Data Processing Agreement

Last updated on

This page sets out Patient Watch Ltd’s standard data processing terms where another organisation uses Patient Watch and is the data controller for the relevant dataset or project.

These terms are intended to satisfy Article 28 UK GDPR requirements and form part of the agreement between Patient Watch Ltd (“Processor”, “we”, “us”) and the organisation that determines the purposes and means of processing (“Controller”), where incorporated into an order form, master services agreement, or other signed commercial terms.

This page does not replace the need to confirm the actual controller / processor roles for each deployment. In some situations, as described in our Privacy Policy, Patient Watch Ltd may act as a controller for separate processing activities of its own.

1. Scope

  1. We process personal data only on the Controller’s documented instructions, unless required to do otherwise by law.
  2. The Controller remains responsible for determining:
  • the lawful basis for processing;
  • any Article 9 condition and DPA 2018 Schedule 1 condition where required;
  • the content of participant notices, consent materials, and governance approvals;
  • whether Patient Watch acts as processor, controller, or joint controller for the relevant activity.

2. Details of Processing

The exact processing details should be confirmed in the relevant contract, protocol, order form, or implementation paperwork. Typical details are:

  • Subject matter: Provision of the Patient Watch webapp and related support services.
  • Nature of processing: Collection, hosting, organisation, storage, retrieval, export, and deletion of research, audit, or service delivery data on the Controller’s instructions.
  • Purpose: Delivery of digital questionnaires, diaries, reminders, role-based access, reporting, and related support services.
  • Duration: For the term of the relevant agreement, plus any agreed transition, return, backup, or deletion period.
  • Data subjects: Patients, research participants, clinicians, researchers, administrators, and other authorised users.
  • Personal data categories: Identity and contact details, account and access metadata, questionnaire responses, diary entries, clinical or health-related data, and any other categories configured by the Controller.
  • Special category data: May include health data where the Controller configures Patient Watch for research, care, audit, registry, post-market surveillance, or similar use cases.

3. Confidentiality and Instructions

  1. We ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations.
  2. We will promptly inform the Controller if, in our opinion, an instruction infringes applicable data protection law, unless prohibited by law from doing so.

4. Security Measures

  1. We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
  2. Our current security measures are described in our Data Security & Privacy page and related due diligence materials.
  3. As part of our standard deployment, patient data is hosted in the United Kingdom, unless otherwise agreed in writing.

5. Sub-processors

  1. The Controller gives general authorisation for us to use sub-processors to support the Service.
  2. We remain responsible for ensuring that any sub-processor engaged for the Service is bound by written terms that provide data protection obligations no less protective than those set out in this page, so far as applicable to the services provided.
  3. Information about relevant hosting and infrastructure arrangements is provided through our contract, due diligence materials, and related legal or security documentation.

6. Assistance to the Controller

Taking into account the nature of the processing and the information available to us, we will assist the Controller with:

  • data subject rights requests;
  • personal data breach investigation and notification support;
  • information reasonably required for DPIAs and, where relevant, prior consultation with a regulator;
  • return, export, deletion, or restricted processing of data where contractually required.

7. International Transfers

  1. Our standard deployment is UK-hosted.
  2. We will not transfer personal data outside the United Kingdom except:
  • on the Controller’s documented instructions;
  • where necessary to comply with law; or
  • where an appropriate transfer mechanism and supplementary measures are in place as required by applicable law.
  3. Where a transfer outside the UK is proposed, the parties should document the destination, transfer mechanism, and any required transfer risk assessment in the relevant contract or data protection paperwork.

8. Audit Information

  1. We will make available to the Controller information reasonably necessary to demonstrate compliance with our Article 28 obligations.
  2. Where the Controller reasonably requires additional assurance, the parties may agree an audit or review process that is proportionate, protects the confidentiality and security of other customers and systems, and avoids disruption to the Service.

9. Return and Deletion

  1. On termination of the relevant services, we will delete or return personal data in accordance with the Controller’s instructions, the contract, and applicable law.
  2. Backup or residual copies may be retained for limited periods where required for security, business continuity, legal, or regulatory reasons, after which they will be securely deleted in the normal course.

10. Contact

For contractual, privacy, or data protection queries relating to these terms, contact info@patient-watch.com.