UKE & MEA Annex
UNITED KINGDOM, EUROPEAN UNION, MIDDLE EAST REGIONAL ANNEX
This Annex forms part of the Agreement if the place of business of the Customer as specified in the Quote is in the United Kingdom, the European Union, Saudi Arabia or any country not listed in the table at clause 27.2 of the Service Terms.
1 INTERPRETATION AND DEFINITIONS
1.1 In this Annex:
any reference to a statute, statutory provision, subordinate legislation or code of practice is a reference to that statute, statutory provision, subordinate legislation or code of practice as amended, modified, consolidated or re-enacted from time to time; and reference to any statutory provision includes a reference to any subordinate legislation made under that provision from time to time, including in the case of EU law all decisions of the European Commission published as such in the Official Journal of the European Union;
“2018 Act” means the UK Data Protection Act 2018;
“Description of Processing” means the description of Processing referred to in the Quote or as otherwise agreed in writing by the parties as part of the Agreement;
“DPPEC Regulations” means the UK Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019;
“GDPR” means (a) in the case of RLDatix, or in the case of any Customer whose place of business is in the United Kingdom or which offers goods or services to or monitors the behaviour of Data Subjects in the United Kingdom, UK GDPR with effect on and after 1 January 2021 (Central European Time); and (b) in all other cases and at all other times, EU GDPR;
“EU GDPR” means the General Data Protection Regulation 2016 (Regulation (EU) 2016/679);
“UK GDPR” means all applicable laws and regulations relating to the processing of personal data and privacy in force in the United Kingdom from time to time, including (with effect from midnight on 1 January 2021 (Central European Time)) the EU GDPR and the 2018 Act as both amended by the DPPEC Regulations;
“Standard Contractual Clauses” means a written agreement containing clauses in the form of (a) the standard contractual clauses (controller to processor) for the transfer of personal data to third countries as set out in the Annex to Commission Decision 2010/87/EU, or such replacement or alternative clauses as may be published from time to time pursuant to a subsequent decision by the European Commission;
a “Restricted Country” means any country of the world which at the relevant time is not (a) within the European Economic Area; nor (b) the subject of an adequacy decision by the European Commission pursuant to Article 45 EU GDPR;
“RLDatix” means Datix Limited, registered in England and Wales with company number 02046379;
“Sub-Processor” means as defined in clause 11.4.2 of the Agreement, and
“Supplemental Provisions” means the supplemental provisions set out at Clause 3.4 of this Annex.
1.2 References in this Annex to Clauses are to Clauses of this Annex unless otherwise specified.
2.1 As an exception to the confidentiality provisions of the Service Terms the Customer irrevocably consents to RLDatix revealing its findings from any audit process to the Health and Social Care division of the NHS.
3 DATA PROTECTION
3.1 This Clause 3 applies and forms part of the Agreement only to the extent that GDPR applies to the Processing of any Customer Personal Data.
3.2 This Clause applies in respect of Processing of Customer Personal Data by RLDatix, in circumstances in which (a) the Customer is subject to EU GDPR and (b) the United Kingdom is not within the European Economic Area nor the subject of an adequacy ruling pursuant to Article 45 of the GDPR. Where this Clause applies:
3.2.1 RLDatix and the Customer shall execute the Standard Contractual Clauses, in which respect the Customer shall be the ‘data exporter’ and RLDatix shall be the ‘data importer’; and the parties shall accurately and fully complete all other relevant details (including the Appendices to the Standard Contractual Clauses), but provided that all optional indemnifications shall be excluded; and the Parties hereby undertake to execute any replacement or updated Standard Contractual Clauses and/or additional provisions thereto as may be required from time to time in order for each of them to comply with their respective continuing obligations under GDPR; and
3.2.2 RLDatix shall upon the Customer’s written request provide reasonable cooperation and assistance (at the Customer’s cost and expense) in relation to any assessment by the Customer of the laws and practices of the United Kingdom insofar as they affect (or may affect) such Processing and which interfere (or may interfere) with the rights of any Data Subjects of such Customer Personal Data; and if the Customer reasonably concludes following such assessment, that additional protections are required to supplement the Standard Contractual Clauses in order to ensure that the protections afforded to Data Subjects of the Customer Personal Data are essentially equivalent to the guarantees provided under EU GDPR, then RLDatix shall upon the Customer’s written request enter into the Supplemental Provisions.
3.3 RLDatix shall ensure that, in respect of each Sub-Processor engaged by it which is established in or undertakes any Processing in a Restricted Country:
3.3.1 all transfers of Customer Personal Data to such Sub-Processor shall comply with Article 44 of the GDPR;
3.3.2 if necessary, RLDatix and such Sub-Processor shall have entered into contractual clauses which impose equivalent obligations on such Sub-Processor (as ‘data importer’) and RLDatix (as ‘data exporter’) as would be imposed by the corresponding provisions of the Standard Contractual Clauses, and which confer equivalent third-party rights and enforceable legal remedies on Data Subjects as those conferred on them by the corresponding provisions of the Standard Contractual Clauses;
3.3.3 if necessary, RLDatix shall have undertaken an assessment of the laws and practices of the country of the relevant Sub-Processor insofar as they affect (or may affect) such Processing and which interfere (or may interfere) with the rights of any Data Subjects of such Customer Personal Data; and if RLDatix has reasonably concluded following such assessment that supplemental clauses are required in addition to the contractual clauses to which such Sub-Processor is subject in order to ensure that the protections afforded to Data Subjects of the Customer Personal Data are essentially equivalent to the guarantees provided under GDPR, then RLDatix shall have required the Sub-Processor to enter into supplemental clauses substantially equivalent to the Supplemental Clauses; and
3.3.4 RLDatix shall upon the Customer’s written request provide a copy of the contractual clauses (if any), and a summary of the assessment and a copy of the supplemental clauses (if any), entered into with each such Sub-Processor.
Subject to the foregoing, the Customer hereby consents to all such transfers to such Sub-Processors.
3.4 The Supplemental Provisions, which apply to a Restricted Country to which Customer Personal Data is intended to be transferred or in which it is intended to be Processed (in this Clause a “Country of Import”), are as follows:
3.4.1 RLDatix shall (to the extent not already implemented) implement such further or additional encryption or other security technologies as are in RLDatix’s consideration reasonable and proportionate in the circumstances, which are designed to prevent or mitigate against mass and indiscriminate interception, surveillance or other processing of Customer Personal Data by or on behalf of any law enforcement, security, regulatory or other government authority or agency of the Country of Import (collectively “Country of Import Government Agency”);
3.4.2 RLDatix shall promptly notify the Customer if RLDatix has reasonable grounds to believe that any Customer Personal Data is being intercepted, accessed or otherwise processed (with or without RLDatix’s consent) by any Country of Import Government Agency; and, if requested by the Customer, RLDatix shall immediately suspend or terminate all further transfers of affected Customer Personal Data and/or (so far as reasonably possible) delete all affected Customer Personal Data from its records, servers and systems;
3.4.3 except where and to the extent prohibited by applicable law of the Country of Import, RLDatix shall promptly notify the Customer of any inquiry, communication, request or complaint (“Correspondence”) relating to RLDatix’s Processing of Customer Personal Data which is received from any Country of Import Government Agency, any Data Subject or any other person; and thereafter RLDatix shall provide all reasonable and proportionate co-operation and assistance to the Customer in respect of any response to or action in respect of the Correspondence. To the extent that such Correspondence amounts to a Data Production Request (as defined below) paragraph 3.4.4 below shall apply.
3.4.4 if RLDatix receives a request from any Country of Import Government Agency to disclose any Customer Personal Data Processed by RLDatix, whether or not in writing and whether or not referencing data protection law or identifying any specific Data Subjects, (a “Data Production Request”), it shall handle that Data Production Request in accordance with the following principles:
a) RLDatix shall not disclose any Customer Personal Data in response to a Data Production Request unless either it is under a compelling legal obligation to make such disclosure, or (having regard to the circumstances and the privacy rights of any affected Data Subjects) there is an imminent risk of serious harm that merits disclosure in any event (for example, in order to protect individuals’ vital interests);
b) where it is considered that disclosure of Customer Personal Data is required in response to a Data Production Request, RLDatix shall notify the Customer in advance (setting out all relevant details) and shall thereafter provide all reasonable co-operation with the Customer and (if requested and at the Customer’s cost and expense) assist the Customer with any application to protect against disclosure of Customer Personal Data;
c) save where the imminent risk of serious harm prohibits prior notification, RLDatix shall in addition consult with the relevant Supervisory Authority in respect of the Data Production Request, and at all times thereafter cooperate with the Supervisory Authority and the Customer to deal with and address the Data Production Request; and shall if legally permissible place the Data Protection Request on hold in order to notify and consult with the Customer and the relevant Supervisory Authority;
d) in circumstances in which RLDatix is prohibited from notifying the relevant Supervisory Authority or suspending a Data Production Request, RLDatix shall use all reasonable endeavours (taking into account the nature, urgency, scope and validity of the Data Production Request) to inform the requesting Country of Import Government Agency as to its obligations under Data Protection Legislation; and RLDatix shall where reasonable and proportionate to do so seek to obtain a waiver of such prohibition;
e) RLDatix shall keep detailed, accurate and up-to-date records relating to its efforts and communications with the requesting Country of Import Government Agency and shall make available to the Customer on request all information necessary to demonstrate compliance with its obligations under this Clause 3.4.4 in respect of such Data Production Request; and
f) if RLDatix is prohibited from notifying the relevant Supervisory Authority in relation to a Data Production Request, RLDatix shall provide to the relevant Supervisory Authority (with a copy to the Customer) a confidential annual report, which summarises the number and type of Data Production Requests (to the extent known) it has received for the preceding year and the requesting Country of Import Government Agencies who made those requests;
PROVIDED ALWAYS THAT:
(i) nothing in this Clause 3.4 shall require RLDatix to take or refrain from or delay in taking any acts which would thereby create civil or criminal liability, whether under the laws of the Country of Import or otherwise, on the part of any RLDatix entity or any of its officers, sub-contractors or agents; and RLDatix’s obligations under this Clause shall be deemed qualified accordingly;
(ii) RLDatix shall to the fullest extent permissible under applicable law not be liable to the Customer in respect of any diminution, impairment, reduction in functionality, or non-availability of any of the Services, in whole or in part, or any suspensions or termination of transfers of, or deletion of, any Customer Personal Data, as a result of any acts or omissions taken or omitted to be taken by RLDatix pursuant to this Clause or at the Customer’s request in connection with the subject-matter of this Clause; and
(iii) RLDatix shall not in the performance of its obligations under this Clause be required to incur expenditure which is, in its reasonable consideration, excessive or disproportionate (having regard to all of the circumstances, including the nature of Customer Personal Data involved and the severity and likelihood of any impact on the privacy rights of any affected Data Subjects), save in circumstances in which the Customer has agreed in advance to reimburse RLDatix for such expenditure.
3.5 The Customer shall ensure that the Description of Processing at all times accurately reflects RLDatix's Processing of Customer Personal Data as a Processor for the Customer in relation to the Services. If the Customer requires changes to the Description of Processing it shall provide an amended version (a "Revised Description") to RLDatix. Such Revised Description shall be deemed to have replaced the Description of Processing within 5 days of RLDatix's written confirmation and the Agreement shall be deemed amended accordingly on that date. If (in RLDatix's reasonable opinion) a Revised Description or a change to the nature of the Processing under the Agreement ("Processing Change") materially changes the scope of the Services and would require a variation to the Charges then RLDatix shall promptly notify the Customer of the Processing Change and shall request confirmation from the Customer as to whether it wishes to affirm or withdraw such Processing Change and variation to the Charges. In the event that the Customer agrees to such Processing Change, RLDatix may vary the Charges accordingly to reflect the increased cost to RLDatix of providing the Services as a result of the Processing Change, by serving not less than 20 days' written notice in advance of such increase on the Customer.
3.6 The Customer shall be and remain solely responsible for determining the legal basis for the Processing of all Customer Personal Data under the Agreement.
4.1 The Customer acknowledges and agrees that, where the Customer receives an information request under the Freedom of Information Act 2000 (“FOIA”) in connection with the Agreement, the Customer will immediately notify the same to RLDatix, and, where the information request refers to RLDatix’s commercially sensitive information or Confidential Information, the Customer will allow RLDatix sufficient time to raise an objection to the extent, type and/or nature of disclosure requested, and will work with RLDatix to agree the form of disclosure.
4.2 RLDatix is not itself subject to the FOIA but shall assist and cooperate with the Customer to enable it to comply with its disclosure obligations under the FOIA.
4.3 Where RLDatix receives a request for information under the FOIA which relates to the Agreement which does not refer to RLDatix’s commercially sensitive information or Confidential Information, RLDatix will not respond to that request (unless directed to do so by the Customer) and will use its best endeavours to transfer the request to the Customer within two Business Days.
4.4 With the exception of RLDatix’s commercially sensitive information or Confidential Information, RLDatix agrees that the Agreement and any recorded information held by RLDatix on the Customer’s behalf for the purposes of the Agreement are subject to the obligations and commitments of the Customer under the FOIA.
4.5 RLDatix agrees that, save in respect of RLDatix’s commercially sensitive information or Confidential Information, the decision on whether any other exemption to the general obligations of public access to information applies to any request for information received under the FOIA is a decision solely for the Customer.
4.6 RLDatix acknowledges that the Customer, acting in accordance with the codes of practice issued and revised from time to time under section 45 of FOIA, may disclose information concerning RLDatix and the Agreement, save for RLDatix’s commercially sensitive information or Confidential Information.
4.7 RLDatix agrees to assist the Customer in responding to a request for information, by processing information (as defined in FOIA) in accordance with a records management system that complies with all applicable records management recommendations and codes of conduct issued under section 46 of FOIA, using reasonable endeavours to provide copies of all information requested by the Customer which is not exempted within five Business Days of that request and without charge.
5.1 RLDatix shall be entitled to increase the Annual Charge no more than once in each Year, by an amount which does not exceed the greater of the percentage increase in RPI (as published by the United Kingdom Office for National Statistics from time to time) in the preceding twelve month period and 5% (the first such increase being based on the latest available figure for the percentage increase in RPI at the beginning of the last month before the first anniversary of the Commencement Date).
5.2 Interest shall accrue on all overdue amounts due from one party to the other before as well as after any judgment at the rate of 3% per annum above the base lending rate from time to time of Lloyds TSB Bank Plc in the United Kingdom.
6 LIMITATION OF LIABILITY
6.1 The following provisions set out RLDatix's entire liability (including any liability for the acts and omissions of its employees, agents and sub-contractors) to the Customer.
6.2 All warranties, conditions, guarantees, rights and remedies not set out in the Agreement whether implied by any applicable statute or otherwise are excluded to the maximum extent permitted by law.
6.3 The Customer acknowledges that:
6.3.1 it will comply with all laws, rules and regulations (including any rules, codes of conduct or regulations which apply to the Customer’s particular business or industry);
6.3.2 the Services have not been designed to meet the Customer’s individual requirements;
6.3.3 it is the Customer’s responsibility to ensure that the Services are fit for the Customer’s purposes;
6.3.4 it is solely responsible for the content of any reports which are generated by the Services and that it is the Customer’s responsibility to ensure that reports generated are adequate for the Customer’s needs and purposes; and
6.3.5 any data which is inputted by the Customer while using the Services shall be in accordance with any instructions given by RLDatix, and shall be inputted accurately and properly.
6.4 Nothing in the Agreement shall limit or exclude RLDatix’s liability for:
6.4.1 death or personal injury caused by the negligence of RLDatix or its officers, employees, contractors or agents;
6.4.2 fraud or fraudulent misrepresentation; or
6.4.3 any other liability which may not be excluded by law.
6.5 Subject to Clause 6.4, RLDatix shall have no liability to the Customer in respect of any failure or delay by it to provide the Services in accordance with the Agreement where such failure or delay is attributable to any failure or delay by the Customer to comply with its obligations under the Agreement.
6.6 Subject to Clause 6.4, RLDatix shall not be liable under or in relation to the Agreement (whether such liability arises due to negligence, breach of contract, misrepresentation or otherwise) for any:
6.6.1 indirect, special or consequential loss or damage;
6.6.2 any form of exemplary or incidental loss or damages;
6.6.3 loss of profits or anticipated profit;
6.6.4 loss of sales, business, customers or revenue;
6.6.5 loss of goodwill or damage to reputation;
6.6.6 loss of contract;
6.6.7 loss of savings or anticipated savings;
6.6.8 loss of opportunity;
6.6.9 loss or corruption of data;
6.6.10 any loss or damage arising as a result of any loss of or corruption to data (whether temporary or permanent);
6.6.11 any loss or damage arising out of an inability to restore data due to the loss of or damage to any encryption key by the Customer;
6.6.12 loss or damage relating to or arising from any reliance on any report or data which is entered into or extracted out of the Services by the Customer; or
6.6.13 loss or damage relating to or arising from reliance on the Services by the Customer to meet any of the Customer’s legal obligations under any law or regulation (including, without limitation, health and safety law).
6.7 Subject to Clause 6.4, RLDatix shall not be liable in respect of any breach of the Agreement or for any representation, statement or tortious act or omission:
6.7.1 which results from any breach of the Agreement by, or any negligent act or omission of, the Customer; and/or
6.7.2 unless the Customer shall have served notice of the same upon RLDatix within six months of the date it became aware of it or, if earlier, the date when it ought reasonably to have become so aware; and/or
6.7.3 to the extent RLDatix remedies any breach of the Agreement within six months after being notified by the Customer of the breach.
6.8 Subject to Clause 6.4, neither RLDatix nor any of RLDatix’s affiliates or licensors will be responsible for any compensation, reimbursement, or damages arising in connection with:
6.8.1 the Customer’s inability to use the Services, including as a result of any (i) termination or suspension of the Customer’s use of or access to the Service Offerings, (ii) RLDatix’s discontinuation of any or all of the Service Offerings, or (iii) any unanticipated or unscheduled downtime of all or a portion of the Services for any reason;
6.8.2 the cost of procurement of substitute goods or services;
6.8.3 any investments, expenditures, or commitments by the Customer in connection with the Agreement or the Customer’s use of or access to the Service Offerings; or
6.8.4 any unauthorised access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of the Customer Content or other data.
6.9 Subject to Clause 6.4 any liability of RLDatix for any Losses, fines and penalties in connection with clause 11 of the Service Terms or Clause 3 of this Annex is limited to the extent that RLDatix is responsible for the event giving rise to the Losses, fines and penalties and RLDatix shall not have any liability to the extent the Customer is responsible for the Losses, fines and penalties.
6.10 Subject to Clause 6.4 and without prejudice to Clause 6.6, RLDatix’s liability for damage to or loss of physical property shall not exceed £30,000 (thirty thousand pounds) in respect of any one event or series of connected events giving rise to a claim for any such damage or loss.
6.11 Subject to Clause 6.4 and without prejudice to Clauses 6.6 and 6.10, the total aggregate liability of RLDatix to the Customer in connection with the provision of the Services or otherwise arising out of or in connection with the Services or the Agreement during each Year howsoever arising whether in contract, tort (including negligence) or otherwise shall be limited to the amount of Charges paid or payable by the Customer for the provision of the Services giving rise to the claim in question during the immediately preceding Year (or during the first Year the Charges paid and payable during that period) subject to a maximum amount of £1,000,000 (one million pounds) if lower than the actual amount of the Charges over that Year.
6.12 In the event that the provision of the Services (or part thereof) is terminated prior to the expiry of the Minimum Term or without compliance with the Notice Period (as applicable) other than by reason of the Customer exercising its right to terminate pursuant to clauses 15.3 or 15.5 of the Service Terms or should the Customer purport to terminate the provision of the Services without complying with the applicable provisions of the Agreement, none of the provisions of this Clause 6 shall operate so as to exclude RLDatix’s right to recover from the Customer the Charges which would have been payable by the Customer in respect of the Services up until the earliest point at which the Customer could have lawfully terminated the provision of the Services in accordance with the Agreement, provided that RLDatix shall be obliged to mitigate its loss in accordance with common law principles.
6.13 The Service Offerings are provided “as is.” Except as expressly provided in the Agreement, or to the extent prohibited by law, or to the extent any statutory rights apply that cannot be excluded, limited or waived, RLDatix and RLDatix’s affiliates and licensors:
6.13.1 make no representations or warranties of any kind, whether express, implied, statutory or otherwise regarding the Service Offerings or the Third Party content, and
6.13.2 disclaim all warranties, including any implied or express warranties (i) of merchantability, satisfactory quality, fitness for a particular purpose, non-infringement, or quiet enjoyment, (ii) arising out of any course of dealing or usage of trade, (iii) that the Service Offerings or Third Party content will be uninterrupted, error free or free of harmful components, and (iv) that any content will be secure or not otherwise lost or altered.
6.14 None of the provisions of this Clause 6 shall operate so as to exclude or limit RLDatix’s right to recover from the Customer the Charges which would have been payable by the Customer (including any element of the Charges which is profit).
6.15 The Customer acknowledges that the provisions of this Clause 6 are, taking into account all the circumstances and the ability of the parties to obtain insurance, reasonable in every respect.
6.16 The provisions of this Clause 6 shall survive any termination of the Agreement.