1. Introduction
1.1 For the purposes of this Agreement the terms “Controller”, “Processor”, “Personal Data”, “Sensitive Personal Data”, “Data Subject” and “Processing” (and Process and Processed shall be construed accordingly) shall have their respective meanings under the Data Protection Act 2018 (“DPA”) as amended or replaced from time to time, together with all equivalent legislation of the UK and any other applicable jurisdiction (the “Data Protection Legislation”).
1.2 For the purposes of this Agreement, the Customer is the Controller, and SANNO is the Processor.
2. Data Processor Responsibilities
2.1 The Processor shall not cause the Controller to breach any obligation under the Data Protection Legislation.
2.2 The Processor shall notify the Controller without undue delay, if in the delivery of the Services, it identifies any potential areas of actual or potential non-compliance with the Data Protection Legislation in respect of its Processing of Agreement Data.
2.3 The Controller authorizes the Processor to Process the Agreement Data during the term of this Agreement as a Data Processor for the purposes of providing the Services only.
2.4 The Controller warrants that any disclosure to nominated recipients (as described in Schedule 1) by the Data Processor, under the Agreement, shall not cause the Processor to breach any obligation under the Data Protection Legislation.
Sub-Processing
2.5 The Processor shall not engage, use or permit any third party to carry out Processing of any Agreement Data without the prior written consent of the Controller, which may be withheld or subject to conditions at the Controller’s discretion. This Agreement shall be regarded as written consent to engage the Sub Processors identified at Schedule 1. If the Controller has consented to the use of any third party (subsequently, an “Authorized Sub-Processor”) for the Processing of Agreement Data:
2.6 The Processor shall provide the Controller with advance notice of any intended changes to any Authorized Sub-Processor, allowing the Controller sufficient opportunity to object; and
2.7 The Authorized Sub-Processor’s activities must be specified, and the same contractual terms set out in this Agreement imposed on that Authorized Sub-Processor.
2.8 Without prejudice to this clause 2.4, the Processor shall remain responsible for all acts or omissions of the Authorized Sub-Processor as if they were its own.
Data Processor Obligations
2.9 The Data Processor shall (and shall procure that any Authorized Sub-Processor shall) process the Agreement Data only on documented instructions from the Controller, including this Agreement.
2.10 The Processor shall ensure that Agreement Data will only be used by the Processor to the extent required to provide the Services. The Processor shall not without the express prior written consent of the Controller (a) convert any Agreement Data into anonymised, pseudonymised, depersonalized, aggregated or statistical data; (b) use any Agreement Data for “big data” analysis or purposes; or (c) match any Agreement Data with or against any other Personal Data (whether the Processor’s or any third party’s).
2.11 The Processor shall not permit any Processing of Contract Data outside of the UK or the European Economic Area without the Controller’s prior written consent which may be subject to conditions at the Controller’s discretion (unless the Processor or Authorized Sub-Processors are required to transfer the Contract Data, to comply with UK laws and such laws prohibit notice to the Controller on public interest grounds).
2.12 The Processor shall ensure that any person authorized to Process the Agreement Data has committed themselves to confidentiality obligations or is under an appropriate statutory obligation of confidentiality.
2.13 The Processor shall ensure that any person authorized to Process the Agreement Data is appropriately reliable, qualified and trained in relation to their Processing of Agreement Data.
2.14 The Processor shall implement (and assist the Controller to implement) technical and organizational measures to ensure a level of security appropriate to the risk presented by Processing the Agreement Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise Processed (together, a “Data Security Incident”).
2.15 The Processor shall notify the Controller without undue delay (and in any event no later than 24 hours) after becoming aware of a reasonably suspected, “near miss” or actual Data Security Incident. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay, and for the avoidance of doubt, the Processor and Authorized Sub-Processor may not delay notification under this clause on the basis that an investigation is incomplete or ongoing, and may not make or permit any announcement to any party without the Controller’s consent, which may be subject to conditions at the Controller’s sole discretion.
2.16 The Processor shall provide reasonable assistance to the Controller in responding to requests for exercising the Data Subject's rights under the Data Protection Legislation, including by appropriate technical and organizational measures, insofar as this is possible.
2.17 The Processor shall provide reasonable assistance to the Controller in reporting any Data Security Incident to any supervisory authority or Data Subjects and documenting any Security Breach.
2.18 The Processor shall provide reasonable assistance to the Controller in taking measures to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
2.19 The Processor shall provide reasonable assistance to the Controller in conducting privacy impact assessments of any Processing operations and consulting with any applicable supervisory authority or appropriate persons accordingly.
2.20 The Processor, at the choice of the Controller, will securely delete or return all Agreement Data to the Controller after the end of the provision of services relating to Processing, and securely delete any remaining copies and certify when this exercise has been completed to current international / national (NIST / NCSC) Standards; and
2.21 The Processor shall hold Agreement Data physically and electronically separate to any other records or Personal Data, Processed by the Processor or Authorized Sub-Processor other than for the performance of the Services.
2.22 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this clause and allow for and contribute to audits.
Requests from Data Subjects and Regulators
2.23 The Processor warrants and undertakes that it shall notify the Controller within five (5) working days (being any day in England and Wales that is a week day and not a bank holiday) of any complaint by a Data Subject in respect of Data relating to them or any request received from a Data Subject to have access to their Data or of any other communication relating directly or indirectly to the Data Processing in connection with this Agreement and provide all details of such complaint, request or communication to the Controller and promptly and fully cooperate and assist the Controller in relation to any such request or communication.
2.24 The Processor shall not respond directly to any Data Subject access request for their Data, to any Data Subject complaint in relation to their Data, or (unless and to the extent required by law) any communication by a Data Protection Authority to them in relation to the Data, in each case unless expressly approved in writing in advance by the Controller.
Schedule 1 – Scope of Processing
- Purpose for Processing:
As described under ‘Services’ above.
- Manner of Processing:
User accounts will be created, and the user will provide personal and sensitive personal data about their health. With their consent, the data will be shared with Customer on an anonymized basis. It is noted that, as part of internal processes, SANNO processes pseudonymized data for software analytics.
Sanno tracks clicks to review the journey throughout pages and cannot see an identifier that would permit identification in this context. However, it would be possible to cross reference with the database using other IDs (note IDs, e.g. note ID associated with a note made by user in the stress/mood section) and identify the individual. This will only occur in relation to Sanno’s own legitimate Controller activities and only where it aligns with the privacy policy provided to the data subject.
- Data Subjects:
Data subjects wishing to participate in the study have been invited to sign up to the Sanno App by both the Controller and the Processor.
- Included Data Sets:
Name, Address, Gender, Date of Birth, Contact details. Login credentials. User free text entry. Questionnaires sent by Customer to capture patient reported outcomes. User entered health data (medical history, symptoms, nutrition intake, sleep hours, mood and stress, activity level, bowel movements etc.)
- Sub Processors:
Firebase.