General Data Protection Regulations

Our group consists of the following brands and companies: Pharmalogic, MDS Healthcare Ltd, Issa Group, HBS Pharmacies, MDS Healthcare (Care Homes) Ltd and AK Sons Trading Ltd. These brands are referred to in this document as “we” or “us”.

The “GDPR” will apply to us as a Processor and Controller of Personal Data. It will also apply to Customers of ours if they are a Controller of Personal Data, and Suppliers of goods and/or services to us if they are Processing our Personal Data.

There will be an Agreement in place between you and us. Your Agreement may take the form of a specific written contract, terms and conditions of purchase, terms and conditions of business, or an implied contract. Your Agreement will now need to be updated to reflect the new legal requirements under the “GDPR”.

Accordingly, and with immediate effect, any data protection clause(s) or other relevant provision(s), including an express or implied obligation to comply with applicable laws contained in your Agreement, are supplemented as applicable with the new Data Protection clause below. All other aspects of your Agreement shall remain unchanged.

1.1 “Data Protection Laws” means applicable data protection laws and regulations protecting the personal data of natural persons, including but not limited to the Data Protection Act 1998 and the GDPR, and any national legislation which implements, amends and/or supplements the GDPR, together with any binding guidance, codes of conduct, codes of practice or certification issued from time to time by the relevant Supervisory Authorities (as defined in Section 1.3 below); in each case, as amended, supplemented or replaced from time to time.

1.2 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data including where applicable any local implementing laws as updated from time to time.

1.3 “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process”, “Processing”, “Processed” and “Supervisory Authority” have the same meaning as described in the Data Protection Laws.

1.4 “Supplier” means the entity delivering the goods and/or services to the Customer.

1.5 “Customer” means the entity receiving the goods and/or services from the Supplier.

The “GDPR” governs the processing of an individual’s personal data to ensure that such data is processed in a manner that protects the rights of that individual.

In consideration of the mutual benefits and covenants of both parties, we and the Customer or Supplier agree as set out below. Unless otherwise specified, any defined terms used in this letter agreement shall have the meaning set out in the “GDPR”.

  1. Where Processing of Personal Data takes place in the EEA or the UK, or otherwise involves the Processing of Personal Data of citizens in the EEA or the UK in connection with an Agreement, we shall:
    1.1 Process the Personal Data only on the instructions of the Customer or Supplier, except to the extent that any Processing of Personal Data is required by applicable laws to which the Customer or Supplier is subject;
    1.2 Notify us where the Customer or Supplier believes any instructions from us in respect of the Processing of Personal Data infringe the “GDPR” or applicable EU/EEA data protection laws (together the Data Protection Legislation), or any other applicable laws to which we or the Customer or Supplier is subject;
    1.3 Ensure that its personnel who are authorised to Process the Personal Data have committed themselves to confidentiality;
    1.4 Taking into account the nature of the Processing, assist the Customer or Supplier by having in place appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer or Supplier’s obligation to respond to requests for exercising the Data Subject’s rights under the Data Protection Legislation;
    1.5 Notify the Customer or Supplier without undue delay but not later than 72 hours after becoming aware of any breach relating to the Personal Data;
    1.6 Assist the Customer or Supplier in its compliance with paragraph 6 below, taking into account the nature of the Processing and the information available to us;
    1.7 At the Customer or Supplier’s option, delete or return to the Customer or Supplier, all of the Personal Data Processed under the applicable Agreement on termination of the contract, and delete any copies of such Personal Data unless any applicable laws to which we are subject require that copies are kept;
    1.8 Make available to the Customer or Supplier all information and submit to such audits (in each case to the extent reasonably necessary) as are required to demonstrate compliance with its obligations in paragraph one.
  2. We shall not sub-contract Processing of Personal Data to a third party without the Customer or Supplier’s prior specific or general written authorisation (not to be unreasonably withheld, conditioned or delayed). We shall inform the Customer or Supplier of any intended changes concerning the addition or replacement of any sub-contractors so authorised, and the Customer or Supplier shall notify us of any objections it has to any such changes in writing within five (5) business days, after which any such changes which the Client has not objected to in accordance with this paragraph (2) shall be deemed to be accepted.
  3. Where we sub-contract Processing of Personal Data to a third party in accordance with paragraph 2 above, we shall ensure that the third party is engaged on terms equivalent to those set out in this letter agreement and shall remain liable to the Customer or Supplier for any Processing of Personal Data by any such third party.
  4. We and the Customer or Supplier shall co-operate with any applicable regulator of the Data Protection Legislation on request in respect of the performance of its tasks under any Agreement, including this letter agreement.
  5. We and the Customer or Supplier shall each implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of Processing in accordance with Article 32 of the GDPR.
  6. To the extent required by the relevant Data Protection Legislation, we shall provide all reasonable assistance to the Customer or Supplier that is necessary to facilitate Customer or Supplier’s compliance with:
    6.1 its breach notification requirements under the Data Protection Legislation; and
    6.2 its obligations relating to conducting privacy impact assessments and (where applicable) liaising with the relevant regulator in relation to the same.

 

ANNEX 1: PROCESSING DETAILS

The Annex 1 includes details relating to the Processing activities of the Supplier (Issa Group and its brands and companies consisting of Pharmalogic, MDS Healthcare Ltd, Issa Group, HBS Pharmacies, MDS Healthcare (Care Homes) Ltd and AK Sons Trading Ltd).

Subject Matter and Duration of the Processing of the Personal Data
The subject matter and duration of the Processing of the Personal Data are set out in the Agreement.

The nature and purpose of the Processing of the Personal Data
The Supplier shall process Personal Data in order to provide goods and/or services to the Customer.

The types of Personal Data to be Processed
Personal Data Processed may include, but is not limited to, the name, identification number(s), address, online identifier(s) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a Data Subject. The Supplier may also Process special categories of data which include, but are not limited to, information relating to a Data Subject’s health.

The categories of Data Subject to whom the Personal Data relates
Personal Data will be processed in relation to customers and/or staff of Customer.

The obligations and rights of the Data Controller and Data Controller Affiliates
The obligations and rights of the Data Controller are set out in the Agreement.

 

ANNEX 2: PROCESSING DETAILS

The Annex 2 includes details relating to the Processing activities of a Supplier with respect to supplying goods and/or services to Issa Group and its brands and companies consisting of Pharmalogic, MDS Healthcare Ltd, Issa Group, HBS Pharmacies, MDS Healthcare (Care Homes) Ltd and AK Sons Trading Ltd Personal Data.

Subject matter and duration of the Processing of the Personal Data
The subject matter and duration of the Processing of the Personal Data are set out in the Agreement.

The nature and purpose of the Processing of the Personal Data
The Supplier shall Process Personal Data in order to provide goods and/or services to Issa Group and its brands and companies consisting of Pharmalogic, MDS Healthcare Ltd, Issa Group, HBS Pharmacies, MDS Healthcare (Care Homes) Ltd and AK Sons Trading Ltd.

The Types of Personal Data to be Processed
Personal Data Processed may include, but is not limited to, the name, identification number(s), address, online identifier(s) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a Data Subject. The Supplier may also Process special categories of data which include, but are not limited to, information relating to a Data Subject’s health.

The Categories of Data Subjects to whom the Personal Data relates
Personal Data will be processed in relation to customers and/or staff of Issa Group and its brands and companies consisting of Pharmalogic, MDS Healthcare Ltd, Issa Group, HBS Pharmacies, MDS Healthcare (Care Homes) Ltd and AK Sons Trading Ltd.

The obligations and rights of the Data Controller and Data Controller Affiliates
The obligations and rights of the Data Controller are set out in the Agreement.