Terms and Conditions

Software End User Licence and Support Terms and Conditions

IMPORTANT NOTICE:

  • BY ORDERING, DOWNLOADING OR OTHERWISE ACCESSING THE SOFTWARE OR BY CONFIRMING THE ORDER AS PART OF THE DOWNLOADING OR ORDERING PROCESS, THE CUSTOMER AGREES TO THE TERMS OF THIS AGREEMENT WHICH WILL BIND IT AND ITS EMPLOYEES.
  • IF YOU ARE ENTERING INTO THIS AGREEMENT AND ACCEPTING THESE TERMS AND CONDITIONS ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THIS AGREEMENT, IN WHICH CASE THE TERM “YOU” OR “CUSTOMER” SHALL REFER TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THE TERMS AND CONDITIONS OF THIS AGREEMENT, YOU MAY NOT USE THE SOFTWARE. IF YOU DO NOT INTEND TO BE LEGALLY BOUND TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT ACCESS OR OTHERWISE USE THE SOFTWARE AND DO NOT CLICK “ACCEPT” OR OTHERWISE ASSENT TO THIS AGREEMENT. THE CUSTOMER ACKNOWLEDGES THE TERMS OF AND AGREES TO THE TERMS OF DATA PROCESSING AGREEMENT AT ANNEX 2 OF THE AGREEMENT WHICH WILL BIND IT AND ITS EMPLOYEES.
  • IF THE CUSTOMER DOES NOT AGREE TO THE TERMS OF THIS AGREEMENT, THE SUPPLIER WILL NOT LICENCE THE SOFTWARE TO THE CUSTOMER AND THE CUSTOMER MUST DISCONTINUE THE DOWNLOADING OR ORDERING PROCESS NOW BY CANCELLING THE DOWNLOADING OR ORDERING PROCESS. IN THIS CASE, THE DOWNLOADING OR ORDERING PROCESS WILL TERMINATE OR THE CUSTOMER MAY NOT DOWNLOAD OR USE THE SOFTWARE.

1.        Definitions and Interpretation

1.1       The definitions and rules of interpretation in this clause apply in this Agreement.

Affiliate: in relation to the person concerned: a holding company or a subsidiary or a subsidiary of a holding company of such person (where “holding company” and “subsidiary” have the meanings given to such terms in section 8 and section 7 respectively of the Companies Act 2014); a person directly or indirectly Controlled by such person; a person under Common Control with such person; a person that Controls such person; or an associated undertaking of such person.

Agreement: (a) the Order Form, (b) these Software End User Licence and Support Terms and Conditions (the “T&Cs”) and (c) the Appendices.

Authorised Installation: an instance of the Software (up to the maximum quantity specified on the Order Form (if any)) for which the Customer has a valid User Licence.

Authorised Site: has the meaning set out in the Order Form (or if not specified, the address, in the United Kingdom, where the Customer’s medical practice).

Authorised Users: those employees, agents and independent contractors of the Customer who are authorised by the Customer to use the Software and the Documentation and (where applicable) to use the Drug Information and receive the Hardware Support Services, as may be set out in the Order Form.

Appendices: Appendix 1 (Direct Debit Mandate), Appendix 2 (Data Processing Agreement) and Appendix 3 (Messaging Terms and Conditions (if applicable)) to these T&Cs and including the schedules to the Appendices.

Business Day: any day which is not a Saturday, Sunday or public/bank holiday in the United Kingdom.

Confidential Information: information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information in clause 8.

Control: the ability of a person or persons, directly or indirectly, to direct or cause the direction of the affairs of another person, whether through provisions contained in its constitutional documents or, as the case may be, certificate of incorporation or by-laws or other documentation regulating or managing the affairs of that or any other person, or by virtue of any powers conferred by any applicable laws or regulations, the ownership of voting securities, by contract or otherwise, and “Controlled” or “under Common Control” shall be construed accordingly.

Customer: has the meaning set out in the Order Form or the practice or partnership using the Software.

Customer Data: the data inputted by or on behalf of the Customer for the purpose of using the Software or facilitating the Customer’s use of the Software, and shall include, where the context so requires, Personal Data.

Documentation: the documents made available to the Customer by the Supplier online via www.clanwilliamhealth.com or such other web address notified by the Supplier to the Customer from time to time which sets out a description and the user instructions for the Software.

Drug Information: means the database of medical, pharmaceutical and commercial information and periodic updates owned by or licensed to the Supplier.

Effective Date: has the meaning set out in the Order Form (or the date that the Customer accesses or otherwise commences use of the Software).

Hardware Maintenance Services Policy: in circumstances where the Supplier provides Hardware Support Services, the Supplier’s hardware maintenance services policy as available at www.clanwilliamhealth.com as may be varied from time to time by the Supplier.

Hardware Support Services: if applicable, the standard hardware maintenance services provided to Authorised Users in respect of Supported Hardware by the Supplier in accordance with the Hardware Maintenance Services Policy. If the Customer has requested such services, these will be specified on the Order Form.

Initial Period: has the meaning set out in the Order Form and in the event no period is listed, 2 years from the Effective Date.

Licence Fee: the charges payable by the Customer to the Supplier as set out in the Order Form (or as otherwise notified by the Supplier to you).

Licence Term: the Initial Period together with any subsequent Renewal Periods.

Normal Business Hours: 9am to 5.30pm on a Business Day in the United Kingdom.

Order Form: the Software End User Licence Order Form signed by the Supplier and Customer detailing the commercial terms of the Agreement.

Permitted Purpose: the use of an Authorised Installation for a Customer’s own internal business purposes for the uses described in the Documentation.

Personal Data: has the meaning set out in Appendix 2.

Renewal Period: has the meaning given to that term in clause 5.1 of these T&Cs.

Software: the software applications provided by the Supplier to the Customer, as more particularly described in the Order Form (or the Supplier’s software application accessed or used by the Customer).

Software Support Services: the standard software support and maintenance services provided to Authorised Users by the Supplier, in accordance with the Software Support Services Policy.

Software Support Services Policy: the Supplier’s standard support services policy as available at www.clanwilliamhealth.com as may be varied from time to time by the Supplier.

Supplier: has the meaning set out in the Order Form. In the event that an Order Form is not signed or available, the supplier shall be CLANWILLIAM HEALTH (DGL) Limited (Company number 03020555).

Supported Hardware: those items of computer equipment and/or peripherals provided to the Customer by the Supplier that the Supplier notifies the Customer are covered by this Agreement which are physically located in an Authorised Site.

Support Hours: 8:30 am to 6.00 pm from Monday to Friday, excluding Bank Holidays.

User Licence: a licence purchased by the Customer pursuant to this Agreement which entitles Authorised Users to access and use an Authorised Installation of the Software, the Drug Information and the Documentation for the Permitted Purpose.

Virus: any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices.

1.1       A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person’s legal and personal representatives, successors or permitted assigns.

1.2       Words in the singular shall include the plural and vice versa.

1.3       A reference to a statute or statutory provision is a reference to it as it is in force for the time being, taking account of any amendment, extension, or re-enactment and includes any subordinate legislation for the time being in force made under it.

1.4       A reference to writing or written includes e-mail.

1.5       Clause, appendix, schedule and paragraph headings shall not affect the interpretation of this Agreement. References to clauses, appendices and schedules are to the clauses, appendices and schedules of this Agreement. The words “includes” and “including” are to be construed without limitation.

1.        User Licences and Related Products and Services

1.1       Subject to the Customer having purchased the User Licences in accordance with the terms and conditions of this Agreement, and subject to the terms and conditions herein, the Supplier hereby grants to the Customer, as of the Effective Date, a non-exclusive, non-transferable right to permit the Authorised Users to use Authorised Installations of the Software at the Authorised Site(s) together with the Documentation during the Licence Term solely for the Permitted Purpose.

1.2       The licence granted to the Customer under clause 2.1 is personal to the Customer and the Customer shall not, without the prior written consent of the Supplier, assign, transfer, novate, charge, sub-licence or deal in any other manner with all or any of its rights or obligations under this Agreement.

1.3       In relation to the Authorised Sites, the Customer undertakes that:

(a)     it will ensure that there are no instances of the Software or the Drug Information on computer equipment which is owned or leased by the Customer which is not an Authorised Installation;

(b)     in the event that it wishes to decommission an Authorised Installation, it will use all reasonable steps to remove all references to and files associated with the Software and/or the Drug Information and/or the Documentation from the computer equipment prior to creating a new Authorised Installation; and

(c)      it will ensure that there is no unauthorised access to, or use of, the Software and/or the Drug Information and/or the Documentation and, in the event of any such unauthorised access or use, promptly notify the Supplier.

1.4       The Customer may purchase from the Supplier any of the below products and/or services, and the Supplier agrees, if purchased, to provide such products and/or services subject to the terms of this Agreement:

(a)     additional User Licences which will have the effect of increasing the number of Authorised Installations;

(b)     Supported Hardware;

(c)      Hardware Support Services; and

(d)     Drug Information.

1.5       Should the Customer purchase any of the products and/or services specified in clause 2.4 during the Licence Term, the parties agree that the Order Form (if applicable) (and/or, for the avoidance of doubt, these Software End User Licence and Support Terms and Conditions, any Licence Fees or other fees) shall be amended to account for these products and/or services.

1.6       Subject to the charges and payment provisions of the Agreement, if the Customer agrees to purchase any of the products and/or services specified in clause 2.4, the Supplier shall debit the Customer’s bank account by an amount equal to the relevant fees for any of the products and/or services specified in clause 2.4 as may be agreed by the Supplier with the Customer.

1.7       The Customer shall from the date hereof provide to the Supplier valid, up-to-date and complete credit card details or direct debit information acceptable to the Supplier and any other relevant valid, up-to-date and complete contact and billing details and, if the Customer provides: (a) its credit card details to the Supplier, the Customer hereby authorises the Supplier to bill such credit card monthly in arrears for the fees payable in respect of this Agreement; or (b) up to date bank account details: Payment for the Software (or any services) is by direct debit. Your designated bank account will be charged automatically each month; (c) and the Customer shall pay each invoice within 30 days after the date of such invoice and authorises the Supplier to debit such account or card supplied for billing purposes. If the Supplier has not received payment within 30 days after the due date, without prejudice to any other rights or remedies, the Supplier may, without liability to the Customer, disable or suspend the Customer’s password and the Customer’s access to all or part of the Software or services and the Supplier shall be under no obligation to provide any or all of the Software or services while the invoice(s) / fees concerned remain unpaid.

1.8       The Supplier shall be entitled to increase the Licence Fees on prior notice to the Customer and the Licence Fee shall be deemed to have been amended accordingly.

1.9       The Customer acknowledges that should it use the Software otherwise than as specified in this Agreement, without the prior written consent of the Supplier, it may be liable to the Supplier for additional fees, including on any change of use approved by the Supplier.

1.10     If no Supported Hardware and/or Hardware Support Services and/or Drug Information are purchased under this Agreement, then all references to Supported Hardware and/or Hardware Support Services and/or Drug Information in this Agreement shall be disregarded, and the remainder of the relevant provisions shall be construed accordingly.

2.        The Supplier’s Obligations

2.1       In relation to the Software, the Supplier:

(a)     shall provide the Software together with any access keys, where applicable, required for the operation thereof and make available the Documentation to the Customer during the Licence Term on and subject to the terms of this Agreement;

(b)     will from time to time and at the Supplier’s sole discretion make available to the Customer updates to fix defects or enhance the stability of the Software in accordance with the Supplier’s release plan; and

(c)      may: (i) modify the Software by issuing updates; and (ii) make new features, functionality, applications or tools available in respect of the Software, whose use may be subject to the Customer’s acceptance of further terms and conditions. The Supplier does not warrant that such modifications or new features, functionality, applications or tools will be error free and will be provided “as is”.

2.2       The Customer accepts responsibility for the accuracy of its data, any decisions related to its data and the selection of the Software to achieve its intended results. The Supplier does not warrant, represent or undertake that:

(a)     the use of the Software will be uninterrupted or error-free; or

(b)     any data or reports generated by the Software will be accurate or error-free; or

(c)      any decision support tools within the Software will be accurate or error-free.

2.3       In relation to the Software Support Services, the Supplier:

(a)     will provide Authorised Users with the Software Support Services in accordance with the Supplier’s Software Support Services Policy in effect at the time; and

(b)     will use reasonable endeavours to provide Software Support Services outside Support Hours, if requested to do so by the Customer, and the Customer will be liable to pay the Supplier’s prevailing callout charges and reimburse any directly related costs; and

(c)      may, at its sole discretion, make information available to third party software/hardware suppliers where the problem is diagnosed and involves the Software, software other than the Software or hardware in order to resolve any identified problems.

For the avoidance of doubt, at the date of this Agreement, the Supplier’s Software Support Services Policy does not include the provision of any support services in relation to computer hardware or other equipment.

2.4       In relation to the Drug Information, the Supplier:

(a)     shall provide the Drug Information together with any access keys, where applicable, required for the operation thereof to the Customer during the Licence Term on and subject to the terms of this Agreement; and

(b)     will from time to time and at the Supplier’s sole discretion, at no additional cost to the Customer, make available to the Customer updates to the Drug Information.

2.5       In relation to the Supported Hardware, the Supplier:

(a)     will provide Authorised Users with the Supplier’s standard customer support services in accordance with the Supplier’s Hardware Maintenance Services Policy in effect at the time; and

(b)     if the Customer requests Hardware Support Services outside Support Hours, the Supplier will use reasonable endeavours to provide such support and the Customer will be liable to pay the Supplier’s prevailing callout charges and reimburse any directly related costs; and

(c)      will not provide Hardware Support Services where attempts to fix or service the Supported Hardware are made by other than the Supplier, without the prior approval of the Supplier or hardware other than Supported Hardware supplied by the Supplier is installed on the system without the prior written consent of the Supplier.

In addition to the services outlined in this clause, the Supplier offers a number of additional hardware support services, including (inter alia) a fix or replacement policy for Supported Hardware provided by the Supplier for a period of up to three years after installation. For the avoidance of doubt, this service is not included in the Supplier’s basic hardware support services but may be requested by the Customer at the time such equipment is provided by the Supplier.

2.6       The Supplier’s obligations under this clause 3 shall cease immediately in the event that:

(a)     adjustments to the Software are required because of accident, neglect, misuse or cause other than ordinary use; or

(b)     attempts to fix or service the Software are made by other than the Supplier, without the prior approval of the Supplier; or

(c)      proper backup of data has not been maintained by the Customer; or

(d)     where the Customer owes the Supplier any monies outside the Supplier’s usual trading terms; or

(e)     where the Customer infringes the copyright of the software licensed by the Supplier and any of its Affiliates or agents.

2.7       If, in the opinion of the Supplier, user support services are required as a result of cases stated in clause 3.6, the Customer may be liable to pay the Supplier the prevailing callout charges, and for reimbursement of any directly related expenses.

2.8       The Supplier shall not be liable for any non-availability of the Software arising out of any failure of the internet or any other communication system required to access the Software or for any defect or fault in the Customer’s computer system which prevents Authorised Users from accessing the Software.

3.        The Customer’s Obligations

3.1       Throughout the Licence Term, the Customer shall:

(a)     make available personnel and provide information, facilities, services, and equipment to the Supplier as and when necessary so that the Supplier can fulfil its obligations under this Agreement at no cost to the Supplier; and

(b)     ensure that the latest version of the Software and the Drug Information is installed, and the Customer acknowledges that the Supplier shall not be obliged to support other than the latest version; and

(c)      promptly notify the Supplier of any error message or problem with the Software or the Drug Information and ensure the full co-operation of its employees and agents with the Supplier in the diagnosis of any Software issue; and

(d)     ensure that the environment and electrical supply are maintained in a satisfactory manner; and

(e)     ensure existing computer networks to which computers operating the Software are connected are properly maintained as configured at the time of initial installation. Alterations to the network must not be made without consultation with the Supplier; and

(f)      keep and operate the Software in a proper and prudent manner and ensure that only competent trained Authorised Users are allowed to operate the Software and the Drug Information; and

(g)     comply with the terms and conditions or policies of third parties as may be notified by the Supplier to the Customer from time to time.

3.2       The Customer shall not access, store, distribute or transmit any Viruses, or any material during the course of its use of the Software that:

(a)     is unlawful, harmful, discriminatory, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; or

(b)     causes damage or injury to any person or property,

and the Supplier reserves the right, without liability to the Customer, to disable the Customer’s access to any material that breaches the provisions of this clause.

3.3       Except as may be allowed by any applicable law which is incapable of exclusion by Agreement between the parties, the Customer shall not:

(a)     attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software and/or Drug Information and/or Documentation (as applicable) in any form or media or by any means; or

(b)     attempt to reverse compile, disassemble, reverse engineer, or otherwise reduce to human-perceivable form all or any part of the Software and/or the Drug Information; or

(c)      access all or any part of the Software and/or Drug Information and/or Documentation in order to build a product or service which competes with the Software and/or the Drug Information and/or the Documentation; or

(d)     licence, sub-licence, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Software and/or the Drug Information and/or Documentation available to any third party except the Authorised Users; or

(e)     attempt to obtain, or assist third parties in obtaining, access to the Software and/or the Drug Information and/or the Documentation, other than as provided under this Agreement.

3.4       The Customer shall ensure that no third party or person in the Customer’s organisation shall service or attempt to remedy any defect or in any way interfere with the Software, the Drug Information, Supported Hardware, network or setup of the Supported Hardware, except on each occasion under the instructions of the Supplier’s personnel. Any such interference may violate any obligations the Supplier has under this Agreement.

3.5       The Customer shall not (and shall not permit any third party to) carry out any integrations of the Software without the prior written consent of the Supplier.

3.6       The Customer shall not conduct, facilitate, authorise or permit any text or data mining or software scraping in relation to the Software or any services provided via, or in relation to, the Software. This includes using (or permitting, authorising or attempting the use of): (a) any “robot”, “bot”, “spider”, “scraper” or other automated device, program, tool, algorithm, code, process or methodology to access, obtain, copy, monitor or republish any portion of the Software or any data, content, information or services accessed via the Software; and/or (b) any automated analytical technique aimed at analysing text and data in digital form to generate information which includes but is not limited to patterns, trends and correlations.

3.7       The Customer acknowledges and agrees that the Supplier is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the services identified in this Agreement or provided to the Customer and Documentation may be subject to limitations, delays and other problems inherent in the use of such communications facilities.

3.8       The Customer shall provide the Supplier with: (i) all necessary co-operation in relation to this Agreement; (ii) all necessary access to such information as may be required by the Supplier, (iii) in order to provide the Software or services including security access information and configuration services;

3.9       The Customer shall, without affecting its other obligations under this agreement, comply with all applicable laws and regulations, including any of those relating to the export of data and software, with respect to its activities under this Agreement;

3.10     The Customer shall ensure that its network and systems comply with the relevant specifications provided by the Supplier from time to time;

3.11     The Customer shall be solely responsible for procuring, maintaining and securing its network connections and telecommunications links from its systems to the Supplier’s data centres, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer’s network connections or telecommunications links or caused by the internet.

3.12     The Customer acknowledges and agrees the Supplier may refer to the Customer, orally or in writing, as a customer of the Software (or services) for promotional, marketing and financial reporting purposes.

3.13     The Customer is responsible for ensuring the accuracy, suitability and integrity and any back-ups of any Customer Data.

3.14     The Customer is responsible for reviewing, issuing prescriptions, dictations, transcription, diagnoses, prognosis and reports issued or provided using the Software and acknowledges that the Supplier does not warrant that any reports issued through the Software are accurate or complete.

3.15     In respect of any dictation or transcription services, the output and content of such dictations (or the end product thereof, the transcriptions) are provided “as is” and the Customer is responsible for reviewing the output and the correction of any errors contained therein.

4.        Term and Termination

4.1       This Agreement shall, unless otherwise terminated as provided in this clause 5, commence on the Effective Date and shall continue for the Initial Period. After the Initial Period, this Agreement shall be automatically renewed for successive periods, each equal to the length of the Initial Period (each a “Renewal Period”), unless:

(a)     the Customer notifies the Supplier of termination, in writing, at least 90 days before the end of the Initial Period or any Renewal Period, in which case this Agreement shall terminate upon the expiry of the applicable Initial Period or Renewal Period; or

(b)     the Agreement is otherwise terminated in accordance with the provisions of this Agreement.

4.2       Without affecting any other right or remedy available to it, the Supplier may terminate this Agreement (or any features, functionality, applications or tools or services) for convenience with 30 days written notice to the Customer.

4.3       For the avoidance of doubt, in the event that the Customer notifies the Supplier of the termination of this Agreement, any unpaid portions of the Licence Fee will continue to be payable by the Customer to the Supplier in accordance with the charges and payment provisions of the Order Form (or herein). Further, in the event the Customer ceases to use the Software before the end of the Licence Term such amounts will continue to be payable by the Customer to the Supplier.

4.4       If the Customer is in breach of this Agreement, the Supplier may (but shall not be obliged to) disable the Customer’s access to the Software for so long as the relevant breach remains unremedied, without liability or prejudice to its other rights and without prior notice to the Customer.

4.5       Without prejudice to any other rights or remedies to which the parties may be entitled, either party may terminate this Agreement without liability to the other if the other party commits a material breach of any of the terms of this Agreement and (if such a breach is remediable) fails to remedy that breach within 30 days of that party being notified in writing of the breach.

4.6       Without prejudice to any other rights or remedies to which the parties may be entitled, the Supplier may terminate this Agreement without liability to Customer if:

(a)     the Customer fails to pay any amount due under this Agreement on the due date for payment and remains in default not less than 30 days after being notified to make such payment; or

(b)     the Customer ceases or threatens to cease to do business, becomes unable to pay its debts as they fall due, becomes or is deemed insolvent, has a receiver, manager, examiner, liquidator, administrator, administrative receiver or similar officer appointed in respect of the whole or any parts of its assets or business, makes any composition or arrangement with its creditors, or suffers or undergoes any analogous process to the above in any jurisdiction because of debt.

4.7       On termination of this Agreement for any reason:

(a)     all licences granted under this Agreement shall immediately terminate;

(b)     each party shall return and make no further use of any equipment, property, Documentation, Drug Information, and other items (and all copies of them) belonging to the other party;

(c)      subject to clause 5 of Appendix 2, the Supplier may destroy or otherwise dispose of any of the Customer Data in its possession unless the Supplier receives, no later than ten days after the effective date of the termination of this Agreement, a written request for the delivery to the Customer of the then most recent back-up of the Customer Data. The Supplier shall use reasonable commercial endeavours to deliver the back-up to the Customer within 30 days of its receipt of such a written request, provided that the Customer has, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not due at the date of termination). The Customer shall pay all reasonable expenses incurred by the Supplier in returning or disposing of Customer Data; and

(d)     the accrued rights of the parties as at termination, or the continuation after termination of any provision expressly stated to survive or implicitly surviving termination, shall not be affected or prejudiced.

5.        Customer Data

5.1       Any capitalised terms in this clause 6 shall, unless otherwise defined, have the meaning given to them in Appendix 2.

5.2       The Customer shall have sole responsibility for ensuring the legality, reliability, integrity, accuracy, and quality of the Customer Data used in conjunction with and/or entered into the Software.

5.3       The parties acknowledge that in entering into this Agreement they have entered into the Data Processing Agreement at Appendix 2 which shall govern the Processing of Personal Data.

5.4       If the Supplier Processes any Personal Data on the Customer’s behalf when performing its obligations under this Agreement, the parties record their intention that the Customer shall be the Controller and the Supplier shall be a Processor and in any such case:

(a)     the Customer shall ensure that the Customer is entitled, under an appropriate legal basis under the GDPR, to transfer the relevant Personal Data to the Supplier so that the Supplier may lawfully use, Process, and transfer the Personal Data in accordance with this Agreement on the Customer’s behalf; and

(b)     the Customer shall ensure that the relevant third parties have been informed of, and, where necessary, have given their consent to, such use, Processing, and transfer as required by all applicable Data Protection Laws; and

(c)      the Supplier shall Process the Personal Data only in accordance with the terms of this Agreement and any lawful instructions reasonably given by the Customer from time to time; and

(d)     each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction, or damage.

5.5       During the Licence Term, the Supplier shall have the right to use anonymised, aggregated prescription information processed by it on behalf of the Customer and the Customer grants the Supplier the rights to utilise such data to the extent that such usage shall not be in contravention of any applicable Data Protection Laws in effect at the time.

5.6       The Customer will back-up all data and verify that data is correctly backed up at least on a daily basis in line with prudent industry norms. Such data shall be made available to the Supplier, as required to support the Software. The Supplier is under no obligation to and makes no warranty in respect of back-ups of Customer Data and shall not under any circumstances be liable for any loss of or corruption of data.

5.7       The Customer will take reasonable precautions to ensure its system is protected from Viruses by using anti-virus software and that any anti-virus software is updated, as specified, to ensure the latest protection technology is used. The Customer accepts that the Supplier is not responsible for protecting software and transaction data from Viruses or for ensuring that Customers are using anti-virus software or ensuring that Customers are keeping their anti-virus software up to date.

6.        Third Party Providers

6.1       The Customer acknowledges that the Software may enable or assist it to access the website content of, correspond with, and purchase products and services from, third parties via third-party websites and that it does so solely at its own risk. The Supplier makes no representation or commitment and shall have no liability or obligation whatsoever in relation to the content or use of, or correspondence with, any such third-party website, or any transactions completed, and any contract entered into by the Customer, with any such third party. Any contract entered into and any transaction completed via any third-party website is between the Customer and the relevant third party, and not the Supplier. The Supplier recommends that the Customer undertakes thorough due diligence of the third party’s website terms and conditions, privacy policy and cyber security standards prior to using the relevant third-party website. The Supplier does not endorse or approve any third-party website nor the content of any of the third-party website made available via the Software.

6.2       The Customer acknowledges that any use of any third-party integration into the Software is at its own risk. The Supplier shall have no obligations and makes no warranty, representation or undertaking in respect of a third party’s products or services integrated into the Software. By using or otherwise sending SMS, RCS, MMS or other forms of communication messages using the Software (or any integration), the Customer hereby acknowledges and agrees that it: (i) shall be liable for the costs / charges of such messages as notified to the Customer from time to time, to be included in the invoice for the services/ Software; (ii) will comply with the suppliers terms and conditions relating to the provision of those services (including but not limited to the provisions of Appendix 3); (iii) shall be responsible and liable for the content of any text messages sent using or integrated with the Software; (iv) is responsible and shall ensure that it has the necessary consents to send text messages to its patients/ a recipient; and (v) is responsible for and shall ensure that all information, details contained in or patient information is accurate, up to date and correct.

6.3       The Customer shall comply with the terms and conditions of any third-party website or integration into the Software contained via the following link: https://www.dglpm.co.uk/third-parties

7.        Confidentiality

7.1       The provisions of this clause shall survive termination of this Agreement, however arising.

7.2       Each party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. A party’s Confidential Information shall not be deemed to include information that:

(a)     is or becomes publicly known other than through any act or omission of the receiving party; or

(b)     was in the other party’s lawful possession before the disclosure; or

(c)      is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or

(d)     is independently developed by the receiving party, which independent development can be shown by written evidence; or

(e)     is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body.

7.3       Each party shall:

(a)     hold the other’s Confidential Information in confidence and, unless required by law, not make the other’s Confidential Information available to any third party, or use the other’s Confidential Information for any purpose other than the implementation of this Agreement; and

(b)     take all reasonable steps to ensure that the other’s Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement.

7.4       Neither party shall be responsible for any loss, destruction, alteration, or disclosure of Confidential Information of the other party caused by any third party.

7.5       The Customer acknowledges that details of the Software, and the results of any performance tests of the Software, constitute the Supplier’s Confidential Information.

8.        Proprietary Rights

The Customer acknowledges and agrees that the Supplier and/or its licensors own all intellectual property rights in the Software, the Drug Information, and the Documentation. Except as expressly stated herein, this Agreement does not grant the Customer any rights to, or in, patents, copyrights, database rights, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licences in respect of the Software or the Drug Information or the Documentation.

9.        Indemnity

9.1       The Customer shall defend, indemnify and hold harmless the Supplier and any Supplier Affiliate against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with the Customer’s use of the Software and/or the Drug Information and/or the Documentation, including in relation to data inputted by Customer and/or any Authorised User, and/or any integrations made to the Software.

9.2       The foregoing states the Customer’s sole and exclusive rights and remedies, and the Supplier’s (including the Supplier’s employees’, agents’, and sub-contractors’) entire obligations and liability, for infringement of any patent, copyright, trade mark, database right or right of confidentiality.

9.3       For the purpose of this clause, Supplier enters into this Agreement on its own behalf and as agent for each of its Affiliates, each of which may exercise the rights of Supplier under this Agreement.

10.     Limitation of liability

10.1     Subject to the provisions of clause 10, this clause sets out the entire financial liability of the Supplier (including any liability for the acts or omissions of its employees, agents, and sub-contractors) to the Customer in respect of:

(a)     any breach of this Agreement; and

(b)     any use made by the Customer of the Software and/or the Drug Information and/or the Documentation or any part of them; and

(c)      any representation, statement or tortious act or omission (including negligence) arising under or in connection with this Agreement.

10.2     Except as expressly and specifically provided in this Agreement:

(a)     the Customer assumes sole responsibility and the Supplier expressly disclaims any liability for results obtained from the use of the Software and/or the Drug Information and/or the Documentation and/or Supported Hardware by the Customer, and for conclusions drawn from such use;

(b)     the Supplier shall have no liability for any damage caused by errors or omissions in any information, instructions or scripts provided to the Supplier by the Customer in connection with the Software or the Drug Information, or faults which arise from the misuse, incorrect use of or damage to the Software, from whatever cause, caused by the Customer or any actions taken by the Supplier at the Customer’s direction;

(c)      the Supplier shall have no liability for any damage caused by the accuracy of any data or reports generated by the Software, or for any decision support tools within the Software or the content of any dictations or prescriptions issued or generated by or in connection with the Software;

(d)     the Supplier shall have no liability for any loss or damage suffered by the Customer due to any integrations carried out on the Software;

(e)     the Supplier shall have no liability for any loss or damage suffered by the Customer due to a third party’s products or services integrated into the Software;

(f)      all warranties, representations, conditions, and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement;

(g)     subject to clause 3.1, the Software, Documentation, Drug Information, and Supported Hardware are provided to the Customer on an “as is” basis and expressly subject to the disclaimer in clause 11.2(b);

(h)     subject to clause 6 and Appendix 2, the Supplier shall not be liable for the acts or omissions of any sub-contractors it appoints; and

(i)      in no event shall the Supplier, its employees, agents, and sub-contractors be liable to the Customer for any reports produced by the Software.

10.3     Nothing in this Agreement excludes the liability of the Supplier:

(a)     for death or personal injury caused by the Supplier’s negligence; and/or

(b)     for fraud or fraudulent misrepresentation; and/or

(c)      any matter for which it would be unlawful for the parties to exclude liability.

10.4     Subject to clauses 11.2 and 11.3:

(a)     the Supplier shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement; and

(b)     the Supplier’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this Agreement shall be limited to the total Licence Fees paid for the User Licences during the 12 months immediately preceding the date on which the claim arose.

10.5     The Supplier shall have no liability to the Customer under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, epidemics or pandemics, strikes, lock-outs or other industrial disputes (whether involving the workforce of the Supplier or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-contractors, provided that the Customer is notified of such an event and its expected duration.

11.     Records and Audit

11.1     The Customer shall maintain accurate and complete records of its installation and usage of the Software including:

(a)     the number of copies (including backup copies);

(b)     the number of Authorised Users; and

(c)      the Authorised Sites and equipment on which it is installed.

11.2     Within five Business Days of being requested to do so by the Supplier, the Customer shall provide the Supplier with copies of the records referred to in clause 12.1 for the purpose of verifying that the Customer’s treatment of the Software is in accordance with this Agreement.

11.3     The Customer shall allow and procure for the Supplier (and any authorised representatives of the Supplier) access to its premises to inspect the equipment on which the Software is installed or on which the Supplier reasonably believes the Software might be installed, and to audit (and take copies of) the relevant records of the Customer, to the extent necessary to verify that the installation and use of the Software is in accordance with this Agreement.

11.4     At the Supplier’s option, the audit and inspection referred to in clause 12.3 may be undertaken by way of remote access or by way of physical attendance at any premises where the Customer locates its computer equipment.

11.5     The provisions of this clause 12 shall survive termination or expiry of this Agreement for a period of 12 months.

12.     Other

12.1     The Supplier reserves the right to make changes to these T&Cs at any time and shall make the updated terms available to the Customer on the Supplier’s website (www.clanwilliamgroup.com) as soon as reasonably practicable.

12.2     If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable, or illegal, the other provisions shall remain in force.

12.3     If any invalid, unenforceable or illegal provision would be valid, enforceable, or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect.

12.4     This Agreement, and any documents referred to in it, constitute the whole Agreement between the parties and supersede any previous arrangement, understanding or Agreement between them relating to the subject matter they cover.

12.5     Each of the parties acknowledges and agrees that in entering into this Agreement it does not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person (whether party to this Agreement or not) relating to the subject matter of this Agreement, other than as expressly set out in this Agreement.

12.6     The Supplier may at any time assign, transfer, charge, sub-contract, or deal in any other manner with all or any of its rights or obligations under this Agreement.

12.7     This Agreement does not confer any rights on any person or party (other than the parties to this Agreement and, where applicable, their successors and permitted assigns).

12.8     Any notice required to be given under this Agreement shall be in writing and shall be sent to the other party at its address set out in this Agreement, or such other email or postal address as may have been notified by that party for such purposes.

12.9     A notice delivered by hand shall be deemed to have been received when delivered (or if delivery is not in Normal Business Hours, at 9am on the first Business Day following delivery). A correctly addressed notice sent by post or recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post. A notice sent by email shall be deemed to have been received at the time of the receipt of an emailed reply to sender from the recipient confirming receipt of the original notice.

12.10   This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement. The parties consent to the execution of this Agreement by electronic means.

13.     Governing Law and Jurisdiction

13.1     This Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by, and construed in accordance with, the laws of England.

13.2     The parties irrevocably agree that the courts of England have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).

 

APPENDIX 2

DATA PROCESSING AGREEMENT (“DPA”)

 

For the purposes of this DPA, the Customer shall be known as the Controller and the Supplier shall be known as the Processor (each a “Party” and together the “Parties”).

  1. INTERPRETATION
    • The following definitions and rules of interpretation apply in this DPA.
“Affiliate” shall have the meaning given to that term in the Principal Agreement;
“Data” means Personal Data and Special Categories of Personal Data (as the context requires);
“Data Protection Laws” means the Data Protection Acts 1988 to 2018; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”); Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications) and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations, 2011 (to the extent applicable);
“Normal Business Hours” shall have the meaning given to that term in the Principal Agreement;
“Principal Agreement” the Agreement as defined in the Software End User License and Support Terms and Conditions to which this DPA is appended;
“Processor System” any information technology system or systems owned or operated by the Processor to which Data is delivered or on which the Services are performed in accordance with this DPA;
“Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
“Services” the services to be supplied by the Processor to the Controller in connection with the Principal Agreement (to the extent relevant);
“Standard Contractual Clauses” the “Standard Contractual Clauses” annexed to the European Commission Decision of: i) 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR or ii) (until such times as Processor has entered into the Standard Contractual Clauses outlined at i), the 5 February 2010 for the Transfer of Customer Personal Data to Processors established in Third Countries under Directive 95/46/EC);
“Technical and Organisational Security Measures” shall mean those measures aimed at protecting Data against accidental or unlawful destruction, accidental or unauthorised loss, alteration or unauthorised disclosure of or access to Data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, as set out at Schedule 2; and
“Term” means the Initial Term and any Renewal Periods in accordance with the provisions of the Principal Agreement.
    • For the purposes of this DPA, the terms “Personal Data”, “Data Subject”, “controller”, “processor”, “Processing” (and “Process” and “Processed” shall have a corresponding meaning), “Special Categories of Personal Data” and “Recipient” shall have the same meanings as in the Data Protection Laws.

 

  2. DATA PROCESSING
    • The subject matter, nature, and purpose of the Processing of Personal Data, together with the duration of the Processing, the type of Personal Data and the categories of Data Subjects is set out at Schedule 1.
    • During the Term, the Processor will process the Data in accordance with the terms and conditions set out in this DPA, and in particular the Processor will:
      • comply with its obligations as a Processor under the Data Protection Laws;
      • having regard to the state of the art, costs of implementation (where applicable) and taking into account the nature, scope, context and purposes of the Processing and the risk to the rights and freedoms of Data Subjects posed by the Processing and the information available to the Processor, implement the Technical and Organisational Security Measures, which the Controller and the Processor agree to be appropriate for the purposes of this DPA;
      • at the cost of the Controller, insofar as reasonably possible and practicable to do so, assist the Controller:
        • in complying with the rights of the Data Subjects as set out in the Data Protection Laws;
        • in conducting data protection impact assessments involving the Services (which may include by provision of documentation to allow customer to conduct their own assessment); and
        • with respect to any investigations relating to a Personal Data Breach including preparing any required notices, and providing any information reasonably requested by the Controller in relation to any Personal Data Breach.
      • without due delay, notify the Controller of any actual Personal Data Breach which does actually affect the Data, after becoming aware of such Personal Data Breach;
      • unless otherwise lawfully directed in writing by Controller:
        • insofar as it is reasonably possible and lawful to do so, process the Data solely in accordance with the instructions of Controller as notified in writing in advance by the Controller, except as required/permitted to do otherwise by European Union law or the laws of any member state to which the Processor is subject, and (where permitted) the Processor will inform the Controller of such;
        • take reasonable steps to ensure that each of its employees, officers, representatives, advisers and/or subcontractors engaged in processing the Data will be informed of the confidential nature of the Data and are under an obligation to keep the Data confidential; and
        • not Process or transfer any Data outside the European Economic Area (“EEA”) without the prior written consent of the Controller, other than as provided by clause 3 of this DPA.
      • To the extent that Processor cannot comply with the Controller’s instructions pursuant to clause 2.2.5(a) of this DPA or a change to those instructions (as the case may be) without incurring material additional costs, the Processor shall: (i) immediately inform the Controller, giving full details of the problem; and (ii) cease all processing of the affected Data (other than securely storing that Data) until revised instructions are received.
      • The Processor will, at the cost of the Controller and on reasonable notice during Normal Business Hours, give commercially reasonable assistance to the Controller, in ensuring compliance with the Controller’s obligations under the Data Protection Laws having regard to the state of the art, costs of implementation (where applicable) and taking into account the nature, scope, context and purposes of the Processing and the risk to the rights and freedoms of Data Subjects posed by the Processing and the information available to the Processor.
      • The Controller hereby agrees that it will comply with its obligations as a Controller under the Data Protection Laws. In particular, the Controller shall ensure that at all relevant times there is a legal basis for Processing in accordance with the Data Protection Laws to enable the Processor (and the Processor’s Affiliates) to Process the Data and/or Special Categories of Personal Data as pursuant to the Services under this DPA.

 

  3. SUB-CONTRACTING
    • The Controller hereby grants to the Processor authorisation to subcontract its processing functions as it deems necessary in respect of Processing the Data pursuant to this DPA to any of the third parties listed at Schedule 3, including those third parties based outside the EEA which are also listed at Schedule 3.
    • The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-contractors from such list and the Controller, acting reasonably, will have the right to object to a proposed change within thirty (30) days from receiving written notice from the Processor such notice to include evidence as to why the Controller objects. In the event that the Controller objects to any such proposed change, the Processor will have the option to propose an alternative contractor or terminate the Principal Agreement (which will be effective ten (10) days from the Controller exercising its right to object).
    • In the event that a sub-contractor is contracted by the Processor to carry out Processing, the Processor will procure (so far as it is within the Processor’s control to do so) that such sub-contractor enters into an agreement with the Processor in relation to Processing the Data, the terms of which are similar to, but not less onerous than, the terms of this DPA.
    • If required, the Customer authorises the Processor to enter into Standard Contractual Clauses contained in Schedule 3 to this DPA with the subcontractor in the Customer’s name and on its behalf. The Provider will make the executed SCCs available to the Customer on request.
    • The Processor is hereby authorised to transfer the Data to the third parties listed in Schedule 3 as being based outside the EEA provided that, to the extent applicable, for transfers of Controller Data from the EEA to locations outside the EEA (either directly or via onward transfer) that do not have adequate standards of data protection as determined by the European Commission, Processor relies upon:
      • the Standard Contractual Clauses; or
      • such other appropriate safeguards, or derogations (to the limited extent appropriate), specified or permitted under the Data Protection Laws.
    • With respect to Processor’s reliance on the Standard Contractual Clauses for international transfers of Customer Data under the DPA, Processor shall act in its capacity as ‘data exporter’ as set out in the relevant modules of the Standard Contractual Clause.

 

  4. AUDIT
    • Not more than once in any period of twelve months during the Term, the Processor will, at the cost of and on reasonable notice from the Controller during Normal Business Hours:
      • provide all information necessary; and/or
      • permit the Controller (or any auditor acting under the authority of the Controller) to carry out an audit or inspection,

to demonstrate the Processor’s compliance with its obligations laid down in Article 28 of the GDPR, PROVIDED HOWEVER that:

  • the scope of an audit will be limited to Processor Systems, processes, and documentation relevant to the processing and protection of Controller Data;
  • Controller shall ensure that any auditors or representatives that it appoints will conduct audits subject to any appropriate and reasonable confidentiality restrictions requested by Controller;
  • any information obtained by the Controller in connection with or in the course of any such audit and any such information provided to or obtained by the Controller shall be maintained by the Controller in the strictest confidence, shall be used solely for the purposes of ensuring that the Processor is complying with its obligations as a Processor under Article 28 of the GDPR and shall not be used or disclosed for any other purpose.

 

  5. RETURN OR DESTRUCTION OF DATA
    • Upon prior written request and at the option and cost of the Controller, the Processor will as soon as reasonably practicable and possible to do so:
      • destroy or return to Controller all Data; and
      • to the extent technically practicable, erase all Data from the Processor System.
    • Nothing in clause 5.1 of this DPA shall require the Processor to return or destroy Data that the Processor is required to retain by applicable law, or to satisfy the requirements of any laws of the European Union or member state law, regulatory authority or body of competent jurisdiction to which the Processor is subject.

 

  6. LIABILITY
    • The Controller acknowledges that the Processor is reliant on the Controller for direction as to the extent to which the Processor is entitled to use and process the Personal Data. Consequently, the Processor will not be liable for and the Controller shall indemnify and keep indemnified and defend at its own expense the Processor against all claims, costs (including without limitation court costs and legal fees), damages (direct or indirect), losses or expenses (“Loss”) suffered or incurred by the Processor or for which the Processor may become liable including and in particular to such arising from:
      • civil claims where a final award of damages has been granted or which are subject to a court approved settlement; and/or
      • administrative fines imposed by a supervisory authority and approved by a court of competent jurisdiction,

in each case, except to the extent that any such Loss arises due to the failure by the Processor to comply with any of its obligations under this DPA or for breach of the Data Protection Laws.

 

 

SCHEDULE 1

 

(A) Subject matter, nature and purpose of the processing of Personal Data under the Principal Agreement

Subject matter

The provision of Services by the Processor to the Controller under the Principal Agreement.

Nature

Processing activities, such as storage, retrieval, analysing, data collection and data transfer will all be undertaken by the Processor.

Purpose

· Software Updates
· Drug Information Updates
· Technical Support Services
· Remote Connection for Technical Support
· Support Call Logging
· Telephone Support
· Transfer of Data for Troubleshooting
· Transcription Services

(B) Duration of the processing of Personal Data under the Principal Agreement

Personal Data will be processed for the Term of the Principal Agreement unless the Principal Agreement is terminated earlier in accordance with its clause 5 or the Personal Data processing extends beyond the termination of the Principal Agreement in order to comply with applicable laws pursuant to clause 5.2 of this DPA.

(C) Type of Personal Data processed under the Principal Agreement

Personal Data

Personal Data can be processed and can include, name, address, telephone or mobile number, fax number, email address, information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title, identification numbers, and social security details.

Special Categories of Personal Data

Sensitive Personal Data can be processed and can include racial or ethnic origin, religion, physical or mental health condition and sexual life, notes, prescriptions, maternity, lab results and other medical data.

(D) Categories of data subjects of the Personal Data processed under the Principal Agreement

Categories of the individuals to whom the Personal Data relates – e.g. past, present and prospective patients; past, present and prospective employees, personnel and third-party suppliers.

SCHEDULE 2

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

To the extent such measures apply to the Agreement

Domain Practices
Domain: Organisation of Information Security

Security Ownership. The Processor has an internal security committee and a Data Protection Officer.

Security Roles and Responsibilities. The Processor’s staff with access to Customer Data are subject to confidentiality agreements within their contracts.

Risk Management Program. The ISO 27001 framework is used to identify risks to the availability of our services and the confidentiality of data assets.

Domain: Asset Management

Asset Inventory. The Processor uses the ISO 27001 framework for developing an internal asset inventory.

Asset Handling

·          The Processor regularly reviews access to assets with departments.

·          The Processor’s human resources department issues joiner requests listing requirements for access and also removal of assets for leavers.

·          Monitoring of internal activity is controlled by a SIEM solution.

·          All Assets have anti-virus installed and are regularly scanned.

·          All Assets are encrypted with BitLocker.

Domain: Human Resources Security

Security Training. The Processor issues all staff with data protection training modules on induction and refresher training every 12 months. Training modules cover data protection principles, data subject access requests, data breaches and keeping data secure.

The Processor’s human resources department issues starter and leaver forms to IT for removal of access to the building, emails, and any IT assets.

Domain: Physical and Environmental Security

Physical Access to Facilities. The Processor requires a fob pass to enter the building and a fob to enter the office.

Physical Access to Components. Records of employees entering the Processor’s office are logged. Visitors are required to sign in on a book and are issued visitor passes.

Protection from Disruptions. The Processor’s information technology communications room has redundancy with UPS, high availability ISP and firewalls.

Component Disposal. A data retention policy and procedure has been introduced to comply with GDPR. Shredding is carried out on site and certified.

Domain: Communications and Operations Management

Operational Policy. The Processor maintains an information security management system which contains documents for security access, internet usage, BYOD, email policy, password policy and many others.

Data Recovery Procedures

1.         The Processor reviews its backup requirements with relevant departments every 3 months.

2.         Off site and on site backups are maintained.

3.         The processor leverages native AWS and/or Azure backup technologies.  KeepItSafe, Barracuda Cloud Backup and other 3rd Party backup and replication solutions are also used.

4.         Backups are periodically restored and tested.

Malicious Software. The Processor uses industry standard antivirus and antimalware solutions such as Microsoft Defender, Microsoft Defender for Cloud, ESET Security and Microsoft Endpoint Protection Manager. Network monitoring solutions such as SolarWinds and/or Log360 are in place to identify and alert against suspicious activity.

Data Beyond Boundaries

The Processor encrypts data at rest and in-transit where applicable.

Event Logging.  System events are logged using native technologies or other 3rd party SIEM solution(s).

Domain: Access Control

Access Policy. The Processor maintains a record of security privileges of individuals having access to Customer Data. These are reviewed with line managers every 6 months.

Access Authorization

1.         Access to data is approved by the relevant line manager

2.         Human Resources policies and procedures are implemented for employees who are joiners and leavers.

3.         The Processor deactivates authentication credentials from employees who are leavers and reviews its access directory periodically

4.         O365 access is managed by the Processor’s information technology department

5.         All server access is IP locked, using the Key and password.

–    The Processor ensures that where more than one individual has access to systems containing Customer Data, the individuals have separate identifiers/log-ins.

Least Privilege

–    Customer support personnel are only permitted to have access to Customer Data when needed.

–    The Processor restricts access to Customer Data to only those individuals who require such access to perform their job function.

Integrity and Confidentiality

–    The Processor instructs its personnel to disable administrative sessions when leaving premises that the processor controls or when computers (used by the Processor’s personnel) are otherwise left unattended.

–    The Processor stores passwords in a way that makes them unintelligible while they are in force.

Authentication

–    The Processor uses industry standard practices to identify and authenticate users who attempt to access information systems.

–    Where authentication mechanisms are based on passwords, the Processor requires that the passwords are renewed regularly.

–    Where authentication mechanisms are based on passwords, the Processor requires the password to be at least eight characters long, with complexity.

–    The Processor ensures that de-activated employees (former employees) are not granted access to data or premises.

Domain: Information Security Incident Management

Incident Response Process

–    The Processor has a procedure in place for reporting security breaches.

–    A major incident policy is in place for the event of such breaches.

Service Monitoring. The Processor reviews monitoring logs periodically.

Domain: Business Continuity Management

–    The Processor maintains a business continuity plan to ensure customers have access to services in the event of environmental or physical building access issues.

SCHEDULE 3

LIST OF PROCESSORS ENGAGED BY THE PROCESSOR

 

Sub-contractor Function Location
Microsoft Azure Data Centre for hosting DGL Platform and data Ireland/Netherlands
Commify UK Limited t/a Esendex SMS Service Provider UK
RSA RSA Keyfobs for secure access to DGL PM hosted platform UK
New World IT IT Partner UK
Codec-dss Ltd CRM System partner Ireland
Dictate IT Transcription Services UK
British Orient Limited Transcription Services India
Redcentric Data Centre (Hosting) UK
Medisoft (if customer is using Medisoft software) Integration with Medisoft (ophthalmology software) UK
Zeiss (If customer is using Medisoft software) Integration with Zeiss (ophthalmology software) UK
HCA Lab, One-way integration appointments and patients with data flowing into DGL PM UK
TLC LAB (The London Clinic) Integration with TLC for diagnostic/lab results UK
TDL (The Doctors Laboratory) Integration with TDL for blood results. UK
World Pay Integration for card payments UK
Amplitude Integration for clinical outcomes UK
Pharmacierge Integration for medication prescriptions UK
Healthcode Integration for EDI Billing, BUPA lookup and membership lookup. UK
Google Calendar Integration with Google Calendar on a one-way link (DGL to Google) UK
Bupa Integration with clinician list UK
Interfax.net Ability to send efax UK
Galway Clinic Link Integration into Galway Clinic booking system. (Ireland Only) Ireland
Viapost Integration for bulk posting service UK
Cardsave Card payments UK
CDW Managed Services Partner UK
MBC (Medical Billing Collection) Billing Collection Service UK
Bill Medical Billing Collection Service UK

 

 

SCHEDULE 4

 

STANDARD CONTRACTUAL CLAUSES

For the transfer of personal data to third countries

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council

Controller to Processor

SECTION I

Clause 1

Purpose and scope

(a)                   The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ([i]) for the transfer of data to a third country.

(b)                   The Parties:

(i)                    the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii)                   the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c)                   These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d)                   The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a)                   These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b)                   These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a)                   Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i)                    Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii)                   Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii)                  Clause 9(a), (c), (d) and (e);

(iv)                  Clause 12(a), (d) and (f);

(v)                   Clause 13;

(vi)                  Clause 15.1(c), (d) and (e);

(vii)                 Clause 16(e);

(viii)                Clause 18(a) and (b).

(b)                   Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a)                   Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b)                   These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c)                   These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

 

 

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

(a)                   An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b)                   Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c)                   The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

 

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

(a)                   The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b)                   The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a)                   The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b)                  The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c)                   In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d)                   The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union ([ii]) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i)                    the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii)                   the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii)                  the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv)                  the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a)                  The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b)                   The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c)                   The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d)                   The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e)                   The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a)                   The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b)                   Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. ([iii]) The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c)                   The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d)                   The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e)                   The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a)                   The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b)                   The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c)                   In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a)                   The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b)                   In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c)                   Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i)                    lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii)                   refer the dispute to the competent courts within the meaning of Clause 18.

(d)                   The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e)                   The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f)                    The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a)                   Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b)                   The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c)                   Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d)                   The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e)                   Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f)                    The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g)                   The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

 

Clause 13

Supervision

(a)                   The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

(b)                   The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

 

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a)                   The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b)                   The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i)                    the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii)                   the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards ([iv]);

(iii)                  any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c)                   The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d)                   The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e)                   The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f)                    Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1                Notification

(a)                   The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i)                    receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii)                   becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b)                   If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c)                   Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d)                   The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e)                   Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2                Review of legality and data minimisation

(a)                   The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b)                   The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c)                   The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a)                   The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b)                   In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c)                   The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i)                    the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii)                   the data importer is in substantial or persistent breach of these Clauses; or

(iii)                  the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d)                   Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e)                   Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.

Clause 18

Choice of forum and jurisdiction

(a)                   Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b)                   The Parties agree that those shall be the courts of the Republic of Ireland.

(c)                   A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d)                   The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX 1

ANNEX I

  1. LIST OF PARTIES

Data exporter(s):

Name:            The entity identified as the “Customer” in the Principal Agreement

Address:       the address for the Customer associated with the Customer’s account or otherwise specified in the Order Form

Contact person’s name, position and contact details: the contact details associated with the Customer’s account or otherwise specified in the Order Form

Activities relevant to the data transferred under these Clauses: The services specified or identified in the Principal Agreement

 

The personal data transferred will be subject to the following basic processing activities (please specify):

  1. Software Updates
  2. Drug Information Updates
  3. Technical Support Services
  4. Remote Connection for Technical Support
  5. Support Call Logging
  6. Telephone Support
  7. Transcription Services

 

Data importer(s):

Name: CLANWILLIAM HEALTH (DGL) LIMITED (company number 03020555)

Trading Address: Aurora House Deltic Avenue, Rooksley, Milton Keynes, Buckinghamshire, MK13 8LW, United Kingdom

Registered address: Aurora House Deltic Avenue, Rooksley, Milton Keynes, Buckinghamshire, MK13 8LW, United Kingdom

Contact person’s name, position and contact details:

Name:           Eileen Byrne

Position: Managing Director

Tel.:                01280 824 600

e-mail:           gdpr@clanwilliamhealth.com

Activities relevant to the data transferred under these Clauses:

 

The personal data transferred will be subject to the following basic processing activities (please specify):

  1. Software Updates
  2. Drug Information Updates
  3. Technical Support Services
  4. Remote Connection for Technical Support
  5. Support Call Logging
  6. Telephone Support
  7. Transcription Services

 

  1. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

 

Patients

Relatives of patients

Client contact details

Categories of personal data transferred

 

Personal Data and Sensitive Data

Personal Data:

Personal Data that is captured can include, among other information, personal contact information such as name, address, telephone or mobile number, fax number, email address, information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title, identification numbers, and social security details.

Sensitive Data: Data that reveals data concerning health.

 

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

  1. Software Updates
  2. Drug Information Updates
  3. Technical Support Services
  4. Remote Connection for Technical Support
  5. Support Call Logging
  6. Telephone Support
  7. Transcription Services

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

CONTINUOUS BASIS – the Term

 

 

Nature of the processing

 

  1. Software Updates
  2. Drug Information Updates
  3. Technical Support Services
  4. Remote Connection for Technical Support
  5. Support Call Logging
  6. Telephone Support
  7. Transcription Services

Purpose(s) of the data transfer and further processing

Performance of Contract

 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The Term

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Subject matter

The provision of Services by the Processor to the Controller under the Principal Agreement.

Nature

Processing activities, such as storage, retrieval, analysing, data collection and data transfer will all be undertaken by the Processor.

Purpose

  • Software Updates
  • Drug Information Updates
  • Technical Support Services
  • Remote Connection for Technical Support
  • Support Call Logging
  • Telephone Support
  • Transcription Services

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The Term

 

  1. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The Data Protection Commission

 

 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

Domain Practices
Organisation of Information Security

Security Ownership. The Processor has an internal security committee and a Data Protection Officer.

Security Roles and Responsibilities. The Processor’s staff with access to Customer Data are subject to confidentiality agreements within their contracts.

Risk Management Program. The ISO 27001 framework is used to identify risks to the availability of our services and the confidentiality of data assets.

Asset Management

Asset Inventory. The Processor uses the ISO 27001 framework for developing an internal asset inventory.

Asset Handling

·          The Processor regularly reviews access to assets with departments.

·          The Processor’s human resources department issues joiner requests listing requirements for access and also removal of assets for leavers.

·          Monitoring of internal activity is controlled by a SIEM solution.

·          All assets have anti-virus installed and are regularly scanned.

·          All assets are encrypted with BitLocker.

Human Resources Security

Security Training. The Processor issues all staff with data protection training modules on induction and refresher training every 12 months. Training modules cover data protection principles, data subject access requests, data breaches and keeping data secure.

The Processor’s human resources department issues starter and leaver forms to IT for removal of access to building, emails, and any IT assets.

Physical and Environmental Security

Physical Access to Facilities. The Processor requires a fob pass to enter the building and a fob to enter the office.

Physical Access to Components. Records of employees entering the Processor’s office are logged. Visitors are required to sign in on a book and are issued visitor passes.

Protection from Disruptions. The Processor’s information technology communications room has redundancy with UPS, high availability ISP and firewalls.

Component Disposal. A data retention policy and procedure has been introduced to comply with GDPR. Shredding is carried out on site and certified.

Communications and Operations Management

Operational Policy. The Processor maintains an information security management system which contains documents for security access, internet usage, BYOD, email policy, password policy and many others.

Data Recovery Procedures

1.         The Processor reviews its backup requirements with relevant departments every 3 months.

2.         Off site and on site backups are maintained.

3.         The Processor leverages native AWS and/or Azure backup technologies. KeepItSafe, Barracuda Cloud Backup and other 3rd party backup and replication solutions are also used.

4.         Backups are periodically restored and tested.

Malicious Software. The Processor uses industry standard antivirus and antimalware solutions such as Microsoft Defender, Microsoft Defender for Cloud, ESET Security and Microsoft Endpoint Protection Manager. Network monitoring solutions such as SolarWinds and/or Log360 are in place to identify and alert against suspicious activity.

Data Beyond Boundaries

The Processor encrypts data at rest and in-transit where applicable.

Event Logging.  System events are logged using native technologies or other 3rd party SIEM solution(s).

Access Control

Access Policy. The Processor maintains a record of security privileges of individuals having access to Customer Data. These are reviewed with line managers every 6 months.

Access Authorization

1.         Access to data is approved by the relevant line manager

2.         Human Resources policies and procedures are implemented for employees who are joiners and leavers.

3.         The Processor deactivates authentication credentials from employees who are leavers and reviews its access directory periodically

4.         O365 access is managed by the Processor’s information technology department

5.         All server access is IP locked, using the Key and password.

–    The Processor ensures that where more than one individual has access to systems containing Customer Data, the individuals have separate identifiers/log-ins.

Least Privilege

–    Customer support personnel are only permitted to have access to Customer Data when needed.

–    The Processor restricts access to Customer Data to only those individuals who require such access to perform their job function.

Integrity and Confidentiality

–    The Processor instructs its personnel to disable administrative sessions when leaving premises that the processor controls or when computers (used by the Processor’s personnel) are otherwise left unattended.

–    The Processor stores passwords in a way that makes them unintelligible while they are in force.

Authentication

–    The Processor uses industry standard practices to identify and authenticate users who attempt to access information systems.

–    Where authentication mechanisms are based on passwords, the Processor requires that the passwords are renewed regularly.

–    Where authentication mechanisms are based on passwords, the Processor requires the password to be at least eight characters long, with complexity requirements.

–    The Processor ensures that de-activated employees (former employees) are not granted access to data or premises.

Information Security Incident Management

Incident Response Process

–    The Processor has a procedure in place for reporting security breaches.

–    A major incident policy is in place for the event of such breaches.

Service Monitoring. The Processor reviews monitoring logs periodically.

Business Continuity Management

–    The Processor maintains a business continuity plan to ensure customers have access to services in the event of environmental or physical building access issues.

Digital Dictation

Physical Security

The digital dictation front-end, DIT3, and back-end, DIT3.5, are hosted at an NHS IGT level 3 certified data centre located in Reading in partnership with Redcentric. As an existing supplier to the NHS, Redcentric are ideally placed to provide the secure and reliable service required when hosting sensitive data. The data centre is ISO27001 compliant and Dictate IT are provisioned with a dedicated cabinet with restricted access.

 

A summary of the key features offered by the Redcentric service is outlined below:

·          Geographic Diversity – Data centres in London, Reading and Harrogate

·          Private Suite – Variable-sized secure suites to host multiple pods

·          Colocation – Lockable pods within fully secure Colocation rooms

·          Physical Security – Employment of strict security policies complemented with card readers and video surveillance providing full audit control and logging.

·          Redundant Power – Redundant UPS with automatic transfer to permanent onsite generators with power configured to an N+1 standard

·          Heating, Ventilation & Air Conditioning (HVAC) – Installed to N+1 standard, providing a monitored consistent temperature and humidity environment

·          Diverse Fibre Entry – Diverse fibre entry into the data centres and multiple common raisers to diversely located telecommunication “meet me rooms” from multiple carriers

·          Security – State of the art physical and access security, including photo ID cards and restricted access to the data centres

 

 

 

Digital Dictation

Cyber Security

Redcentric provide managed security access to the HSCN network and enhanced protection against external threats such as Distributed Denial of Service (DDoS) attacks. Within the Dictate IT environment, network security is managed by next generation firewalls that support intelligent advanced threat management, which detects and prevents malware, botnets and intrusions at the network perimeter. Beyond the firewall, there are 3 layers of network security: an internet facing DMZ server, an application server for the business logic and separate database servers that host each customer’s data. Each of these network layers is configured with its own VLAN, with access across layers limited to specific ports. Depending on the customer’s requirement, access to the digital dictation platform can be via the internet or restricted to the N3 network only. Dictate IT employ SSL 256-bit AES encryption for all data in transit.

 

ASR Software

Physical Security

The ASR software is hosted at AWS, where Dictate IT can rapidly increase server resources as required to support the high computational demand of speech to text conversion. Dictate IT hosts the ASR service in the AWS London region and ensures that no customer data will be held outside of this region. All databases are configured for multi-AZ deployment, meaning they are replicated to another availability zone in the London region to provide high availability.

A summary of the key features offered by the AWS service is outlined below:

·          Fully redundant electrical power systems which are maintainable without impact to operations 24 hours a day

·          Climate and temperature controls monitored and maintained 24/7

·          Fire detection using smoke detection sensors accompanied with fire suppression systems

·          Leakage detection to detect water and prevent ongoing damage

·          Security – CCTV at all locations, separate processes for employee and 3rd party data access, intrusion detection.

·          ISO27001 accredited

ASR Software

Cyber Security

The Dictate IT AWS account is segregated into multiple organisations with each organisation dedicated to supporting a single product environment. This ensures that each organisation is configured with its own specific security and approved user access.

The ASR product is deployed in a dedicated organisation with all components deployed in a dedicated virtual private cloud (VPC). Access to the VPC is limited to other Dictate IT components, with external connections facilitated by an Elastic Load Balancer using SSL 256-bit AES encryption for all data in transit.

Outsourced Transcription via DIT3.5

Transcription team access to the Dit3.5 platform is via a desktop client installed on the user’s local machine. Users download ‘Jobs’ assigned to their transcription queue; the data is encrypted locally in the Dit3.5 desktop client and is subsequently deleted after the user has completed the transcription. All communication between the desktop clients and the server is via HTTPS, encrypted by SSL 256-bit encryption in transit.

End point security for user PCs is provided by BitLocker for hard disk encryption, Bitdefender for anti-virus and Windows security updates set to maximum deferral of 5 days. The Dit3.5 desktop client is installed and removed on the user’s PC in accordance with the employee leaver/joiner process. The audit process of the above is continuous and is supported by Datto Remote Monitoring Management (RMM).

Administrator access is also provided to a restricted group of users via a web client that enables these users to make configuration changes to the application. User accounts are configured via the administration portal and accounts are assigned privilege based roles as appropriate.

All system users involved in this processing activity receive regular data protection and information security training.

The Processor and Sub processors host a full suite of data protection and information security policies.

 

 

 

Support Services

Physical Security

The supporting platform, Avaya, and the servers are hosted at the Processor’s headquarters in Dublin in partnership with Welltel. Communication and voice traffic flows as encrypted data between the servers and the client locations, encrypted by the VPN. This site follows the ISO27001 processes, and the servers for Avaya are provisioned with a dedicated cabinet with restricted access.

 

A summary of the key measures that we applied on this platform is outlined below:

·          Physical Security – Employment of strict security policies complemented with card readers and video surveillance providing full audit control and logging.

·          Redundant Power – Redundant UPS with automatic transfer to permanent onsite generators with power configured to an N+1 standard

·          Heating, Ventilation & Air Conditioning (HVAC) – Installed to N+1 standard, providing a monitored consistent temperature and humidity environment

·          Diverse Fibre Entry – Diverse fibre entry into the data centres and multiple common raisers to diversely located telecommunication “meet me rooms” from multiple carriers

·          Security – State of the art physical and access security, including photo ID cards and restricted access to the data centres

 

Support Services

Cyber Security

The Processor has deployed the necessary measures and enhanced protection against external threats such as Distributed Denial of Service (DDoS) attacks. Within the Avaya environment, network security is managed by next generation firewalls that support intelligent advanced threat management, which detects and prevents malware, botnets and intrusions at the network perimeter. Beyond the firewall, there are 3 layers of network security: an internet facing DMZ server, an application server for the business logic and separate database servers that host each customer’s data. Each of these network layers is configured with its own VLAN, with access across layers limited to specific ports. Depending on the customer’s requirement, access to the digital dictation platform can be via the internet or restricted to the CWH network only. We employ SSL 256-bit AES encryption for all data in transit.

Outsourced Support Services – Avaya Desktop

The Processor’s support personnel access the Avaya platform via a desktop client installed on the user’s local machine. The Processor’s support personnel receive the calls assigned to them; the data is encrypted locally in the Avaya desktop client and is subsequently deleted after the user has completed the call. All communication between the desktop clients and the server is via HTTPS, encrypted by SSL 256-bit encryption in transit.

End point security for user PCs is provided by BitLocker for hard disk encryption, ESET for anti-virus and Windows security updates set to maximum deferral of 5 days. The Avaya desktop client is installed and removed on the user’s PC in accordance with the employee leaver/joiner process. The audit process of the above is continuous and is supported by Datto Remote Monitoring Management (RMM).

Administrator access is also provided to a restricted group of personnel via a web client that enables these personnel to make configuration changes to the application. User accounts are configured via the administration portal and accounts are assigned privilege based roles as appropriate.

All system users involved in this processing activity receive regular data protection and information security training.

The Processor and Sub processors host a full suite of data protection and information security policies.

Both Dictate IT and British Orient Infotel Private Limited (BOIPL) are certified to ISO 27001.

APPENDIX 3

Messaging Terms and Conditions

  • Definitions and interpretation
    • In this Schedule:
Unless otherwise stated to the contrary or as otherwise defined herein, defined terms used or referred to in this schedule shall have the same meaning as in the Agreement, in this Schedule:
Agreement means the software end user licence and support terms and conditions relating to the use of the Software;
Applicable Law means applicable laws of the European Union (EU), the European Economic Area (EEA) or any of the EU or EEA’s member states from time to time together with applicable laws in the United Kingdom from time to time;
Business Day means a day other than a Saturday, Sunday or bank or public holiday in England and / or Dublin, Ireland (as the case may be);
Data Protection Laws in this Schedule means all Applicable Laws relating to the processing, privacy and/or use of Personal Data, as applicable to either party or the Services, including the following laws to the extent applicable in the circumstances:

(a)                   the GDPR;

(b)                   the Irish Data Protection Act 2018;

(c)                   the UK Data Protection Laws;

(d)                   any laws which implement any such laws; and

(e)                   any laws which replace, extend, re-enact, consolidate or amend any of the foregoing (including where applicable, the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 as modified by applicable domestic law from time to time);

Force Majeure means an event or sequence of events beyond a party’s reasonable control preventing or delaying it from performing its obligations under this schedule, including any matters relating to transfer of data over public communications networks and any delays or problems associated with any such networks or with the internet;
Intellectual Property Rights means in respect of the Service, any and all copyright, rights in inventions, patents, know-how, trade secrets, trade marks and trade names, service marks, design rights, rights in get-up, database rights and rights in data, domain names and all similar rights and, in each case whether registered or not;
Network Operator means any telecommunications network operator;
Permitted Purpose means use solely for the Customer’s business operations and also for the internal business of operations of the Customer, in each case in accordance with this Schedule. Permitted Purpose expressly excludes any of the following to the maximum extent permitted by law:

(a) copying, reproducing, distributing, redistributing, transmitting, modifying, adapting, editing, abstracting, selling, licensing, leasing, renting, assigning, transferring, disclosing (in each case whether or not for charge) or in any way commercially exploiting any part of any Service;

(b) permitting any use of any Service in any manner by any third party (including permitting use in connection with any timesharing or service bureau, outsourced or similar service to third parties or making any Service (or any part) available to any third party or allowing or permitting a third party to do any of the foregoing (other than to the Authorised Users for the Permitted Purpose));

(c) combining, merging or otherwise permitting any Service to become incorporated in any other program or service, or arranging or creating derivative works based on it (in whole or in part); or

(d) attempting to reverse engineer, observe, study or test the functioning of or decompile the Services (or any part),

except as expressly permitted under this Schedule.

Policies means each of the following:

(a) the Text Message Supplier’s policy on acceptable use of the Services from time to time (the Acceptable Use Policy);

(b) the Text Message Supplier’s policy on information security as amended and updated from time to time (the Information Security Policy);

(c) the Text Message Supplier’s privacy policy as amended and updated from time to time (the Privacy Policy),

as may be updated from time to time and available at www.esendex.co.uk

Regulator means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority;
Service(s) means the communication services relating to a Transaction provided by the Text Message Supplier and used by the Customer using the Software;
Schedule means the terms and conditions set out in the clauses and other provisions of this schedule;
Text Message Supplier means Commify UK Limited (trading as Esendex) a company registered in England and Wales with registration number 04217280 whose registered office address is at 20 Wollaton Street, Nottingham NG 1 5FW;
Transaction means (i) any SMS, RCS, MMS, email, voice or other format message sent or received; (ii) any voicemail received; (iii) any voice call made or received; (iv) any GSM or GPS device detection; and (v) any other form of communication accessed or engaged in, using the service.
  • Rights of use
    • The provisions of this Schedule apply to the Customer in respect of the Customer’s use of the Services.
    • Upon using the text message service or otherwise sending a Transaction, you agree to be bound by the terms of these terms and conditions and you are granted a non-exclusive, non-transferable, sub-licence to use each Service for the Permitted Purpose.
    • The Customer hereby agrees to:
      • ensure only Authorised Users use the Services and that such use is at all times in accordance with these terms and conditions;
      • ensure Authorised Users are, at all times whilst they have access to the Services, the Customer’s employees or contractors;
      • keep and maintain a list of all Authorised Users;
      • ensure that your account (and account details) cannot be used by more than one medical practice at the same time;
      • at all times comply with the terms of this Agreement (including this Schedule);
      • maintain a confidential password or access details for any Service and not share that password with any third party other than with Authorised Users.
    • The Customer shall:
      • be liable for the acts and omissions of the Authorised Users as if they were its own; and
      • only provide Authorised Users with access to the Services via the access method provided by the Supplier (or the Text Message Supplier as the case may be) and shall not provide access to (or permit access by) anyone other than an Authorised User.
    • The Customer acknowledges that use of the Services is at all times subject to the Customer’s compliance with the Agreement and this Schedule.
  • Support
    • In respect of the Services, support services shall be available during the hours of 0900-17.30 on a Business Day and in accordance with the Support Services provided by the Supplier.
  • Changes to services and terms
    • You acknowledge that the Text Message Supplier may update the Policies and you agree to be bound by the terms of and comply with those Policies.
    • The Customer acknowledges that the Text Message Supplier shall be entitled to modify the features and functionality of the Services.
    • The Text Message Supplier may replace virtual mobile numbers from time to time.
    • SMS message fees are charged on a per SMS basis. Each SMS is a set of systematized textual and numeric characters (text) of up to 160 characters when using the GSM alphabet. Some symbols constitute more than one character (as more particularly set out at https://support.esendex.co.uk/sms/long-message-can-send/). If message text exceeds 160 characters, it shall be charged as more than 1 SMS. If the GSM alphabet is not used, the character limit for 1 SMS shall be less than 160 characters.
    • By sending a Transaction (whether or not such Transaction is received), the Customer shall be liable for the costs of the Transaction, payable to the Supplier and in accordance with the Supplier’s payment terms.
    • Fees shall be incurred for each Transaction submitted whether or not such Transaction is received by the intended recipient of a Transaction.
    • Fees for Transactions may be increased on notice to the Customer.
    • Any pre-paid Transaction credit purchased or Transaction balance shall be non-refundable and shall expire 12 months after the date purchased.
    • The Services may be subject to delays, interruptions, errors or other problems resulting from use of the internet or public electronic communications networks used by the parties or third parties. The Customer acknowledges that such risks are inherent in communications services and that neither the Supplier or Text Message Supplier shall have any liability for any such delays, interruptions, errors or other problems.
    • The Customer acknowledges that neither the Supplier or Text Message Supplier has any liability or obligations (howsoever arising whether under contract, tort, in negligence or otherwise) in relation to:
      • the content of Transactions; or
      • without prejudice to clause 6.1.3, the Services being free of minor errors or defects.
    • Customer’s responsibilities
      • The Customer agrees and shall ensure that Authorised Users shall at all times comply with all applicable laws, rules and regulations relating to the use or receipt of the Services, including the Data Protection Laws.
      • The Customer shall at all times comply with the Policies.
      • The Customer shall:
        • reasonably co-operate with the Supplier and/or Text Message Supplier in all matters relating to the Services;
        • provide, in a timely manner, such information as the Supplier and/or Text Message Supplier may reasonably require in order to provide the Services;
        • provide the Supplier and/or Text Message Supplier with reasonable and available information if requested by a Network Operator and/or Regulator relating to a Customer’s use of the Services.
      • The Customer shall defend, indemnify and hold harmless the Supplier and the Text Message Supplier against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with any claim by a third party in connection with the content of a Transaction or the use of the Service.
      • Clauses 1 to 5.4 (inclusive) shall survive termination or expiry of the Agreement.
    • Intellectual Property
      • All Intellectual Property Rights in and to the Services belong to and shall remain vested in the Text Message Supplier or the relevant third party owner. To the extent that the Customer or any person acting on its or their behalf acquires any Intellectual Property Rights in the Services, the Customer shall assign or procure the assignment of such Intellectual Property Rights with full title guarantee (including by way of present assignment of future Intellectual Property Rights) to the Text Message Supplier or such third party as the Text Message Supplier may elect. The Customer shall execute all such documents and do such things as the Supplier and/or Text Message Supplier may consider necessary to give effect to this clause 1.
      • Except for the rights expressly granted in this Schedule, the Customer and its direct and indirect sub-contractors, shall not acquire in any way any title, rights of ownership, or Intellectual Property Rights of whatever nature in the Services and no Intellectual Property Rights of either party are transferred or licensed as a result of this Schedule or the Agreement.
      • This clause 6 shall survive the termination or expiry of the Agreement.
    • Customer Systems and Customer Data
      • The Customer acknowledges that neither the Supplier or the Text Message Supplier has any control over any Customer Data hosted as part of the provision of the Services and will not actively monitor the content of your data. The Customer acknowledges that the Customer is responsible for the accuracy, quality, integrity and legality of the Customer Data and that its use (including use in connection with the Service) complies with all applicable Data Protection Laws and Intellectual Property Rights.
      • The Customer acknowledges that the Text Message Supplier makes use of automated fraud detection on receipt of the Customer Data to protect end-users from fraudulent or otherwise deceptive conduct.
      • If the Supplier or the Text Message Supplier becomes aware that any of your data does not comply with the Acceptable Use Policy or any other part of this Schedule, the Supplier (or the Text Message Supplier) shall have the right to permanently delete or otherwise remove or suspend access to the relevant Customer Data which is suspected of being in breach of any of the foregoing from the Services and/or, if required by law, disclose Customer Data to law enforcement.
      • Neither the Supplier or the Text Message Supplier shall be liable for consequential, indirect or special losses.
    • Suspension
      • The Supplier or Text Message Supplier may suspend access to the Services on reasonable notice if:
        • the Supplier or Text Message Supplier reasonably suspects that there has been any material misuse of the Services or breach of this Schedule;
        • a Network Operator or Regulator requires it;
        • the Customer (or any third party) significantly exceeds its usual volumes of Transactions and has not provided the Supplier or Text Message Supplier with reasonable prior notice; or
        • the Customer fails to pay any sums due in respect of the Services.
      • Where the reason for the suspension is suspected misuse of the Services or breach of these terms, the Supplier or Text Message Supplier, may terminate the Services and may at its discretion take steps to investigate the issue and may restore or continue to suspend access.
    • Termination of the Services
      • Notwithstanding that the Supplier or Text Message Supplier may terminate (or suspend access without notice), the Customer may terminate the Services on 60 days prior written notice.
    • Consequences of termination of the Services
      • Immediately on termination or expiry of this Schedule (and/or the Agreement if applicable) (for any reason), the rights granted by the Customer under this Schedule shall terminate and the Customer shall:
        • stop using the Services; and
        • pay all outstanding fees due and payable.
      • Termination or expiry of this Schedule (and/or the Agreement if applicable) shall not affect any accrued rights and liabilities of a party at any time up to the date of termination or expiry and shall not affect any provision of this Schedule that is expressly or by implication intended to continue beyond termination.
      • Except as expressly provided in this Schedule, the Supplier or Text Message Supplier (as the case may be) may at any time assign, sub-contract, sub-licence (including by multi-tier), transfer, mortgage, charge, declare a trust of or deal in any other manner with any or all of its rights or obligations under this Schedule.
      • The Customer acknowledges that the Supplier or Text Message Supplier are independent and are not partners or principal and agent and that no joint venture, trust, fiduciary or other relationship is established between them, other than the contractual relationship expressly provided for in it. The Supplier does not represent that it has any authority to make any commitments on behalf of the Text Message Supplier.
      • If any provision of this Schedule (or part of any provision) is or becomes illegal, invalid or unenforceable, the legality, validity and enforceability of any other provision of this Schedule shall not be affected.
      • If any provision of this Schedule (or part of any provision) is or becomes illegal, invalid or unenforceable but would be legal, valid and enforceable if some part of it was deleted or modified, the provision or part-provision in question shall apply with such deletions or modifications as may be necessary to make the provision legal, valid and enforceable. In the event of such deletion or modification, the parties shall negotiate in good faith in order to agree the terms of a mutually acceptable alternative provision.
      • No failure, delay or omission by either the Supplier or the Text Message Supplier in exercising any right, power or remedy provided by law or under this Schedule shall operate as a waiver of that right, power or remedy, nor shall it preclude or restrict any future exercise of that or any other right, power or remedy.
      • No single or partial exercise of any right, power or remedy provided by law or under this Schedule shall prevent any future exercise of it or the exercise of any other right, power or remedy.
      • Neither the Supplier or the Text Message Supplier shall be in breach of this Schedule nor liable for delay in performing, or failure to perform, any of its obligations under this Schedule if such delay or failure results from a Force Majeure.
      • The Supplier shall have no liability to the Customer in respect of the provision of the Services.
      • In respect of the Services, in the event of any conflict between the provisions of the Agreement and this Schedule, the provisions of this Schedule shall apply.