Data Processing Addendum

Preliminary

1. The Organisation and LMC have entered into an agreement for the provision of The Log my Care system (System) via the careoffice.logmycare.co.uk website or the Log my Care app (Principal Agreement), involving the provision of certain software/platform services by LMC (Services).  

2. Pursuant to Data Protection Legislation, the parties have agreed to enter into this agreement which will govern the processing of the Organisation Personal Data by LMC on the Organisation’s behalf, in the context of the Services provided under the Principal Agreement.

1. Definitions and interpretation

Definitions

1.1 In this agreement, including the Preliminary, the following words have the following meanings:  

Applicable Law

any law, statute, regulation, or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction in which the goods or services are provided under the Principal Agreement.

Business Day

a day other than a Saturday, Sunday or public holiday in England, when banks in London are open to the public to conduct business.

DPA

Data Protection Act 2018.

Data Protection Legislation

all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the GDPR; the DPA and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended,

and references to data controller, data processor, data subject, international organisation, personal data, process, processes, processed, processing, pseudonymisation, personal data breach and supervisory authority in this agreement have the meanings set out in, and will be interpreted in accordance with (insofar as they are defined):

1. the DPA; and
2. the GDPR.

Data Protection Particulars

in respect of the Organisation Personal Data, the:

1. subject matter and duration of the processing;
2. nature and purpose of the processing;
3. type of personal data being processed; and
4. categories of data subjects.

Data Subject Requests

any requests by data subjects to exercise their  rights set out in Chapter III of the GDPR.  

GDPR

has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA.

Organisation Personal Data

all personal data (including any special categories of personal data) processed or to be processed by LMC (or on behalf of LMC) in connection with the Principal Agreement, including but not limited to the personal data described in the Data Protection Particulars.

Principal Agreement

as defined in the Preliminary.

Services

as defined in the Preliminary.

Sub-Processor

any person or entity engaged by LMC or any further subcontractor to process the Organisation Personal Data on behalf of the Organisation.

Interpretation   ‍

1.2

1.2.1 Schedule and paragraph headings are used for ease of reference only will not affect the interpretation of this agreement.

1.2.2 References to clauses and schedules are to the clauses and schedules of this agreement.  References to paragraphs are to paragraphs of the relevant schedule. A reference to writing or written includes email.

1.2.3 The schedules form part of this agreement and have effect as if set out in full in the body of this agreement. Any reference to this agreement includes the schedules.

1.2.4 A person includes a natural person corporate or unincorporated body (whether or not having separate legal personality).

1.2.5 Any words following the terms including, include, in particular, for example or any similar expression will be construed as illustrative and will not limit the sense of the words, description, definition, phrase or term preceding those terms.

1.2.6 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time.

1.2.7 Any reference to the singular includes a reference to the plural and vice versa and any reference to the masculine includes a reference to the feminine and vice versa. ‍

2. Application and subject matter

2.1 The parties agree that, for the purpose of Data Protection Legislation and in respect of all Organisation Personal Data processed on behalf of the Organisation in connection with the Principal Agreement, the Organisation will be the data controller and LMC will be the data processor.

2.2 To the extent that the Principal Agreement contains no provisions relating to data protection, the processing of personal data and/or security of personal data, the parties agree that the provisions contained in this agreement will apply in respect of all processing of personal data carried out by LMC in connection with the Principal Agreement.

2.3 The parties acknowledge and agree that Schedule 1 contains an accurate description of the Data Protection Particulars.

2.4 The parties acknowledge that the Organisation retains control of the Organisation Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation.

3. Organisation obligations

3.1 The Organisation will not transfer any personal data to LMC that is not strictly necessary for the performance of this agreement or the Principal Agreement.

3.2 The Organisation warrants that, on the date of this agreement, all Organisation Personal Data provided to LMC has been collected and processed by the Organisation in accordance with all Data Protection Legislation and the Organisation has ensured that there is and there will continue to be a lawful basis for LMC to process the Organisation Personal Data.

4. LMC obligations

In respect of any Organisation Personal Data, LMC will:

Acting on instructions of the Organisation

4.1 process the Organisation Personal Data only on documented instructions from the Organisation, including with regard to transfers of the Organisation Personal Data to a third country or an international organisation, unless required to do so by any Applicable Laws; in such a case, LMC will notify the Organisation of that legal requirement before processing (unless that law prohibits such notification on important grounds of public interest);

4.2 immediately inform the Organisation if, in LMC’s opinion, an instruction provided by the Organisation infringes Data Protection Legislation;

Confidentiality

4.3 ensure that all persons authorised to process the Organisation Personal Data on LMC’s behalf have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

Guarantees in relation to security

4.4 implement all technical and organisational measures required pursuant to GDPR and, in particular, Article 32 of the GDPR in relation to security of the Organisation Personal Data, and LMC guarantees that it will implement the following measures, at a minimum:

4.4.1 the pseudonymisation and encryption of the Organisation Personal Data, where appropriate;

4.4.2 the ability to ensure the ongoing security, confidentiality, integrity, availability and resilience of LMC’s processing systems and services;  

4.4.3 the ability to restore the availability of the Organisation Personal Data in a timely manner in the event of a physical or technical incident; and

4.4.4 the implementation of a process for regularly testing, assessing and evaluating the effectiveness of LMC’s technical and organisational measures for ensuring the security of the processing.

Assistance to the Organisation

4.5 notify the Organisation promptly if LMC receives a Data Subject Request directly from a data subject, and provide details in relation to such Data Subject Request;

4.6 taking into account the nature of the processing, at the cost of the Organisation, assist the Organisation by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Organisation’s obligation to respond to Data Subject Requests;

4.7 assist the Organisation, at the Organisation’s cost, in ensuring compliance with its obligations pursuant to Articles 32 - 36 of the GDPR taking into account the nature of processing and the information available to LMC, including but not limited to notifying the Organisation without undue delay upon becoming aware of a personal data breach in respect of the Organisation Personal Data, and providing information and assistance to the Organisation as reasonably required for the Organisation to comply with its obligations to notify such personal data breach to the relevant supervisory authority and data subject;

Deletion of Organisation Personal Data

4.8 at the choice of the Organisation, upon termination or expiry of the Principal Agreement or upon a request by the Organisation, at the Organisation’s cost, delete all existing copies of the Organisation Personal Data and/or return all of the Organisation Personal Data to the Organisation within 60 days (unless Applicable Law requires storage of such Organisation Personal Data);  

Transfers of personal data outside the EEA

4.9 not transfer or otherwise process the Organisational Personal Data outside the EEA without obtaining the Organisation’s prior written consent, except for any transfer or processing by a Sub-Processor in accordance with clause 5.3; and

Audit rights

4.10 at the Organisation’s cost, make available to the Organisation all information necessary to demonstrate compliance with the obligations laid down in this agreement and allow for and contribute to audits, including inspections, conducted by the Organisation or another auditor mandated by the Organisation, provided that:  

4.10.1 LMC may object in writing to an auditor mandated by the Organisation if the auditor is, in LMC’s reasonable opinion, not suitably qualified or independent, a competitor of LMC, or otherwise manifestly unsuitable. In the event of such an objection, the Organisation will appoint another auditor or conduct the audit itself; and

4.10.2 the Organisation will give LMC reasonable notice of any audit or inspection to be conducted under this clause 4.10 and will ensure (and procure that each of its mandated auditors ensure) the minimisation of disruption to LMC’s business in the course of such an audit or inspection. LMC will not be obliged to contribute or allow for an inspection or audit more than once in any calendar year, except for any additional audits or inspections which the Organisation is required or requested to carry out by Data Protection Legislation or a supervisory authority.

5. Engaging Sub-Processors

5.1 The Organisation gives a general authorisation to LMC to appoint Sub-Processors to carry out processing of the Organisation Personal Data in the context of the Services, and acknowledges and agrees to the engagement by LMC of the Sub-Processors set out at Schedule 1. LMC will inform the Organisation in writing of any intended changes concerning the addition or replacement of Sub-Processors (to those set out in Schedule 1), giving the Organisation the opportunity to object to such changes.  

5.2 In respect of the appointment of any Sub-Processor:

5.2.1 LMC will engage a Sub-Processor only if a written agreement is in place that is binding on the Sub-Processor and that contains obligations consistent with those imposed on LMC under this agreement;

5.2.2 LMC will remain liable to the Organisation for the performance of any Sub-Processor’s obligations; and

5.2.3 LMC will provide a list of Sub-Processors to the Organisation upon request.

5.3 Where Sub-Processors are located outside of the UK or EEA, LMC confirms that such Sub-Processors:

5.3.1 are located in a third country or territory recognised by the UK’s Information Commissioner’s Office to have an adequate level of protection; or

5.3.2 have entered into Standard Contractual Clauses (SCCs), an Addendum to those SCCs or an International Data Transfer Agreement with LMC.

6. Limitation of liability

Despite any other term of this agreement or the Principal Agreement, to the fullest extent permitted by law, LMC’s aggregate liability to the Organisation in respect of any claim or liability arising under this agreement will be limited to 75% of the total amount payable by LMC to the Organisation for the Services in the year in which the claim arises.

7. Miscellaneous

Termination

7.1 The parties agree that this agreement will be terminated upon the termination of the Principal Agreement.  

Notices

7.2 Any notice required to be given under this agreement will be in writing and will be delivered by hand or sent by prepaid first class post or recorded delivery post or by email to the other party at its address set out in this agreement, or such other address as may have been notified in writing by that party to the other from time to time. A notice is deemed to be given or served:

7.2.1 if delivered by hand, at the time it is left at the address;  

7.2.2 if sent by prepaid post (whether ordinary first class, airmail, special delivery or recorded delivery), on the second Business Day after posting; and

7.2.3 if sent by email, on the next Business Day, unless the sender receives an “out of office” message or an automatic notification that the email has not been received, in which case the email will be deemed to have not been received.

This clause 7.2 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

Severance

7.3 If any provision (or part of a provision) of this agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions will remain in force.

Waivers

7.4 A waiver of any right under this agreement is only effective if it is in writing and it applies only to the party to whom the waiver is addressed and to the circumstances for which it is given. No failure or delay by a party to exercise any right or remedy provided under this agreement or by law will constitute a waiver of that or any other right or remedy, nor will it prevent or restrict the further exercise of that or any other right or remedy.

Variation

7.5 Any variation to this agreement must be in writing and signed by both parties.

Third party rights

7.6 Nothing in this agreement confers or will be deemed to confer on any person who is not a party to this agreement a right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of the terms of this agreement.

No partnership

7.7 Nothing in this agreement will be construed as constituting a partnership or joint venture between the parties.  

Counterparts

7.8 This agreement may be executed in any number of counterparts, each of which when executed will constitute a duplicate original, but all the counterparts will together constitute the one agreement.

8. Governing law and jurisdiction

This agreement shall be interpreted, construed and enforced in accordance with English law and shall be subject to the exclusive jurisdiction of the English Courts.  

Schedule 1

Data Protection Particulars

The subject matter and duration of the processing

Subject matter: personal data processed in connection with the provision of software/platform services by LMC to the Organisation.

Duration: from the commencement of the Principal Agreement, up until the earlier of:

• the Organisation requesting LMC to delete the Organisation Personal Data and LMC deleting the Organisation Personal Data accordingly; and
• termination of this agreement or the Principal Agreement, for whatever reason.

The nature and purpose of the processing

The processing of personal data by LMC on behalf of the Organisation, for the purpose of providing the System for use by carers.

The type of personal data being processed

In respect of the categories of data subjects described below:

• usernames
• email addresses
• addresses and contact information
• GPS locations
• photos
• videos
• health data
• care data
• customer support data
• billing contact name and email

The categories of data subjects

• End Users: Patients;
• Users & Customers: Carers.

Authorised list of Sub-Processors

• Amazon Web Services
• MongoDB
• Birdie.so
• Painchek
• Carematch
• ChargeBee
• Cloudflare
• Intercom
• Firebase
• FusionAuth
• GoCardless
• Hubspot
• Mixpanel
• Mandrill
• Sentry
• Stripe