OBLIGATIONS OF THE DATA CONTROLLER Clause Samples

OBLIGATIONS OF THE DATA CONTROLLER. 5.1 The Data Controller is responsible for the lawful basis for the processing of personal data, in particular with Schedule 1 of the Data Protection Act 2018. 5.2 The Data Controller must use accuRx or another safe communications channel to communicate Personal Data and/or Special Categories of Personal Data to the Data Processor. The security of the channel used must correspond to the privacy risk involved. 5.3 The Data Controller must accept responsibility for use of content that it produces. 5.4 The Data Controller is responsible for the validity of any mobile numbers or emails entered by the Data Controller's staff. 5.5 The Data Controller must not rely on accuRx for the communication of vital information. SMS messages should only be used to support and enhance communication. accuRx provide no guarantees or assurances that SMS messages have been delivered or read by the recipient. 5.6 The instructions given by the Data Controller to the Data Processor in respect of the Personal Data/Special Categories of Personal Data disclosed to it by patients of the Data Controller or generated in respect of such patients shall at all times be in accordance with the laws of England and Wales. 5.8 The Data Controller must ensure that all data fields in accuRx are correctly filled in and do not contain patient identifiable information where they are not supposed to. 5.9 The Data Controller, by entering into this Agreement, instructs the Data Processor to process the Personal Data/Special Categories of Personal Data on its behalf for the purpose of providing the Services, including the purpose of usage data reports in anonymised form. 5.10 The Data Controller, by entering into this Agreement, instructs the Data Processor to engage in reasonable monitoring of messages to prevent abuse, fraud or harm to patients through technical or user errors. This monitoring shall be proportionate and carried out through a person acting as a clinical lead.

OBLIGATIONS OF THE DATA CONTROLLER. 5.1 The Healthcare Organisation and eConsult acknowledge that, for the purpose of the Data Protection Legislation; 5.1.1 the Healthcare Organisation is the Controller and eConsult is the Processor; 5.1.2 the Healthcare Organisation retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the processing instructions it gives to eConsult. 5.2 The Healthcare Organisation warrants and represents that eConsult's processing of Personal Data as contemplated under this Data Processing Agreement will comply with the Data Protection Legislation. 5.3 The Healthcare Organisation acknowledges that: 5.3.1 it is responsible for ensuring its use of eConsult to communicate with Data Subjects is appropriate and complies with Data Protection Legislation; and 5.3.2 it must not use the Services in a manner which is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive. 5.4 The Schedule to this Agreement has been reviewed and approved by the Healthcare Organisation and sets out: 5.4.1 the types of Personal Data and categories of Data Subject whose Personal Data are Processed; 5.4.2 the categories of Processing carried out under this Data Processing Agreement; and 5.4.3 a description of the technical and organisational measures adopted by eConsult to protect the Personal Data. 5.5 eConsult shall create and maintain a register which includes the details set out in the Schedule, as well as each transfer of Personal Data to a territory outside of the UK and, where relevant, the documentation of suitable safeguards.

OBLIGATIONS OF THE DATA CONTROLLER. The Data Controller agrees and warrants that any disclosure of Personal Data made by or on behalf of it to the Data Processor is made with the Data Subject’s consent or is otherwise lawful.

OBLIGATIONS OF THE DATA CONTROLLER. 6.1. The Data Controller has, in accordance with the GDPR, a general obligation to ensure that the technical and organizational measures are maintained which includes technical and organizational measures of the Data Processor (see section 3.3). The Data Controller is satisfied that the Data Processor has implemented appropriate measures. 6.2. The Data Controller shall, in its use of the Service, process Personal Data in accordance with the requirements of all relevant data protection laws and regulations. For the avoidance of doubt, The Data Controller’s instructions for the processing of Personal Data shall comply with data protection Laws and regulations. 6.3. The Data Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which The Data Controller acquired Personal Data. This includes for the Data Controller to be responsible for ensuring that the collection and processing of personal data in the Services has a lawful basis in the data protection legislation. The Data Controller is responsible for ensuring that the Data Subjects have received all information required to ensure transparency under the data protection legislation and to comply with any request from data subjects to exercise their rights under the data protection legislation. 6.3.1. The Data Controller is responsible for complying with any requests from the data subjects. Data deletion and other requests can be made by sending an email to ▇▇▇▇▇@▇▇▇▇▇▇▇.▇▇▇.

OBLIGATIONS OF THE DATA CONTROLLER. The Data Controller is obligated to: a) Make available the Personal Data to the Data Processors, through the Principal Investigator that will collect them or facilitate the collection thereof within the framework of the Trial. b) Carry out, when appropriate, the corresponding data protection impact assessment for the data on the Processing to be carried out by the Data Processor. c) Carry out the corresponding prior consultations with the Control Authorities d) Ensure, in advance and while the Processing is being performed, that the Data Processor complies with the Regulation, especially with regard to compliance with the duties of information to the interested parties and compliance with the principles established in the GDPR. e) Notify the Data Processors at least seven (7) working days in advance of the intention to carry out an audit in accordance with the provisions of section l) of Clause 4 above. f) Assure that the monitor chosen and designated for this Trial, complies with all obligations regarding Protection of personal data, in accordance with current regulations at all times. If necessary, because the monitor acts on behalf of the Controller, Controller commits to grant a contract for the processing of personal data with him.

OBLIGATIONS OF THE DATA CONTROLLER. 3.1 The Data Controller warrants that the personal data is processed for legitimate and objective purposes and that the Data Processor is not processing more personal data than required for fulfilling such purposes. 3.2 The Data Controller is responsible for ensuring that a valid legal basis for processing exists at the time of transferring the personal data to the Data Processor. Upon the Data Processor's request, the Data Controller undertakes, in writing, to account for and/or provide documen- tation of the basis for processing. 3.3 In addition, the Data Controller warrants that the data subjects to which the personal data pertains have been provided with sufficient information on the processing of their personal data.

OBLIGATIONS OF THE DATA CONTROLLER. 2.1 The Data Controller shall provide the personal data to the Data Processor together with such other information as the Data Processor may reasonably require in order for the Data Processor to provide the Services. 2.2 The instructions given by the Data Controller to the Data Processor in respect of the personal data shall at all times be in accordance with the laws of the United Kingdom.

OBLIGATIONS OF THE DATA CONTROLLER. 8.1. In case further activities or specific measures become necessary for compliance with the provisions relating to the protection of data, or in case of changes to the Framework Agreement with impact on the processing of personal data, where necessary, the Data Controller will provide the Date Processor with further instructions with regard to the purposes, methods and procedures for the use and processing of Personal Data, and will agree with the Data Processor the most suitable technical and organisational measures.

OBLIGATIONS OF THE DATA CONTROLLER. 3.1 The Data Controller warrants that the personal data is processed for legitimate and objective purposes and that the Data Processor is not processing more personal data than required for fulfilling such purposes. 3.2 The Data Controller is responsible for ensuring that a valid legal basis for processing exists at the time of transferring the personal data to the Data Processor. Upon the Data Processor's request, the Data Controller undertakes, in writing, to account for and/or provide documentation of the basis for processing. 3.3 In addition, the Data Controller warrants that the data subjects to which the personal data pertains have been provided with sufficient information on the processing of their personal data. 3.4 In case the Data Controller instructs a sub-Data Processor, appointed in accordance with clause 5.1 directly, the Data Controller must immediately inform the Data Processor hereof. The Data Processor shall not in any way be liable for any processing carried out by the sub-Data Processor in accordance with such instructions.