1. Data Protection
1.1 For the purposes of the clauses set out in this document (the “Diagnostics360 Data Protection Clauses”), the terms below shall have the following meaning:
“Agreement” means the agreement into which these Diagnostics360 Data Protection Clauses are deemed to be incorporated by reference;
“Diagnostics360” means the entity which is party to the Agreement;
“Portal” means the online service management portal made available to you by or on behalf of Diagnostics360 from time to time;
“Commencement Date” means the date from which any Services are first made available to you;
“Data Policies” has the meaning given to it in clause 2.7.2;
“Data Protection Legislation” means
(i) any legislation in force currently within the United Kingdom which implements the European Community’s Directive 95/46/EC and Directive 2002/58/EC, including the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003;
(ii) from 25 May 2018 only, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation”);
(iii) any other relevant legislation in force at the time the contract is entered into in the United Kingdom relating to privacy and/or the processing of personal data; and
(iv) any guidance or statutory codes of practice issued by the Information Commissioner or the European Data Protection Board set up under the General Data Protection Regulation in relation to such legislation;
“Security Incident” means any incident of accidental or unlawful destruction or accidental loss, alteration, unauthorised or accidental disclosure of or access to personal data that is likely to result in a high risk to the rights and freedoms of natural persons;
“Services” means any services provided to you by or on behalf of Diagnostics360 under the Agreement; and
“you” means the party to the Agreement other than Diagnostics360, and “your” shall be construed accordingly.
1.2 The terms “processing” (and its derivatives), “personal data”, “data controller”, “data processor” and “data subject” will, where used in the Diagnostics360 Data Protection Clauses, have the meanings given to them under the Data Protection Legislation.
1.3 Diagnostics360 reserves the right to update these Diagnostics360 Data Protection Clauses in order to comply with its obligations under new Data Protection Legislation or changes in case law. The prevailing terms shall be those of the most recent version of the Diagnostics360 Data Protection Clauses made available on the Diagnostics360 Portal and/or the Diagnostics360 website.
2. Data protection principles
2.1 Diagnostics360 has developed its Services with IT security and the Data Protection Legislation in mind, in accordance with its primary role as a data processor of sensitive information.
2.2 You may provide data to Diagnostics360 which will include personal data in connection with the Agreement. Each party acknowledges that Diagnostics360 will process the personal data you provide to it:
2.2.1 for the purpose of the performance of Diagnostics360’s obligations under, and the provision of the Services pursuant to, the Agreement; and
2.2.2 for the duration of the Agreement only.
2.3 Each party acknowledges that:
2.3.1 if personal data are processed in connection with the Agreement, the categories of data subjects and types of personal data will be as specified in the Agreement;
2.3.2 Diagnostics360 will be a data processor acting on your behalf and in accordance with your written instructions in relation to the processing of personal data pursuant to Diagnostics360’s performance of the Services under the Agreement; and
2.3.3 under certain circumstances, each party will be a data controller in connection with the processing of personal data where you provide Diagnostics360 with personal data and Diagnostics360 uses such personal data:
- to comply with its own obligations under any applicable law;
- for statistical or other analytical purposes;
- as part of its claims management processes;
- as part of ancillary non-clearing services that Diagnostics360 provides to you; or
- in any other context which requires Diagnostics360 to determine the purposes and means of such processing.
2.4 To the extent that Diagnostics360 acts as a data processor pursuant to the Agreement or in accordance with Data Protection Legislation, Diagnostics360 will:
2.4.1 only process personal data to the extent, and in such a manner, as is necessary for the performance of Diagnostics360’s obligations under the Agreement and in accordance with your written instructions as set out in the Agreement or as otherwise instructed from time to time, and will not process such personal data for any other purpose;
2.4.2 implement and ensure compliance with appropriate technical and organisational measures to protect the security of personal data processed by Diagnostics360 in performance of the Services, and to protect personal data against unauthorised or unlawful processing, accidental or unlawful destruction and damage or accidental loss, alteration, unauthorised disclosure, or access;
2.4.3 take reasonable steps to ensure the reliability and trustworthiness of employees or agents which have access to any personal data, and ensure that such employees or agents are under confidentiality obligations;
2.4.4 to the extent permitted by applicable laws, promptly notify you of any request made by a data subject, regulator or any other person requesting access to personal data processed by Diagnostics360. You will handle any such request, and Diagnostics360 will at all times cooperate with and assist you in executing your obligations under the Data Protection Legislation in relation to such access requests. In all cases, Diagnostics360 will provide you with a copy of all personal data which Diagnostics360 discloses unless prohibited by law;
2.4.5 notify you without undue delay by written notice with relevant details reasonably available of a Security Incident and provide reasonable cooperation and information upon your request in relation to the Security Incident;
2.4.6 on termination, return any data to you or, at your option, securely destroy it to the extent reasonably practicable;
2.4.7 make available to you and any competent data protection or privacy authority all necessary information regarding Diagnostics360’s data processing activities unless providing this information would be in breach of applicable laws (including the Data Protection Legislation), in which case Diagnostics360 must inform you to the extent it is permitted by applicable law to do so;
2.4.8 subject to clause 2.4.9, not engage any sub-contractor, who may be located in the European Economic Area or elsewhere, to assist Diagnostics360 in the fulfilment of Diagnostics360’s data processing obligations under the Agreement except with your prior written consent and unless there is a written contract in place with the sub-contractor which requires the sub-contractor to:
(A) only carry out such processing as may be necessary from time to time for the purposes of its engagement by Diagnostics360 in connection with the Agreement; and
(B) comply with terms and conditions (and only sub-contract on terms and conditions) which provide an equivalent level of protection to personal data as set out in this clause 2.4;
2.4.9 be responsible for the acts and omissions of any such sub-contractors in the performance of data processing obligations under the Agreement as if they were Diagnostics360’s own acts and omissions;
2.4.10 notify you fourteen (14) days in advance before engaging any data sub-processor that Diagnostics360 has not previously communicated to you (via its relevant policies or otherwise) by directing you to an updated list of data sub-processors (or otherwise); if you wish to object to the engagement of such new data sub-processor you shall provide Diagnostics360 with written notice of such objection including reasonable details of the grounds for your objection (“Objection Notice”) as soon as possible; following receipt of an Objection Notice, Diagnostics360 will endeavour to discuss any reasonable objections with you in good faith; if, after 61 days from the date on which Diagnostics360 received the Objection Notice, you can demonstrate that the new data sub-processor is unable to comply with clauses 2.4.8(A) and (B) then you may terminate the Agreement by notice in writing to Diagnostics360; and
2.4.11 not transfer personal data to any country or territory outside the United Kingdom unless Diagnostics360 has ensured that such transfer complies with applicable Data Protection Legislation, either by having in place EU-approved standard contractual clauses to govern the transfer, or using another basis to ensure the transfer complies with the applicable Data Protection Legislation.
2.5 You hereby agree to Diagnostics360 sub-contracting the processing of personal data to third parties from time to time in accordance with Diagnostics360’s privacy policies as communicated to you or as can be found at: LINK provided that Diagnostics360 acts in accordance with its obligations under clauses 2.4.8 – 2.4.11 above.
2.6 To the extent that Diagnostics360 acts as a data controller pursuant to the Agreement (in relation to any personal data provided by you or on your behalf and in respect of which you are also a data controller), Diagnostics360 and you will each:
2.6.2 deal promptly, reasonably and in good faith with all reasonable and relevant enquiries from the other party relating to its processing of personal data.
2.7 Irrespective of whether Diagnostics360 acts as a data processor or a data controller:
2.7.1 you will comply at all times with: (i) all applicable laws and regulations relating to the processing of personal data and privacy; and (ii) all applicable Data Protection Legislation;
2.7.2 without prejudice to clause 2.7.1, you shall comply at all times with your own data processing, privacy and cyber security policies in relation to the processing of personal data and any cyber security incident (“Data Policies”). Within 5 Business Days following the Commencement Date and each anniversary of the Commencement Date, you shall provide Diagnostics360 with copies of your Data Policies relating to the processing of personal data and any cyber security incident for Diagnostics360’s review. Without prejudice to your obligations under clause 2.7, if Diagnostics360 reasonably believes that your Data Policies are not appropriate, Diagnostics360 may require you to comply with Diagnostics360’s Data Policies;
2.7.3 Diagnostics360 will be entitled to assume that any disclosure of personal data to Diagnostics360 by you is done so in a manner which is compliant with: (i) all applicable laws and regulations relating to the processing of personal data and privacy; and (ii) all applicable Data Protection Legislation;
2.7.4 you will provide all necessary information and notices to, and obtain all necessary consents from, any data subjects whose personal data you provide to Diagnostics360, so that Diagnostics360 is able to use or otherwise process this personal data for the purposes of the Agreement without needing any further consent, approval or authorisation, and upon Diagnostics360’s request from time to time you will consult with Diagnostics360, and comply with any reasonable requests of Diagnostics360 in relation to the same; and
2.7.5 if requested by Diagnostics360, you will promptly provide reasonable evidence that you have provided all necessary information and notices to and obtained all necessary consents from data subjects.