This agreement is made between:
The OrchidLive.com registered account holder (the “Data Controller”); and
Chi (UK) Limited (company registration number 5377131), a company registered in [England and Wales], the registered office of which is at Studio 108, Hoults Yard, Newcastle, NE6 2HL (the “Data Processor”),
each a “Party” and together the “Parties”.
“data controller” means a data controller or controller (as the case may be) as defined by the Data Protection Legislation (and ‘controller’ shall be construed accordingly).
“Data Processing Agreement” means this agreement.
“data processor” means a data processor or processor (as the case may be) as defined by the Data Protection Legislation (and ‘processor’ shall be construed accordingly).
“Data Protection Legislation” means (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.
“Electronic Communications Legislation” means the Privacy and Electronic Communications Regulations 2003 (as amended) and the ePrivacy Regulation (when in force).
“Data Subject” means a data subject as defined by the Data Protection Legislation.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means personal data as defined by the Data Protection Legislation.
Both Parties shall comply with all applicable requirements of the Data Protection Legislation. This clause 2.1 is in addition to, and does not relieve, remove or replace, a Party’s obligations under the Data Protection Legislation.
The Parties acknowledge that for the purposes of the Data Protection Legislation and this Data Processing Agreement, the Data Controller is the data controller and the Data Processor is the data processor. The Schedule to this Data Processing Agreement sets out the scope, nature and purpose of processing by the Data Processor, the duration of the processing and the types of Personal Data and categories of Data Subject.
Without prejudice to the generality of clause 2.1, the Data Controller will ensure that it has, at all times:
a valid legal basis under the Data Protection Legislation for the processing of Personal Data under this Data Processing Agreement, including, without limitation, such processing by the Data Processor as instructed or permitted by the Data Controller under clause 3.1.1 and clause 3.2 of this Data Processing Agreement;
where required by law (for example, for the transmission by electronic means of direct marketing communications under the Electronic Communications Legislation), valid consent (under the Data Protection Legislation) for such processing; and
appropriate notices in place as required by the Data Protection Legislation to enable lawful transfer of Personal Data to the Data Processor for the duration and purposes of this Data Processing Agreement.
Without prejudice to the generality of clause 2.1, the Data Processor shall, in relation to any Personal Data processed in connection with the performance by the Data Processor of its obligations under this Data Processing Agreement:
process Personal Data only on lawful documented instructions from the Data Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or European Union Member State law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing Personal Data, unless that law prohibits such information on important grounds of public interest;
ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
take all measures required pursuant to Article 32 of the GDPR;
respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR;
assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to the Data Processor;
at the choice of the Data Controller, delete or return all Personal Data to the Data Controller after the end of the provision of the services relating to processing, and delete existing copies unless European Union or European Union Member State law requires storage of Personal Data; and
make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes the GDPR or other European Union or Member State data protection provisions.
The Data Controller hereby gives its prior consent, documented (written) instructions and written authorisation to the Data Processor to:
engage any of the following processors as sub-processors: 1and1 (email provider), Amazon Web Services (server host);
engage any other processors as the Data Processor deems fit in the course of its provision of the services under this Data Processing Agreement, provided that the Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of other processors prior to such appointment or replacement, thereby giving the Data Controller the opportunity to object to such changes and does so in compliance with Data Protection Legislation; and
transfer Personal Data to a third country or an international organisation, provided that the Data Processor satisfies all legal obligations under the Data Protection Legislation and any other applicable laws for doing so, including: (i) ensuring appropriate safeguards are in place in relation to the transfer; (ii) the Data Subject has enforceable rights and legal remedies; (iii) the Data Processor provides an adequate level of protection to any Personal Data transferred; and (iv) the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to its processing of Personal Data.
Where the Data Processor engages another processor for carrying out specific processing activities on behalf of the Data Controller, the Data Processor shall ensure that the same data protection obligations as set out in this contract or other legal act between the Data Controller and the Data Processor as referred to in paragraph 3 of Article 28 of the GDPR are imposed on that processor by way of a contract or other legal act under European Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Legislation. Where the other processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of that other processor’s obligations.
Any contract or other legal act referred to in this clause 3 shall be in writing, including in electronic form.
The Data Controller agrees that it has considered the Data Processor’s obligations under Article 32 of the GDPR and considers that the Data Processor is in compliance with such obligations, in particular the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the Data Controller’s processing of Personal Data.
Either party may, at any time on not less than one month’s prior written notice, revise clause 3 by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Data Processing Agreement).
The Parties shall make such amendments to this Data Processing Agreement as are required to ensure that this Data Processing Agreement complies with any applicable legislation, including any applicable Data Protection Legislation from time to time.
Representations and warranties
The Data Controller hereby represents and warrants:
that it holds, and continues to hold, and shall maintain, a valid legal basis for processing the Personal Data of its Data Subjects;
that wherever consent is required prior to sending any marketing communication to any recipient Data Subject (under the Electronic Communications Legislation), the Data Controller has collected unambiguous and valid consents (which shall be specific, freely given and informed, as required under the Data Protection Legislation and the Electronic Communications Legislation) from such Data Subjects to the processing of their Personal Data, and that such consents adequately cover the processing by the Data Processor of such Personal Data on behalf of the Data Controller in the manner directed by the Data Controller under clause 3 of this agreement;
that where the Data Controller processes Personal Data on the basis of consent, such consents meet the requirements of the Data Protection Legislation, are documented and maintained, and that any withdrawal of consent has been accurately recorded;
that the Data Controller is aware of its obligations under the Data Protection Legislation and the Electronic Communications Legislation and complies with all such obligations in force from time to time;
that any data (including Personal Data) transferred to the Data Processor is accurate, complete and up-to-date.
The Data Processor hereby excludes to the fullest extent possible under applicable law any representations or warranties:
as to quality or fitness for any particular purpose of its services other than as expressly set out in any promotional materials of the Data Processor;
that the services offered by the Data Processor will generate any specific results, lead to any specific consequences, meet any targets or increase the net profitability of the Data Controller.
All other warranties, conditions or obligations of the Data Processor that may otherwise arise or may be implied by statute or common law are, to the fullest extent permitted by law, excluded from this agreement.
Limitations and exclusion of liability
The Data Processor excludes any and all liability to the Data Controller to the maximum extent permitted by law.
In any event, the Data Processor’s total aggregate liability to the Data Controller in any given calendar year shall not exceed an amount equal to fifty per cent. (50%) of any fees or charges paid by the Data Controller to the Data Processor for any services provided by the Data Processor to the Data Controller in that calendar year.
The Data Controller shall hereby hold harmless and indemnify the Data Processor from and against all claims, liabilities, losses (including secondary losses, loss of profits, reputation or goodwill), costs (including legal and professional costs on the indemnity basis) and expenses suffered or incurred by the Data Processor arising out of, in connection with or related to:
any breach by the Data Controller of the terms of this agreement, or any services agreement in place as between the parties;
any breach by the Data Controller of any applicable laws and regulations, including, without limitation, the Data Protection Legislation or the Electronic Communications Legislation; or
any failure by the Data Controller to deliver accurate and up-to-date information to the Data Processor.
Where the Data Controller exercises any of its rights under this Data Processing Agreement, the Data Processor reserves the right to charge the Data Controller for any costs it reasonably incurs in complying with its corresponding obligations under this Data Processing Agreement.
The Data Processor shall only exercise its rights under clause 7.1 where it considers it just and equitable to do so.
Legal and General
If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be modified to the minimum extent necessary to make it valid, legal and enforceable. In the event that such modification is not possible, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.
This agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement.
All amounts due under this agreement from the Data Controller to the Data Processor shall be paid in full without any set-off, counterclaim, deduction or withholding (other than any deduction or withholding of tax as required by law).
This agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this agreement or its subject matter or formation.
Subject matter of the processing
Any Personal Data (including ‘sensitive personal data’) processed by the Data Processor on behalf of the Data Controller in the course of the Data Processor providing Services (as defined below) to the Data Controller.
Duration of the processing
The duration of the provision of the Services (as defined below) by the Data Processor to the Data Controller.
Nature of the processing
The provision of cloud-based occupational health record storage services (the “Services”) via the URL https://orchidlive.com/public by the Data Processor to the Data Controller as agreed between the Parties.
Purpose of the processing
The provision of the Services by the Data Processor to the Data Controller.
Types of personal data processed
Company and legal entity names
Medical health records
Information relating to individuals’ employment
Server log information (including IP addresses, pages accessed, information requested, the date and time of the request, the source of access to the Data Controller’s website, browser version and operating system).
Online identifiers (including cookies and similar technologies)
Personal Data contained in the Data Controller’s email account
Any other Personal Data processed by the Data Processor on behalf of the Data Controller from time to time
Categories of data subjects
Natural persons in the employment of (or otherwise engaged by) the Data Controller whose Personal Data and occupational health records are stored by the Data Processor in accordance with the terms of the Services
Obligations and rights of the data controller
The obligations and rights of the data controller are set out in clauses 2 and 3 of this Data Processing Agreement.