Data Protection and Security
11.1 This clause 11 and clause 12, together with WIMPOLE DIGITAL’s Privacy Policy, explain how WIMPOLE DIGITAL will treat and protect the Member’s and its patients’ personal data when it uses WIMPOLE DIGITAL’s Products and/or Services.
11.2 The following definitions apply:
11.2.1 the terms “data subject”, “data controller”, “data processor”, “processing”, “personal data” and “special categories of personal data” bear the respective meanings given them in the Data Protection Legislation;
11.2.2 Member Data includes personal data and special categories of personal data.
11.3 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation (“the General Obligations”).
11.4 Without prejudice to the General Obligations, if WIMPOLE DIGITAL processes any personal data on the Member’s behalf when performing its obligations under the Contract, the parties record their intention that the Member shall be the data controller and WIMPOLE DIGITAL shall be a data processor.
11.5 Without prejudice to the General Obligations:
11.5.1 the Member will ensure that it has all necessary appropriate consents and notices in place as required by the Data Protection Legislation to enable the lawful transfer of personal data (including special categories of personal data) to WIMPOLE DIGITAL and third parties that WIMPOLE DIGITAL works with to provide the Associated Services for the duration and purposes of the Contract, so that WIMPOLE DIGITAL and the third parties WIMPOLE DIGITAL works with may lawfully use, process, store and transfer the personal data and special categories of personal data in accordance with the Contract on the Member’s behalf; and
11.5.2 the Member acknowledges that:
(a) the processing, transferring and storage of its and its patients’ personal data is necessary to enable WIMPOLE DIGITAL to provide and the Member to use the Products and/or Services in accordance with the Contract; and
(b) where the processing, transferring and storage of such personal data includes special categories of data, the Member has obtained the data subject’s explicit consent to such processing.
11.6 Without prejudice to the General Obligations, WIMPOLE DIGITAL shall in relation to any personal data processed in connection with the performance by WIMPOLE DIGITAL of its obligations under the Contract:
11.6.1 process that personal data only on the written instructions of the Member unless WIMPOLE DIGITAL is required by the laws of any member of the European Union or by the laws of the European Union applicable to WIMPOLE DIGITAL to process personal data (“Applicable Laws”). Where WIMPOLE DIGITAL is relying on laws of a member of the European Union or European Union law as the basis for processing personal data, WIMPOLE DIGITAL shall promptly notify the Member of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit WIMPOLE DIGITAL from so notifying the Member;
11.6.2 only transfer any personal data outside of the European Economic Area in accordance with clause 11.9;
11.6.3 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
11.6.4 ensure that access to the Member Data to meet WIMPOLE DIGITAL’s obligations under the Contract is limited to those personnel or authorised subcontractors who need access to and/or process personal data to meet WIMPOLE DIGITAL’s obligations under the Contract and that such personnel or authorised subcontractors are obliged to keep the personal data confidential;
11.6.5 ensure that all personnel or authorised sub-contractors who have access to and/or process personal data do so only in accordance with the instructions from the Member for such processing;
11.6.6 assist the Member in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
11.6.7 allow for and contribute to audits, including inspections, conducted by the Member or another auditor mandated by the Member regarding compliance with the Data Protection Legislation;
11.6.8 notify the Member without undue delay on becoming aware of a personal data breach;
11.6.9 at the written direction of the Member, delete or return personal data and copies thereof to the Member on termination of the Contract unless required by Applicable Law to store the personal data;
11.6.10 inform the Member immediately if, in WIMPOLE DIGITAL’s opinion, any instruction given to it by the Member infringes Data Protection Legislation; (collectively “WIMPOLE DIGITAL’s Commitments”).
11.7 WIMPOLE DIGITAL shall maintain complete and accurate records and information to demonstrate its compliance with WIMPOLE DIGITAL’s Commitments and make them available to the Member on demand.
11.8 WIMPOLE DIGITAL shall keep such records as necessary to comply with Articles 30(2) and 30(3) (ignoring Article 30(5)) of the GDPR.
11.9 The Member acknowledges and agrees that personal data may be transferred to third parties or stored outside the European Economic Area as is necessary in order for the Member to use the Products and/or Services in accordance with the Contract and/or to enable WIMPOLE DIGITAL to discharge its obligations under the Contract. Where WIMPOLE DIGITAL does engage such third parties:
11.9.1 such third parties may be outside the European Economic Area;
11.9.2 in the absence of an adequacy decision by the European Commission in relation to the country where that third party resides, WIMPOLE DIGITAL shall ensure that:
(a) such third parties and WIMPOLE DIGITAL have provided appropriate safeguards in relation to the transfer;
(b) the data subject has enforceable rights and effective legal remedies;
(c) the third party complies with its obligation under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred;
(d) the third party complies with reasonable instructions notified to it in advance by WIMPOLE DIGITAL and/or the Member with respect to processing personal data;
(e) WIMPOLE DIGITAL has entered or (as the case may be) will enter with the third-party processor into a written agreement incorporating terms which are substantially similar to those set out in this clause 11;
(f) it informs the Member of any intended changes concerning the addition or replacement of such third parties; and
(g) as between the Member and WIMPOLE DIGITAL, WIMPOLE DIGITAL shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 11.
11.10 The scope, nature and purpose of processing, the duration of the processing and the types of personal data and categories of data subject as applicable to the Contract are set out in the Privacy Policy.
11.11 WIMPOLE DIGITAL may, at any time on not less than thirty (30) days’ notice, revise this clause 11 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme which shall apply when replaced by attachment to the Contract.
Member Data
12.1 WIMPOLE DIGITAL may use the Member Data:
12.1.1 to discharge its obligations in accordance with the Contract;
12.1.2 to offer best practice recommendations to the Member if applicable;
12.1.3 for benchmarking exercises; and
12.1.4 for development and marketing activity, specifically Product improvements/updates, educational material (whitepapers/seminars/webinars) or user guidelines. The Member has a right at any time to stop WIMPOLE DIGITAL using the Member Data by contacting [email protected].
12.2 The Member shall own all right, title and interest in and to all of the Member Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Member Data.
12.3 If WIMPOLE DIGITAL on its own or through any third party has notice that Member Data stored by the Member or its Authorised Users is in breach of a law or infringes third party rights, WIMPOLE DIGITAL may in its discretion without liability to the Member or its Authorised Users and without prior notice, immediately suspend the Member’s access to the Software, the Application and the Member Data. WIMPOLE DIGITAL shall notify the Member of such action as soon as reasonably practicable.
12.4 Except to the extent otherwise provided in these Conditions, WIMPOLE DIGITAL shall not have any liability for any loss or damage of Member Data nor for the unreliability or any inaccuracies of such Member Data occurring during any conversion process and in the event of any loss, damage, unreliability or inaccuracy to Member Data, the Member’s sole and exclusive remedy shall be for WIMPOLE DIGITAL to use reasonable commercial endeavours to restore the lost or damaged Member Data from the latest back-up of such Member Data maintained by WIMPOLE DIGITAL or the third parties that it works with in order to provide the Services. WIMPOLE DIGITAL shall not be responsible for any loss, destruction, alteration or disclosure of Member Data caused by any third party.