Office 1, Ladysden Farm, Winchet Hill, Goudhurst, Kent, TN17 1JX And the Following Companies: (“Data Processors”)
AJM Healthcare Group Limited -
17 North Crescent, Diplocks Way, Hailsham, East Sussex, BN27 3JF, UK
Celtic Therapy & Rehab Services Limited -
222 Swansea Road, Pontardawe, Swansea, Wales, SA8 4BX
360 Wheelchairs Limited -
The Hangar, Hadley Park East, Telford, Shropshire, United Kingdom, TF1 6QJ
Wheel Freedom Limited -
Wheelfreedom, Unit 61 Barwell Business Park, Leatherhead Road, Chessington, Surrey, KT9 2NY
AYL engages the Data Processors listed above to provide AYL with the services listed under the Services Provided subsection.
As part of the provision provided by the Data Processors, personal data may be transferred from AYL to the Data Processors, which they will then process on behalf of AYL.
To ensure compliance by the AYL with obligations according to Applicable Privacy and Data Protection Law, the AYL and the Data Processors have agreed to enter into this Agreement concerning all Processing of Personal Data by the Data Processors for or on behalf of AYL.
1.1. FOR THE PURPOSE OF THIS AGREEMENT
“Applicable Privacy and Data Protection Law” means all applicable laws, regulations, and other pronouncements having the effect of law relating to the processing of personal data and privacy to which the parties are legally obligated to comply.
For purposes of clarity, “Applicable Privacy and Data Protection Law” includes but is not limited to the General Data Protection Regulation 2016/679 of the European Parliament and the Council (“GDPR”) and any law, regulation, act, measure, or guidance implementing or supplementing GDPR, including where applicable the guidance and codes of practice issued by the ICO, as well as any other laws and regulations of the European Union or the United Kingdom that may from time to time apply to the processing of personal data and privacy to which the parties are legally obligated to comply. References to “Applicable Privacy and Data Protection Law” means the Applicable Privacy and Data Protection Law may be amended, modified, supplemented, or restated.
“ICO” means the UK’s supervisory authority, the Information Commissioner’s Office.
“Personal Data” means the personal data provided, made available, or otherwise accessible to the Data Processors and/or the Data Processors’ Representatives, whether directly or indirectly, that falls within the definition of “Personal Data” as defined in Article 4 of “the GDPR” or other “Applicable Privacy and Data Protection Law”.
“Data Subject” has the meaning given to the term ‘data subject’ in Article 4 of “the GDPR”. “Processing” has the meaning given to the term ‘processing’ in Article 4 of “the GDPR”.
“Schedule” or “Schedules” means the Schedule or Schedules annexed to and forming an integral part of this Agreement and which shall affect as if set out in full in the body of this Agreement.
“Data Processors” or “Representatives” means any of the directors, officers, employees, consultants, sub-contractors, or agents of the Data Processors.
“Sub-Processor” means a sub-processor appointed by the Data Processors to process Personal Data.
“Sub-Processing Agreement” means an agreement between the Data Processors and a Sub- Processor governing the processing of Personal Data to be carried out by the Sub-Processor.
“Services” means the services to be provided to AYL by the Data Processors, by any of the Data Processors’ Representatives and/or by a Sub-Processor [in accordance with the Service Agreement] as described within the Services Provided section of this form.
The Agreement is effective as of the Effective Date and shall continue in full force and effect for so long as the Data Processors is Processing Personal Data for or on behalf of the AYL and thereafter as provided in clause 9 of this Agreement.
The terms of this Agreement are to apply to all Processing of Personal Data described in Schedule 2 conducted for or on behalf of AYL by the Data Processors and to all Personal Data held by the Data Processors in relation to processing, whether such Personal Data is held at the date of this Agreement or received afterwards.
3.1. The Data Processors are only to conduct the services and only to carry out the processing of Personal Data received from AYL.
3.1.1. to conduct those services described in the services provided section and not for any other purpose.
3.1.2. to the extent and in such manner as is necessary for those purposes; and
3.1.3. strictly per the express documented instructions from AYL as may be communicated in writing to the Data Processors from time to time, unless the Data Processors are required by law to act without such instructions (as per Article 29 of the GDPR) (in which case the Data Processors shall inform AYL of the legal requirement before Processing Personal Data for that purpose unless prohibited from doing so by law).
3.2. The Data Processors may not make or retain any copies of, or otherwise, make any record of Personal Data than to conduct the services as described in the Services Provided section and not for any other purpose.
4.1. Both AYL and the Data Processors shall comply at all times with Applicable Privacy and Data Protection Law and shall not perform their obligations under this agreement, or any other agreement/arrangement between themselves in such a way as to cause either party to be in breach of any of its obligations under Applicable Privacy and Data Protection Law.
4.2. The Data Processors undertake the Processing of Personal Data following this Agreement and Applicable Privacy and Data Protection Law.
4.3. The Data Processors shall provide all reasonable assistance to AYL in complying with its obligations under Applicable Privacy and Data Protection Law in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments. In particular, the Data Processors shall:
4.3.1. keep detailed records of all Processing conducted on Personal Data in accordance with the requirements of Article 30(2) of the GDPR;
4.3.2. submit to measures, audits, and inspections reasonably instigated or requested by AYL and/or to provide AYL with whatever information it reasonably requires ensuring that the parties are both meeting their obligations under Applicable Privacy and Data Protection Law;
4.3.3. notify AYL immediately if it is asked to do something which would be an infringement of Applicable Privacy and Data Protection Law including if the Data Processors believes that an instruction from AYL infringes Applicable Privacy and Data Protection Law;
4.3.4. notify AYL of any Personal Data breaches of Applicable Privacy and Data Protection Law that have occurred, or which may have occurred whilst they are Processing Personal Data. In the event of a Personal Data breach which requires notification under Applicable Privacy and Data Protection Law to the ICO or a Data Subject (howsoever caused), the Data Processors shall ensure that any notice they give AYL under this clause shall (where such information is known at the time and is available);
(a) Describe the nature of the Personal Data breach including, where possible, the categories and the approximate number of Data Subjects concerned, and the categories and the approximate number of Personal Data records concerned.
(b) Communicate the name and contact details of the Data Processors’ data protection officer or another point of contact where further information can be obtained.
(c) Describe the likely consequences of the Personal Data breach; and
(d) describe the measures taken or proposed by the Data Processors to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
5.1. The Data Processors shall immediately notify AYL as soon as it receives a data access request, complaint, or another query from a Data Subject. Or any other person relating to the Processing of Personal Data under this Agreement.
5.2. The Data Processors shall cooperate fully with AYL and, as required, assist concerning any subject access request, complaint, or other query and in particular by providing AYL with whatever information and assistance it reasonably requires complying with the request, complaint, or query.
6.1. The Data Processors shall hold, store and maintain Personal Data in trust and confidence and shall ensure that Personal Data is conducted securely and in accordance with Applicable Privacy and Data Protection Law.
6.2. The Data Processors shall ensure that the Data Processor’s Representatives and any other persons who have access to and/or are authorised to conduct Processing of Personal Data are subject to a duty of confidence and in particular are contractually obliged to keep Personal Data confidential on terms no less onerous than those set out in this Agreement.
6.3. The Data Processors must use all reasonable efforts to ensure that the Data Processors’ Representatives abide by this duty of confidentiality and do not do any act which, if done by the Data Processor, would be a breach of this Agreement.
6.4. The Data Processors shall implement appropriate technical and organisational measures to ensure the security and processing of the Personal Data, in particular, to ensure the protection of Personal Data against alteration, loss, damage, unauthorised or unlawful processing unauthorised, or unlawful disclosure to third parties. Such technical and organisational measures shall include commercially reasonable safeguards and ensure a level of security appropriate to the risk.
6.5. AYL reserves the right to issue instructions to the Data Processors as to the technical and organisational measures to be implemented by the Data Processors under sub-clauses 6.4.
7.1. The Data Processors shall not publish, copy or transfer any Personal Data and shall not disclose or share Personal Data which it is processing under this agreement with any third party without express documented consent from AYL. Should AYL give such consent;
(a) the Data Processors shall enter into a suitable and adequate written Sub-Processing Agreement with the Sub-Processor in accordance with this Agreement, as set out in sub-clause 7.2;
(b) only permit the processing of Personal Data to the extent, and in such manner, as is necessary to comply with its obligations to AYL, or as may be required by law (in which case the Data Processors shall inform AYL of the legal requirement before processing the Personal Data for that purpose unless prohibited from doing so by law);
(c) the Data Processors shall not process the Personal Data, or otherwise, transfer/transmit the Personal Data outside of the European Economic Area.
7.2. In the event that the Data Processors appoints a Sub-Processor (with the express documented consent of AYL), the Data Processors shall;
(a) enter into a suitable and adequate written Sub-Processing Agreement with the Sub- Processor, which shall impose upon the Sub-Processor the same obligations are imposed upon the Data Processors by this Agreement [and which shall permit both the Data Processors and AYL to enforce those obligations];
(b) ensure that the Sub-Processor complies fully with its obligations under the Sub- Processing Agreement and Applicable Privacy and Data Protection Law.
8.1. The Data Processors warrants, represents, and undertakes that it shall comply with Applicable Privacy and Data Protection Law.
8.2. The Data Processors shall be liable for and shall fully indemnify (and keep indemnified) AYL in respect of any losses, damages, liabilities, claims, costs, or expenses suffered or incurred by AYL (including legal fees, fines penalties, and third-party damages or compensation) arising directly or in connection with the Data Processors’ or a Sub- Processor’s breach of this Agreement.
8.3. The Data Processors shall fully indemnify AYL in respect of any losses, damages, liabilities, claims, costs or expenses suffered or incurred by AYL (including legal fees, fines penalties, and third party damages or compensation) to remedy any breaches by the Data Processors or Sub-Processor of Applicable Privacy and Data Protection Law; defend all claims brought against AYL brought as a result of the Data Processors’ or Sub-Processor’s breach of this agreement, or satisfy a legal requirement caused by the Data Processors or Sub-Processor’s breach of this agreement.
8.4. If a Sub-Processors fails to meet its obligations under any Sub-Processing Agreement, the Data Processors shall remain fully liable to AYL for failing to meet its requirements under this agreement.
8.5. Nothing in this agreement shall relieve or affect the liability of the Data Processors to the Data Subject or for any other breach of that Party’s direct obligations under Applicable Privacy and Data Protection Law. The Data Processors shall acknowledge that it remains subject to the authority of the ICO and shall fully cooperate with the ICO, as required, and that failure to comply with its obligations as the Data Processors may render it subject to fines, penalties, and compensation.
9.1. The Data Processors may only retain Personal Data for;
(a) so long as is required to perform the services;
(b) for a longer period required by Applicable Privacy and Data Protection Law; or (c) for such other period as AYL may reasonably request in writing.
9.2. For the avoidance of doubt, AYL reserves the right to determine the periods for which the Data Processor may retain the Personal Data under sub-clause 9.1 and to issue instructions relating to the retention and destruction of Personal Data at any time. Where no other instructions have been given to the Data Controllers by AYL, Personal Data (including copies of Personal Data held by the Data Processors) shall not be retained by the Data Processors for longer than six years.
9.3. At the expiration of such period or otherwise upon demand by AYL, the Data Processors shall immediately return to AYL or destroy all Personal Data.
9.4. The Data Processors’ obligations include the obligation to use all commercially reasonable efforts to expunge all Personal Data (including all copies of the Personal Data that it holds) in any medium and from any systems or equipment in the possession; or under the control of the Data Processors or their Representatives into which the Personal Data was programmed or inserted by or on behalf of the Data Processors or the Data Processors’ Representatives. No copies may be retained by the Data Processors or the Data Processors’ Representatives of any Personal Data.
9.5. AYL reserves the right to issue instructions to the Data Processors, as to the methods by which Personal Data is to be returned or destroyed under sub-clauses 9.2, 9.3 and 9.5.
9.6. Following the return or destruction of Personal Data under sub-clauses 9.2 and 9.3, the Data Processors shall certify to AYL that the Personal Data (including all copies of the Personal Data that it holds) has been returned or destroyed in accordance with this Agreement.
9.7. Any Personal Data that is not returned or destroyed pursuant to this agreement shall continue to be subject to the confidentiality and non-disclosure provisions of this agreement notwithstanding any expiration or termination of this agreement.
AYL will only share our user’s personal data with Data Processors where the person has given AYL permission to do so and for the following services:
• To provide additional information and answer specific questions asked by an AYL user on the Data Processors equipment/services.
• To provide AYL’s customers with the product they require. This is a complete service that could include the assessing, fitting, ordering, trialling, and delivering of equipment to AYL’s users.
• To be able to provide any other services with the AYL’s customer requires and has specifically asked for help with.
The Parties shall review the effectiveness of the processing of Personal Data under this agreement every 12 months. AYL will then either continue, amend or terminate this agreement depending upon the outcome of the review.
This agreement shall be governed by the laws of England and Wales.