This page sets out Patient Watch Ltd’s standard data processing terms where another organisation uses Patient Watch and is the data controller for the relevant dataset or project.

These terms are intended to satisfy Article 28 UK GDPR and, where applicable, Article 28 EU GDPR requirements. They form part of the agreement between Patient Watch Ltd (“Processor”, “we”, “us”) and the organisation that determines the purposes and means of processing (“Controller”), where incorporated into an order form, master services agreement, statement of work, protocol, or other signed commercial terms.

This page does not replace the need to confirm the actual controller / processor roles for each deployment. In some deployments, a commissioning sponsor, participating healthcare organisation, clinician, site, registry, or other party may have different roles for different processing activities. In some situations, as described in our Privacy Policy, Patient Watch Ltd may act as a controller for separate processing activities of its own.

1. Scope

1. We process personal data only on the Controller’s documented instructions, including instructions set out in the relevant contract, statement of work, protocol, configuration choices, support request, or agreed written direction, unless required to do otherwise by applicable law.
2. If applicable law requires us to process personal data other than on the Controller’s instructions, we will inform the Controller before processing unless the law prohibits us from doing so on important grounds of public interest.
3. The Controller remains responsible for determining the lawful basis for processing; any Article 9 condition and DPA 2018 Schedule 1 condition where required; the content of participant notices, consent materials, and governance approvals; whether any international access or onward disclosure is permitted; and whether Patient Watch acts as processor, controller, or joint controller for the relevant activity.

2. Details of Processing

The exact processing details should be confirmed in the relevant contract, protocol, order form, statement of work, or implementation paperwork. Unless that paperwork states otherwise, the typical processing details are:

• Subject matter: Provision of the Patient Watch webapp and related support services.
• Nature of processing: Collection, recording, hosting, organisation, structuring, storage, adaptation, retrieval, consultation, use, export, transmission, restriction, deletion, and related support activities on the Controller’s instructions.
• Purpose: Delivery of digital questionnaires, diaries, reminders, role-based access, reporting, and related support services.
• Duration: For the term of the relevant agreement, plus any agreed transition, return, backup, or deletion period.
• Data subjects: Patients, research participants, clinicians, researchers, administrators, and other authorised users.
• Personal data categories: Identity and contact details, account and access metadata, questionnaire responses, diary entries, clinical or health-related data, and any other categories configured by the Controller.
• Special category data: May include health data where the Controller configures Patient Watch for research, care, audit, registry, post-market surveillance, or similar use cases.

3. Confidentiality and Instructions

1. We ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations.
2. We will promptly inform the Controller if, in our opinion, an instruction infringes applicable data protection law, unless prohibited by law from doing so.
3. We will ensure that authorised personnel process personal data only as necessary to provide, secure, support, and maintain the Service or as otherwise instructed by the Controller.

4. Security Measures

1. We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
2. Our current security measures are described in our Data Security & Privacy page and related due diligence materials.
3. As part of our standard deployment, patient data is hosted in the United Kingdom, unless otherwise agreed in writing.
4. Our measures are designed to include, as appropriate to the Service, encryption in transit and at rest, role-based access controls, access logging and audit trails, least privilege access for operational support, backup and business continuity arrangements, vulnerability management and security review processes, procedures for responding to suspected security incidents, and confidentiality obligations for personnel with access to personal data.
5. The Controller is responsible for configuring user access appropriately, maintaining accurate authorised-user details, and ensuring its own users handle exported data securely.

5. Sub-processors

1. The Controller gives general authorisation for us to use sub-processors to support the Service.
2. We remain responsible for ensuring that any sub-processor engaged for the Service is bound by written terms that provide data protection obligations no less protective than those set out in this page, so far as applicable to the services provided.
3. We will maintain information about relevant sub-processors, including the nature of the service provided and relevant hosting or infrastructure arrangements, through our Subprocessors summary, contract, due diligence materials, or related legal or security documentation.
4. Where we intend to add or replace a sub-processor in a way that materially affects the processing of personal data for the Controller, we will give reasonable prior notice through an agreed channel so the Controller can raise reasonable, data-protection-based objections.
5. If the Controller objects to a proposed sub-processor on reasonable data protection grounds, the parties will work in good faith to agree a commercially reasonable resolution, which may include alternative arrangements, additional safeguards, or termination of the affected services if no reasonable resolution is available.

6. Assistance to the Controller

Taking into account the nature of the processing and the information available to us, we will assist the Controller with:

• data subject rights requests;
• personal data breach investigation and notification support;
• information reasonably required for DPIAs and, where relevant, prior consultation with a regulator;
• return, export, deletion, or restricted processing of data where contractually required.

Where a data subject contacts us directly about personal data that we process as processor, we will, where reasonably possible and legally permitted, direct the request to the Controller or otherwise handle it on the Controller’s documented instructions.

7. Personal Data Breach

1. We will notify the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed under these terms.
2. Our notice will include information reasonably available to us at the time, which may include the nature of the breach, affected categories of data, likely consequences, measures taken or proposed, and a contact point for follow-up.
3. We will take reasonable steps to contain, investigate, and mitigate the breach and will provide further information as it becomes available, taking into account the nature of the processing and the information available to us.
4. The Controller remains responsible for determining whether any notification to a regulator, data subject, sponsor, site, ethics body, or other party is required, unless otherwise agreed in writing.

8. International Transfers

1. Our standard deployment is UK-hosted.
2. We will not transfer personal data outside the United Kingdom except on the Controller’s documented instructions, where necessary to comply with law, or where an appropriate transfer mechanism and supplementary measures are in place as required by applicable law.
3. Where EU GDPR applies and personal data is processed in the United Kingdom, the parties will document the relevant transfer basis, including any applicable adequacy decision or other lawful transfer mechanism.
4. Where a transfer or remote access outside the UK or EEA is proposed, including access by a sponsor, affiliate, support provider, or other third party, the parties should document the destination, purpose, transfer mechanism, safeguards, and any required transfer risk assessment in the relevant contract or data protection paperwork.
5. The Controller is responsible for ensuring that its own onward transfers, sponsor access, affiliate access, exports, or disclosures are lawful and covered by appropriate notices, permissions, governance approvals, and transfer mechanisms.

9. Audit Information

1. We will make available to the Controller information reasonably necessary to demonstrate compliance with our Article 28 obligations.
2. Where the Controller reasonably requires additional assurance, the parties may agree an audit or review process that is proportionate, protects the confidentiality and security of other customers, systems, personnel, and commercially sensitive information, and avoids disruption to the Service.
3. We may satisfy audit requests through appropriate written information, security documentation, policies, technical summaries, third-party assurance materials, questionnaires, meetings, or other reasonable evidence.
4. On-site or live-system audits must be agreed in advance, limited to what is reasonably necessary, subject to confidentiality obligations, and conducted in a way that does not compromise the security or availability of the Service.

10. Return and Deletion

1. On termination of the relevant services, we will delete or return personal data in accordance with the Controller’s instructions, the contract, and applicable law.
2. Backup or residual copies may be retained for limited periods where required for security, business continuity, legal, or regulatory reasons, after which they will be securely deleted in the normal course.
3. Where data must be retained for legal, regulatory, dispute, audit, or clinical governance reasons, we will continue to protect it in accordance with these terms and applicable law.
4. The Controller is responsible for deciding whether data should be retained, returned, anonymised, archived, or deleted at the end of a project, subject to applicable law and any agreed clinical, research, audit, or regulatory requirements.

11. Project-specific Schedules

For deployments involving multiple controllers, sponsors, sites, countries, special category data, regulatory submissions, post-market surveillance, or clinical governance requirements, the parties should complete a project-specific data protection schedule. That schedule should cover:

• controller, processor, and any joint-controller roles;
• participating sites, clinicians, sponsors, and affiliates;
• hosting location and access locations;
• sub-processors and support providers;
• retention, export, anonymisation, and deletion requirements;
• permitted reporting outputs, including whether outputs are identifiable, pseudonymised, aggregated, or anonymised;
• any ethics, clinical governance, sponsor, regulatory, or transfer requirements.

If there is a conflict between this page and a signed project-specific data protection schedule, the signed project-specific schedule will take precedence for that project.

12. Contact

For contractual, privacy, or data protection queries relating to these terms, contact info@patient-watch.com.