GDPR Annex to Commercial Contracts
ANNEX (UK GDPR)
Agreed terms
1. Interpretation and Priority
1.1 This Annex shall have effect as if set out in full in the body of the Contract and shall hereby be an indivisible part thereof.
1.2 Where conflict arises between this Annex and the Contract or any schedule thereto, the provisions in this Annex shall prevail.
1.3 The following definitions and rules of interpretation apply in this Annex.
Agreed Purposes: compliance with obligations under terms of the Contract.
Annex: this annex to the Contract.
Contract: the agreement to which this Annex is annexed. For the avoidance of doubt this Annex shall be included and incorporated into the Contract and form an indivisible part thereof for the purposes of references to the Contract in this Annex.
Controller, data controller, processor, data processor, data subject, personal data, processing and appropriate technical and organisational measures: as set out in the Data Protection Legislation in force at the time.
Data Protection Legislation: all legislation and regulatory requirements in force from time to time relating to the use of personal data and the privacy of electronic communications, including, without limitation (i) any data protection legislation from time to time in force in the UK including the Data Protection Act 2018 or any successor legislation, as well as (ii) the General Data Protection Regulation ((EU) 2016/679), including as retained in the UK, and any other directly applicable European Union regulation relating to data protection and privacy.
MAHL: My Anna Health Limited, a company registered in the territory of England and Wales, with company registration number 15492390 and with its registered office at 18 Foster Crescent, Silverdale, Newcastle, ST5 6SW, Staffordshire, UK.
Permitted Recipients: You, Your employees and any third parties engaged or contracted by You.
Shared Personal Data: the personal data to be shared between the parties under the Contract. Shared Personal Data shall be confined to the following categories of information relevant to the following categories of data subject: name, email address, diagnosis made by software owned and operated by MAHL, symptoms or other medical history provided to MAHL by the data subject.
You: each and every party to the Contract other than MAHL, whereby each and every party to the Contract is hereby deemed to have entered into a separate Annex.
1.4 Otherwise than as stated above, definitions and interpretation of the Contract shall apply.
2. Data protection
2.1 The provisions which follow set out the framework for the sharing of personal data between the parties. You acknowledge that MAHL will regularly disclose to You Shared Personal Data (or part thereof) collected by MAHL. Such data will be shared for the Agreed Purposes. You shall:
(a) where required give full information to any data subject whose personal data may be processed under the Contract of the nature of such processing. This includes giving notice that, on the termination of the Contract, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Data Recipients, their successors and assigns;
(b) process the Shared Personal Data only for the Agreed Purposes;
(c) not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;
(d) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding than those imposed by the Contract;
(e) ensure that You have in place appropriate technical and organisational measures, reviewed and approved by MAHL, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
(f) not transfer any personal data received from MAHL outside the EEA (other than to the United Arab Emirates) unless the transferor:
(i) complies with the provisions of Article 26 of the GDPR (in the event the transferee is a joint controller); and
(ii) ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer.
2.2 Compliance. You shall comply with the Data Protection Legislation and agree that any material breach of the Data Protection Legislation shall give grounds to MAHL to terminate the Contract with immediate effect.
2.3 Mutual assistance. You shall assist MAHL in complying with all applicable requirements of the Data Protection Legislation. In particular, You shall:
(a) consult with MAHL about any notices given to data subjects in relation to the Shared Personal Data;
(b) promptly inform MAHL about the receipt of any data subject access request;
(c) provide MAHL with reasonable assistance in complying with any data subject access request;
(d) not disclose or release any Shared Personal Data in response to a data subject access request without first consulting MAHL wherever possible;
(e) assist MAHL in responding to any request from a data subject and in ensuring compliance with Your obligations under the Data Protection Legislation with respect to security, personal data breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators;
(f) notify MAHL without undue delay on becoming aware of any breach of the Data Protection Legislation;
(g) at the written direction of MAHL, delete or return Shared Personal Data and copies thereof to MAHL on termination of the Contract unless required by law to store the personal data;
(h) use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers.
2.4 Indemnity. You shall indemnify MAHL against all claims and proceedings and all liability, loss, costs and expenses incurred by MAHL as a result of any claim made or brought by a data subject or other legal person in respect of any loss, damage or distress caused to them as a result of any breach of the Data Protection Legislation by You, Your employees or agents, provided that MAHL gives You prompt notice of such claim, full information about the circumstances giving rise to it and reasonable assistance in dealing with the claim at Your cost. Liability under this clause shall be subject to any limitations on liability as in the Contract, save that no limitation to liability shall be aggregated and each and every counterparty to the Contract shall be liable to any limit as set therein as if it were the sole counterparty to the Contract.