Data Processing Agreement
This data processing agreement (“DPA”) forms part of the terms and conditions for the provision of services (the “Terms”) between you (the “Client”) and Locum Match Limited trading as 'Locate a Locum', a company registered in Northern Ireland with company number Nl637219 and registered address at Unit 25, 8 Cromac Avenue, Belfast, BT7 2JA (“LAL”). Any capitalised terms in this DPA which are not otherwise defined shall have the meaning given in the Terms. In the event of any conflict between any terms of the Terms and this DPA, this DPA shall take priority. This DPA shall apply to the extent that LAL Processes any Personal Data on behalf of the Client in relation to the Services and is incorporated into the Terms by reference.
1.1 In this DPA, the following terms shall have the following meanings:
“Business Day” means any day which is not a Saturday, Sunday or public holiday in the UK; “Data Protection Law” means laws and regulations relating to the processing, privacy, and use of Personal Data, including the UK General Data Protection Regulation (as defined in The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) (“UK GDPR”), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and any laws or regulations implementing or replacing the above;
“Sub-processor” means any Processor engaged by LAL to Process Personal Data on behalf of the Client; and
The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the meaning given under Data Protection Law (and “Process” and “Processes” shall be construed accordingly).
2 DATA PROTECTION
2.1 The parties agree that the Client is the Controller and LAL is the Processor of any Personal Data that LAL Processes on behalf of the Client in relation to the Services. Each party shall comply with its obligations under Data Protection Law.
2.2 The Client warrants and represents that it has the authority, rights and consents necessary to enable LAL to Process the Personal Data in accordance with the Data Protection Law for the purposes of this DPA. The Client shall ensure that the relevant Data Subjects have been informed of, and (if applicable) have given their consent, and that the Client has an appropriate legal ground for the Processing of Personal Data for the purposes of this DPA as required by Data Protection Law.
2.3 The Client shall ensure that all instructions to LAL comply with Data Protection Laws.
2.4 Without prejudice to clause 2.1, in respect of any Processing of Personal Data on behalf of the Client pursuant to the Terms, LAL will:
2.4.1 only Process the Personal Data on the documented instructions from the Client, unless required to do so by applicable law to which LAL is subject; in such case, LAL shall inform the Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. LAL shall immediately inform the Client if, in its reasonable opinion, an instruction infringes Data Protection Law. The parties agree that the description of Processing at Schedule 1 of this DPA is an accurate description of the Processing undertaken in relation to the Services;
2.4.2 ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
2.4.3 taking into account the state of technical development and the nature of Processing, implement appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access;
2.4.4 taking into account the nature of the Processing, assist the Client, at the Client’s cost, appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests from any Data Subject for access, rectification or erasure of the Personal Data, or any objection to Processing. In no event shall LAL be obliged to respond directly to any such request unless specifically required to do so by law;
2.4.5 provide such assistance, at the Client’s cost, as the Client reasonably requires in ensuring compliance with the Client’s obligations pursuant to Articles 32 to 36 of the UK GDPR (security of Processing, breach notification; data protection impact assessments and prior consultations) taking into account the nature of the Processing and the information available to LAL;
2.4.6 at the choice of the Client, securely delete or return the Personal Data to the Client after the end of the provision of Services relating to Processing, unless applicable law or regulation requires storage of the Personal Data;
2.4.7 at the cost of the Client and upon reasonable notice, make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client. The Client may only exercise its right to audit once per calendar year. The parties shall discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit and the Client shall take all necessary steps to minimise the disruption to LAL’s business. Any information obtained pursuant to an audit shall be deemed to be the confidential information of LAL;
2.4.8 only transfer Personal Data outside of the UK and/or EEA in accordance with requirements of Data Protection Law, except where LAL is required to transfer the Personal Data by the laws of the UK, member states of the EU or EU law (and shall inform the Client of that legal requirement before the transfer, unless those laws prevent it doing so);
2.4.9 notify the Client without undue delay and in writing if LAL becomes aware of a Personal Data Breach involving the Client’s Personal Data, together with particulars of the breach to the extent available to LAL; and
2.4.10 promptly inform the Client if LAL receives any request or complaint from a Supervisory Authority relating to the Personal Data
3.1 LAL shall be generally authorised by the Client to engage the Sub-processors listed at www.locatealocum.com subject to LAL notifying the Client of any intended changes concerning the addition or replacement of a Sub-processor by updating the webpage and providing the Client with a mechanism to subscribe to email notifications of such changes at least fifteen (15) days in advance of the change being made. The Client may object in writing to any such changes within ten (10) Business Days of receiving the email notification on reasonable grounds relating to data protection. If the Client does not subscribe to receive such notifications or does not raise an objection in accordance with this clause 3.1, the Client is deemed to have accepted the change and LAL may appoint the Sub-processor.
3.2 LAL shall remain liable to the Client for the acts and omissions of each Sub-processor and shall enter into a written agreement with each Sub-processor on substantially similar terms to this DPA.
4.1 Each party’s liability arising out of or related to this DPA, whether in contract, tort or otherwise, is subject to the limitations and exclusions of liability contained within the Terms.
5.1 This DPA shall terminate upon the expiry or termination of this Terms or, if earlier, LAL ceasing to Process Personal Data on behalf of the Client .
5.2 Except as set out in this DPA, the Terms shall continue in full force and effect.