Feebris Data Protection Schedule

Effective 17 SEP, 2024

Capitalised terms used in this Data Protection Schedule ("Schedule") have the meanings given in the Agreement, unless otherwise defined herein.

1. Additional definitions

1.1 "Agreement" means the contract within which this Schedule is incorporated.

1.2 “Personal Data Breach” shall have the meaning given in Applicable Data Protection Law.

2. Roles of the parties

2.1 The parties acknowledge that for the purposes of Applicable Data Protection Law, the Licensee is the controller and Feebris is the processor of Licensee Data, including that set out in Appendix 1, which sets out the scope, nature and purpose of processing by the processor, the duration of the processing and the types of personal data and categories of data subject. Feebris shall comply with its obligations set out in paragraph 3.

2.2 Licensee is responsible for obtaining all consents, licences and legal bases required to allow Feebris to process personal data in accordance with Applicable Data Protection Law.

3. Processor terms

3.1 In respect of Licensee Data, Feebris shall:

3.1.1 only process Licensee Data on the documented instructions of the Licensee for the purpose of performing its obligations under the Agreement or as may be agreed in writing between the parties and shall not process the Licensee Data for its own purposes;

3.1.2 to the extent permitted by law, immediately notify the Licensee in writing if it believes it has been provided with any instruction to process the Licensee Data in breach of Applicable Data Protection Law;

3.1.3 use reasonable endeavours to notify the Licensee if it is obliged to make a disclosure of the Licensee Data collected under or in connection with the Agreement under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law;

3.1.4 take appropriate technical and organisational measures against a Personal Data Breach involving Licensee Data;

3.1.5 without undue delay upon discovery, notify the Licensee of any confirmed Personal Data Breach;

3.1.6 take reasonable steps to ensure the reliability of all personnel who have access to Licensee Data and ensure that only personnel who require access to the Licensee Data are given access (and only to the extent necessary) and that such personnel: (i) are informed of the confidential nature of the Licensee Data; (ii) have received appropriate training on protecting personal data; and (iii) are bound by contractual or statutory confidentiality obligations in relation to the Licensee Data, and ensure that any such access is revoked once no longer required;

3.1.7 promptly notify the Licensee if it receives a request pertaining to the exercise of a data subject right pursuant to Applicable Data Protection Law, including without limitation, subject access rights, rights to rectification, restriction of processing, data portability and the right to object to processing. Feebris shall not respond to a data subject request without the Licensee’s prior written consent. Feebris will provide Licensee with reasonable assistance with responses to data subjects’ requests to exercise their rights under Data Protection Law;

3.1.8 immediately provide such cooperation, assistance and information to the Licensee, at the Licensee’s reasonable costs, as may be required to allow the Licensee to comply with: (a) the completion of any data protection impact assessment as reasonably required from time to time pursuant to Applicable Data Protection Law; and (b) notices served by any supervisory authority, such as the Information Commissioner’s Office in the UK;

3.1.9 at the Licensee’s reasonable costs, and subject to Feebris' confidentiality requirements, provide a copy of its latest audit report to demonstrate compliance with the requirements of this paragraph 3, provided that such a right is not exercised more than once annually. In the event of a Personal Data Breach caused by Feebris, Feebris will allow for and contribute to audits, including inspections, conducted by Licensee or another auditor mandated by Licensee;

3.1.10 not transfer Licensee Data from the European Economic Area ("EEA") or the UK outside the EEA or the UK unless Feebris has, prior to any such transfer, put in place appropriate safeguards as required by Applicable Data Protection Law to protect the Licensee Data including (without limitation) executing with the Licensee and any sub-processors such further documentation as may be necessary for the transfers to be lawful; and

3.1.11 on demand from the Licensee, destroy and/or permanently delete from its information technology systems all copies of Licensee Data in its possession (in any form or format whatsoever) and give the Licensee a certificate signed by one of its authorised signatories confirming that it has done so. This sub-paragraph shall not apply to the extent that Feebris is required to retain Licensee Data: (a) due to a legal obligation; or (b) any of the Licensee Data is also data processed by Feebris for another of Feebris' licensees.

3.2 Sub-processors:

3.2.1 The Licensee consents to Feebris using sub-processors for processing personal data. Feebris' current sub-processors are listed at: https://www.feebris.com/sub-processors

3.2.2 Feebris will ensure that its sub-processors comply with terms equivalent to Feebris’ obligations in this Schedule and implement appropriate safeguards before transferring personal data internationally. Feebris remains liable for the actions, errors, or omissions of its sub-processors under this Schedule.

3.2.3 Feebris may appoint new sub-processors but must notify the Licensee in writing at least 14 days before the sub-processor is given access to Licensee Data.

3.2.4 The Licensee may reasonably object in writing to any new sub-processor. If the parties cannot reach an agreement within a reasonable time, either party may terminate this Schedule.

4. Liability

4.1 Each party's liability under this Schedule shall be subject to the exclusions and limitations set out in the Agreement.

Appendix 1 - Licensee data

(a) Scope, nature and purpose of processing:

(i) Provision and improvement of the Service and the Feebris Platform;

(ii) Access control in the Feebris Platform for Licensee Authorised Users and patients;

(iii) Supporting and training patients and Licensee Authorised Users;

(iv) Recording, storing, transmitting, computing, and displaying patient health information within the Feebris Platform;

(v) Anonymising/de-identifying patient health information for the purposes of improving the Services and the Feebris Platform (including safety and performance monitoring to comply with medical device regulation);

(vi) Anonymising/de-identifying/aggregating patient health information for reporting to Public Health Authorities, Regulators, and the Buyer; and

(vii) Sharing patient health information and other inputted patient data via the Feebris Platform, on an individual patient basis, with other third-party Licensees which: (A) are also using the Feebris Platform; (B) have also entered into a Data Protection Schedule in substantially the form of this Schedule; (C) also have a duty of care as a healthcare provider to that individual patient; and (D) have either independently added that individual patient to their Feebris Platform or been invited by the Licensee to access that individual patient's record in the Feebris Platform.

Data must be anonymised when used for any purpose other than those mentioned above.

(b) Categories of Personal Data:

(i) Identity and contact data.

(ii) Patient health information (including observations, symptoms, vital sign measurements, notes) available to the Licensee in the Feebris Platform, either inputted into the Feebris Platform by Authorised Users or outputted by computations in the Feebris Platform.

(c) Categories of data subjects:

(i) Patients; and

(ii) Licensee Authorised Users.

(d) Duration of processing:

(i) Until the termination of the Agreement, at which time the Licensee Data will be destroyed per 3.1.11, or returned if so requested by the Licensee.

Appendix 2 – Sub-Processors

Feebris' current sub-processors are listed at: https://www.feebris.com/sub-processors