Data Processing Agreement

The PainChek Platform and associated PainChek Application process personal data on behalf of care homes and other customers who use PainChek’s Services to support their healthcare activities. The purpose of this document (“Services DPA”) is to ensure that the contractual arrangements between us in respect of that data processing meet the strict requirements of UK and European law – specifically the UK GDPR and Regulation (EU) 2016/679 (the GDPR). These requirements mean this document must record specific contractual arrangements and instructions.

The Services DPA forms part of, and is incorporated into, your PainChek Service Terms with PainChek (“Principal Agreement”). Words and phrases in this Services DPA have the same meaning as in the Principal Agreement (unless otherwise indicated).

1.       Processing of Relevant Personal Data

1.1    The Parties acknowledge and agree that:

1.1.1 PainChek shall Process Relevant Personal Data as Processor on behalf of Customer for the purposes described in this Services DPA and only in accordance with the lawful, documented instructions of Customer, except where otherwise required by Applicable Law;

1.1.2 Customer is the Data Controller of the Relevant Personal Data and (i) has complied (and will continue to comply) with all Applicable Laws, (ii) shall be responsible for ensuring that Customer has and will continue to have, the right to transfer, or provide access to the Relevant Personal Data to PainChek for any Processing in accordance with the terms of this Services DPA, and (iii) has provided adequate information to Data Subjects in connection with the Processing of the Relevant Personal Data by PainChek;

1.1.3 Customer is solely responsible for configuring its use of (i) the Services and (ii) the Relevant Personal Data, and such configuration and Relevant Personal Data will determine the Processing operations of the Services;

1.1.4 Customer shall, in its use of the Services, Process Relevant Personal Data in accordance with its obligations as a Data Controller and the requirements of all Applicable Laws.

1.2    Customer instructs PainChek to Process Relevant Personal Data:

1.2.1 to perform the Services pursuant to the Principal Agreement (as such Services may be determined by Customer);

1.2.2 pursuant to Customer’s other reasonable documented instructions consistent with the terms of the Principal Agreement;

1.2.3 for the purposes of anonymising the Relevant Personal Data (and Relevant Personal Data that has been anonymised shall no longer be Relevant Personal Data pursuant to this Services DPA);

1.2.4 as may be required by Applicable Laws, provided that PainChek shall have informed Customer of the same before Processing, unless prohibited to do so on important grounds of public interest.

1.3    PainChek shall not otherwise Process Relevant Personal Data as Processor on behalf of Customer and PainChek shall immediately inform the Customer if, in its opinion, an instruction infringes Applicable Law.

1.4    The Relevant Personal Data to be Processed (including the type of Personal Data it comprises), the duration of such Processing, the nature and purpose of the Processing and the categories of relevant Data Subjects are determined by the Customer through its use of the Services.

1.5    PainChek shall ensure that persons authorised by it to have access to the Relevant Personal Data:

1.5.1 comply with Applicable Laws in the context of their duties to PainChek; and

1.5.2 are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

1.6    Taking into account:

1.6.1 the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, PainChek shall, with respect to its Processing of Relevant Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR; and

1.6.2 the nature of the Processing, PainChek shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations to respond to requests to exercise Data Subject rights under the Applicable Laws.

1.7    Upon termination of the Principal Agreement, and after a period of ninety (90) days, PainChek shall delete all copies of Relevant Personal Data, provided:

1.7.1 Customer may in its absolute discretion by written notice to PainChek within thirty (30) days of termination require PainChek to (a) return a complete copy of all Relevant Personal Data to Customer by secure file transfer in such format as is reasonably determined by PainChek; and (b) delete all other copies of Relevant Personal Data Processed by PainChek;

1.7.2 PainChek may retain Relevant Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws; and

1.7.3 PainChek’s obligations to delete Relevant Personal Data will be met by the anonymisation of Relevant Personal Data.

1.8    PainChek shall make available to Customer on request, and subject to the confidentiality obligations in the Principal Agreement, all information reasonably necessary to demonstrate PainChek’s compliance with this Services DPA, and shall allow for use of such information in connection with any Audits (as defined in clause 4 below) or an audit (by a party that is not a PainChek competitor) that is otherwise permitted under the Principal Agreement which shall be subject to the terms and restrictions relevant to such audit.

2.       Assisting the Customer in its compliance

2.1    With respect to Relevant Personal Data Processed by PainChek, it shall provide reasonable assistance to Customer in meeting Customer’s compliance with the following obligations, to the extent required under Applicable Laws:

2.1.1 notification of a Personal Data Breach to a Supervisory Authority;

2.1.2 communication of a Personal Data Breach to the Data Subject;

2.1.3 carrying out a data protection impact assessment to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to PainChek; and

2.1.4 consultation with the Supervisory Authority.

2.2    In respect of clauses 2.1.1 and 2.1.2, PainChek shall notify Customer without undue delay upon it becoming aware of any Personal Data Breach affecting Relevant Personal Data.

3.       Sub-processors

Subject to clause 5.1, Customer hereby authorises PainChek to engage PainChek Affiliates and third-party sub-processors (collectively “Sub-processors”) to Process Relevant Personal Data on PainChek’s behalf. The list of Sub-processors engaged by PainChek is maintained in the PainChek Trust Centre available at: https://security.painchek.com

3.1    PainChek may, by giving not less than ten (10) calendar days’ notice to Customer (such notice being satisfied by updating the Sub-processor List in the Trust Centre), add or make changes to the Sub-processors. Customer may object in writing to the appointment of any new Sub-processor, provided such objection is made within ten (10) calendar days after the notification published by PainChek. In the event Customer objects, PainChek shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Subscription Service.

3.2    PainChek shall ensure that Sub-processors authorised by it to Process Relevant Personal Data are subject, in a written contract, to substantially the same obligations as are imposed on PainChek by this Services DPA and, in that connection, are subject to appropriate obligations of confidentiality, including to the extent applicable the implementation of appropriate technical and organisational measures.

4.       Audit Rights

4.1    Subject to clause 1.8, Customer’s rights of audit shall be satisfied by the provision by PainChek of such information or documentation as is generally made available to its Customers for audit purposes.

5.       Restricted Transfers

5.1    PainChek shall be permitted to make a Restricted Transfer of Relevant Personal Data provided such transfer is protected by appropriate safeguards pursuant to Article 46 of the GDPR.

6.       Limitation of Liability

6.1    Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Services DPA, whether in contract, tort or under any other theory of liability, is subject to the “Liability” section of the Principal Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Principal Agreement and this Services DPA together.

7.       General Terms

7.1    This Services DPA shall be governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement, and the parties to this Services DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising hereunder.

7.2    In the event of inconsistencies between the provisions of this Services DPA and any other agreements between the parties, the provisions of this Services DPA shall prevail, provided that nothing in this Services DPA reduces Customer’s or PainChek’s obligations under the Principal Agreement in relation to the Processing of Relevant Personal Data.

7.3    Should any provision of this Services DPA be invalid or unenforceable, then the remainder of this Services DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

8.       Definitions

8.1    In this Services DPA, the words and phrases shall have the meanings given them in the Principal Agreement, save that the following terms shall have the meanings set out below:

“Applicable Laws” means all laws and regulations of (i) the United Kingdom; (ii) the European Union; (iii) the European Economic Area and their Member States; and (iv) Switzerland, as may be applicable to Processing of Personal Data under the Agreement.

“Affiliate” means an entity that a party, directly or indirectly, controls, an entity that controls a party or an entity that is under common control with a party. For purposes of this Agreement, “control” means ownership of at least fifty percent (50%) of the outstanding voting shares of the entity.

“Customer” means the customer Subscribing for the Services.

“Documentation” means any documentation related to the Services made available by PainChek to the Customer.

“Processing” means the processing (as defined by the GDPR) of Relevant Personal Data by PainChek in the provision of the Services.

“Relevant Personal Data” means Personal Data Processed by PainChek on behalf of Customer in the provision of the Subscription Service, including as may be set out in the Documentation.

“Restricted Transfer” means a transfer of Personal Data from PainChek to a Sub-processor, or from a Sub-processor to another Sub-processor, where such transfer would be prohibited by the GDPR in the absence of appropriate safeguards pursuant to Article 46 of the GDPR.

8.2    The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Process”, “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR.

8.3    References to the GDPR shall, where the context requires, include the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and its corresponding provisions, and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

8.4    The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
