Data Protection Terms

These are standard Data Protection Terms of Owlstone Medical Limited, entered into on the effective date specified in any contract or a letter between:

(1) Owlstone Medical Ltd incorporated and registered in England and Wales with company number 04955647 whose registered office is 183 Cambridge Science Park, Milton Road, Cambridge, CB4 0GJ. (‘Owlstone’) and

(2) You (‘the Customer’).

Each a ‘Party’ and together the ‘Parties’.


A. These Terms shall apply where Owlstone and the Customer have entered into the Contract(s) (defined below).

B. In undertaking the Services (defined below), each Party will have access to and process Personal Data or Shared Personal Data.

C. These Terms confer the responsibilities that each Party has as either a Data Controller, Data Processor or Joint Controller, depending on the Processing activity.

D. The particulars of any personal data utilised in providing the Services are set out in the Contract(s).

1. Definitions and Interpretation

Appropriate Technical and Organisational Measures:

as set as set out in the Data Protection Legislation.
Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
Contract(s): any engagement letters or request for services and any subsequent request for services entered into between the Parties for the provision of services by Owlstone or the Customer.
Controller: as set as set out in the Data Protection Legislation.
Data Protection Authority: the relevant data protection authority is the Information Commissioners Office (ICO).

Data Protection Impact Assessment:

as set as set out in the Data Protection Legislation.
Data Protection Legislation: means the Data Protection Act 2018 (DPA 2018), United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any legislation implemented in connection with this legislation. Where data is processed by a Party established in the European Union or comprises the data of people in the European Union, it also includes the EU General Data Protection Regulation (EU GDPR). This includes any replacement legislation coming into effect from time to time.
Data Security Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data or Shared Personal Data.
Data Subject: as set as set out in the Data Protection Legislation.
Effective Date: as defined in the particular Contract(s) between the Parties.
Joint Controller: as set as set out in the Data Protection Legislation.
Legitimate Interest: as set as set out in the Data Protection Legislation.
Personal Data: as set as set out in the Data Protection Legislation.
Permitted Recipients: persons with approved access to a Party’s personal data, including persons working for approved Sub Processors.
Processor: as set as set out in the Data Protection Legislation.
Processing: as set as set out in the Data Protection Legislation.
Services: any Services provided by Owlstone or the Customer pursuant to the Contract(s), or provided during any handover period to another service provider or to Owlstone.
Shared Personal Data: Personal Data that is shared between the Parties for each to utilise as independent Controllers or Joint Controllers, as specified.
Standard Contractual Clauses: the European Commission's Standard Contractual Clauses (‘SCCs’) for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, or such alternative clauses as may be approved by the European Commission from time to time.
Sub Processor: organisations used in the processing of Personal Data under the Contract(s) including group companies, sister companies and consultants. A list of supplier Sub Processors is included in Appendix 2.
Supervisory Authority: the Information Commissioners Office.
Terms: these Data Protection Terms, version 1.0, which may be subject to updates and/or variations between the parties from time to time.

2. Scope

2.1 The purpose of these Terms is to describe data protection and Processing activities undertaken by the Parties in the provision of the Services.

2.2 These Terms shall be deemed to take effect from the Effective Date and shall continue in full force and effect until termination or expiry of the Contract(s), or for as long as the Parties Process Personal Data under these Terms.

2.3 In the case of conflict or ambiguity between:

     (a) any of the provisions of these Terms and the provisions of the Contract(s), the provisions of these Terms will prevail; and

     (b) where applicable, any of the provisions of these Terms and any executed SCCs, the provisions of the executed SCC will prevail.

3. General Data Protection Obligations

3.1 Whenever a Party processes or has access to the other Party’s Personal Data as a Controller or Processor, the Party processing or accessing the data will:

  3.1.1 not transfer any Personal Data outside of the United Kingdom or the European Economic Area unless, in accordance with the Data Protection Legislation:

       (a) the transfer is to a country approved as providing an adequate level of protection for Personal Data; or

       (b) there are appropriate safeguards in place for the transfer of Personal Data; or

       (c) there is an appropriate derogation under the Data Protection Legislation for the Transfer.

  3.1.2 adopt appropriate Technical and Organisational measures against unauthorised or unlawful processing and accidental loss or destruction of or damage to Personal Data including:

       (a) where relevant pseudonymising or encrypting Personal Data;

       (b) ensuring confidentiality, integrity, availability and resilience of its systems and services;

       (c) ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident;

       (d) regularly assessing and evaluating the effectiveness of the technical and organisational measures that have been adopted;

       (e) ensuring that any persons who have access to the other Party’s Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data and shall ensure that only such persons used by it to provide the Services have undergone training in data protection and in the care and handling of Personal Data; and

  3.1.3 inform the other Party immediately of any Data Security Breach affecting the other Party’s Personal Data and provide information and assistance upon request to enable the other Party to notify Data Security Breaches to the Supervisory Authority, affected individuals, or to any other regulators, as applicable.

4. Acting as Processor of the Personal Data

4.1 Where a Party is acting as a Processor and the other Party is acting as a Controller, the Party acting as a Processor will:

  4.1.1 process the Personal Data only in accordance with the relevant Data Protection Legislation;

  4.1.2 process the Personal Data for the purposes of fulfilling its obligations under these Terms, the Contract(s) and in compliance with the Controller’s written instructions;

  4.1.3 notify the Controller immediately if any instructions of the Controller relating to the processing of Personal Data are unlawful;

  4.1.4 maintain a record of processing activities undertaken on the Controller’s Personal Data;

  4.1.5 maintain confidentiality of the Personal Data and not disclose it to third parties other than as authorised by the Controller, these Terms or as required by domestic law, court, regulator or the Supervisory Authority;

  4.1.6 provide reasonable input and assistance to the Controller in carrying out Data Protection Impact Assessments in relation to its Processing activities;

  4.1.7 make available to the Controller information necessary to demonstrate compliance with the obligations set out in this Clause 4 and allow for and contribute to one audit or inspection, conducted by or on behalf of the Controller in each calendar year on receipt of a reasonable contribution the costs of facilitating the audit or inspection;

  4.1.8 allow for and contribute to audits or inspections carried out by the Data Protection Authority;

  4.1.9 delete securely or return all Personal Data to the Controller on termination of these Terms unless it is required to retain copies of the Personal Data in accordance with applicable laws or to meet its own Legitimate Interest in maintaining business records of the services provided. In each case only the minimum Personal Data possible will be retained to meet these purposes. In this case it will also be acting as a Controller and the provisions of Clause 5 will apply.

4.2 Should a Party acting as Processor receive a request from a Data Subject to exercise their rights under the Data Protection Legislation (such as to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing) it will (to the extent that it is acting as a Processor):

  4.2.1 notify the Controller of the request without undue delay; 

  4.2.2 not respond to that request except on the documented instructions of the Controller unless required to do so by the applicable Data Protection Legislation; and

  4.2.3 provide reasonable assistance and co-operation to enable the Controller to respond to the request.

4.3 The party acting as Controller gives the Party acting as Processor general authorisation to utilise:

  4.3.1 Group companies, consultants and sister companies as Sub Processors under these terms provided that obligations equivalent to the obligations set out in this clause 4 are included in all Contracts between the Processor and permitted Sub Processors that will be processing Personal Data;

  4.3.2 Sub Processors that provide general information technology and technical support including data storage and transmission services provided that obligations equivalent to the obligations set out in this Clause 4 are included in all Contracts between the Processor and permitted Sub Processors who will be Processing Personal Data;

  4.3.3 Any Sub Processor noted in the Contract(s), notified to the Controller from time to time or as instructed by the Controller,


provided always that where the Sub Processor fails to fulfil its obligations equivalent to those set out in this clause 4, the Provider shall remain fully liable to the Controller for the Sub Processor’s performance of its obligations.  Where the Controller reasonably concludes, based on Sub Processor’s performance, that the Sub Processor is in material breach of its obligations regarding the Personal Data, the Controller may in writing instruct the Processor to instruct the Sub Processor to remedy such deficiencies without undue delay, failing which the Controller may withdraw its authorisation for the engagement of that Sub Processor.

5. Sharing of Personal Data as Controllers

5.1 This clause sets out the framework for the sharing of Personal Data between the Parties either where both are deemed separate and independent Controllers or where the Parties are considered Joint Controllers. Each party acknowledges that one Party (referred to in this clause as the Data Discloser) will regularly disclose to the other Party Shared Personal Data collected by the Data Discloser for the purposes defined in Contract(s).

5.2 Each Party shall be individually and separately responsible for complying with the obligations that apply to each of them as a Controller under any applicable Data Protection Legislation in relation to the Personal Data processed under the Contract(s), and in particular shall:

     (a) ensure that it has all necessary privacy notices, and consents where relevant, in place to enable lawful transfer of the Shared Personal Data for the agreed Services. Where the Parties are Joint Controllers the privacy notice must set out the agreed roles and responsibilities for complying with Data Protection Laws;

     (b) not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;

     (c) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by these Terms;

     (d) consult with the other Party about any notices given to Data Subjects in relation to the Shared Personal Data;

     (e) provide the other Party with reasonable assistance in complying with any Data Subject Requests;

     (f) assist the other Party, at the cost of the other Party, in responding to any request from a Data Subject and in ensuring compliance with its obligations under Data Protection Legislation with respect to security, Personal Data breach notifications, Data Protection Impact Assessments and consultations with supervisory authorities or regulators;

     (g) provide the other Party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties’ compliance with the Data Protection Legislation.

5.3 Any material breach of Data Protection Legislation by one Party shall, if not remedied within 30 days of written notice from the other Party, give grounds to the other Party to terminate these Terms with immediate effect.

6. Warranty

6.1 The Customer warrants and represents that:

  6.1.1 it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Services;

  6.1.2 it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;

  6.1.3 considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to comply with all applicable Data Protection Legislation and its information and security policies.

6.2 Owlstone warrants that the Customer’s expected use of the Personal Data, to the extent that the Customer is acting on Owlstone’s instructions, will be in accordance with the Data Protection Legislation.

7. Indemnity

7.1 The Customer agrees to indemnify, keep indemnified and defend at its own expense Owlstone against all costs, claims, damages or expenses incurred by Owlstone or for which Owlstone may become liable due to any failure by the Customer or its employees, subcontractors or agents to comply with any of its obligations under these Terms or the Data Protection Legislation.

7.2 Any limitation of liability set forth in the Contract(s) will not apply to this indemnity or reimbursement obligations.

8. Governing Law and Jurisdiction

8.1 These Terms are governed by the laws of England and Wales.

8.2 These Terms, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) is governed by and shall be construed and interpreted in accordance with the laws of England and Wales, and the Parties irrevocably submit to the exclusive jurisdiction of the Courts of England and Wales.

9. Termination

9.1 These Terms will terminate on termination of the Contract(s) as applicable.

9.2 The rights and obligations contained in clauses 1, 3, 5, 6, 7, 8 and 10 will survive termination of these Terms and each Party agrees to continue to utilise and hold all Personal Data in compliance with the Data Protection Legislation.

10. Notices

10.1 All notices or other communications given to a Party under or in connection with these Terms shall be in writing (including email), sent to the recipients set out below. Any notice may be delivered to the recipient personally, by first-class post, recorded delivery or commercial courier at its registered office. Any notice shall be deemed to have been delivered:

  10.1.1 in the case of delivery by hand, when delivered, provided that where such delivery or transmission occurs after 5.30pm on a Business Day or on a day which is not a Business Day, service shall be deemed to occur at 9am on the next following Business Day;

  10.1.2 if delivered by commercial courier, on the date and at the time that the courier’s delivery receipt is signed;

  10.1.3in the case of post or recorded delivery, at 9.00am on the second Business Day (or in the case of airmail 10 Business Days) after delivery to the postal authorities.

All notices shall be sent to the following:

If to Owlstone: If to the Customer:
Neil Tween
Chief Financial Officer
Owlstone Medical Limited
183 Cambridge Science Park
Milton Road
Cambridge CB4 0GJ
Using the name and contact details in the Contract(s), or as notified by the Customer to Owlstone in writing from time to time.
Either Party may from time to time change its address for notification purposes by giving the other written notice of the new address and the date upon which it will become effective.

The acceptance of these Terms shall be confirmed upon the signature of the Contract(s) between and by both Parties.

Get in touch with Owlstone

Let's work together to advance early detection and precision medicine through Breath Biopsy.

Get in touch today