaning given to it in the Data Protection Legislation.
Data Protection Authority: the relevant data protection authority is the Information Commissioners Office (ICO).
Data Protection Impact Assessment: as set as set out in the Data Protection Legislation.
Data Protection Legislation: means the Data Protection Act 2018 (DPA 2018), United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any legislation implemented in connection with this legislation. Where data is processed by a Party established in the European Union or comprises the data of people in the European Union, it also includes the EU General Data Protection Regulation (EU GDPR). This includes any replacement legislation coming into effect from time to time.
Data Security Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data.
Data Subject: has the meaning given to it in the Data Protection Legislation.
Effective Date: as defined in the particular Contract(s) between the Parties.
Legitimate Interest: has the meaning given to it in the Data Protection Legislation.
Personal Data: has the meaning given to it in the Data Protection Legislation.
Permitted Recipients: persons with approved access to a Party’s personal data, including persons working for approved Sub Processors.
Processor: has the meaning given to it in the Data Protection Legislation.
Processing: has the meaning given to it in the Data Protection Legislation.
Services: any Services provided by Owlstone or You pursuant to the Contract(s), or provided during any handover period to another service provider or to Owlstone.
Standard Contractual Clauses: the European Commission's Standard Contractual Clauses (‘SCCs’) for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, or such alternative clauses as may be approved by the European Commission from time to time.
Sub Processor: organisations used in the processing of Personal Data under the Contract(s) including group companies, sister companies and consultants. A list of supplier Sub Processors is included in Appendix 2.
Supervisory Authority: the Information Commissioners Office.
Terms: these Data Protection Terms (controller to processor) version w1.0, which may be subject to updates from time to time.
2.2 The purpose of these Terms is to describe data protection and Processing activities undertaken by the Parties in the provision of the Services.
2.3 These Terms shall be deemed to take effect from the Effective Date and shall continue in full force and effect until termination or expiry of the Contract(s).
2.4 In the case of conflict or ambiguity between:
(a) any of the provisions of these Terms and the provisions of the Contract(s), the provisions of these Terms will prevail; and
(b) where applicable, any of the provisions of these Terms and any executed SCCs, the provisions of the executed SCC will prevail.
3.0 GENERAL DATA PROTECTION OBLIGATIONS
3.1 Whenever a Party processes or has access to the other Party’s Personal Data as a Controller or Processor, the Party processing or accessing the data will:
3.1.1 not transfer any Personal Data outside of the United Kingdom or the European Economic Area unless, in accordance with the Data Protection Legislation:
(a) the transfer is to a country approved as providing an adequate level of protection for Personal Data; or
(b) there are appropriate safeguards in place for the transfer of Personal Data; or
(c) there is an appropriate derogation under the Data Protection Legislation for the Transfer.
3.1.2 adopt appropriate Technical and Organisational measures against unauthorised or unlawful processing and accidental loss or destruction of or damage to Personal Data including:
(a) where relevant pseudonymising or encrypting Personal Data;
(b) ensuring confidentiality, integrity, availability and resilience of its systems and services;
(c) ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident;
(d) regularly assessing and evaluating the effectiveness of the technical and organisational measures that have been adopted;
(e) ensuring that any persons who have access to the other Party’s Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data and shall ensure that only such persons used by it to provide the Services have undergone training in data protection and in the care and handling of Personal Data; and
3.1.3 inform the other Party immediately of any Data Security Breach affecting the other Party’s Personal Data and provide information and assistance upon request to enable the other Party to notify Data Security Breaches to the Supervisory Authority, affected individuals, or to any other regulators, as applicable.
4.0 ACTING AS PROCESSOR OF THE PERSONAL DATA
4.1 Where a Party is acting as a Processor and the other Party is acting as a Controller, the Party acting as a Processor will:
4.1.1 process the Personal Data only in accordance with the relevant Data Protection Legislation;
4.1.2 process the Personal Data for the purposes of fulfilling its obligations under these Terms, the Contract(s) and in compliance with the Controller’s written instructions;
4.1.3 notify the Controller immediately if any instructions of the Controller relating to the processing of Personal Data are unlawful;
4.1.4 maintain a record of processing activities undertaken on the Controller’s Personal Data;
4.1.5 maintain confidentiality of the Personal Data and not disclose it to third parties other than as authorised by the Controller, these Terms or as required by domestic law, court, regulator or the Supervisory Authority;
4.1.6 provide reasonable input and assistance to the Controller in carrying out Data Protection Impact Assessments in relation to its Processing activities;
4.1.7 make available to the Controller information necessary to demonstrate compliance with the obligations set out in this Clause 4 and allow for and contribute to one audit or inspection, conducted by or on behalf of the Controller in each calendar year on receipt of a reasonable contribution the costs of facilitating the audit or inspection;
4.1.8 allow for and contribute to audits or inspections carried out by the Data Protection Authority;
4.1.9 delete securely or return all Personal Data to the Controller on termination of these Terms unless it is required to retain copies of the Personal Data in accordance with applicable laws or to meet its own Legitimate Interest in maintaining business records of the services provided. In each case only the minimum Personal Data possible will be retained to meet these purposes. In this case it will also be acting as a Controller and the provisions of Clause 5 will apply.
4.2 Should a Party acting as Processor receive a request from a Data Subject to exercise their rights under the Data Protection Legislation (such as to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing) it will (to the extent that it is acting as a Processor):
4.2.1 notify the Controller of the request without undue delay;
4.2.2 not respond to that request except on the documented instructions of the Controller unless required to do so by the applicable Data Protection Legislation; and
4.2.3 provide reasonable assistance and co-operation to enable the Controller to respond to the request.
4.3 The party acting as Controller gives the Party acting as Processor general authorisation to utilise:
4.3.1 Group companies, consultants and sister companies as Sub Processors under these terms provided that obligations equivalent to the obligations set out in this clause 4 are included in all Contracts between the Processor and permitted Sub Processors that will be processing Personal Data;
4.3.2 Sub Processors that provide general information technology and technical support including data storage and transmission services provided that obligations equivalent to the obligations set out in this Clause 4 are included in all Contracts between the Processor and permitted Sub Processors who will be Processing Personal Data;
4.3.3 Any Sub Processor noted in the Contract(s), notified to the Controller from time to time or as instructed by the Controller, provided always that where the Sub Processor fails to fulfil its obligations equivalent to those set out in this clause 4, the Provider shall remain fully liable to the Controller for the Sub Processor’s performance of its obligations. Where the Controller reasonably concludes, based on Sub Processor’s performance, that the Sub Processor is in material breach of its obligations regarding the Personal Data, the Controller may in writing instruct the Processor to instruct the Sub Processor to remedy such deficiencies without undue delay, failing which the Controller may withdraw its authorisation for the engagement of that Sub Processor.
5.1 You warrant and represent to Owlstone that:
5.1.1 You have no reason to believe that the Data Protection Legislation prevents You from providing any of the Services;
5.1.2 You and anyone operating on Your behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;
5.1.3 considering the current technology environment and implementation costs, You will take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to comply with all applicable Data Protection Legislation and Your information and security policies.
5.2 Owlstone warrants that Your expected use of the Personal Data when acting on Owlstone’s instructions, will be in accordance with the Data Protection Legislation.
6.1 You agree to indemnify, keep indemnified and defend Owlstone at Your own expense against all costs, claims, damages or expenses incurred by Owlstone or for which Owlstone may become liable due to any failure by You or Your employees, subcontractors or agents to comply with any of Your obligations under these Terms or the Data Protection Legislation.
6.2 Any limitation of liability set forth in the Contract(s) will not apply to this indemnity or reimbursement obligations.
7.0 GOVERNING LAW AND JURISDICTION
7.1 These Terms are governed by the laws of England and Wales.
7.2 These Terms, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) is governed by and shall be construed and interpreted in accordance with the laws of England and Wales, and the Parties irrevocably submit to the exclusive jurisdiction of the Courts of England and Wales.
8.1 These Terms will terminate on termination of the Contract(s) as applicable.
8.2 The rights and obligations contained in clauses 1, 3, 5, 6, 7 and 9 will survive termination of these Terms and each Party agrees to continue to utilise and hold all Personal Data in compliance with the Data Protection Legislation.
9.1 All notices or other communications given to a Party under or in connection with these Terms shall be in writing (including email), sent to the recipients set out below. Any notice may be delivered to the recipient personally, by first-class post, recorded delivery or commercial courier at its registered office. Any notice shall be deemed to have been delivered:
9.1.1 in the case of delivery by hand, when delivered, provided that where such delivery or transmission occurs after 5.30pm on a Business Day or on a day which is not a Business Day, service shall be deemed to occur at 9am on the next following Business Day;
9.1.2 if delivered by commercial courier, on the date and at the time that the courier’s delivery receipt is signed;
9.1.3 in the case of post or recorded delivery, at 9.00am on the second Business Day (or in the case of airmail 10 Business Days) after delivery to the postal authorities; and
9.1.4 if sent by email, at the time of transmission, or, if this time falls outside business hours in the place of receipt, when business hours resume. In this clause 9.1.4, business hours means 9.00am to 5.00pm on Business Day.
All notices shall be sent to the following:
If to Owlstone:
Chief Financial Officer
Owlstone Medical Limited
183 Cambridge Science Park
Cambridge CB4 0GJ
If to You:
Using the name and contact details in the Contract(s), or as notified by You to Owlstone in writing from time to time.
Either Party may from time to time change its address for notification purposes by giving the other written notice of the new address and the date upon which it will become effective.
These Terms shall be deemed accepted by the Parties upon valid execution of the relevant Contract(s).