Splash Orthodontics
Data processing agreement for referring dentists
THIS AGREEMENT is made on Date of Referral.
BETWEEN:
1. Splash Orthodontics, 70 Sackville Road, Hove, BN3 3HA (the “Processor”)
2. Referral dentist (the “Controller”)
3. The Processor team member has been identified as a Joint Data Controller with the Controller. They agree to follow the Data Protection and Information Security Policy (M 233- DPT), the Information Governance Procedures (M 217C) and all other policies and procedures that apply to information governance and data security at the practice.
BACKGROUND
1. The Controller processes personal data in connection with its business activities.
2. The Processor team member processes personal data on behalf of other businesses and organisations.
3. The Controller wishes to engage the services of the Processor team member to process and/or store personal data on its behalf. This may include the use of cloud-based software services that include the processing and/or storage of personal data.
4. The personal data to be processed will include:
• Personal data for the provision of dental health care
• Personal data for the purposes of providing treatment plans, recall appointments, reminders or estimates
• Personal data such as details of family members for the provision of health care to children or for emergency contact details
• Personal data for the purposes of staff and self-employed team member engagement
• Personal data for the purposes of direct mail, email and text to inform you of important announcements or about new treatments or services
• Personal data – IP addresses so that we can understand our patients better and inform our marketing approach as well as improve the web site experience
• Special category data including health records for the purposes of the delivery of health care and meeting our legal obligations
• Special category data including health records and details of criminal record checks for employees and contracted team members
5. In compliance with the UK GDPR, the Controller and the self-employed team member wish to enter into this processing Agreement.
THE PARTIES HEREBY MUTUALLY AGREE AS FOLLOWS:
1. DEFINITIONS AND INTERPRETATION
In this Agreement the following words and phrases shall have the following meanings, unless inconsistent with the context or as otherwise specified:
“GDPR” shall mean the UK General Data Protection Regulation;
“personal data” shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
“processing of personal data” or “processing” shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Processing of personal data includes the processing of special category data for the purposes of the provision of health care as well as for maintaining the health records and criminal record check details of the employees and contractors in our team;
“sub-contract” and “sub-contracting” shall mean the process by which either party arranges for a third party to carry out its obligations under this Agreement and “Sub Contractor” shall mean the party to whom the obligations are subcontracted; and
“technical and organisational security measures” shall mean measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of processing.
2. CONSIDERATION
In consideration of the Controller engaging the services of the Processor team member to process personal data on its behalf, the Processor team member shall comply with the security, confidentiality and other obligations imposed on it under this Agreement.
3. OBLIGATIONS OF PROCESSOR / JOINT DATA CONTROLLER
• The Processor team member agrees to implement appropriate technical and organisational security measures to ensure processing meets the requirements of the GDPR and any applicable UK legislation and is otherwise secure.
• The Processor team member agrees to provide the Controller with whatever information it needs to ensure that it has the technical and organisational security measures required by the GDPR and any applicable UK legislation.
• The Processor team member agrees to only act on the written instructions of the Controller (unless required by law to act without such instructions).
• The Processor team member agrees to submit to reasonable audits and inspections by the Controller.
• If the Controller agrees to the terms and conditions of the self-employed team member this is considered a written contract for the purposes of this Agreement.
• The Processor team member agrees to assist the Controller in providing subject access and allowing data subjects to exercise their rights under the GDPR and any applicable UK legislation.
• The Processor team member agrees to assist the Controller in meeting its GDPR obligations (and any obligations under applicable UK legislation) in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
• The Processor team member agrees to inform the Controller immediately if it is asked to do something infringing the GDPR or other data protection law of the UK.
• Nothing within the Agreement relieves the Processor team member of its own direct responsibilities and liabilities under the GDPR or any applicable UK legislation.
4. CONFIDENTIALITY
• The Processor team member agrees that it shall maintain the personal data processed by the Processor team member on behalf of the Controller in confidence. In particular, the Processor team member agrees that, save with the prior written consent of the Controller, it shall not disclose any personal data supplied to the Processor team member by, for, or on behalf of, the Controller to any third party.
• The Processor team member shall not make any use of any personal data supplied to it by the Controller otherwise than in connection with the provision of services to the Controller.
• The obligations in clauses 4.1 and 4.2 above shall continue indefinitely after the cessation of the provision of services by the Processor team member to the Controller.
• The Processor team member confirms that all people processing the data are subject to a duty of confidence.
• Nothing in this Agreement shall prevent either party from complying with any legal obligation imposed by a regulator or court. Both parties shall however, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of information.
5. SUB-CONTRACTING
• The Processor team member shall not sub-contract any of its rights or obligations under this Agreement without the prior written consent of the Controller and a written agreement approved by the Controller.
• For the avoidance of doubt, where the Sub Contractor fails to fulfil its obligations under any sub-processing agreement, the Processor team member shall remain fully liable to the Controller for the fulfilment of its obligations under this Agreement.
6. TERM
• This Agreement shall continue in full force and effect for so long as the Processor team member is processing personal data on behalf of the Controller.
• The Processor team member agrees to delete or return all personal data to the Controller as requested at the end of the Agreement.
7. GOVERNING LAW
• Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).
• This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
This Agreement is deemed “signed” when agreement is ticked on the website referral on behalf of each party.