Data Protection Terms – Controller to Controller
Following the publication of the new UK Standard Contractual Clauses, with the exception of UK to UK contracts only, these data protection terms do not apply to contracts entered into on or after 21 September 2022. Please contact your usual Owlstone point of contact or our Privacy team at privacy@owlstone.co.uk if you have any questions in relation to these terms. Where applicable, updated terms incorporating the UK SCCs will be incorporated into any future contracts that you have with us from 21 September 2022.
These are Data Protection Terms of Owlstone Medical Limited (these ‘Terms’) entered into on the effective date specified in any contract or a letter agreement between:
(1) Owlstone Medical Limited, a company incorporated and registered in England and Wales with company number 04955647 whose registered office is 183 Cambridge Science Park, Milton Road, Cambridge, CB4 0GJ (‘Owlstone’), and
(2) An organisation, institution, hospital, services provider or customer (‘You’).
Each a ‘Party’ and together the ‘Parties’.
BACKGROUND:
A. These Terms shall apply where Owlstone and You have entered into the Contract(s) (defined below) pursuant to which each Party will have access to and process Shared Personal Data.
B. The Shared Personal Data shall be processed for the Agreed Purpose(s) (defined below).
C. These Terms confer the responsibilities that each Party has as Data Controllers in common under Data Protection Legislation.
1.0 Definitions and Interpretation.
Agreed Purposes: as stated and agreed in the Contract(s).
Appropriate Technical and Organisational Measures: has the meaning given to it in the Data Protection Legislation.
Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
Contract(s): any engagement letters or request for services, collaboration, research or other services agreements entered into between the Parties.
Controller: has the meaning given to it in the Data Protection Legislation.
Data Protection Authority: means the Information Commissioners Office (ICO).
Data Protection Impact Assessment: has the meaning given to it in the Data Protection Legislation.
Data Protection Legislation: means the Data Protection Act 2018 (DPA 2018), United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any legislation implemented in connection with this legislation. Where data is processed by a Party established in the European Union or comprises the data of people in the European Union, it also includes the EU General Data Protection Regulation (EU GDPR). This includes any replacement legislation coming into effect from time to time.
Data Security Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data or Shared Personal Data.
Data Subject: has the meaning given to it in the Data Protection Legislation.
Effective Date: means as defined in the particular Contract(s) between the Parties.
Legitimate Interest: has the meaning given to it in the Data Protection Legislation.
Personal Data: has the meaning given to it in the Data Protection Legislation.
Permitted Recipients: persons with approved access to a Party’s personal data.
Processor: has the meaning given to it in the Data Protection Legislation.
Processing: has the meaning given to it in the Data Protection Legislation.
Services: any Services provided by Owlstone or You pursuant to the Contract(s), or provided during any handover period to another service provider or to Owlstone.
Shared Personal Data: the personal data to be shared between the parties. Shared Personal Data shall be confined to the categories of information stated and agreed in the Contract(s).
Standard Contractual Clauses: the European Commission’s Standard Contractual Clauses (‘SCCs’) for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, or such alternative clauses as may be approved by the European Commission from time to time.
Supervisory Authority: the Information Commissioners Office.
Terms: these Data Protection Terms (controller to controller) version w1.0, which may be subject to updates from time to time.
2.1 SCOPE
2.2 The purpose of these Terms is to describe data protection and Processing activities undertaken by the Parties in the provision of the services described in the Contract(s).
2.3 These Terms shall be deemed to take effect from the Effective Date and shall continue in full force and effect until termination of the Services or Contract(s) expiry.
2.4 In the case of conflict or ambiguity between:
(a) any provision contained in these Terms and any provision contained in the Contract(s), the provision in these Terms will prevail;
(b) where applicable, any of the provisions of these Terms and any executed SCCs, the provisions of the executed SCCs will prevail.
3.0 GENERAL DATA PROTECTION OBLIGATIONS
3.1 Whenever a Party processes or has access to the other Party’s Personal Data as a Controller, the Party processing or accessing the data will:
3.1.1 not transfer any Personal Data outside of the United Kingdom or the European Economic Area unless, in accordance with the Data Protection Legislation:
3.1.1.1 the transfer is to a country approved as providing an adequate level of protection for Personal Data; or
3.1.1.2 there are appropriate safeguards in place for the transfer of Personal Data; or
3.1.1.3 there is an appropriate derogation under the Data Protection Legislation for the Transfer.
3.1.2 adopt appropriate Technical and Organisational measures against unauthorised or unlawful processing and accidental loss or destruction of or damage to Personal Data including:
3.1.2.1 where relevant pseudonymising or encrypting Personal Data;
3.1.2.2 ensuring confidentiality, integrity, availability and resilience of its systems and services;
3.1.2.3 ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident;
3.1.2.4 regularly assessing and evaluating the effectiveness of the technical and organisational measures that have been adopted.
3.1.2.5 ensuring that any persons who have access to the other Party’s Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data and shall ensure that only such persons used by it to provide the Services have undergone training in data protection and in the care and handling of Personal Data; and
3.1.3 inform the other Party immediately of any Data Security Breach affecting the other Party’s Personal Data and provide information and assistance upon request to enable the other Party to notify Data Security Breaches to the Supervisory Authority, affected individuals, or to any other regulators, as applicable.
4.0 SHARING OF PERSONAL DATA AS CONTROLLERS
4.1 This clause sets out the framework for the sharing of Personal Data between the Parties either where both are deemed separate and independent Controllers. Each party acknowledges that one Party (referred to in this clause as the Data Discloser) will regularly disclose to the other Party Shared Personal Data collected by the Data Discloser for the Agreed Purposes.
4.2 Each Party shall be individually and separately responsible for complying with the obligations that apply to each of them as a Controller under any applicable Data Protection Legislation in relation to the Personal Data processed under the Contract(s), and in particular shall:
(a) ensure that it has all necessary privacy notices, and consents where relevant, in place to enable lawful transfer of the Shared Personal Data for the agreed Services.;
(b) not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;
(c) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by these Terms;
(d) consult with the other Party about any notices given to Data Subjects in relation to the Shared Personal Data;
(e) provide the other Party with reasonable assistance in complying with any Data Subject Requests;
(f) assist the other Party, at the cost of the other Party, in responding to any request from a Data Subject and in ensuring compliance with its obligations under Data Protection Legislation with respect to security, Personal Data breach notifications, Data Protection Impact Assessments and consultations with supervisory authorities or regulators;
(j) provide the other Party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties’ compliance with the Data Protection Legislation.
4.3 Any material breach of Data Protection Legislation by one Party shall, if not remedied within 30 days of written notice from the other Party, give grounds to the other Party to terminate these Terms with immediate effect.
5.0 GOVERNING LAW AND JURISDICTION
These Terms are governed by the laws of England and Wales. These Terms, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) is governed by and shall be construed and interpreted in accordance with the laws of England and Wales, and the Parties irrevocably submit to the exclusive jurisdiction of the Courts of England and Wales.
6.0 TERMINATION
6.1 These Terms will terminate on termination or expiry of the Contract(s)
6.2 The rights and obligations contained in clauses 1, 3, 4, and 5 will survive termination of these Terms and each Party agrees to continue to utilise and hold all Personal Data in compliance with the Data Protection Legislation.
7.0 NOTICE
7.1 All notices or other communications given to a Party under or in connection with these Terms shall be in writing (this may include email), sent to the recipients set out below. Any notice may be delivered to the recipient personally, by first-class post, recorded delivery or commercial courier at its registered office. Any notice shall be deemed to have been delivered:
7.1.1 in the case of delivery by hand, when delivered, provided that where such delivery or transmission occurs after 5.30pm on a Business Day or on a day which is not a Business Day, service shall be deemed to occur at 9am on the next following Business Day.
7.1.2 if delivered by commercial courier, on the date and at the time that the courier’s delivery receipt is signed;
7.1.3 in the case of post or recorded delivery, at 9.00am on the second Business Day (or in the case of airmail 10 Business Days) after delivery to the postal authorities; or
7.1.4 if sent by email, at the time of transmission, or, if this time falls outside business hours in the place of receipt, when business hours resume. In this clause 7.1.4, business hours means 9.00am to 5.00pm on Business Day.
All notices shall be sent to the following:
If to Owlstone:
Chief Financial Officer Owlstone Medical Limited
183 Cambridge Science Park
Milton Road
Cambridge CB4 0GJ
If to You:
Using the name and contact details in the Contract(s), or as notified by You to Owlstone in writing from time to time.
Either Party may from time to time change its address for notification purposes by giving the other written notice of the new address and the date upon which it will become effective.
These Terms shall be deemed accepted by the Parties upon valid execution of the relevant Contract(s).
