THIS AGREEMENT GOVERNS CLIENT’S PURCHASE AND USE OF SERVICES PROVIDED BY BIG WHITE WALL LIMITED WITH AN OFFICE AT 4th FLOOR, 36-38 WHITEFRIARS STREET, LONDON, EC4Y 8BQ (“PROVIDER”). CAPITALIZED TERMS HAVE THE DEFINITIONS SET FORTH HEREIN. BY ACCEPTING THIS AGREEMENT, BY (1) CLICKING A BOX INDICATING ACCEPTANCE, OR (2) EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT, CLIENT AGREES TO THE TERMS OF THIS AGREEMENT. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT IS ACCEPTING ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, SUCH INDIVIDUAL REPRESENTS THAT THEY HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERM “CLIENT” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT DOES NOT HAVE SUCH AUTHORITY, OR DOES NOT AGREE WITH THESE TERMS AND CONDITIONS, SUCH INDIVIDUAL MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES. The Services may not be accessed for purposes of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes.
1. DEFINITIONS AND INTERPRETATION
In this Agreement unless the context otherwise requires the following provisions shall have the meanings given to them below:
"Community" the users benefiting from the Services;
“Confidential Information” all information disclosed by a party to the other party, whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Details of the Services constitute the Provider's Confidential Information, and Client Data is the Confidential Information of the Client. The terms of this Agreement are confidential.
“Deliverables” all Materials and the documents and data specified as deliverables in each Service Specification for each relevant Service in any form (electronic or paper), including computer programs, databases, service outcomes, evaluations and reports, guides and specifications (including drafts of any such Materials or documents);
"Intellectual Property Rights" all patents, rights to inventions, utility models, copyright and related rights, trade marks, service marks, trade, business and domain names, rights in trade dress or get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database right, topography rights, moral rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications for and renewals or extensions of such rights, and all similar or equivalent rights or forms of protection in any part of the world;
“Materials” templates for implementation and all such other documents as described in the relevant Service Specification or otherwise provided by the Provider to the Client from time to time including the Service Specifications and any user instructions for the Services, all of which may be updated from time to time by the Provider;
“Order Form” means an ordering document or online order specifying the Services to be provided hereunder including specifications for each Service, that is entered into between Provider and Client, including any addenda and supplements thereto;
"Services" means the services that are ordered by Client under an Order Form and made available online by the Provider, as described in the Service Specifications including such support services and Deliverables as described in each relevant Service Specification;
"Term" means the period of time for which the Service will be provided as set out in the applicable Order Form;
2. SERVICE DELIVERY
The Provider shall, during the Term, provide the Services to the Client and access to the Community (as applicable) in accordance with the terms of this Agreement, the relevant Service Specification and the Order Form and in accordance with all applicable laws and government regulations, subject to Client using the Services in accordance with the terms of this Agreement, the relevant Service Specification and Order Form.
3. CLIENT OBLIGATIONS
3.2 The Client shall not except as may be allowed by any applicable law which is incapable of exclusion by Agreement between the parties: (a) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the software in the Services or any Material (as applicable) in any form or media or by any means; or (b) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the software; or (c) access all or any part of the Services, Materials or Deliverables in order to build a product or service which competes with the Services; or (d) use the Services, Materials or Deliverables to provide services to third parties (other than its Community as authorised under this Agreement); or (e) license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Services, Materials or Deliverables available to any third party except its Community (as authorised under this Agreement); or (f) attempt to obtain, or assist third parties in obtaining, access to the Services and/or Materials and/or Deliverables, other than as provided under this Agreement.
3.3 In the event of a Client's use of any Service in breach of this clause 3 or any other provision of this Agreement, Service Specification or Order Form, without prejudice to any other rights and remedies including the right to terminate, Provider may suspend the Services until Client remedies the breach.
4. CHARGES AND PAYMENT
4.1 The Services ordered including quantities and the fees for the Services shall be set out in the applicable Order Form and Client is responsible for paying all fees as set out in the applicable Order Form.
4.2 Fees will be invoiced in advance and are due thirty (30) days from the date of invoice (“Due Date”), unless otherwise specified in the applicable Order Form.
4.3 Client is responsible for providing complete and accurate billing and contact information to the Provider and for notifying the Provider of any changes to such information.
4.4 If the Provider has not received payment within 30 days after the Due Date, unless the Client is disputing the applicable charges reasonably and in good faith and is cooperating diligently to resolve the dispute, without prejudice to any other rights and remedies it may have, the Provider: (a) may, without liability to the Client, suspend access to the Services while the invoice(s) concerned remain unpaid; and (b) interest shall accrue on such due amounts at an annual rate equal to 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower.
4.5 All amounts and fees stated or referred to in the Order Form (a) shall be payable in the currency stated in the applicable invoice; and (b) are exclusive of value added tax, which shall be added to the Provider's invoice(s) at the appropriate rate.
5. TERMINATION OF THIS AGREEMENT
5.1 This Agreement shall commence on the Effective Date and shall continue, unless terminated earlier in accordance with this clause 5, until all Terms in applicable Order Form(s) have expired.
5.2 Without prejudice to any other rights or remedies to which the parties may be entitled, either party may terminate this Agreement without liability to the other: (a) upon thirty (30) days written notice to the other party of a material breach if such breach remains uncured at the expiration of such period; or (b) immediately on written notice if the other party becomes the subject of a petition in bankruptcy or any other proceeding (whether voluntary or involuntary), relating to insolvency, administration, receivership, administrative receivership, liquidation or assignment for the benefit of creditors or takes or suffers any similar or analogous procedure, action or event in consequence of debt in any jurisdiction.
5.3 On termination of this Agreement for any reason: (a) all licences granted under this agreement shall immediately terminate; (b) the Client shall no longer use the Services; (c) the accrued rights of the parties as at termination, or the continuation after termination of any provision expressly stated to survive or implicitly surviving termination, shall not be affected or prejudiced. In no event will termination relieve Client of its obligation to pay any fees payable to Provider for the period prior to the effective date of termination.
6. INTELLECTUAL PROPERTY
6.1 As between the Client and the Provider, all Intellectual Property Rights and all other rights in the Service Specifications, Deliverables and the Materials shall be owned by the Provider. Subject to the following provisions of this clause 6, the Provider grants to the Client a royalty free, non-exclusive, non-transferable, worldwide licence to use the Deliverables to the extent necessary to enable the Client to use the Services in accordance with terms of this Agreement and the relevant Service Specification. If this agreement is terminated, this licence will automatically terminate.
6.2 The Client acknowledges that, where the Provider does not own any of the Materials, the Client's use of rights in the Materials is conditional on the Provider obtaining a written licence (or sub-licence) from the relevant licensor or licensors on such terms as will entitle the Provider to license such rights to the Client.
7. CONFIDENTIALITY & DATA PROTECTION
7.1 Each party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. A party's Confidential Information shall not be deemed to include information that: (a) is or becomes publicly known other than through any act or omission of the receiving party; (b) was in the other party's lawful possession before the disclosure; (c) is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or (d) is independently developed by the receiving party, which independent development can be shown by written evidence.
7.2 Each party will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care) to (a) not use any Confidential Information of the other party for any purpose outside the scope of this Agreement and (b) except as otherwise authorized by the other party in writing, limit access to Confidential Information of the other party to those of its employees and contractors who need that access for purposes consistent with this Agreement and who have signed confidentiality agreements containing protections not materially less protective of the Confidential Information than those herein.
7.3 A party may disclose Confidential Information of the other party to the extent compelled by law to do so, provided the party called on to make the compelled disclosure gives the other party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the other party’s cost, if the other party wishes to contest the disclosure.
7.4 To the extent that they share and process Personal Data (as defined in the DPA) pursuant to this Agreement, the parties shall comply with the terms of the Data Processing Agreement (“DPA”) set out in Annex 1 hereto.
7.5 This clause 7 shall survive termination of this Agreement, however arising.
8.1 Each party warrants that it has the authority to enter into this Agreement.
8.2 The Provider warrants that during each Term the Services will be delivered materially in accordance with the Service Specification. For any breach of this warranty, Client's exclusive remedies are termination of the applicable Order Form(s) in accordance with clause 5.2(a) and refund of any prepaid fees covering the remainder of the Term specified in the applicable terminated Order Form(s) after the effective date of termination. The warranty in clause 8.2 shall not apply to the extent of any non-conformance which is caused by use of the Services contrary to the Service Specifications or otherwise contrary to Provider's instructions, or modification or alteration of the Services by any party other than the Provider or the Provider's duly authorised contractors or agents.
8.3 The Provider: (a) does not warrant that the Client's use of the Services will be uninterrupted or error-free; nor that the Services, Materials, Deliverables and/or any other information obtained by the Client through the Services will meet the Client's requirements; and (b) is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Client acknowledges that the Services may be subject to limitations, delays and other problems inherent in the use of such communications facilities.
8.4 The Provider warrants that it has and will maintain all necessary licences, consents, and permissions necessary for the performance of its obligations under this Agreement.
8.5 Except as expressly provided herein, each party excludes all warranties, representations, terms, conditions or other commitments of any kind, whether express or implied, statutory or otherwise, and each party specifically disclaims all implied warranties, including (without limitation) any warranties, representations, terms, conditions or other commitments of fitness for a particular purpose or of satisfactory quality or of reasonable skill and care, in each case, to the maximum extent permitted by applicable law.
9. LIMITATION OF LIABILITY
9.1 This clause 9 sets out the entire financial liability of the parties (including any liability for the acts or omissions of the Provider, its employees, agents and sub-contractors) to the Client, in respect of: (a) any breach of this Agreement; (b) any use made by the Client of the Services, Materials and Deliverables or any part of them; and (c) any representation, statement or tortious act or omission (including negligence) arising under or in connection with this Agreement.
9.2 Nothing in this Agreement excludes the liability of a party: (a) for death or personal injury caused by such party’s negligence; or (b) for fraud or fraudulent misrepresentation.
9.3 Subject to clause 9.2, neither party shall be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement; and
9.4 Subject to Clause 9.2, each party’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance, and/or breach of this Agreement (other than breach of the DPA) shall be limited to the total amount of payments received by the Provider from the Client under the applicable Order Form in the twelve (12) months immediately preceding the date on which the liability arises.
9.5 The Provider shall not be responsible for any injury, loss, damage, cost or expense if and to the extent that it is caused by the negligence or wilful misconduct of the Client or by breach by the Client of its obligations under this Agreement.
10. GENERAL PROVISIONS
10.1 Prevention of Corruption. Neither party has received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from an employee or agent of the other party in connection with this Agreement. The parties shall comply with all applicable laws, regulations and sanctions relating to anti-bribery and anti-corruption including without limitation the Bribery Act 2010 (as such statute is amended from time to time). Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction.
10.2 Force Majeure. The Provider shall have no liability to the Client under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of the Provider or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-contractors, provided that the Client is notified of such an event and its expected duration.
10.3 Severability. If any provision of this Agreement is held invalid, illegal or unenforceable for any reason by any court of competent jurisdiction, such provision shall be severed and the remainder of the provisions of this Agreement shall continue in full force and effect as if this Agreement had been executed with the invalid, illegal or unenforceable provision eliminated, provided that the original intent of this Agreement and the parties can be achieved.
10.4 Entire Agreement. This Agreement constitutes the entire agreement between the parties in respect of the matters dealt with herein and supersedes all prior negotiations between the parties and all representations and undertakings made by one party to the other, whether written or oral, except that this clause 13 shall not exclude liability in respect of any or fraudulent misrepresentation. In the event of, and only to the extent of, any conflict between the clauses of this Agreement, any document referred to in those clauses and the Appendices, the conflict shall be resolved in accordance with the following order of precedence: (i) the Order Form; (ii) the clauses of this Agreement; (iii) the Service Specification; (iv) any other document referred to in the clauses of this Agreement.
10.5 Third Party Rights. This Agreement does not confer any rights on any person or party (other than the parties to this Agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999.
10.6 Notices. Any notice or other communication which is to be given by either party to the other shall be given by electronic mail. Such electronic mail shall be addressed to the other party at the address set out in the Order Form. Provided the relevant communication is not returned as undelivered and the sender has received a delivery receipt, the notice or communication shall be deemed to have been given 4 hours after the time at which the electronic mail was sent or sooner where the other party acknowledges receipt of such electronic mail. Either Party may change its address for service by serving a notice in accordance with this clause 10.6.
10.7 Assignment. Neither party shall, without the prior written consent of the other, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement; provided, however, either party may assign this Agreement in its entirety (including all Order Forms), without the other party’s consent to its affiliate (that is majority owned or controlled or under common control) or in connection with a merger, acquisition, corporate reorganisation, or sale of all or substantially all of its assets. Notwithstanding the foregoing, if a party is acquired by, sells substantially all of its assets to, or undergoes a change of control in favour of, a direct competitor of the other party, then such other party may terminate this Agreement upon written notice.
10.8 No Partnership or Agency. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties.
10.9 Governing Law. This Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by, and construed in accordance with, the laws of England.
10.10 Jurisdiction. The parties irrevocably agree that the courts of England have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).
In this Data Processing Addendum (DPA), defined terms used shall have the same meaning as in the Agreement unless otherwise defined below:
“Appropriate Safeguards” means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
“Data Discloser” means the party disclosing Shared Personal Data;
“Data Receiver” means the party receiving Shared Personal Data;
“Data Protection Laws” means (i) the GDPR and any applicable national implementing Laws as amended from time to time, (ii) the Data Protection Act 2018 and (iii) all Laws about the processing of personal data and privacy;
“Data Protection Losses” means all liabilities, including all:
(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, expenses, losses and damages; and
(b) to the extent permitted by Applicable Law:
(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
(ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and
(iii) the reasonable costs of compliance with investigations by a Supervisory Authority;
“Data Subject Request” means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
“Excluded Losses” means any and all of the following:
(i) lost or corrupted data;
(ii) loss of reputation or goodwill;
(iii) loss of profits;
(iv) loss of savings;
(v) loss of opportunity;
(vi) wasted expenditure
(in each of (i) to (vi) inclusive whether direct or indirect); and
(vii) any indirect or consequential losses.
“GDPR” means the General Data Protection Regulation (EU) 2016/679;
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Shared Personal Data;
“Shared Personal Data” means the personal data and special category personal data to be shared between the parties under this DPA;
“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws and in the UK this is the Information Commissioner’s Office;
Data Controller, Data Processor, Data Subject, Personal Data, Special Category Data, and processing shall have the meanings given to them in the Data Protection Laws.
1.1 This agreement sets out the framework for the sharing of Personal Data between the parties as Data Controllers for the Agreed Purpose.
1.2 The parties agree that each shall process the Shared Personal Data for the Agreed Purpose only.
1.3 Each party shall appoint a single point of contact (SPoC) during the implementation process who will work together to reach an agreement with regards to any issues arising from the data sharing and to actively improve the effectiveness of the data sharing initiative. Each party shall notify the other of the identity and contact details of its SPoC.
2. COMPLIANCE WITH DATA PROTECTION LAWS
2.1 Each Party shall comply with Data Protection Laws and the terms of this DPA at all times in respect of the Shared Personal Data.
2.2 Each party is validly registered with the Regulatory Authority.
3. SHARED PERSONAL DATA
3.1 The types of Personal Data and the Special Category Data that will be shared between the parties during the Term of this agreement are set out in the Annex 1 (Data Processing Particulars).
3.2 Further detail on the Shared Personal Data is set out in Annex 1 together with any access and processing restrictions as agreed and established by the parties.
3.3 The Shared Personal Data must not be irrelevant or excessive with regard to the Agreed Purposes.
4. PROCESSING OBLIGATIONS
4.1 Each party shall ensure that it processes Shared Personal Data during the Term of the Agreement on the basis of one or more of the following legal grounds:
(a) Data Subject has unambiguously given his or her consent;
(b) processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the parties are subject, other than an obligation imposed by contract;
(d) processing is necessary in order to protect the vital interests of the Data Subject;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the parties;
(f) processing is necessary for the purposes of the legitimate interests pursued by the parties except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the Data Subject.
4.2 In addition to its obligations under clause 4.2, each party shall ensure that it processes Shared Personal Data classified as Special Category Data on the basis of one or more of the following legal grounds:
(a) the Data Subject has given his explicit consent to the processing of the Shared Personal Data;
(b) processing is necessary to protect the vital interest of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his or her consent or the Data Discloser cannot reasonably be expected to obtain the data subject's consent;
(c) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the parties;
(d) processing is for medical purposes and is undertaken by a health professional or a person who owes a duty of confidentiality equivalent to that of a health professional.
4.3 The Data Discloser shall, in respect of Shared Personal Data, ensure that their privacy notices are clear and provide sufficient information to the Data Subjects for them to understand what of their personal data the Data Discloser is sharing with the Data Receiver, the circumstances in which it will be shared, the purposes for the data sharing and either the identity of the Data Receiver or a description of the type of organisation that will receive the Shared Personal Data.
4.4 The Data Receiver undertakes to inform the Data Subjects of the purposes for which it will process their personal data and provide all of the information that it must provide, in accordance with Data Protection Laws, to ensure that the Data Subjects understand how their personal data will be processed by the Data Receiver.
4.5 Each party shall maintain records of its processing activities as prescribed under Data Protection Laws.
5. DATA QUALITY
5.1 The Data Discloser shall ensure that Shared Personal Data are accurate and it will update the same as necessary prior to transferring the Shared Personal Data.
6. DATA SUBJECTS' RIGHTS AND ASSISTANCE
6.1 Data Subjects have the right to obtain certain information about the processing of their Personal Data and may also request rectification, erasure or blocking of their Personal Data through a Data Subject Request.
6.2 SPoCs are responsible for maintaining a record of Data Subject Requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.
6.3 Each party shall provide such assistance to the other as reasonably required (taking into account the nature of processing and the information available to each party) to ensure compliance with each party’s obligations under Data Protection Laws with respect to:
(a) Data Subject Requests;
(b) security of processing;
(c) data protection impact assessments (as such term is defined in Data Protection Laws);
(d) prior consultation with a Supervisory Authority regarding high risk processing; and
(e) notifications to the Supervisory Authority and/or communications to Data Subjects in response to any Personal Data Breach and each party shall promptly notify the other in writing of any communications received by it from Data Subjects or Supervisory Authorities relating to the Shared Personal Data without responding to either of the same prior to liaising with the other party unless doing so would put the party in breach of its obligations to respond within the time frame prescribed by Data Protection Laws and Regulations.
7. DATA RETENTION AND DELETION
7.1 The Data Receiver shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes.
7.2 Notwithstanding clause 7.1, parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods under Law.
7.3 Unless required to retain a copy under Law, the Data Receiver shall ensure that any Shared Personal Data are returned to the Data Discloser or securely destroyed in the following circumstances:
(a) on termination of the Agreement;
(b) once processing of the Shared Personal Data is no longer necessary for the Agreed Purpose.
8. TRANSFERS OUTSIDE THE EEA
8.1 To the extent required under Data Protection Laws, the Data Receiver shall ensure that any transfers (and any onward transfers) of Shared Personal Data from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws of the foregoing territories, are effected by way of Appropriate Safeguards and in accordance with such Data Protection Laws.
9. SECURITY AND TRAINING
9.1 Each party shall implement and maintain:
9.1.1 in relation to the processing of Shared Personal Data, the technical and organisational measures prescribed by the Data Protection Laws (at its own cost); and
9.1.2 taking into account the nature of the processing, the technical and organisational measures necessary to assist the other party insofar as is reasonably possible and without cost in the fulfilment of the other party’s obligations to respond to Data Subject Requests (subject to Clause 6.3).
9.2 The Data Discloser shall only provide the Shared Personal Data to the Data Receiver by using secure methods in accordance with Data Protection Laws.
9.3 Each party shall ensure that all of its Staff processing Shared Personal Data are subject to a binding written contractual obligation with such party or under professional obligation to keep the Shared Personal Data confidential (except where disclosure is required in accordance with Law).
9.4 It is the responsibility of each party to ensure that its Staff are appropriately trained to handle and process the Shared Personal Data in accordance with the Data Protection Laws.
10. DATA SECURITY BREACHES AND REPORTING PROCEDURES
10.1 The parties have in place their own guidance that must be followed in the event of a Personal Data Breach and each party shall comply with the requirements under Data Protection Laws in regard to Personal Data Breaches.
10.2 The parties shall each notify a Personal Data Breach affecting Shared Personal Data to the other without undue delay to enable the parties to consider what action is required in order to resolve the issue in accordance with the applicable guidance under Data Protection Laws including notifying the Supervisory Authority and Data Subjects.
10.3 The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.
11.1 Each party reserves its rights to inspect the other party's arrangements for the processing of Shared Personal Data from time to time on reasonable notice, on days and at times and under conditions mutually agreed in advance.
12. INDEMNITY AND LIABILITY
12.1 This clause 12 does not affect the liability of either party to any Data Subject or Supervisory Authority pursuant to a claim made directly against such party.
12.2 As between the parties, liability for all Data Protection Losses arising out of any breach of this DPA, shall be subject to the limitations of liability, exclusions on liability and remedies for loss of data as set out in the Agreement.
12.3 If the Receiving Party receives a compensation claim from a Data Subject relating to processing of Shared Personal Data transferred by the Disclosing Party, it shall promptly provide the Disclosing Party with notice and full details of such claim. The party with conduct of the action shall:
12.3.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
12.3.2 consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible for paying the compensation.
12.4 This clause 12 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects except to the extent not permitted by Law (including Data Protection Laws).
13. CHANGES TO THE APPLICABLE LAW
13.1 Notwithstanding anything to the contrary in this DPA, in the event:
(i) of a change in any law or regulation or
(ii) a regulator issues a binding instruction, order or requirement which changes the basis on which the Shared Personal Data can be transferred and/or processed pursuant to this DPA, the parties agree to negotiate in good faith to agree an amendment to this DPA and the Agreement (to the extent necessary) to address the change in law or regulation or to comply with a binding instruction, order or requirement as applicable.
DATA PROCESSING PARTICULARS
1. Subject-matter of processing of Shared Personal Data:
Patients referred for therapy and/or community access, ancillary individuals related to the patients e.g. next of kin; medical practitioners and therapists providing treatment
2. Duration of the processing of Shared Personal Data:
For the Term of the Agreement or longer as necessary to achieve the Agreed Purpose or if required to do so by Law.
3. Nature and purpose of the processing:
To use the Shared Personal Data for the purpose of providing the Services and as otherwise detailed in the Agreement, and to provide aggregated data and clinical score information to the Client relating to the patients referred to BWW.
4. Type of Personal Data:
For prescription of Community access/log-ins:
- Patient Email address
- Patient NHS number or other case management number
- First and last name of referred patient
- Name and contact details for general practitioner or other medical practitioner responsible for referred patient
- Contact information of referred patient (email, phone, physical business address)
- Name and contact details of next of kin
- ID data relating to referred patient
- Personal life data
Special Category Data may also be provided in the prescription note:
trade union membership;
biometrics (where used for ID purposes);
sex life; or
5. Categories of Data Subjects:
Users of the Services (Community)
Patients referred for therapy
General practitioner or other medical practitioners treating patients
Therapists treating patients
6. Processing Instructions
To use the Shared Personal Data for the purpose specified in 3 above and as otherwise detailed in the Agreement.